Solved Firefox redirect and sluggishness

Hi All,

I'm pretty good about viruses - this is my first in 8 years or so. I've done the basics - go to msconfig, remove all the programs/services I don't know in safe mode, run a few antivirus programs, etc. This one has eluded me. I either accidentally clicked on one of those ActiveX screens or it used a vulnerability to allow itself on the computer. It happened very quickly.

My Firefox results show up normally, but the first click to websites is being redirected. The computer also feels a little more sluggish than it should. SpyNoMore found keyloggers and trojans, but wanted money to remove them.

Here are the logs:

MBAM:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6986

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/30/2011 9:53:47 AM
mbam-log-2011-06-30 (09-53-47).txt

Scan type: Quick scan
Objects scanned: 180815
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files (x86)\mozilla firefox\0.2928573401180692.exe (Exploit.Dropper) -> Quarantined and deleted successfully.
c:\program files (x86)\mozilla firefox\0.4473215236219442.exe (Exploit.Dropper) -> Quarantined and deleted successfully.

GMER:
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-30 10:05:31
Windows 6.1.7600
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffaf73100
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffaf73100 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Users\nicmatth\AppData\Local\Microsoft\Outlook\~outlook.ost.tmp 65536 bytes
File C:\Users\nicmatth\AppData\Local\Temp\plugtmp-2 0 bytes
File C:\Users\nicmatth\AppData\Local\Temp\plugtmp-2\plugin-298939.pdf 79094 bytes
File C:\Users\nicmatth\AppData\Local\Temp\etilqs_HwIGzqVcLoxm6fN 262176 bytes
File C:\Users\nicmatth\AppData\Local\Temp\How_to_Build_a_ASR_9000.ppt 1136640 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\addons.sqlite-journal 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\cookies.sqlite-shm 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\cookies.sqlite-wal 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\extensions.sqlite-journal 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\parent.lock 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\places.sqlite-shm 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\places.sqlite-wal 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Thunderbird\Profiles\trq05g59.default\cookies.sqlite-journal 0 bytes

---- EOF - GMER 1.0.15 ----

Attach.txt:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 1/26/2011 10:19:56 PM
System Uptime: 6/29/2011 3:12:28 AM (31 hours ago)
.
Motherboard: LENOVO | | 4389BB4
Processor: Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz | None | 1600/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 119 GiB total, 16.97 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GT30N___________________LT10____\5&1C50C5D9&0&1.0.0
Manufacturer: (Standard CD-ROM drives)
Name: HL-DT-ST DVDRAM GT30N ATA Device
PNP Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GT30N___________________LT10____\5&1C50C5D9&0&1.0.0
Service: cdrom
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Bluetooth Device (Personal Area Network)
Device ID: BTH\MS_BTHPAN\7&2D98A6FB&0&2
Manufacturer: Microsoft
Name: Bluetooth Device (Personal Area Network)
PNP Device ID: BTH\MS_BTHPAN\7&2D98A6FB&0&2
Service: BthPan
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: VMware Virtual Ethernet Adapter for VMnet1
Device ID: ROOT\VMWARE\0000
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet1
PNP Device ID: ROOT\VMWARE\0000
Service: VMnetAdapter
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: VMware Virtual Ethernet Adapter for VMnet8
Device ID: ROOT\VMWARE\0001
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet8
PNP Device ID: ROOT\VMWARE\0001
Service: VMnetAdapter
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Intel(R) Centrino(R) Ultimate-N 6300 AGN
Device ID: PCI\VEN_8086&DEV_4238&SUBSYS_11118086&REV_35\4&C36BE82&0&00E1
Manufacturer: Intel Corporation
Name: Intel(R) Centrino(R) Ultimate-N 6300 AGN
PNP Device ID: PCI\VEN_8086&DEV_4238&SUBSYS_11118086&REV_35\4&C36BE82&0&00E1
Service: NETw5s64
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Teredo Tunneling Adapter
Device ID: ROOT\*TEREDO\0000
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TEREDO\0000
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter for 64-bit Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter for 64-bit Windows
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
PNP Device ID: ROOT\NET\0001
Service: vpnva
.
==== System Restore Points ===================
.
RP67: 6/8/2011 12:05:05 PM - Scheduled Checkpoint
RP68: 6/14/2011 11:14:07 AM - Installed DesignXpert
RP69: 6/15/2011 3:00:12 PM - Windows Update
RP70: 6/23/2011 2:34:16 PM - Scheduled Checkpoint
RP71: 6/23/2011 3:00:10 PM - Windows Update
.
==== Installed Programs ======================
.
.
2007 Microsoft Office Suite Service Pack 1 (SP1)
7-Zip 9.20
Adobe Audition 1.5
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
Altiris Agent
Altiris Application Metering Agent
Altiris Inventory Rule Agent
Altiris Local Security Agent
Altiris Patch Management Agent
Altiris Software Delivery Solution Agent
Altiris Task Synchronization Agent
Altiris_PCTransplant
Applications_Win32_Cisco_AltirisAgentRedirector
Applications_Win32_Cisco_PCSetupGuide
CEPS Print Client
Chinese Simplified Fonts Support For Adobe Reader 9
Chinese Traditional Fonts Support For Adobe Reader 9
Cisco AnyConnect VPN Client
Cisco DART
Cisco Direct Printing
Cisco IP Communicator
Cisco WebEx Connect
CiscoITw7blizzardwpa1
Citrix Presentation Server Client
DesignXpert
eSupport UndeletePlus 3.0.2.406
Evernote v. 4.3
FileZilla Client 3.4.0
FileZilla Server (remove only)
GIMP 2.6.11
Google Calendar Sync
Google Talk Plugin
GSplit 3
GTRC Support Central
HiJackThis
Integrated Camera Driver Installer Package Ver.1.1.0.42
iPassConnect
IPTV Viewer
Japanese Fonts Support For Adobe Reader 9
Java(TM) 6 Update 13
Keyspan USB Serial Adapter
Korean Fonts Support For Adobe Reader 9
Malwarebytes' Anti-Malware version 1.51.0.1200
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft Office Access database engine 2007 (English)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2007
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Visio 2010
Microsoft Office Visio MUI (English) 2010
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Visio Standard 2010
Microsoft Visio Viewer 2010
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft_VC90_CRT_x86
Mozilla Firefox 5.0 (x86 en-US)
Mozilla Thunderbird (3.1.11)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
MultiMon TaskBar 2.1
Netformx Updater
Network Recording Player
Notepad++
ooVoo
OS_Winx64_Windows7_Drivers_Lenovo_ThinkPad_W510
Pidgin
QuickTime 7.5
Real-Time Monitoring Tool 8.5
Real-Time Monitoring Tool 8.7
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
SofToken II
SpyNoMore 2.98
Tftpd32 Standalone Edition
ThinkPad Power Manager
tools-linux
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
ViewMail for Outlook 7.0(2)
VirtualCloneDrive
VMware Player
VMware vCenter Converter Standalone
VMware vSphere Client 4.0
VMware vSphere Client 4.1
WebEx
WebEx Document Suite
WebEx Productivity Tools
WinPcap 4.1.2
Wireshark 1.6.0
Xobni
Xobni Core
.
==== Event Viewer Messages From Past Week ========
.
6/29/2011 8:41:50 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
6/29/2011 1:39:20 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain CISCO due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
6/27/2011 9:04:52 AM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
6/27/2011 8:58:56 AM, Error: Service Control Manager [7000] - The CMGShield service failed to start due to the following error: The system cannot find the file specified.
6/27/2011 8:57:35 AM, Error: Service Control Manager [7000] - The Altiris Agent service failed to start due to the following error: The system cannot find the file specified.
6/27/2011 8:57:23 AM, Error: Application Popup [1060] - \SystemRoot\SysWow64\drivers\pfc.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
.
==== End Of File ===========================


DDS.txt:
.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by nicmatth at 10:06:29 on 2011-06-30
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.4028.2194 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Windows\SysWOW64\atashost.exe
C:\Program Files (x86)\WebEx\Connect\apUpdate.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\LENOVO\HOTKEY\CAMMUTE.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\NetFormx\updater\NfxUpdaterEngine.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files (x86)\Xobni\XobniService.exe
C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\WebEx\Connect\connect.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files (x86)\MMTaskbar\MultiMon.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Pidgin\pidgin.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files (x86)\VMware\VMware Player\hqtray.exe
C:\Program Files (x86)\Texter\texter.exe
C:\Program Files (x86)\NetFormx\updater\NfxUpdaterUI.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files (x86)\WebEx\Connect\wbxcOIEx.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Evernote\Evernote\Evernote.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteTray.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://wwwin.cisco.com
uWindow Title = Windows Internet Explorer provided by Cisco
uDefault_Page_URL = hxxp://wwwin.cisco.com
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
uRun: [Google Update] "C:\Users\nicmatth\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Cisco WebEx Connect] "C:\Program Files (x86)\WebEx\Connect\connect.exe"
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
mRun: [VMware hqtray] "C:\Program Files (x86)\VMware\VMware Player\hqtray.exe"
mRun: [Netformx Updater] "C:\Program Files (x86)\NetFormx\updater\NfxUpdaterUI.exe" -hide
mRun: [Cisco AnyConnect VPN Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe" -autolaunched
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
mRun: [FileZilla Server Interface] "C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe"
mRun: [SNM] C:\Program Files (x86)\SpyNoMore\SNM.exe /startup
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CISCOW~1.LNK - C:\Program Files (x86)\WebEx\Connect\connect.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pidgin.lnk - C:\Program Files (x86)\Pidgin\pidgin.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TEXTER~1.LNK - C:\Program Files (x86)\Texter\texter.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Texter.lnk - C:\Program Files (x86)\Texter\texter.exe
StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\MULTIM~1.LNK - C:\Program Files (x86)\MMTaskbar\MultiMon.exe
StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
LSP: C:\Program Files (x86)\VMware\VMware Player\vsocklib.dll
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://provision-sjc.cisco.com/CACHE/webvpn/stc/1/binaries/vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: DhcpNameServer = 64.102.6.247 161.44.124.122
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F} : DhcpNameServer = 64.102.6.247 161.44.124.122
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\26F6F6D6 : DhcpNameServer = 8.8.8.8
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\357494D26596379647F62737 : DhcpNameServer = 172.30.3.100 172.30.3.101
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\44D4D21393130333D27455543545 : DhcpNameServer = 12.127.17.77 12.127.16.77
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\65562796A7F6E60214442563430303C40223646424 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\65562796A7F6E602D496649623230303029383445402355636572756 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\7657563747 : DhcpNameServer = 192.168.2.254 8.8.4.4 4.2.2.1
TCP: Interfaces\{55484E21-3916-4300-8A03-B4966AE796CC} : DhcpNameServer = 172.20.23.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
AppInit_DLLs: AMINIT32.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: WebEx Productivity Tools: {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: WebEx Productivity Tools: {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
mRun-x64: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun-x64: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
mRun-x64: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
mRun-x64: [VMware hqtray] "C:\Program Files (x86)\VMware\VMware Player\hqtray.exe"
mRun-x64: [Netformx Updater] "C:\Program Files (x86)\NetFormx\updater\NfxUpdaterUI.exe" -hide
mRun-x64: [Cisco AnyConnect VPN Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe" -autolaunched
mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun-x64: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
mRun-x64: [FileZilla Server Interface] "C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe"
mRun-x64: [SNM] C:\Program Files (x86)\SpyNoMore\SNM.exe /startup
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
AppInit_DLLs-X64: AMINIT32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\
FF - component: C:\Program Files (x86)\WebEx\Productivity Tools\components\OCFF.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: C:\Program Files (x86)\QuickTime\Plugins\npatgpc.dll
FF - plugin: C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: C:\Users\nicmatth\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Users\nicmatth\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\nicmatth\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.negotiate-auth.delegation-uris - .cisco.com
.
FF - user.js: network.negotiate-auth.trusted-uris - .cisco.com
.
============= SERVICES / DRIVERS ===============
.
R0 CmgHiber;CmgHiber;C:\Windows\system32\DRIVERS\CmgHiber.sys --> C:\Windows\system32\DRIVERS\CmgHiber.sys [?]
R0 CmgShieldCEF;CmgShieldCEF;C:\Windows\system32\DRIVERS\CMGShCEF.sys --> C:\Windows\system32\DRIVERS\CMGShCEF.sys [?]
R0 CMGShieldReg;CMGShieldReg;C:\Windows\system32\DRIVERS\CmgShREG.sys --> C:\Windows\system32\DRIVERS\CmgShREG.sys [?]
R0 DzHDD64;DzHDD64;C:\Windows\system32\DRIVERS\DzHDD64.sys --> C:\Windows\system32\DRIVERS\DzHDD64.sys [?]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiifx64.sys --> C:\Windows\system32\DRIVERS\smiifx64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 atashost;WebEx Service Host for Support Center;C:\Windows\SysWOW64\atashost.exe [2011-2-24 43912]
R2 CipcCdp;Cisco IP Communicator driver for CDP;C:\Windows\system32\DRIVERS\CipcCdp.sys --> C:\Windows\system32\DRIVERS\CipcCdp.sys [?]
R2 Cisco WebEx Connect Upgrade Service;Cisco WebEx Connect Upgrade Service;C:\Program Files (x86)\WebEx\Connect\apUpdate.exe [2011-4-11 824120]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\HOTKEY\cammute.exe [2010-3-18 54632]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2010-3-18 44984]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-6-7 366640]
R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2011-2-4 20792]
R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe [2011-2-4 181480]
R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [2011-2-4 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\system32\mfevtps.exe --> C:\Windows\system32\mfevtps.exe [?]
R2 NfxUpdaterService;NfxUpdaterService;C:\Program Files (x86)\NetFormx\updater\NfxUpdaterEngine.exe [2011-4-6 20376]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2010-4-30 6237800]
R2 rimspci;rimspci;C:\Windows\system32\DRIVERS\rimspe64.sys --> C:\Windows\system32\DRIVERS\rimspe64.sys [?]
R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2010-3-18 63928]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
R2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2010-8-24 444976]
R2 vmware-converter-server;VMware vCenter Converter Standalone Server;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-8-24 444976]
R2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-8-24 444976]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-11-15 592120]
R2 XobniService;XobniService;C:\Program Files (x86)\Xobni\XobniService.exe [2011-4-29 62184]
R3 5U877;USB Video Device;C:\Windows\system32\DRIVERS\5U877.sys --> C:\Windows\system32\DRIVERS\5U877.sys [?]
R3 connctfyMP;connctfyMP;C:\Windows\system32\DRIVERS\connctfy.sys --> C:\Windows\system32\DRIVERS\connctfy.sys [?]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 CMGShield;CMGShield;C:\Windows\system32\CmgShieldSvc.exe --> C:\Windows\system32\CmgShieldSvc.exe [?]
S3 connctfy;Connectify Service;C:\Windows\system32\DRIVERS\connctfy.sys --> C:\Windows\system32\DRIVERS\connctfy.sys [?]
S3 DozeSvc;Lenovo Doze Mode Service;C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2011-2-7 164200]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2011-2-7 75112]
S3 rixdpcie;rixdpcie;C:\Windows\system32\DRIVERS\rixdpe64.sys --> C:\Windows\system32\DRIVERS\rixdpe64.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 USA19H;USA19H;C:\Windows\system32\DRIVERS\USA19Hx64.sys --> C:\Windows\system32\DRIVERS\USA19Hx64.sys [?]
S3 USA19HP;USA19HP;C:\Windows\system32\DRIVERS\USA19Hx64p.SYS --> C:\Windows\system32\DRIVERS\USA19Hx64p.SYS [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 Connectify;Connectify;C:\Program Files (x86)\Connectify\Connectifyd.exe [2011-3-9 892992]
S4 EMS;EMS;EMSService.exe --> EMSService.exe [?]
.
=============== File Associations ===============
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=C:\Windows\System32\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-06-30 14:05:52 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-30 14:05:52 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-24 19:55:14 -------- d-----w- C:\Users\nicmatth\AppData\Roaming\Wireshark
2011-06-17 12:47:55 -------- d-----w- C:\Program Files (x86)\WinPcap
2011-06-17 12:46:51 -------- d-----w- C:\Program Files\Wireshark
2011-06-15 15:44:01 482816 ----a-w- C:\Windows\System32\html.iec
2011-06-15 15:43:38 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-06-15 15:42:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-06-15 15:42:51 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-06-15 15:33:39 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-06-15 15:32:53 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-06-15 15:28:04 102400 ----a-w- C:\Windows\System32\drivers\dfsc.sys
2011-06-15 15:28:02 499712 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-06-15 15:28:02 1896832 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-15 15:28:01 1110528 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-15 15:27:15 759296 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-15 15:27:14 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-15 15:27:13 157696 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-06-15 15:27:13 126464 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-06-15 15:27:09 3133952 ----a-w- C:\Windows\System32\win32k.sys
2011-06-15 15:22:35 461312 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-06-15 15:22:35 399872 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-06-15 15:22:35 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-06-15 15:18:19 861184 ----a-w- C:\Windows\System32\oleaut32.dll
2011-06-15 15:18:07 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-06-13 15:41:26 -------- d-----w- C:\Program Files (x86)\eSupport.com
2011-06-13 14:46:26 230400 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\hpzppw71.dll
2011-06-08 14:47:52 -------- d-----w- C:\Users\nicmatth\DoctorWeb
2011-06-07 17:39:23 -------- d-----w- C:\Users\nicmatth\AppData\Roaming\Malwarebytes
2011-06-07 17:39:16 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-07 17:39:14 -------- d-----w- C:\ProgramData\Malwarebytes
2011-06-07 17:39:10 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-06-07 17:39:09 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-06-07 16:38:26 1152 ----a-w- C:\Windows\SysWow64\windrv.sys
2011-06-07 16:37:58 -------- d-----w- C:\Program Files (x86)\SpyNoMore
2011-06-06 14:37:05 23864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\Scriptff.dll
2011-06-02 15:45:20 -------- d-----w- C:\Users\nicmatth\.cisco
.
==================== Find3M ====================
.
2011-04-22 20:18:28 1197056 ----a-w- C:\Windows\System32\wininet.dll
2011-04-22 20:14:08 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-04-22 19:31:50 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-04-22 19:31:26 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-04-09 06:58:56 142336 ----a-w- C:\Windows\System32\poqexec.exe
2011-04-09 06:45:48 5509504 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-04-09 06:13:06 3957632 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13:06 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
.
============= FINISH: 10:07:30.50 ===============


Thanks!
 
SpyNoMore found keyloggers and trojans, but wanted money to remove.

Apparently you didn't read this when you downloaded SpyNoMore:
Price: Free to try (Scan only; no spyware removal); $29.95 to buy
I would recommend that you remove this program. I can help you find full function programs.
===============================================
As for "sluggish" there can be many reasons for this. Malware is only one of them. Others are not enough RAM or bad RAM, too many processes starting on boot and running in the background, etc. For Malware to be the cause, the system would usually have to be heavily infected and so far, I'm not seeing that.
===================================
Malwarebytes removed malware named Exploit.Dropper from Firefox. These are usually found in the Java cache and are frequently there because outdated versions of Java remain on the system, which cause vulnerabilities. You have Java v6u13 on the system. The current version is v6u26. Please update Java now:
Java Updates. Then uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
==================================
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
  • [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
  • [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  • [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
  • [5]. Click OK on the Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  • [6]. Click Apply > OK on the Temporary Files Settings window.
Images courtesy java.com
Please reboot the computer before going on
=================================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or from http://www.forospyware.com/sUBs/ComboFix.exe and save it to the desktop.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see ComboFix's "what next" message.
  • Click on Yes, to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and opened in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
 
Combofix log

ComboFix 11-07-03.04 - nicmatth 07/05/2011 11:08:11.1.8 - x64
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.4028.1830 [GMT -4:00]
Running from: c:\download\ComboFix.exe
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\nicmatth\AppData\Local\{556114CE-6FF4-4AC8-A1CD-336AD7733FB4}
c:\users\nicmatth\AppData\Local\{556114CE-6FF4-4AC8-A1CD-336AD7733FB4}\chrome.manifest
c:\users\nicmatth\AppData\Local\{556114CE-6FF4-4AC8-A1CD-336AD7733FB4}\chrome\content\_cfg.js
c:\users\nicmatth\AppData\Local\{556114CE-6FF4-4AC8-A1CD-336AD7733FB4}\chrome\content\overlay.xul
c:\users\nicmatth\AppData\Local\{556114CE-6FF4-4AC8-A1CD-336AD7733FB4}\install.rdf
c:\users\nicmatth\AppData\Roaming\Adobe\plugs
c:\users\nicmatth\AppData\Roaming\Adobe\shed
c:\windows\system32\blat.exe
c:\windows\system32\ZoomIt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-05 to 2011-07-05 )))))))))))))))))))))))))))))))
.
.
2011-07-05 15:14 . 2011-07-05 15:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-05 15:14 . 2011-07-05 15:14 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-07-05 14:52 . 2011-07-05 14:52 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-05 14:52 . 2011-07-05 14:52 -------- d-----w- c:\program files\Java
2011-06-30 14:05 . 2011-06-30 14:05 2106216 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-30 14:05 . 2011-06-30 14:05 1998168 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-30 00:52 . 2011-05-24 11:21 404992 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-30 00:52 . 2011-05-24 10:34 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2011-06-30 00:52 . 2011-05-24 10:32 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
2011-06-30 00:52 . 2011-05-24 10:34 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2011-06-30 00:52 . 2011-05-24 10:34 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2011-06-24 19:55 . 2011-06-24 19:55 -------- d-----w- c:\users\nicmatth\AppData\Roaming\Wireshark
2011-06-17 12:47 . 2011-06-17 12:47 -------- d-----w- c:\program files (x86)\WinPcap
2011-06-17 12:46 . 2011-06-17 12:47 -------- d-----w- c:\program files\Wireshark
2011-06-15 15:44 . 2011-04-22 18:49 482816 ----a-w- c:\windows\system32\html.iec
2011-06-15 15:43 . 2011-04-22 18:23 386048 ----a-w- c:\windows\SysWow64\html.iec
2011-06-15 15:42 . 2011-05-28 03:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-15 15:42 . 2011-05-28 03:00 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-06-15 15:33 . 2011-05-03 05:21 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 15:32 . 2011-05-03 04:50 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-06-15 15:28 . 2011-04-27 02:57 102400 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-15 15:28 . 2011-04-25 05:32 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-15 15:28 . 2011-04-25 02:44 499712 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 15:28 . 2011-04-29 05:47 1110528 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-15 15:27 . 2011-04-29 05:08 759296 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-15 15:27 . 2011-05-04 02:51 287744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 15:27 . 2011-05-04 02:51 157696 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 15:27 . 2011-05-04 02:51 126464 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 15:27 . 2011-05-28 03:07 3133952 ----a-w- c:\windows\system32\win32k.sys
2011-06-15 15:22 . 2011-04-29 03:13 461312 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-15 15:22 . 2011-04-29 03:12 399872 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 15:22 . 2011-04-29 03:12 161792 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 15:18 . 2010-12-18 06:13 861184 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 15:18 . 2010-12-18 05:31 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-06-13 15:41 . 2011-06-13 15:41 -------- d-----w- c:\program files (x86)\eSupport.com
2011-06-13 14:46 . 2009-07-14 01:41 230400 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpzppw71.dll
2011-06-08 14:47 . 2011-06-08 14:47 -------- d-----w- c:\users\nicmatth\DoctorWeb
2011-06-07 17:39 . 2011-06-07 17:39 -------- d-----w- c:\users\nicmatth\AppData\Roaming\Malwarebytes
2011-06-07 17:39 . 2011-05-29 13:11 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-07 17:39 . 2011-06-07 17:39 -------- d-----w- c:\programdata\Malwarebytes
2011-06-07 17:39 . 2011-05-29 13:11 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-07 17:39 . 2011-06-07 17:39 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-06-07 16:38 . 2011-06-07 16:38 1152 ----a-w- c:\windows\SysWow64\windrv.sys
2011-06-06 14:37 . 2011-02-05 00:07 23864 ----a-w- c:\program files (x86)\Mozilla Firefox\components\Scriptff.dll
2011-06-06 14:36 . 2011-06-06 14:36 -------- d-----w- c:\users\Default\AppData\Roaming\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-23 19:17 . 2011-05-23 19:17 388096 ----a-r- c:\users\nicmatth\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-09 06:58 . 2011-05-12 23:54 142336 ----a-w- c:\windows\system32\poqexec.exe
2011-04-09 06:45 . 2011-05-11 20:27 5509504 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 06:13 . 2011-05-11 20:27 3957632 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-11 20:27 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-12 23:54 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cisco WebEx Connect"="c:\program files (x86)\WebEx\Connect\connect.exe" [2011-04-11 1934648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-02-05 124224]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2010-05-12 1128296]
"VMware hqtray"="c:\program files (x86)\VMware\VMware Player\hqtray.exe" [2010-11-11 64112]
"Netformx Updater"="c:\program files (x86)\NetFormx\updater\NfxUpdaterUI.exe" [2011-03-28 127888]
"Cisco AnyConnect VPN Agent for Windows"="c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe" [2010-11-15 194808]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"FileZilla Server Interface"="c:\program files (x86)\FileZilla Server\FileZilla Server Interface.exe" [2010-10-17 1259008]
.
c:\users\nicmatth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Cisco WebEx Connect.lnk - c:\program files (x86)\WebEx\Connect\connect.exe [2011-4-11 1934648]
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2011-4-12 973824]
GoogleCalendarSync.exe - Shortcut.lnk - c:\program files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
Pidgin.lnk - c:\program files (x86)\Pidgin\pidgin.exe [2011-2-6 48618]
texter.exe - Shortcut.lnk - c:\program files (x86)\Texter\texter.exe [2007-11-6 377303]
Texter.lnk - c:\program files (x86)\Texter\texter.exe [2007-11-6 377303]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
MultiMon Taskbar.lnk - c:\program files (x86)\MMTaskbar\MultiMon.exe [2011-2-18 294912]
vpngui.exe.lnk - c:\windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe [2010-9-21 5120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 CMGShield;CMGShield;c:\windows\system32\CmgShieldSvc.exe [x]
R3 bmdrvr;Modified Clusters Tracking Driver;SysWOW64\drivers\bmdrvr.sys [x]
R3 connctfy;Connectify Service;c:\windows\system32\DRIVERS\connctfy.sys [x]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2010-05-12 164200]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2010-05-12 75112]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [x]
R3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19Hx64.sys [x]
R3 USA19HP;USA19HP;c:\windows\system32\DRIVERS\USA19Hx64p.SYS [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 Connectify;Connectify;c:\program files (x86)\Connectify\Connectifyd.exe [2011-03-09 892992]
R4 EMS;EMS;EMSService.exe [x]
R4 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
R4 XobniService;XobniService;c:\program files (x86)\Xobni\XobniService.exe [2011-04-30 62184]
S0 CmgHiber;CmgHiber;c:\windows\system32\DRIVERS\CmgHiber.sys [x]
S0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\DRIVERS\CMGShCEF.sys [x]
S0 CMGShieldReg;CMGShieldReg;c:\windows\system32\DRIVERS\CmgShREG.sys [x]
S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 atashost;WebEx Service Host for Support Center;c:\windows\SysWOW64\atashost.exe [2011-02-24 43912]
S2 CipcCdp;Cisco IP Communicator driver for CDP;c:\windows\system32\DRIVERS\CipcCdp.sys [x]
S2 Cisco WebEx Connect Upgrade Service;Cisco WebEx Connect Upgrade Service;c:\program files (x86)\WebEx\Connect\apUpdate.exe [2011-04-11 824120]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\LENOVO\HOTKEY\CAMMUTE.exe [2009-11-09 54632]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-11-17 44984]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2011-02-05 20792]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
S2 NfxUpdaterService;NfxUpdaterService;c:\program files (x86)\NetFormx\updater\NfxUpdaterEngine.exe [2011-03-28 20376]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2010-04-30 6237800]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-01-18 63928]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
S2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2010-08-24 444976]
S2 vmware-converter-server;VMware vCenter Converter Standalone Server;c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-08-24 444976]
S2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-08-24 444976]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-11-15 592120]
S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi10-shared.sys [x]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [x]
S3 connctfyMP;connctfyMP;c:\windows\system32\DRIVERS\connctfy.sys [x]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1303643608-725345543-210157Core.job
- c:\users\nicmatth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-11 16:51]
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1303643608-725345543-210157UA.job
- c:\users\nicmatth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-11 16:51]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\AMInit64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://wwwin.cisco.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
LSP: c:\program files (x86)\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 64.102.6.247 171.70.168.183 171.68.226.120
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://provision-sjc.cisco.com/CACHE/webvpn/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\
FF - user.js: network.negotiate-auth.delegation-uris - .cisco.com
FF - user.js: network.negotiate-auth.trusted-uris - .cisco.com
.
.
------- File Associations -------
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Altiris PCTransplant - c:\program files\Altiris\PCT\PCTUninstaller.exe
AddRemove-AltirisAgent - c:\program files (x86)\Altiris\Altiris Agent\AeXNSAgent.exe
AddRemove-Cisco Direct Printing - c:\ciscodirectprinting\CiscoDirectPrinting.exe
AddRemove-{92F2A534-C3E4-4B18-BEBD-329F5E848C8B} - c:\program files (x86)\Altiris\Altiris Agent\AeXNSAgent.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-07-05 11:17:00
ComboFix-quarantined-files.txt 2011-07-05 15:16
.
Pre-Run: 27,103,358,976 bytes free
Post-Run: 26,734,227,456 bytes free
.
- - End Of File - - 97B3B3EF2D4B8D6A0E6B3CDD7C23ABE5
 
After testing a bit, this seems to have fixed it.

What actually looks like it fixed it: clearing the Java cache, or was there something deeper?

Thanks for the help.
 
I'd like you to run this online virus scan:

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
 
C:\Users\nicmatth\AppData\Local\Mozilla\Firefox\Profiles\muw3urqn.default\Cache\D\BB\A9C10d01 JS/Kryptik.AQ.Gen trojan

What do you think?
 
I think you are running a work computer on the Cisco network that has less than the basic security protection- no firewall, only McAfee antimalware. I think you hoped that I could wave my magic hand and make everything okay!

I think you are slow because of things like this:
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CISCOW~1.LNK - C:\Program Files (x86)\WebEx\Connect\connect.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pidgin.lnk - C:\Program Files (x86)\Pidgin\pidgin.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TEXTER~1.LNK - C:\Program Files (x86)\Texter\texter.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Texter.lnk - C:\Program Files (x86)\Texter\texter.exe
StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\MULTIM~1.LNK - C:\Program Files (x86)\MMTaskbar\MultiMon.exe
StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
==============================================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Users\nicmatth\AppData\Local\Mozilla\Firefox\Profiles\muw3urqn.default\Cache\D\BB\A9C10d01
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==============================================
The Firefox cache temporarily stores images, scripts, and other parts of websites while you are browsing.
Clear the cache
  1. Open Firefox> Click on Tools> Options
  2. Click on Advanced> Network tab
  3. Offline Storage> click on Clear Now
-----------------------------------
Clear Private Data
  1. Open Firefox> Click on Tools> Click on Clear Recent History
    or
  2. Open Firefox> Tools> Options> Privacy> History>
  3. Set 'Use custom settings' in the dialog box> Set days to keep History (as few as possible; I have 3)
  4. Cookies> Check 'Accept cookies from websites'> Uncheck '3rd party cookies'> Check 'Clear history when Firefox closes'> Click on Settings
  5. In Settings, check Browsing History, Form & Search History
  6. In Data, check Offline Website Data

Use any of the above or a combination of the above.
=====================================
I suggest you put a bi-directional firewall on the system and add antimalware programs such as Spywareblaster.
I think there is too much work-related software installed for me to try and remove entries.
=====================================
Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
    [o] Click START> then RUN
    [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
    [o] Double click OTCleanIt.exe.
    [o] Click the CleanUp! button.
    [o] If you are prompted to Reboot during the cleanup, select Yes.
    [o] The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
  • Set a new, clean Restore Point
    [o] Click on Start> right click on Computer> Properties
    [o] Select System Protection
    [o] Click on the Create button (near bottom)
    [o] Type a name for the Restore Point
    [o] Click on Create again to save the restore point.
  • Deleting all but the most recent System Protection point in Windows 7
    [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
    [o] Click Disk Cleanup from there.

    [o] Click Clean up system files
    This restarts Disk Cleanup to run in elevated mode.
    [o] Click the More Options tab

    [o] Click the Clean up under System Restore and Shadow Copies.
    [o] Click OK.
    [o] You will get a confirmation screen> Just click Delete.
    [o] Click OK on the Disk Cleanup Screen.
    [o] Click Delete Files on the Confirmation screen.

This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
Images courtesy lytebyte.

Empty the Recycle Bin

Please update Java to v6u26 (Java Updates). Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
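Editor's added example, not part of the helper's post or any tool used in this thread: the StartupFolder entries the helper lists above come from the per-user and all-users Startup folders (C:\ALLUSE~1 is ProgramData on Windows 7). The PowerShell below enumerates those two folders, resolves each .lnk shortcut to its target and arguments, and reports whether the target exists and carries a valid Authenticode signature. The signature check is an assumption of what a practitioner would want for triage; the thread itself only lists the entries. The folder paths are assumed to be the standard Windows 7 locations.

```powershell
# Added example (not from the original thread): triage Startup-folder
# shortcuts for the current user and for all users.
# Assumes the standard Windows 7 Startup folder locations.

$startupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)

# WScript.Shell resolves .lnk files without third-party modules.
$wsh = New-Object -ComObject WScript.Shell

$startupDirs |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -Filter *.lnk } |
    ForEach-Object {
        $lnk    = $wsh.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        $exists = ($target -ne '') -and (Test-Path -LiteralPath $target)

        # An unsigned or invalidly signed startup target deserves a closer
        # look; mainstream vendor software should normally report Valid.
        $sigStatus = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $target).Status
        } else {
            'TargetMissing'
        }

        # New-Object PSObject keeps this runnable on PowerShell 2.0 (Windows 7).
        New-Object PSObject -Property @{
            StartupFolder = $_.DirectoryName
            Shortcut      = $_.Name
            Target        = $target
            Arguments     = $lnk.Arguments
            Signature     = $sigStatus
        }
    } |
    Select-Object StartupFolder, Shortcut, Target, Arguments, Signature |
    Sort-Object Signature |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so the all-users folder is readable. Two caveats when reading the output: a target under C:\Windows\Installer\{GUID}\ (like the VPNGUI~1.LNK entry above) is the normal icon stub of an MSI advertised shortcut, not by itself a sign of trouble; and a missing target means the shortcut is dead weight that can be removed, while a present but unsigned target is the entry to research before deleting anything.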
 
Wasn't really expecting a magic solution - was actually just kind of curious which of the steps had fixed the problem. My computer has been running fine since running combofix. Thanks for help, I'll do all this stuff.
 
Okay. Sometimes we can't pin down the exact entries that were the cause. Combofix removed some, OTM removed some and emptying the Java cache removed some.
 