ComboFix 13-08-01.01 - TurnerAdmin 08/01/2013 13:27:21.1.4 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3241.2079 [GMT -7:00]
Running from: c:\users\sfschultz\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\DRM\2D4C.tmp
c:\programdata\Microsoft\Windows\DRM\983.tmp
c:\programdata\Microsoft\Windows\DRM\A5F.tmp
c:\users\sfschultz\chrome.exe
c:\users\sfschultz\mstsc.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-07-01 to 2013-08-01 )))))))))))))))))))))))))))))))
.
.
2013-08-01 20:01 . 2013-08-01 20:01 -------- d-----w- C:\_OTL
2013-07-31 22:43 . 2013-07-31 22:44 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-07-31 22:40 . 2013-07-31 22:40 -------- d-----w- c:\program files\Tweaking.com
2013-07-31 22:17 . 2013-07-31 22:19 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2013-07-31 22:10 . 2013-07-31 22:10 -------- d-----w- c:\program files\Microsoft Silverlight
2013-07-31 22:06 . 2013-07-31 22:06 -------- d-----w- c:\programdata\webex
2013-07-31 22:01 . 2013-07-31 22:01 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-31 22:01 . 2013-07-31 22:01 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-31 21:58 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
2013-07-31 21:56 . 2012-09-25 22:47 78336 ----a-w- c:\windows\system32\synceng.dll
2013-07-31 21:55 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll
2013-07-31 21:55 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2013-07-31 21:54 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\system32\msxml3.dll
2013-07-31 21:54 . 2010-06-26 03:24 2048 ----a-w- c:\windows\system32\msxml3r.dll
2013-07-31 21:54 . 2012-06-06 05:05 143360 ----a-w- c:\program files\Common Files\System\ado\msjro.dll
2013-07-31 21:54 . 2012-06-06 05:05 372736 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2013-07-31 21:54 . 2012-06-06 05:05 57344 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2013-07-31 21:54 . 2012-06-06 05:05 352256 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2013-07-31 21:54 . 2012-06-06 05:05 212992 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2013-07-31 21:54 . 2012-06-06 05:05 1019904 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2013-07-31 21:54 . 2012-06-06 05:03 805376 ----a-w- c:\windows\system32\cdosys.dll
2013-07-31 21:52 . 2011-05-24 10:44 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
2013-07-31 21:52 . 2013-07-31 21:52 -------- d-----w- c:\program files\MSXML 4.0
2013-07-31 21:52 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\system32\msxml6.dll
2013-07-31 21:52 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-07-31 21:52 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll
2013-07-31 21:52 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll
2013-07-31 21:51 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2013-07-31 21:51 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2013-07-31 21:51 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2013-07-31 21:51 . 2011-07-09 02:30 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2013-07-31 21:51 . 2011-04-27 02:17 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2013-07-31 21:51 . 2011-04-27 02:17 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2013-07-31 21:51 . 2013-07-31 21:51 -------- d-sh--w- c:\windows\system32\%APPDATA%
2013-07-31 21:50 . 2012-08-24 16:57 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-07-31 21:20 . 2013-07-31 21:20 -------- d-----w- c:\program files\ESET
2013-07-31 20:40 . 2013-07-31 20:44 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-31 20:40 . 2013-07-31 20:40 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-07-31 20:21 . 2013-07-31 20:21 -------- d-----w- c:\users\sfschultz\AppData\Roaming\Malwarebytes
2013-07-31 20:07 . 2013-07-31 20:07 -------- d-----w- c:\programdata\Malwarebytes
2013-07-31 20:07 . 2013-07-31 20:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-07-31 20:07 . 2013-04-04 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-31 20:06 . 2013-07-31 20:06 -------- d-----w- c:\users\TurnerAdmin
2013-07-16 20:28 . 2013-07-31 17:36 -------- d-----w- c:\users\sfschultz\AppData\Local\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-01 23:24 . 2013-07-01 23:24 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-07-01 23:24 . 2013-07-01 23:24 89600 ----a-w- c:\windows\system32\atl71.dll
2013-07-01 23:24 . 2013-07-01 23:24 87368 ----a-w- c:\windows\system32\FwsVpn.dll
2013-07-01 23:24 . 2013-07-01 23:24 107848 ----a-w- c:\windows\system32\SymVPN.dll
2013-07-01 23:24 . 2013-07-01 23:24 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2013-07-01 23:24 . 2013-07-01 23:24 320560 ----a-w- c:\windows\system32\drivers\srtspl.sys
2013-07-01 23:24 . 2013-07-01 23:24 281648 ----a-w- c:\windows\system32\drivers\srtsp.sys
2013-07-01 23:19 . 2013-07-01 23:19 205312 ----a-w- c:\windows\system32\Turner Screen Saver 2009.scr
