
Solved Google Redirect Issue

Discussion in 'Malware and Virus Removal Archive' started by quirkymac, 2010/03/24.

  1. 2010/03/24
    quirkymac, Thread Starter
    [Resolved] Google Redirect Issue

    Hi there,
    I have come across this before and you were able to help get rid of the issue; however, the same steps to remove the issue did not work this time.

    Symptoms:

    On the first click on a Google search result, IE is taken to a page that was not indicated in the search; if I click the search result again, I get taken to the correct link.

    DDS report

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Milne Clan at 6:30:24.95 on Thu 25/03/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Professional 6.1.7600.0.1252.61.1033.18.2006.1253 [GMT 11:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\ibmpmsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\Explorer.EXE
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\TpShocks.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    C:\Windows\system32\AEADISRV.EXE
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
    C:\Windows\system32\sppsvc.exe
    C:\Program Files\Lenovo\System Update\SUService.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Milne Clan\Desktop\dds.scr
    C:\Windows\system32\conhost.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [TpShocks] TpShocks.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
    mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
    mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll

    ============= SERVICES / DRIVERS ===============

    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-6-29 20520]
    R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 149040]
    R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-1-4 62320]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-6-18 42368]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-11 4231168]
    S2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\drivers\Ca1528av.sys [2010-2-21 516480]
    S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-1-4 45424]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
    S3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\drivers\Bulk1528.sys [2010-2-21 11648]
    S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-1-4 75040]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-12 1343400]
    S4 Vhdmhervm;Vhdmhervm;c:\windows\system32\diskraid.exe [2009-7-14 276480]

    =============== Created Last 30 ================

    2010-03-24 19:01:35 0 d-sh--w- C:\$RECYCLE.BIN
    2010-03-24 18:54:01 77312 ----a-w- c:\windows\MBR.exe
    2010-03-24 18:54:00 98816 ----a-w- c:\windows\sed.exe
    2010-03-24 18:54:00 261632 ----a-w- c:\windows\PEV.exe
    2010-03-24 18:54:00 161792 ----a-w- c:\windows\SWREG.exe
    2010-03-23 19:27:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-03-23 19:27:40 0 d-----w- c:\programdata\Hitman Pro
    2010-03-23 19:27:34 0 d-----w- c:\program files\Hitman Pro 3.5
    2010-03-18 12:18:23 0 d-----w- c:\program files\VideoLAN
    2010-03-11 17:17:26 0 d-----w- c:\windows\system32\Wat
    2010-03-11 17:16:13 641536 ----a-w- c:\windows\system32\CPFilters.dll
    2010-03-11 17:16:13 204288 ----a-w- c:\windows\system32\MSNP.ax
    2010-03-11 17:16:12 465408 ----a-w- c:\windows\system32\psisdecd.dll
    2010-03-11 17:16:12 417792 ----a-w- c:\windows\system32\msdri.dll
    2010-03-11 17:16:10 369152 ----a-w- c:\windows\system32\secproc.dll
    2010-03-11 17:16:10 365568 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-03-11 17:16:10 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-03-11 17:16:10 320512 ----a-w- c:\windows\system32\RMActivate.exe
    2010-03-11 17:16:09 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-03-11 17:16:09 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-03-11 17:16:09 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-03-11 17:16:09 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-03-09 06:48:42 0 d-----w- c:\users\milnec~1\appdata\roaming\LEAPS
    2010-03-09 06:46:07 0 d-----w- c:\users\milnec~1\appdata\roaming\Pegasys Inc
    2010-03-09 06:43:36 0 d-----w- c:\program files\Pegasys Inc
    2010-02-24 08:52:23 2048 ----a-w- c:\windows\system32\tzres.dll

    ==================== Find3M ====================

    2010-02-23 23:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
    2010-02-19 20:53:40 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-02-14 19:05:30 56 ---ha-w- c:\programdata\ezsidmv.dat
    2010-01-28 22:28:24 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 6:30:55.27 ===============
  2. 2010/03/24
    quirkymac, Thread Starter
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/01/2010 3:53:08 PM
    System Uptime: 25/03/2010 6:24:49 AM (0 hours ago)

    Motherboard: LENOVO | | 7659AB8
    Processor: Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz | None | 2001/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 53.775 GiB free.
    D: is CDROM ()
    E: is CDROM (UDF)

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_20CA17AA&REV_11\4&1F10D8AF&0&04F0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_20CA17AA&REV_11\4&1F10D8AF&0&04F0
    Service:

    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_20C917AA&REV_11\4&1F10D8AF&0&03F0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_20C917AA&REV_11\4&1F10D8AF&0&03F0
    Service:

    ==== System Restore Points ===================

    RP91: 18/03/2010 9:34:06 AM - Windows Update
    RP92: 19/03/2010 10:24:35 AM - Windows Update
    RP93: 20/03/2010 12:09:39 PM - Windows Update
    RP94: 21/03/2010 2:16:04 PM - Windows Update
    RP95: 22/03/2010 2:07:22 PM - Windows Update
    RP96: 25/03/2010 5:54:06 AM - ComboFix created restore point
    RP97: 25/03/2010 6:07:45 AM - Removed HD View

    ==== Installed Programs ======================

    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color Common Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS
    Adobe Premiere Pro CS3
    Adobe Premiere Pro CS3 Functional Content
    Adobe Premiere Pro CS3 Third Party Content
    Adobe Reader 9.3.1
    Adobe Setup
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    Canon Inkjet Printer Driver Add-On Module
    Castle Link
    Command & Conquer™ Red Alert™ 3
    FMS
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) TV Wizard
    Java(TM) 6 Update 17
    Lenovo System Interface Driver
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ Run Time Lib Setup
    MSVCRT
    On Screen Display
    OpenOffice.org 3.1
    Picasa 3
    Skype™ 4.1
    SoundMAX
    SPCA1528 PC Driver
    System Update
    ThinkPad FullScreen Magnifier
    ThinkPad Hotkey Features Setup
    ThinkPad Modem
    ThinkPad Power Management Driver
    ThinkPad Power Manager
    ThinkVantage Active Protection System
    TMPGEnc 4.0 XPress
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.0.5
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Movie Maker
    Windows Live OneCare safety scanner
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows XP Mode
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    25/03/2010 6:25:24 AM, Error: Service Control Manager [7000] - The SPCA1528 Video Camera Service service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    25/03/2010 6:15:14 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.79.274.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5605.0 Error code: 0x80072ee2 Error description: The operation timed out
    25/03/2010 6:00:10 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    25/03/2010 5:54:36 AM, Error: Service Control Manager [7034] - The XAudioService service terminated unexpectedly. It has done this 1 time(s).
    25/03/2010 5:53:09 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.79.274.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5605.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    25/03/2010 5:49:14 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.79.274.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5605.0 Error code: 0x80072ee2 Error description: The operation timed out
    24/03/2010 4:23:32 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.79.274.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5605.0 Error code: 0x80072ee2 Error description: The operation timed out
    23/03/2010 2:19:54 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.79.274.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5605.0 Error code: 0x80072ee2 Error description: The operation timed out
    20/03/2010 8:32:41 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SUService service.

    ==== End Of File ===========================
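The DDS "Pseudo HJT Report" section above is where the usual redirect vectors show up (start/search pages, proxy settings, BHOs, DPF/ActiveX downloads). The script below is an added example for this thread, not code from DDS, ComboFix or either poster: it reads lines in the format DDS prints and flags the entries that commonly sit behind "first click on a search result goes elsewhere". The allow-lists are assumptions made for the example; the sample input reuses the clean lines from the log posted above plus three constructed suspicious lines that are marked as such.

```python
"""Triage of the "Pseudo HJT Report" lines of a DDS log for redirect vectors.

Added example for this thread, not part of DDS, ComboFix or anything the
posters ran.  Flags: a proxy set in Internet Settings, start/search pages on
untrusted hosts, BHOs loaded from outside Program Files / Windows, and DPF
(ActiveX) downloads from unexpected hosts.  Allow-lists are assumptions.
"""
import re
from dataclasses import dataclass

SEARCH_ALLOW = ("google.com", "google.com.au", "bing.com", "live.com")  # assumption
DPF_ALLOW = ("java.sun.com", "fpdownload2.macromedia.com", "platformdl.adobe.com")
# Where BHO DLLs normally live; DDS prints paths lower-cased, so compare lower-cased.
MODULE_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",
                "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

_URL_RE = re.compile(r"h[xt]{2}ps?://([^/\s]+)", re.IGNORECASE)  # DDS defangs http as hxxp
_BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?):\s*\{[0-9A-Fa-f-]+\}\s*-\s*(?P<path>.+)$")
_DPF_RE = re.compile(r"^DPF:\s*\{[0-9A-Fa-f-]+\}\s*-\s*(?P<url>\S+)$")
# u = per-user (HKCU), m = machine (HKLM); keys may contain ',' and '()'.
_SETTING_RE = re.compile(r"^(?P<key>[um][\w ,()]+?)\s*=\s*(?P<value>.*)$")


@dataclass
class Finding:
    severity: str  # "high": likely redirect vector; "info": worth a look
    line: str
    reason: str


def host_of(url):
    m = _URL_RE.search(url)
    return m.group(1).lower() if m else ""


def host_allowed(host, allow):
    return any(host == d or host.endswith("." + d) for d in allow)


def triage(lines):
    """Return the suspicious lines of a DDS HJT section as Finding objects."""
    out = []
    for raw in lines:
        line = raw.strip()
        if m := _BHO_RE.match(line):
            if not m.group("path").lower().startswith(MODULE_ROOTS):
                out.append(Finding("high", line, "BHO DLL outside Program Files/Windows"))
        elif m := _DPF_RE.match(line):
            if not host_allowed(host_of(m.group("url")), DPF_ALLOW):
                out.append(Finding("info", line, "ActiveX download from unexpected host"))
        elif m := _SETTING_RE.match(line):
            key, value = m.group("key").lower(), m.group("value")
            if "proxyserver" in key:
                out.append(Finding("high", line, "proxy set; all IE traffic can be rewritten"))
            elif "proxyoverride" in key:
                out.append(Finding("info", line, "proxy bypass list present"))
            elif any(k in key for k in ("start page", "search", "default_page_url")):
                host = host_of(value)
                if host and not host_allowed(host, SEARCH_ALLOW):
                    out.append(Finding("high", line, "start/search page on untrusted host " + host))
    return out


# Sample input: the clean lines are copied from the DDS log in this thread; the
# three marked CONSTRUCTED are made up for the example and are not from the thread.
SAMPLE_LINES = [
    r"uStart Page = hxxp://www.google.com.au/",
    r"uInternet Settings,ProxyOverride = *.local",
    r"uSearchAssistant = hxxp://www.google.com/ie",
    r"uSearchURL,(Default) = hxxp://www.google.com/search?q=%s",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    r"DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab",
    r"DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5555",  # CONSTRUCTED: user proxy to a local port
    r"mStart Page = hxxp://search.example-redirect.test/",  # CONSTRUCTED: machine-wide start page
    r"BHO: Search Helper: {00000000-0000-0000-0000-000000000001} - c:\users\example\appdata\local\temp\srchhlp.dll",  # CONSTRUCTED
    r"DPF: {00000000-0000-0000-0000-000000000002} - hxxp://cdn.example-redirect.test/x.cab",  # CONSTRUCTED
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Paste the lines between "Pseudo HJT Report" and "SERVICES / DRIVERS" into SAMPLE_LINES (or feed them from a file) and the script lists only the entries worth looking at; on the log posted here nothing beyond the *.local proxy bypass is flagged, which is consistent with the redirect living somewhere other than the IE settings.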

  4. 2010/03/24
    broni, Moderator / Malware Analyst
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
  5. 2010/03/25
    quirkymac, Thread Starter
    ComboFix 10-03-24.02 - Milne Clan 25/03/2010 17:07:07.3.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.61.1033.18.2006.1226 [GMT 11:00]
    Running from: c:\users\Milne Clan\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
    .

    2010-03-25 06:11 . 2010-03-25 06:11 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-03-25 06:11 . 2010-03-25 06:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-03-25 06:06 . 2010-03-25 06:06 -------- d-----w- C:\32788R22FWJFW
    2010-03-25 01:32 . 2010-03-25 01:32 -------- d-----w- c:\program files\Trend Micro
    2010-03-24 20:48 . 2010-03-24 20:48 388096 ----a-r- c:\users\Milne Clan\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-24 20:48 . 2010-03-24 20:48 -------- d-----w- c:\program files\TrendMicro
    2010-03-24 19:01 . 2010-03-25 06:11 -------- d-----w- c:\users\Milne Clan\AppData\Local\temp
    2010-03-23 19:27 . 2010-03-23 19:27 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-03-23 19:27 . 2010-03-23 19:27 -------- d-----w- c:\programdata\Hitman Pro
    2010-03-23 19:27 . 2010-03-23 19:27 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-03-18 12:18 . 2010-03-20 09:38 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\vlc
    2010-03-18 12:18 . 2010-03-18 12:18 -------- d-----w- c:\program files\VideoLAN
    2010-03-11 17:17 . 2010-03-11 17:17 -------- d-----w- c:\windows\system32\Wat
    2010-03-11 17:16 . 2009-12-13 09:30 641536 ----a-w- c:\windows\system32\CPFilters.dll
    2010-03-11 17:16 . 2009-12-13 09:30 465408 ----a-w- c:\windows\system32\psisdecd.dll
    2010-03-11 17:16 . 2009-12-13 09:29 417792 ----a-w- c:\windows\system32\msdri.dll
    2010-03-11 17:16 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-03-11 17:16 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll
    2010-03-11 17:16 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-03-11 17:16 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe
    2010-03-11 17:16 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-03-11 17:16 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-03-11 17:16 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-03-11 17:16 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-03-09 06:48 . 2010-03-09 06:48 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\LEAPS
    2010-03-09 06:46 . 2010-03-09 06:46 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Pegasys Inc
    2010-03-09 06:43 . 2010-03-09 06:43 -------- d-----w- c:\program files\Pegasys Inc
    2010-03-04 19:03 . 2010-03-04 19:03 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
    2010-03-04 19:03 . 2010-03-04 19:03 336192 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-02-24 08:52 . 2010-02-02 07:45 2048 ----a-w- c:\windows\system32\tzres.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-25 05:08 . 2010-02-14 19:05 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\skypePM
    2010-03-24 20:50 . 2010-02-14 14:54 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Skype
    2010-03-24 19:08 . 2010-02-05 20:47 -------- d-----w- c:\programdata\Lavasoft
    2010-03-24 19:08 . 2010-01-06 07:12 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\uTorrent
    2010-03-18 00:08 . 2010-01-07 09:01 1 ----a-w- c:\users\Milne Clan\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-03-11 16:02 . 2010-01-04 06:29 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-02-23 23:16 . 2010-01-04 06:16 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-20 20:46 . 2010-02-20 20:46 -------- d-----w- c:\program files\SPCA1528
    2010-02-20 20:46 . 2010-01-04 06:13 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
    2010-02-19 20:53 . 2010-02-19 20:53 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-02-14 19:05 . 2010-02-14 19:05 56 ---ha-w- c:\programdata\ezsidmv.dat
    2010-02-14 14:53 . 2010-02-14 14:53 -------- d-----w- c:\program files\Common Files\Skype
    2010-02-14 14:53 . 2010-02-14 14:53 -------- d-----r- c:\program files\Skype
    2010-02-14 14:53 . 2010-01-28 22:27 -------- d-----w- c:\programdata\Skype
    2010-02-09 16:42 . 2010-02-09 11:54 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-02-05 06:27 . 2010-01-04 05:54 61736 ----a-w- c:\users\Milne Clan\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-05 06:27 . 2010-02-05 06:25 -------- d-----w- c:\programdata\Microsoft Help
    2010-02-02 11:04 . 2010-02-02 03:03 -------- d-----w- c:\program files\FMS
    2010-02-02 02:47 . 2010-02-02 02:47 -------- d-----w- c:\program files\HeliSim
    2010-02-01 04:11 . 2010-02-01 04:11 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Leawo
    2010-01-31 01:54 . 2010-01-24 21:01 539 ----a-w- c:\users\Milne Clan\AppData\Local\CastleLinkProps.dat
    2010-01-28 22:28 . 2010-01-28 22:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2010-01-28 22:28 . 2010-01-28 22:28 -------- d-----w- c:\program files\Common Files\logishrd
    2010-01-24 20:59 . 2010-01-24 20:59 -------- d-----w- c:\program files\Castle Creations
    2010-01-08 03:18 . 2010-02-10 05:19 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-01-08 03:17 . 2010-02-10 05:19 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-03-25_01.39.57 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2010-01-04 04:51 . 2010-03-24 20:50 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-01-04 04:51 . 2010-03-25 02:57 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-01-04 04:51 . 2010-03-24 20:50 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-04 04:51 . 2010-03-25 02:57 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:41 . 2010-03-24 20:50 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:41 . 2010-03-25 02:57 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-01-06 23:07 . 2010-03-25 06:01 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-06 23:07 . 2010-03-25 01:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-06 23:07 . 2010-03-25 01:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2010-01-06 23:07 . 2010-03-25 06:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2010-01-06 23:07 . 2010-03-25 01:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    + 2010-01-06 23:07 . 2010-03-25 06:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    + 2010-01-04 08:14 . 2010-03-25 06:01 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-04 08:14 . 2010-03-25 01:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-04 05:43 . 2010-03-25 05:08 260676 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TpShocks"="TpShocks.exe" [2009-07-08 337184]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
    "PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-08 714016]
    "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
    "LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-19 62752]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-06 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-06 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-06 150552]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-18 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    R2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\Drivers\Ca1528av.sys [2008-12-16 516480]
    R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
    R3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\Drivers\Bulk1528.sys [2008-06-27 11648]
    R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-08 75040]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-11 1343400]
    R4 Vhdmhervm;Vhdmhervm;c:\windows\system32\diskraid.exe [2009-07-14 276480]
    S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
    S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
    S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-14 62320]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:00000009

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(5184)
    c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
    c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
    c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
    .
    Completion time: 2010-03-25 17:12:17
    ComboFix-quarantined-files.txt 2010-03-25 06:12
    ComboFix2.txt 2010-03-25 01:41
    ComboFix3.txt 2010-03-24 19:01

    Pre-Run: 63,617,748,992 bytes free
    Post-Run: 63,567,020,032 bytes free

    - - End Of File - - BBD1A9F49996A2A71A8883F62A66D3C7
     
  6. 2010/03/25
    quirkymac Inactive Thread Starter
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:03:43 PM, on 25/03/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\System32\TpShocks.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    O4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
    O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
    O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
    O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
    O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 5285 bytes
     
  7. 2010/03/25
    quirkymac Inactive Thread Starter
    Also of interest is that I keep getting a popup box with the following information every time I visit this page.

    Your browser is under the threat of infection. Windows requires your permission to install online protection tool. Your browser is run in unsafe mode. Running the protection mode will help you to keep your computer safe. Staying at the suspicious website in unsafe mode may lead to the loss of personal data and computer breakage. To run the web browser in protected mode Windows requires installing the certified antivirus scanner software and online protection tool.

    Name: Online Protection Tool
    Publisher: Microsoft Windows
    Always trust this website
     
  8. 2010/03/25
    quirkymac Inactive Thread Starter
    Obviously I chose not to 'Allow' this to run.
     
  9. 2010/03/25
    broni Moderator Malware Analyst
    I can see you ran Combofix before.
    I'd like to see the ComboFix2.txt and ComboFix3.txt files.
    Do you have any other browser installed, so we can see if it's getting redirected as well?


    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\programdata\ezsidmv.dat
    c:\windows\system32\drivers\lvuvc.hs
    
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  10. 2010/03/25
    quirkymac Inactive Thread Starter
    Thanks Broni.
    Just ran combofix with the script.

    It told me there was a new version so, as per your instructions, I allowed it to update. It seemed to be running fine; it went through all the sections, then moved on to deleting the two files, but then I got a BSOD and the resulting reboot.

    The computer is back up and running but I don't know what to do... do I run the CF script again?
    I had a look to see if a combofix.txt report had been created, but opening the combofix folder (in the C:\ drive) seems to now take me to My Computer.

    I will not do anything further until instructed.
    QK
     
  11. 2010/03/25
    quirkymac Inactive Thread Starter
    BSOD report

    Problem signature:
    Problem Event Name: BlueScreen
    OS Version: 6.1.7600.2.0.0.256.48
    Locale ID: 3081

    Additional information about the problem:
    BCCode: 1000008e
    BCP1: 80000004
    BCP2: 82C8F330
    BCP3: 8E137BA0
    BCP4: 00000000
    OS Version: 6_1_7600
    Service Pack: 0_0
    Product: 256_1

    Files that help describe the problem:
    C:\Windows\Minidump\032610-20794-01.dmp
    C:\Users\Milne Clan\AppData\Local\temp\WER-53040-0.sysdata.xml
     
  12. 2010/03/25
    broni Moderator Malware Analyst
    Please, re-run the script.
     
  13. 2010/03/25
    quirkymac Inactive Thread Starter
    Combofix2.txt
    ComboFix 10-03-24.02 - Milne Clan 25/03/2010 17:07:07.3.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.61.1033.18.2006.1226 [GMT 11:00]
    Running from: c:\users\Milne Clan\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
    .

    2010-03-25 06:11 . 2010-03-25 06:11 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-03-25 06:11 . 2010-03-25 06:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-03-25 06:06 . 2010-03-25 06:06 -------- d-----w- C:\32788R22FWJFW
    2010-03-25 01:32 . 2010-03-25 01:32 -------- d-----w- c:\program files\Trend Micro
    2010-03-24 20:48 . 2010-03-24 20:48 388096 ----a-r- c:\users\Milne Clan\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-24 20:48 . 2010-03-24 20:48 -------- d-----w- c:\program files\TrendMicro
    2010-03-24 19:01 . 2010-03-25 06:11 -------- d-----w- c:\users\Milne Clan\AppData\Local\temp
    2010-03-23 19:27 . 2010-03-23 19:27 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-03-23 19:27 . 2010-03-23 19:27 -------- d-----w- c:\programdata\Hitman Pro
    2010-03-23 19:27 . 2010-03-23 19:27 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-03-18 12:18 . 2010-03-20 09:38 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\vlc
    2010-03-18 12:18 . 2010-03-18 12:18 -------- d-----w- c:\program files\VideoLAN
    2010-03-11 17:17 . 2010-03-11 17:17 -------- d-----w- c:\windows\system32\Wat
    2010-03-11 17:16 . 2009-12-13 09:30 641536 ----a-w- c:\windows\system32\CPFilters.dll
    2010-03-11 17:16 . 2009-12-13 09:30 465408 ----a-w- c:\windows\system32\psisdecd.dll
    2010-03-11 17:16 . 2009-12-13 09:29 417792 ----a-w- c:\windows\system32\msdri.dll
    2010-03-11 17:16 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-03-11 17:16 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll
    2010-03-11 17:16 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-03-11 17:16 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe
    2010-03-11 17:16 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-03-11 17:16 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-03-11 17:16 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-03-11 17:16 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-03-09 06:48 . 2010-03-09 06:48 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\LEAPS
    2010-03-09 06:46 . 2010-03-09 06:46 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Pegasys Inc
    2010-03-09 06:43 . 2010-03-09 06:43 -------- d-----w- c:\program files\Pegasys Inc
    2010-03-04 19:03 . 2010-03-04 19:03 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
    2010-03-04 19:03 . 2010-03-04 19:03 336192 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-02-24 08:52 . 2010-02-02 07:45 2048 ----a-w- c:\windows\system32\tzres.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-25 05:08 . 2010-02-14 19:05 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\skypePM
    2010-03-24 20:50 . 2010-02-14 14:54 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Skype
    2010-03-24 19:08 . 2010-02-05 20:47 -------- d-----w- c:\programdata\Lavasoft
    2010-03-24 19:08 . 2010-01-06 07:12 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\uTorrent
    2010-03-18 00:08 . 2010-01-07 09:01 1 ----a-w- c:\users\Milne Clan\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-03-11 16:02 . 2010-01-04 06:29 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-02-23 23:16 . 2010-01-04 06:16 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-20 20:46 . 2010-02-20 20:46 -------- d-----w- c:\program files\SPCA1528
    2010-02-20 20:46 . 2010-01-04 06:13 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
    2010-02-19 20:53 . 2010-02-19 20:53 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-02-14 19:05 . 2010-02-14 19:05 56 ---ha-w- c:\programdata\ezsidmv.dat
    2010-02-14 14:53 . 2010-02-14 14:53 -------- d-----w- c:\program files\Common Files\Skype
    2010-02-14 14:53 . 2010-02-14 14:53 -------- d-----r- c:\program files\Skype
    2010-02-14 14:53 . 2010-01-28 22:27 -------- d-----w- c:\programdata\Skype
    2010-02-09 16:42 . 2010-02-09 11:54 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-02-05 06:27 . 2010-01-04 05:54 61736 ----a-w- c:\users\Milne Clan\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-05 06:27 . 2010-02-05 06:25 -------- d-----w- c:\programdata\Microsoft Help
    2010-02-02 11:04 . 2010-02-02 03:03 -------- d-----w- c:\program files\FMS
    2010-02-02 02:47 . 2010-02-02 02:47 -------- d-----w- c:\program files\HeliSim
    2010-02-01 04:11 . 2010-02-01 04:11 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Leawo
    2010-01-31 01:54 . 2010-01-24 21:01 539 ----a-w- c:\users\Milne Clan\AppData\Local\CastleLinkProps.dat
    2010-01-28 22:28 . 2010-01-28 22:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2010-01-28 22:28 . 2010-01-28 22:28 -------- d-----w- c:\program files\Common Files\logishrd
    2010-01-24 20:59 . 2010-01-24 20:59 -------- d-----w- c:\program files\Castle Creations
    2010-01-08 03:18 . 2010-02-10 05:19 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-01-08 03:17 . 2010-02-10 05:19 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-03-25_01.39.57 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2010-01-04 04:51 . 2010-03-24 20:50 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-01-04 04:51 . 2010-03-25 02:57 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-01-04 04:51 . 2010-03-24 20:50 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-04 04:51 . 2010-03-25 02:57 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:41 . 2010-03-24 20:50 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:41 . 2010-03-25 02:57 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-01-06 23:07 . 2010-03-25 06:01 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-06 23:07 . 2010-03-25 01:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-06 23:07 . 2010-03-25 01:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2010-01-06 23:07 . 2010-03-25 06:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2010-01-06 23:07 . 2010-03-25 01:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    + 2010-01-06 23:07 . 2010-03-25 06:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    + 2010-01-04 08:14 . 2010-03-25 06:01 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-04 08:14 . 2010-03-25 01:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-04 05:43 . 2010-03-25 05:08 260676 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TpShocks"="TpShocks.exe" [2009-07-08 337184]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
    "PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-08 714016]
    "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
    "LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-19 62752]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-06 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-06 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-06 150552]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-18 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    R2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\Drivers\Ca1528av.sys [2008-12-16 516480]
    R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
    R3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\Drivers\Bulk1528.sys [2008-06-27 11648]
    R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-08 75040]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-11 1343400]
    R4 Vhdmhervm;Vhdmhervm;c:\windows\system32\diskraid.exe [2009-07-14 276480]
    S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
    S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
    S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-14 62320]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:00000009

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(5184)
    c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
    c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
    c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
    .
    Completion time: 2010-03-25 17:12:17
    ComboFix-quarantined-files.txt 2010-03-25 06:12
    ComboFix2.txt 2010-03-25 01:41
    ComboFix3.txt 2010-03-24 19:01

    Pre-Run: 63,617,748,992 bytes free
    Post-Run: 63,567,020,032 bytes free

    - - End Of File - - BBD1A9F49996A2A71A8883F62A66D3C7
     
  14. 2010/03/25
    quirkymac Inactive Thread Starter
    Combofix3.txt is too large to post: it's 530kb in size (compared to the other reports, which are around 14kb in size).

    Do you want me to try and send it in manageable sections?
     
  15. 2010/03/25
    quirkymac Inactive Thread Starter
    I don't have any other internet browsers installed.
     
  16. 2010/03/25
    quirkymac Inactive Thread Starter
    Will run it now. Thanks.
     
  17. 2010/03/25
    quirkymac Inactive Thread Starter
    ComboFix 10-03-25.02 - Milne Clan 26/03/2010 6:30.5.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.61.1033.18.2006.1209 [GMT 11:00]
    Running from: c:\users\Milne Clan\Desktop\ComboFix.exe
    Command switches used :: c:\users\Milne Clan\Desktop\cfscript.txt

    FILE ::
    "c:\programdata\ezsidmv.dat"
    "c:\windows\system32\drivers\lvuvc.hs"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\ezsidmv.dat
    .
    ---- Previous Run -------
    .
    c:\programdata\ezsidmv.dat
    c:\windows\system32\drivers\lvuvc.hs

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
    .

    2010-03-25 19:35 . 2010-03-25 19:35 -------- d-----w- c:\users\Milne Clan\AppData\Local\temp
    2010-03-25 19:35 . 2010-03-25 19:35 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-03-25 19:35 . 2010-03-25 19:35 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-03-25 19:29 . 2010-03-25 19:29 -------- d-----w- C:\32788R22FWJFW
    2010-03-25 01:32 . 2010-03-25 01:32 -------- d-----w- c:\program files\Trend Micro
    2010-03-24 20:48 . 2010-03-24 20:48 388096 ----a-r- c:\users\Milne Clan\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-24 20:48 . 2010-03-24 20:48 -------- d-----w- c:\program files\TrendMicro
    2010-03-23 19:27 . 2010-03-23 19:27 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-03-23 19:27 . 2010-03-23 19:27 -------- d-----w- c:\programdata\Hitman Pro
    2010-03-23 19:27 . 2010-03-23 19:27 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-03-18 12:18 . 2010-03-20 09:38 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\vlc
    2010-03-18 12:18 . 2010-03-18 12:18 -------- d-----w- c:\program files\VideoLAN
    2010-03-11 17:17 . 2010-03-11 17:17 -------- d-----w- c:\windows\system32\Wat
    2010-03-11 17:16 . 2009-12-13 09:30 641536 ----a-w- c:\windows\system32\CPFilters.dll
    2010-03-11 17:16 . 2009-12-13 09:30 465408 ----a-w- c:\windows\system32\psisdecd.dll
    2010-03-11 17:16 . 2009-12-13 09:29 417792 ----a-w- c:\windows\system32\msdri.dll
    2010-03-11 17:16 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-03-11 17:16 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll
    2010-03-11 17:16 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-03-11 17:16 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe
    2010-03-11 17:16 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-03-11 17:16 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-03-11 17:16 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-03-11 17:16 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-03-09 06:48 . 2010-03-09 06:48 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\LEAPS
    2010-03-09 06:46 . 2010-03-09 06:46 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Pegasys Inc
    2010-03-09 06:43 . 2010-03-09 06:43 -------- d-----w- c:\program files\Pegasys Inc
    2010-03-04 19:03 . 2010-03-04 19:03 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
    2010-03-04 19:03 . 2010-03-04 19:03 336192 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-02-24 08:52 . 2010-02-02 07:45 2048 ----a-w- c:\windows\system32\tzres.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-25 18:58 . 2010-02-14 14:54 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Skype
    2010-03-25 17:38 . 2010-02-14 19:05 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\skypePM
    2010-03-24 19:08 . 2010-02-05 20:47 -------- d-----w- c:\programdata\Lavasoft
    2010-03-24 19:08 . 2010-01-06 07:12 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\uTorrent
    2010-03-18 00:08 . 2010-01-07 09:01 1 ----a-w- c:\users\Milne Clan\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-03-11 16:02 . 2010-01-04 06:29 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-02-23 23:16 . 2010-01-04 06:16 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-20 20:46 . 2010-02-20 20:46 -------- d-----w- c:\program files\SPCA1528
    2010-02-20 20:46 . 2010-01-04 06:13 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
    2010-02-19 20:53 . 2010-02-19 20:53 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-02-14 14:53 . 2010-02-14 14:53 -------- d-----w- c:\program files\Common Files\Skype
    2010-02-14 14:53 . 2010-02-14 14:53 -------- d-----r- c:\program files\Skype
    2010-02-14 14:53 . 2010-01-28 22:27 -------- d-----w- c:\programdata\Skype
    2010-02-09 16:42 . 2010-02-09 11:54 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-02-05 06:27 . 2010-01-04 05:54 61736 ----a-w- c:\users\Milne Clan\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-05 06:27 . 2010-02-05 06:25 -------- d-----w- c:\programdata\Microsoft Help
    2010-02-02 11:04 . 2010-02-02 03:03 -------- d-----w- c:\program files\FMS
    2010-02-02 02:47 . 2010-02-02 02:47 -------- d-----w- c:\program files\HeliSim
    2010-02-01 04:11 . 2010-02-01 04:11 -------- d-----w- c:\users\Milne Clan\AppData\Roaming\Leawo
    2010-01-31 01:54 . 2010-01-24 21:01 539 ----a-w- c:\users\Milne Clan\AppData\Local\CastleLinkProps.dat
    2010-01-28 22:28 . 2010-01-28 22:28 -------- d-----w- c:\program files\Common Files\logishrd
    2010-01-24 20:59 . 2010-01-24 20:59 -------- d-----w- c:\program files\Castle Creations
    2010-01-08 03:18 . 2010-02-10 05:19 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-01-08 03:17 . 2010-02-10 05:19 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-03-25_01.39.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-01-04 17:15 . 2010-03-25 08:29 25026 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2009-07-14 04:55 . 2010-03-24 20:52 37732 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 04:55 . 2010-03-25 18:44 37732 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
    - 2010-01-04 04:51 . 2010-03-24 20:50 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-01-04 04:51 . 2010-03-25 18:43 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-01-04 04:51 . 2010-03-25 18:43 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-04 04:51 . 2010-03-24 20:50 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:41 . 2010-03-24 20:50 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:41 . 2010-03-25 18:43 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-01-04 05:44 . 2010-03-25 18:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-01-04 05:44 . 2010-03-24 20:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-01-04 05:44 . 2010-03-25 18:43 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-04 05:44 . 2010-03-24 20:51 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-04 05:44 . 2010-03-25 18:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-01-04 05:44 . 2010-03-24 20:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-01-04 08:14 . 2010-03-24 20:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-01-04 08:14 . 2010-03-25 18:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-01-06 23:07 . 2010-03-25 19:10 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-06 23:07 . 2010-03-25 01:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-06 23:07 . 2010-03-25 19:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2010-01-06 23:07 . 2010-03-25 01:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2010-01-06 23:07 . 2010-03-25 19:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    - 2010-01-06 23:07 . 2010-03-25 01:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    - 2010-01-04 08:14 . 2010-03-25 01:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-04 08:14 . 2010-03-25 19:10 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-01-04 08:14 . 2010-03-24 20:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-01-04 08:14 . 2010-03-25 18:43 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-01-04 05:53 . 2010-03-25 18:44 5374 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4145999798-798303625-3923857219-1000_UserData.bin
    - 2010-03-24 20:50 . 2010-03-24 20:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-03-25 08:27 . 2010-03-25 18:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-03-24 20:50 . 2010-03-24 20:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-03-25 08:27 . 2010-03-25 18:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-01-04 05:43 . 2010-03-25 10:12 260956 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2009-07-14 02:03 . 2010-03-25 08:40 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
    - 2009-07-14 02:03 . 2010-03-25 00:18 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
    - 2010-01-04 17:07 . 2010-03-24 20:49 2073840 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2010-01-04 17:07 . 2010-03-25 08:26 2073840 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TpShocks"="TpShocks.exe" [2009-07-08 337184]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
    "PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-08 714016]
    "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
    "LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-19 62752]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-06 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-06 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-06 150552]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-18 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    R2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\Drivers\Ca1528av.sys [2008-12-16 516480]
    R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
    R3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\Drivers\Bulk1528.sys [2008-06-27 11648]
    R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-08 75040]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-11 1343400]
    R4 Vhdmhervm;Vhdmhervm;c:\windows\system32\diskraid.exe [2009-07-14 276480]
    S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
    S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
    S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-14 62320]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:00000009

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-03-26 06:36:27
    ComboFix-quarantined-files.txt 2010-03-25 19:36
    ComboFix2.txt 2010-03-25 06:12
    ComboFix3.txt 2010-03-25 01:41
    ComboFix4.txt 2010-03-24 19:01

    Pre-Run: 63,243,345,920 bytes free
    Post-Run: 63,192,834,048 bytes free

    - - End Of File - - 5C63B77C5A8FAD03050764FF57B3FEBD
     
  18. 2010/03/25
    quirkymac (Inactive Thread Starter)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:38:53 AM, on 26/03/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\TpShocks.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Windows\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    O4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
    O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
    O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
    O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
    O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 5160 bytes
     
  19. 2010/03/25
    broni (Moderator, Malware Analyst)
    Upload the file(s) here: http://uploadmb.com/
    Post download link (Direct Link).
     
  20. 2010/03/25
    broni (Moderator, Malware Analyst)
    Download Kenco.exe to your desktop.
    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you (it will be saved in the same place as Kenco.exe).
     
  21. 2010/03/25
    quirkymac (Inactive Thread Starter)