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-02-22 488816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-10 142680]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-10 176472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-10 175448]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SAP_WUS_UNT"="c:\program files\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe" [2010-02-25 226672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2013-07-01 115560]
"GoToMeetingInstall1132"="c:\program files\Citrix\GoToMeeting\1132\G2MInstaller.exe" [2013-07-31 40816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ASYNCMAC"="streamci" [X]
"iessetup"="c:\program files\Internet Explorer\iessetup.dll" [2009-07-14 16384]
"wmssetup"="c:\program files\Windows Media Player\wmssetup.dll" [2009-07-14 16384]
"ehssetup"="c:\windows\ehome\ehssetup.dll" [2009-07-14 16384]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2013-04-04 532040]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico -user_logon [2013-7-1 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 4 (0x4)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 1 (0x1)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"FilterAdministratorToken"= 1 (0x1)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-1708537768-1801674531-72771\Scripts\Logon\0\0]
"Script"=\\tcco.org\NETLOGON\symantecsvctest.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-1708537768-1801674531-72771\Scripts\Logon\1\0]
"Script"=\\tcco.org\netlogon\home_data.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-13 7680]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2011-02-22 33832]
R3 d554gps;Dell Wireless HSPA Mini-Card GPS Port;c:\windows\system32\drivers\d554gps.sys [2011-02-22 87592]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2009-07-13 214016]
R3 ecnssndis; Mobile Broadband Driver;c:\windows\System32\Drivers\wwanuss.sys [2011-02-22 23592]
R3 ecnssndisfltr; Mobile Broadband Driver Filter;c:\windows\System32\Drivers\wwanussf.sys [2011-02-22 26152]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-02-22 132480]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-07-31 31560]
R3 Mbm3CBus;Dell Wireless 5530 HSPA Mini-Card Device (WDM);c:\windows\system32\drivers\Mbm3CBus.sys [2011-02-22 361032]
R3 Mbm3DevMt;Dell Wireless HSPA Mini-Card Device Management Driver (WDM);c:\windows\system32\drivers\Mbm3DevMt.sys [2011-02-22 396872]
R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-02-22 41088]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-02-22 62208]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-02-22 141568]
R3 nwdelgobi3kfilter;Dell Wireless Gobi 3000 USB Composite Device Filter Driver;c:\windows\system32\drivers\nwdelgobi3kfilter.sys [2011-02-22 27264]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [2011-02-22 176384]
R3 NWDellPort2;Dell Wireless Mobile Broadband Status2 Port Driver;c:\windows\system32\drivers\nwdelser2.sys [2011-02-22 176384]
R3 nwdelserial;Dell Wireless Mobile Broadband Serial Driver;c:\windows\system32\drivers\nwdelserial.sys [2011-02-22 191488]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2011-02-22 62440]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
R3 tcm;tcm;c:\windows\system32\drivers\tcm.sys [2011-02-22 12952]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 17648]
S2 NWSAPAutoWorkstationUpdateSvc;SAPSetup Automatic Workstation Update Service;c:\program files\SAP\SAPsetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe [2010-02-25 263536]
S2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [2013-07-08 4157280]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2011-02-22 43888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-06-17 106656]
S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-05-01 7513088]
S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\DRIVERS\O2MDFw7.sys [2011-02-22 60904]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-02-22 63848]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-31 22:01]
.
.
------- Supplementary Scan -------
.
Trusted Zone: 0.0.0.0
Trusted Zone: finance.turner
Trusted Zone: hochtief.com
Trusted Zone: intellinex.com
Trusted Zone: intellinex.com\turner
Trusted Zone: intellinex.com
Trusted Zone: intellinex.com \turner
Trusted Zone: tcco.com
Trusted Zone: turnerbenefits.com
Trusted Zone: turnerconstruction.com\www
Trusted Zone: turnerknowledge.com
Trusted Zone: turneruniversity.com\www
TCP: DhcpNameServer = 172.18.90.13 172.18.2.74 172.18.2.75
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mbamchameleon
SafeBoot-Symantec Antvirus
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2327948209-3899909735-1460329902-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,b8,46,34,de,36,ba,42,b3,50,9e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,b8,46,34,de,36,ba,42,b3,50,9e,\
.
Completion time: 2013-08-01 13:31:05
ComboFix-quarantined-files.txt 2013-08-01 20:31
.
Pre-Run: 99,389,276,160 bytes free
Post-Run: 99,663,929,344 bytes free
.
- - End Of File - - 02DBEFE30DB9A51AE1B3E4A616BADDD5 A36C5E4F47E84449FF07ED3517B43A31