TechSpot

Firefox redirecting about 1/4 of my links (virus?)

Solved
By jezzag
Mar 13, 2012
    I've had this redirect virus for a while now. I've tried a lot of different software: Malwarebytes Anti-Malware, Norton (that I get free through my university), and Advanced System Care 5.

    Since getting this "virus" about 3 weeks ago (and before checking out this forum), I've installed several new programs, have run Advanced System Care 5's registry scan and cleaner, and have made several restore points. (I know the forum said that this shouldn't be done, so I wanted to let you guys know.)

    The Malwarebytes program didn't find any malware. But I installed this program when I first started having an issue back on 2-27-12. I do have a log from the 1st run of the program. If you guys want this log I can post it.

    Also, the GMER scan did not produce a log.

    Here are the logs:

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.13.02

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Groth :: GROTH-THINK [administrator]

    3/13/2012 7:26:29 AM
    mbam-log-2012-03-13 (07-26-29).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 215629
    Time elapsed: 1 minute(s), 34 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
    Run by Groth at 7:38:51 on 2012-03-13
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3979.2157 [GMT -5:00]
    .
    AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe
    C:\Windows\system32\ibmpmsvc.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\taskhost.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
    C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
    C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
    C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
    C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
    C:\Windows\system32\CxAudMsg64.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files (x86)\Sierra Wireless Inc\Gobi\QDLService\GobiQDLService.exe
    C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
    C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
    C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
    C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
    C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
    C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Windows\SysWOW64\SAsrv.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\rundll32.exe
    C:\PROGRA~1\Lenovo\Zoom\TPSCREX.EXE
    C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
    C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\TpShocks.exe
    C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
    C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
    C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
    C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE
    C:\Users\Groth\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe
    C:\Program Files (x86)\Lenovo\Access Connections\AcWmaxSvr.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    R:\140066.enu\Office14\MSOSYNC.EXE
    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    C:\Program Files (x86)\Lenovo\System Update\SUService.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe
    C:\Windows\splwow64.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files (x86)\foobar2000\foobar2000.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://lenovo.msn.com
    uDefault_Page_URL = hxxp://lenovo.msn.com
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=userinit.exe,
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE" /quietlaunch "MSOSYNC 9014006604090000"
    uRun: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart
    mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
    mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
    mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
    mRun: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    StartupFolder: C:\Users\Groth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Groth\AppData\Roaming\Dropbox\bin\Dropbox.exe
    StartupFolder: C:\Users\Groth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office10\EXCEL.EXE/3000
    IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{D96FE6C0-182A-40C7-80C3-48F5C75E0713} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{FE6C258F-63E7-4164-8930-6F3590DCBB46} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{FE6C258F-63E7-4164-8930-6F3590DCBB46}\26F626269716E646D656768616E6 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{FE6C258F-63E7-4164-8930-6F3590DCBB46}\45E445 : DhcpNameServer = 192.168.0.1 216.165.129.158
    TCP: Interfaces\{FE6C258F-63E7-4164-8930-6F3590DCBB46}\7484347657563747 : DhcpNameServer = 4.2.2.1 4.2.2.2
    TCP: Interfaces\{FE6C258F-63E7-4164-8930-6F3590DCBB46}\8435C4340275962756C6563737 : DhcpNameServer = 144.92.202.58 144.92.202.59
    TCP: Interfaces\{FE6C258F-63E7-4164-8930-6F3590DCBB46}\A457A4572456567237 : DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
    TCP: Interfaces\{FE6C258F-63E7-4164-8930-6F3590DCBB46}\E4544574541425 : DhcpNameServer = 192.168.1.1
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    AppInit_DLLs: C:\Windows\SysWOW64\nvinit.dll
    LSA: Notification Packages = scecli ACGina
    BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    mRun-x64: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
    mRun-x64: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
    mRun-x64: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
    mRun-x64: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
    mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    AppInit_DLLs-X64: C:\Windows\SysWOW64\nvinit.dll
    Hosts: 67.215.245.19 www.google-analytics.com.
    Hosts: 67.215.245.19 ad-emea.doubleclick.net.
    Hosts: 67.215.245.19 www.statcounter.com.
    Hosts: 108.163.215.51 www.google-analytics.com.
    Hosts: 108.163.215.51 ad-emea.doubleclick.net.
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Groth\AppData\Roaming\Mozilla\Firefox\Profiles\njgkb3ho.default\
    FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/u/0/?shva=1#inbox|http://www.weather.com/weather/today/Madison WI 53705
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 DzHDD64;DzHDD64;C:\Windows\system32\DRIVERS\DzHDD64.sys --> C:\Windows\system32\DRIVERS\DzHDD64.sys [?]
    R0 nvpciflt;nvpciflt;C:\Windows\system32\DRIVERS\nvpciflt.sys --> C:\Windows\system32\DRIVERS\nvpciflt.sys [?]
    R0 TPDIGIMN;TPDIGIMN;C:\Windows\system32\DRIVERS\ApsHM64.sys --> C:\Windows\system32\DRIVERS\ApsHM64.sys [?]
    R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiifx64.sys --> C:\Windows\system32\DRIVERS\smiifx64.sys [?]
    R1 PHCORE;PHCORE;C:\Program Files\Lenovo\RapidBoot\PHCORE64.sys [2010-12-3 31592]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-2-19 497496]
    R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-8-8 1166848]
    R2 BTHSSecurityMgr;Intel(R) Centrino(R) Wireless Bluetooth(R) 3.0 + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-6-3 134928]
    R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
    R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
    R2 CxAudMsg;Conexant Audio Message Service;C:\Windows\system32\CxAudMsg64.exe --> C:\Windows\system32\CxAudMsg64.exe [?]
    R2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe [2011-6-6 498688]
    R2 GobiQDLService;Sierra Wireless QDL Service;C:\Program Files (x86)\Sierra Wireless Inc\Gobi\QDLService\GobiQDLService.exe [2011-9-1 316784]
    R2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2011-2-7 210896]
    R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\Communications Utility\CamMute.exe [2012-2-21 41832]
    R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2012-2-3 101736]
    R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-2-21 60264]
    R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe [2012-2-3 133992]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-9-28 2214504]
    R2 risdxc;risdxc;C:\Windows\system32\DRIVERS\risdxc64.sys --> C:\Windows\system32\DRIVERS\risdxc64.sys [?]
    R2 SAService;Conexant SmartAudio service;C:\Windows\System32\SASrv.exe [2011-9-28 446592]
    R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-8-12 379496]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2011-3-29 1839888]
    R2 TPHKLOAD;Lenovo Hotkey Client Loader;C:\Program Files\Lenovo\HOTKEY\tphkload.exe [2012-2-3 145256]
    R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2012-2-3 142696]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-9-28 2656280]
    R2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe [2011-6-6 986112]
    R3 5U877;USB Video Device;C:\Windows\system32\DRIVERS\5U877.sys --> C:\Windows\system32\DRIVERS\5U877.sys [?]
    R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;C:\Windows\system32\DRIVERS\AMPPAL.sys --> C:\Windows\system32\DRIVERS\AMPPAL.sys [?]
    R3 bpenum;Intel(R) Centrino(R) WiMAX Enumerator;C:\Windows\system32\DRIVERS\bpenum.sys --> C:\Windows\system32\DRIVERS\bpenum.sys [?]
    R3 bpmp;Intel(R) Centrino(R) WiMAX 6050 Series;C:\Windows\system32\DRIVERS\bpmp.sys --> C:\Windows\system32\DRIVERS\bpmp.sys [?]
    R3 bpusb;Intel(R) Centrino(R) WiMAX 6050 Series Function Driver;C:\Windows\system32\Drivers\bpusb.sys --> C:\Windows\system32\Drivers\bpusb.sys [?]
    R3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-3-10 138360]
    R3 iwdbus;IWD Bus Enumerator;C:\Windows\system32\DRIVERS\iwdbus.sys --> C:\Windows\system32\DRIVERS\iwdbus.sys [?]
    R3 LenovoRd;LenovoRd;C:\Windows\system32\Drivers\LenovoRd.sys --> C:\Windows\system32\Drivers\LenovoRd.sys [?]
    R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
    R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
    R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
    R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
    R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
    R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
    R3 swg3kmbb01;Sierra Wireless QMI USB-NDIS 6.20 miniport for Lenovo;C:\Windows\system32\DRIVERS\swg3kmbb01.sys --> C:\Windows\system32\DRIVERS\swg3kmbb01.sys [?]
    R3 swg3knmea01;Sierra Wireless QMI NMEA Communication - Lenovo;C:\Windows\system32\DRIVERS\swg3knmea01.sys --> C:\Windows\system32\DRIVERS\swg3knmea01.sys [?]
    R3 swg3kser01;Sierra Wireless QMI USB Device for Legacy Serial Communication - Lenovo;C:\Windows\system32\DRIVERS\swg3kser01.sys --> C:\Windows\system32\DRIVERS\swg3kser01.sys [?]
    R3 swibus01;Sierra Wireless Bus Enumerator 01;C:\Windows\system32\DRIVERS\swibus01.sys --> C:\Windows\system32\DRIVERS\swibus01.sys [?]
    R3 swibusflt01;Sierra Wireless Bus Enumerator Filter 01;C:\Windows\system32\DRIVERS\swibusflt01.sys --> C:\Windows\system32\DRIVERS\swibusflt01.sys [?]
    R3 TVTI2C;Lenovo SM bus driver;C:\Windows\system32\DRIVERS\Tvti2c.sys --> C:\Windows\system32\DRIVERS\Tvti2c.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 HyperW7Svc;HyperW7 Service;C:\Program Files\Lenovo\RapidBoot\HyperW7Svc64.exe [2010-12-3 116072]
    S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;C:\Windows\system32\DRIVERS\amppal.sys --> C:\Windows\system32\DRIVERS\amppal.sys [?]
    S3 BTWAMPFL;BTWAMPFL;C:\Windows\system32\DRIVERS\btwampfl.sys --> C:\Windows\system32\DRIVERS\btwampfl.sys [?]
    S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
    S3 DozeSvc;Lenovo Doze Mode Service;C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2011-9-28 478056]
    S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\system32\drivers\intelaud.sys --> C:\Windows\system32\drivers\intelaud.sys [?]
    S3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 pmxdrv;pmxdrv;\??\C:\Windows\system32\drivers\pmxdrv.sys --> C:\Windows\system32\drivers\pmxdrv.sys [?]
    S3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2011-9-28 89152]
    S3 PwmEWSvc;Cisco EnergyWise Enabler;C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.exe [2012-2-21 175168]
    S3 swg3kflt01;Sierra Wireless USB Composite Device Filter Driver 01;C:\Windows\system32\DRIVERS\swg3kflt01.sys --> C:\Windows\system32\DRIVERS\swg3kflt01.sys [?]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-03-13 12:25:38 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-03-13 12:25:38 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-03-10 19:44:44 -------- d-----w- C:\Users\Groth\AppData\Roaming\foobar2000
    2012-03-10 19:44:40 -------- d-----w- C:\Program Files (x86)\foobar2000
    2012-03-04 15:53:06 -------- d-----w- C:\Users\Groth\AppData\Roaming\OpenOffice.org
    2012-03-04 15:52:04 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
    2012-02-29 15:05:01 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
    2012-02-28 02:08:51 -------- d-----w- C:\Users\Groth\AppData\Roaming\Malwarebytes
    2012-02-28 02:08:45 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-02-28 01:44:50 -------- d-----w- C:\59172177595d2796d147
    2012-02-22 15:30:52 -------- d-----w- C:\Users\Groth\AppData\Local\Intel WiDi
    2012-02-21 18:01:31 -------- d-----w- C:\Program Files (x86)\Intel Corporation
    2012-02-21 18:01:31 -------- d-----w- C:\Program Files (x86)\Common Files\Intel Corporation
    2012-02-21 13:51:07 -------- d-----w- C:\Users\Groth\AppData\Roaming\NVIDIA
    2012-02-19 13:32:16 23896 ----a-w- C:\Windows\System32\RegistryDefragBootTime.exe
    2012-02-19 13:26:00 -------- d-----w- C:\ProgramData\IObit
    2012-02-19 13:25:48 -------- d-----w- C:\Users\Groth\AppData\Roaming\IObit
    2012-02-19 13:25:38 -------- d-----w- C:\Program Files (x86)\IObit
    2012-02-19 09:12:04 509952 ----a-w- C:\Windows\System32\ntshrui.dll
    2012-02-19 09:12:04 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
    2012-02-19 09:07:22 515584 ----a-w- C:\Windows\System32\timedate.cpl
    2012-02-19 09:07:22 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
    2012-02-19 09:06:37 3145728 ----a-w- C:\Windows\System32\win32k.sys
    2012-02-19 09:05:37 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
    2012-02-19 09:04:55 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
    2012-02-19 09:04:55 634880 ----a-w- C:\Windows\System32\msvcrt.dll
    2012-02-16 02:12:26 -------- d-----w- C:\Program Files\iTunes
    2012-02-16 02:12:26 -------- d-----w- C:\Program Files\iPod
    2012-02-16 02:12:26 -------- d-----w- C:\Program Files (x86)\iTunes
    2012-02-13 16:05:53 -------- d-----w- C:\Users\Groth\AppData\Local\GPSENABLER
    .
    ==================== Find3M ====================
    .
    2012-03-04 04:35:56 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-01-07 20:57:49 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    .
    ============= FINISH: 7:39:04.33 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/10/2011 7:06:03 PM
    System Uptime: 3/12/2012 9:45:30 PM (10 hours ago)
    .
    Motherboard: LENOVO | | 4177CTO
    Processor: Intel(R) Core(TM) i5-2540M CPU @ 2.60GHz | CPU | 2574/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 102 GiB total, 44.084 GiB free.
    Q: is FIXED (NTFS) - 16 GiB total, 6.581 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e968-e325-11ce-bfc1-08002be10318}
    Description: NVIDIA NVS 4200M
    Device ID: PCI\VEN_10DE&DEV_1057&SUBSYS_21D017AA&REV_A1\4&2E7E2E60&0&0008
    Manufacturer: NVIDIA
    Name: NVIDIA NVS 4200M
    PNP Device ID: PCI\VEN_10DE&DEV_1057&SUBSYS_21D017AA&REV_A1\4&2E7E2E60&0&0008
    Service: nvlddmkm
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Intel(R) Centrino(R) Advanced-N 6250 AGN
    Device ID: PCI\VEN_8086&DEV_0089&SUBSYS_13118086&REV_5E\4&8C6C5B2&0&00E1
    Manufacturer: Intel Corporation
    Name: Intel(R) Centrino(R) Advanced-N 6250 AGN
    PNP Device ID: PCI\VEN_8086&DEV_0089&SUBSYS_13118086&REV_5E\4&8C6C5B2&0&00E1
    Service: NETwNs64
    .
    ==== System Restore Points ===================
    .
    RP40: 3/4/2012 8:28:13 AM - IObit Uninstaller restore point
    RP41: 3/4/2012 8:30:29 AM - IObit Uninstaller restore point
    RP42: 3/4/2012 8:30:35 AM - Removed Quicken 2012.
    RP43: 3/4/2012 8:31:35 AM - IObit Uninstaller restore point
    RP44: 3/4/2012 8:33:09 AM - IObit Uninstaller restore point
    RP45: 3/4/2012 9:50:35 AM - Installed Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    RP46: 3/4/2012 9:50:49 AM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP47: 3/4/2012 9:51:37 AM - Installed Java(TM) 6 Update 22
    RP48: 3/4/2012 9:51:54 AM - Installed OpenOffice.org 3.3
    RP49: 3/11/2012 9:35:40 PM - Scheduled Checkpoint
    RP50: 3/12/2012 6:33:15 AM - IObit Uninstaller restore point
    RP51: 3/12/2012 6:33:26 AM - Removed OpenOffice.org 3.3
    RP52: 3/12/2012 7:01:15 AM - IObit Uninstaller restore point
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 67.215.245.19 www.google-analytics.com.
    Hosts: 67.215.245.19 ad-emea.doubleclick.net.
    Hosts: 67.215.245.19 www.statcounter.com.
    Hosts: 108.163.215.51 www.google-analytics.com.
    Hosts: 108.163.215.51 ad-emea.doubleclick.net.
    Hosts: 108.163.215.51 www.statcounter.com.
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Advanced SystemCare 5
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Software Update
    Batch PPTX to PPT Converter
    Burn.Now 4.5
    Compatibility Pack for the 2007 Office system
    Corel Burn.Now Lenovo Edition
    Corel DVD MovieFactory 7
    Corel DVD MovieFactory Lenovo Edition
    Corel WinDVD
    Create Recovery Media
    D3DX10
    Direct DiscRecorder
    DivX Setup
    Dropbox
    Evernote v. 4.5.2
    foobar2000 v1.1.11
    Foxit Reader 5.1
    Garmin USB Drivers
    Garmin WebUpdater
    Integrated Camera Driver Installer Package Ver.1.1.0.1147
    Integrated Camera TWAIN
    Intel PROSet Wireless
    Intel(R) Control Center
    Intel(R) Identity Protection Technology 1.0.74.0
    Intel(R) Management Engine Components
    Intel(R) Processor Graphics
    Intel(R) WiDi
    iSEEK AnswerWorks English Runtime
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 30
    Junk Mail filter update
    Lenovo Mobile Broadband Activation
    Lenovo Patch Utility
    Lenovo User Guide
    Lenovo Warranty Information
    Lenovo Welcome
    LiveUpdate 3.3 (Symantec Corporation)
    Malwarebytes Anti-Malware version 1.60.1.1000
    Mesh Runtime
    Message Center Plus
    Microsoft Office 2010
    Microsoft Office Click-to-Run 2010
    Microsoft Office Starter 2010 - English
    Microsoft Office XP Professional with FrontPage
    Microsoft PowerPoint Viewer
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Firefox 10.0.2 (x86 en-US)
    Mozilla Thunderbird 10.0.2 (x86 en-US)
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA Stereoscopic 3D Driver
    RapidBoot
    RICOH Media Driver v2.10.18.02
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Sierra Wireless QMI Lenovo Driver Package
    Spotify
    System Update
    ThinkPad Power Manager
    ThinkPad UltraNav Utility
    ThinkVantage Access Connections
    ThinkVantage GPS
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    VC80CRTRedist - 8.0.50727.6195
    Verizon Wireless Mobile Broadband Self Activation
    VLC media player 1.1.11
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Media Player Firefox Plugin
    Xvid Video Codec
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/8/2012 12:20:35 PM, Error: Microsoft-Windows-Smartcard-Server [616] - Reader monitor 'Lenovo Integrated Smart Card Reader 0' received uncaught error code: Access is denied.
    3/8/2012 12:20:35 PM, Error: Microsoft-Windows-Smartcard-Server [615] - Reader removal monitor error retry threshold reached: Access is denied.
    3/12/2012 8:15:45 AM, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
    3/12/2012 8:12:09 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0xfffffa80091e3010, 0xfffff8801062d42c, 0x0000000000000000, 0x0000000000000002). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 031212-30950-01.
    3/11/2012 4:31:25 PM, Error: nvlddmkm [14] -
    .
    ==== End Of File ===========================

    I really appreciate any help!
     
  2. Bobbye

    Bobbye, Helper on the Fringe

    Welcome to TechSpot! I'll be glad to help, but I need you to understand how and why we give directions:

    First, I advise you to remove Advanced System Care. This is basically a registry cleaner, and we do not advise anyone to use a registry cleaner. The risks far outweigh any small benefit you might get. If you choose not to uninstall this, please disable the program completely. Some of what we will do will concern the registry, and having a registry cleaner working in the background is not to your advantage.

    Second, please disable CCleaner- some of the same reasons as above. Other cleaning programs may delete the temporary internet files. Some rogue programs store shortcuts for your programs there, so if they are removed, you may have to find each program and reset it.

    You are being redirected because your hosts file has been hijacked. But the entries don't read like the usual European or Asian hijackers. Are you using any private network?
    ========================================
    Regarding following our instructions: We do not tell you not to set a restore point. We tell you not to do a System Restore. However, if there is malware on the system and you set a restore point, it will most likely have malware in it. As for IObit setting restore points, I don't know where that program stores its restore points. If it's within their program, then at the end of cleaning, when I have you set a new, clean restore point and drop the old ones, I don't know if the IObit points will be found.
    ====================================
    Let's go ahead with the following:
    I'd like you to uninstall the Malwarebytes program you have now, then download a fresh copy, update it and run a Full Scan:

    Download Link for Malwarebytes
    Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
    When the scan has finished:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    =================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================
    After you have run Combofix, go on to the following:
    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    DDS::
    Hosts: 67.215.245.19 www.google-analytics.com.
    Hosts: 67.215.245.19 ad-emea.doubleclick.net.
    Hosts: 67.215.245.19 www.statcounter.com.
    Hosts: 108.163.215.51 www.google-analytics.com.
    Hosts: 108.163.215.51 ad-emea.doubleclick.net.
    Hosts: 108.163.215.51 www.statcounter.com.
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    Drag CFScript.txt into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

    Be sure to check all download screens for any pre-checked toolbars or BHOs> if found, remove the check before the download.
    ======================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ============================================
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    Please leave all logs in your next reply: Mbam Full Scan, Combofix, CFFix, Eset, CKScan.
    ======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
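    The hosts-file check that both posts above turn on (the DDS "Hosts File Hijack" block in the first post, and the helper's diagnosis that the redirects come from it), written out as an added example. This is not code from the thread, from DDS or from ComboFix: a small Python script that reads a hosts file the way the resolver does, separates sinkhole entries (127.0.0.1, 0.0.0.0, ::1, link-local) from entries that send a name to a routable address, and groups the routable ones by name so that duplicate targets, like the two IPs in the log, stand out. The sample hosts text is constructed; its six routable entries copy the ones DDS reported, and the dev.local and ads.example.net lines are made-up benign entries to show what is not flagged. The security point it illustrates: www.google-analytics.com and the DoubleClick host serve script that a large share of web pages embed, so whoever controls 67.215.245.19 or 108.163.215.51 can return their own script to any page that loads those names, which is consistent with only some links redirecting and with browser and anti-malware scans coming back clean.

```python
import ipaddress
import sys
from typing import Dict, List, NamedTuple

# Constructed sample in Windows hosts-file syntax (not the poster's real file).
# The six routable entries reproduce the ones DDS flagged in the log above;
# the other lines are ordinary comments and harmless sinkhole entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   dev.local            # local test name, harmless (made up)
0.0.0.0     ads.example.net      # ad-blocker style sinkhole, harmless (made up)
67.215.245.19 www.google-analytics.com.
67.215.245.19 ad-emea.doubleclick.net.
67.215.245.19 www.statcounter.com.
108.163.215.51 www.google-analytics.com.
108.163.215.51 ad-emea.doubleclick.net.
108.163.215.51 www.statcounter.com.
"""


class HostsEntry(NamedTuple):
    ip: str
    host: str
    line_no: int


def parse_hosts(text: str) -> List[HostsEntry]:
    """Turn hosts-file text into (ip, host, line_no) records.

    Text after '#' and blank lines are dropped. A trailing dot on a name
    (the FQDN form DDS prints, e.g. 'www.statcounter.com.') is stripped and
    the name lower-cased so spelling variants of one name compare equal.
    """
    entries: List[HostsEntry] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address; the resolver ignores such lines
        for name in names:
            entries.append(HostsEntry(ip, name.rstrip(".").lower(), n))
    return entries


def is_sinkhole(ip: str) -> bool:
    """True for targets that keep traffic on the box or drop it
    (loopback, 0.0.0.0/::, link-local); anything else is routable."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local


def find_hijacks(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that send a name to a routable address: the shape of a
    hosts-file hijack rather than a blocklist or a developer override."""
    return [e for e in entries if not is_sinkhole(e.ip)]


def targets_by_host(entries: List[HostsEntry]) -> Dict[str, List[str]]:
    """Map each hijacked name to its target IPs in file order. The resolver
    takes the first matching line, so a second IP for the same name only
    comes into play once the first line is removed."""
    out: Dict[str, List[str]] = {}
    for e in find_hijacks(entries):
        out.setdefault(e.host, []).append(e.ip)
    return out


def report(text: str) -> List[str]:
    """One finding line per hijacked name, e.g. 'HIJACK host -> ip1, ip2'."""
    return [f"HIJACK {host} -> {', '.join(ips)}"
            for host, ips in targets_by_host(parse_hosts(text)).items()]


if __name__ == "__main__":
    # Pass a path (on Windows: C:\Windows\System32\drivers\etc\hosts) to scan
    # a real file; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_HOSTS
    for line in report(data):
        print(line)
```

    On the sample the script reports three names, each with both target addresses. Run against the real file it needs to be opened as an administrator only if you intend to edit it; reading it does not. Deleting the flagged lines is the fix the helper's CFScript performs with its "Hosts:" entries; the script here only reports, so it is safe to run before and after cleaning to confirm the entries are gone.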
     
  3. jezzag

    jezzag TS Rookie Topic Starter

    I never installed any private network. So no, I don't think I'm using a private network. I don't know whether or not this is relevant, but I'm having trouble sharing my files from this computer (my laptop) with my other computer. If I hook up my laptop via a wired connection, my files are shared successfully.

    I'll try out your steps outlined above and update you on my results
     
  4. jezzag

    jezzag TS Rookie Topic Starter

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.13.04

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Groth :: GROTH-THINK [administrator]

    Protection: Disabled

    3/13/2012 11:17:57 AM
    mbam-log-2012-03-13 (11-17-57).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 331661
    Time elapsed: 20 minute(s), 33 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    ComboFix 12-03-13.01 - Groth 03/13/2012 12:54:57.2.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3979.2277 [GMT -5:00]
    Running from: c:\users\Groth\Desktop\ComboFix.exe
    Command switches used :: c:\users\Groth\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-13 18:02 . 2012-03-13 18:02 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-03-13 18:02 . 2012-03-13 18:02 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-03-13 18:02 . 2012-03-13 18:02 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-03-13 16:16 . 2012-03-13 16:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-03-13 16:16 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-10 19:44 . 2012-03-13 16:15 -------- d-----w- c:\users\Groth\AppData\Roaming\foobar2000
    2012-03-10 19:44 . 2012-03-10 19:44 -------- d-----w- c:\program files (x86)\foobar2000
    2012-03-04 15:53 . 2012-03-04 15:53 -------- d-----w- c:\users\Groth\AppData\Roaming\OpenOffice.org
    2012-03-04 15:52 . 2012-03-12 11:34 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
    2012-02-29 15:05 . 2012-03-11 14:00 -------- d-----w- c:\program files (x86)\SpywareBlaster
    2012-02-28 02:08 . 2012-02-28 02:08 -------- d-----w- c:\users\Groth\AppData\Roaming\Malwarebytes
    2012-02-28 02:08 . 2012-02-28 02:08 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-28 01:44 . 2012-02-28 01:44 -------- d-----w- C:\59172177595d2796d147
    2012-02-22 15:30 . 2012-02-22 15:30 -------- d-----w- c:\users\Groth\AppData\Local\Intel WiDi
    2012-02-21 18:01 . 2012-02-21 18:01 -------- d-----w- c:\program files (x86)\Common Files\Intel Corporation
    2012-02-21 18:01 . 2012-02-21 18:01 -------- d-----w- c:\program files (x86)\Intel Corporation
    2012-02-21 13:51 . 2012-02-21 13:51 -------- d-----w- c:\users\Groth\AppData\Roaming\NVIDIA
    2012-02-19 13:32 . 2011-12-30 23:02 23896 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
    2012-02-19 13:26 . 2012-02-19 13:26 -------- d-----w- c:\programdata\IObit
    2012-02-19 13:25 . 2012-02-29 15:48 -------- d-----w- c:\users\Groth\AppData\Roaming\IObit
    2012-02-19 13:25 . 2012-02-19 13:25 -------- d-----w- c:\program files (x86)\IObit
    2012-02-19 09:12 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
    2012-02-19 09:12 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
    2012-02-19 09:07 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
    2012-02-19 09:07 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
    2012-02-19 09:06 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
    2012-02-19 09:05 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-02-19 09:04 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
    2012-02-19 09:04 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
    2012-02-16 02:12 . 2012-02-16 02:12 -------- d-----w- c:\program files\iTunes
    2012-02-16 02:12 . 2012-02-16 02:12 -------- d-----w- c:\program files (x86)\iTunes
    2012-02-16 02:12 . 2012-02-16 02:12 -------- d-----w- c:\program files\iPod
    2012-02-13 16:05 . 2012-02-13 16:06 -------- d-----w- c:\users\Groth\AppData\Local\GPSENABLER
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-04 04:35 . 2012-01-25 14:12 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-01-07 20:57 . 2012-01-07 20:57 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-03-13_17.38.36 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-14 05:10 . 2012-03-13 17:40 38488 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-11-11 00:03 . 2012-03-13 17:40 7416 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1699539174-4049867383-3466198633-1002_UserData.bin
    + 2012-03-13 17:38 . 2012-03-13 17:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OfficeSyncProcess"="c:\program files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE" [2012-01-04 3208032]
    "Xvid"="c:\program files (x86)\xvid\checkupdate.exe" [2011-01-17 8192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IMSS"="c:\program files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
    "PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2011-12-01 1631808]
    "ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2011-03-29 115624]
    "RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
    "iTunesHelper"="c:\program files (x86)\itunes\ituneshelper.exe" [2012-01-16 421736]
    "SunJavaUpdateSched"="c:\program files (x86)\common files\java\java update\jusched.exe" [2011-06-09 254696]
    "DivXUpdate"="c:\program files (x86)\divx\divx update\divxupdate.exe" [2011-07-28 1259376]
    "APSDaemon"="c:\program files (x86)\common files\apple\apple application support\apsdaemon.exe" [2011-11-02 59240]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    c:\users\Groth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Groth\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
    EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2011-12-2 1000288]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2010-12-03 116072]
    R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [x]
    R3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [x]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2011-12-01 478056]
    R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [x]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys [x]
    R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2011-12-01 89152]
    R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2011-12-01 175168]
    R3 swg3kflt01;Sierra Wireless USB Composite Device Filter Driver 01;c:\windows\system32\DRIVERS\swg3kflt01.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [x]
    S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [x]
    S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [x]
    S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [x]
    S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2010-12-03 31592]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-08-08 1166848]
    S2 BTHSSecurityMgr;Intel(R) Centrino(R) Wireless Bluetooth(R) 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-06-03 134928]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [x]
    S2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [2011-06-06 498688]
    S2 GobiQDLService;Sierra Wireless QDL Service;c:\program files (x86)\Sierra Wireless Inc\Gobi\QDLService\GobiQDLService.exe [2011-09-01 316784]
    S2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-07 210896]
    S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2011-07-22 41832]
    S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736]
    S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2011-07-22 60264]
    S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-13 2214504]
    S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys [x]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-12 379496]
    S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256]
    S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-07-12 142696]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-01-17 2656280]
    S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [2011-06-06 986112]
    S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [x]
    S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [x]
    S3 bpenum;Intel(R) Centrino(R) WiMAX Enumerator;c:\windows\system32\DRIVERS\bpenum.sys [x]
    S3 bpmp;Intel(R) Centrino(R) WiMAX 6050 Series;c:\windows\system32\DRIVERS\bpmp.sys [x]
    S3 bpusb;Intel(R) Centrino(R) WiMAX 6050 Series Function Driver;c:\windows\system32\Drivers\bpusb.sys [x]
    S3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [x]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-03 138360]
    S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [x]
    S3 LenovoRd;LenovoRd;c:\windows\system32\Drivers\LenovoRd.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    S3 swg3kmbb01;Sierra Wireless QMI USB-NDIS 6.20 miniport for Lenovo;c:\windows\system32\DRIVERS\swg3kmbb01.sys [x]
    S3 swg3knmea01;Sierra Wireless QMI NMEA Communication - Lenovo;c:\windows\system32\DRIVERS\swg3knmea01.sys [x]
    S3 swg3kser01;Sierra Wireless QMI USB Device for Legacy Serial Communication - Lenovo;c:\windows\system32\DRIVERS\swg3kser01.sys [x]
    S3 swibus01;Sierra Wireless Bus Enumerator 01;c:\windows\system32\DRIVERS\swibus01.sys [x]
    S3 swibusflt01;Sierra Wireless Bus Enumerator Filter 01;c:\windows\system32\DRIVERS\swibusflt01.sys [x]
    S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:06]
    .
    2012-03-13 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:06]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 97792 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 97792 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 97792 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 97792 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "TpShocks"="TpShocks.exe" [2010-12-09 380776]
    "ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]
    "LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2011-07-22 42344]
    "ALCKRESI.EXE"="c:\program files\Lenovo\AutoLock\ALCKRESI.EXE" [2010-12-17 281448]
    "AcWin7Hlpr"="c:\program files (x86)\Lenovo\Access Connections\AcTBenabler.exe" [2011-10-20 33344]
    "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-15 316032]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\windows\System32\nvinitx.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://lenovo.msn.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 144.92.202.58 144.92.202.59
    FF - ProfilePath - c:\users\Groth\AppData\Roaming\Mozilla\Firefox\Profiles\njgkb3ho.default\
    FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/u/0/?shva=1#inbox|http://www.weather.com/weather/today/Madison WI 53705
    FF - prefs.js: network.proxy.type - 4
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-03-13 13:04:59
    ComboFix-quarantined-files.txt 2012-03-13 18:04
    ComboFix2.txt 2012-03-13 17:40
    .
    Pre-Run: 44,902,502,400 bytes free
    Post-Run: 44,617,175,040 bytes free
    .
    - - End Of File - - 0A280F063B93F6E5689AABD7950D91B8
    ------------------------------------------------
    Edit: Duplicate of above Combofix log deleted by Bobbye

    No Eset Smart Installer log - nothing found

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11.XDAPNS
    ----- EOF -----
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, let's do this:

    You will need to do a DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    • [1]. Shut down your computer, and any other computer connected to your router.
      [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [3]. Unplug the router. Wait sixty seconds.
      [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
      [5]. With the router unplugged, start your computer. Run MBAM again.
      [6]. Connect to the router again. Then turn the router back on.
      [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
      [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
     
  6. jezzag

    jezzag TS Rookie Topic Starter

    I did a DNS Flush and followed your protocol for resetting the router, however I forgot to turn off my other computer. Unfortunately I'm now out of town at a conference until this Sunday.

    I'll do a DNS flush, router reset, rerun MBAM, and post my results this Sunday.

    Thanks for your help.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, thanks for letting me know. Just start over and follow all the steps in order.
     
  8. jezzag

    jezzag TS Rookie Topic Starter

    Sorry for the delay, my flight back home was cancelled. I'm back in town now and will post my new results within the hour
     
  9. jezzag

    jezzag TS Rookie Topic Starter

    Done, no malware found

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.13.04

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Groth :: GROTH-THINK [administrator]

    Protection: Enabled

    3/20/2012 7:19:50 AM
    mbam-log-2012-03-20 (07-19-50).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 344465
    Time elapsed: 14 minute(s), 26 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You were very specific in saying "about 1/4 of links in Firefox are being redirected."

    That's not really consistent with a true redirect. Monitor the type of sites that are redirecting- could they be secure sites? In the event of no malware, I suspect this is going to be caused by a system setting- or lack of a setting, such as SSL and TLS.
     
  11. jezzag

    jezzag TS Rookie Topic Starter

    I will monitor the type of sites that are redirecting. I can look into the SSL and TLS, but I wouldn't know what to look for with system settings.
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Be sure not to leave hyperlinks to any redirected sites. Since only a few get redirected, I'm just looking for file type rather than domain.

    Just so we're clear on a 'redirect':

    You type a word in the Google search box in Firefox> Google hits come up for you to choose> you select certain site but that site isn't what comes up> instead, you are redirected to some other, unrelated site.

    If you get "server not found" in Firefox, that is not redirect> that is a connection or server or site problem, not a redirect.

    It is unusual just to have 1/4 of the links not giving what you want. If these happen to be links from Bookmarks or shortcuts, for instance, the links may no longer be good.
     
  13. jezzag

    jezzag TS Rookie Topic Starter

    Yes, it was a clear 'redirect'. It was happening mostly when I was looking through Google News; the links I clicked were taking me to other sites.

    I've been paying close attention & I have to say that I have not seen any redirects since Monday. I just was on google news and read a lot of articles for the past hour and haven't gotten one redirect.

    Thanks!
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'd like you to run SuperAntiSpyware:

    [IMG]
    SuperAntiSpyware Home Edition Free Version
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check 'Perform Complete Scan', then click 'Next' to start the scan.
    • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you're done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
     
  15. jezzag

    jezzag TS Rookie Topic Starter

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/26/2012 at 07:27 AM

    Application Version : 5.0.1146

    Core Rules Database Version : 8377
    Trace Rules Database Version: 6189

    Scan type : Complete Scan
    Total Scan Time : 00:20:37

    Operating System Information
    Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
    UAC Off - Administrator

    Memory items scanned : 825
    Memory threats detected : 0
    Registry items scanned : 71051
    Registry threats detected : 0
    File items scanned : 55248
    File threats detected : 17

    Adware.Tracking Cookie
    C:\Users\Groth\AppData\Roaming\Microsoft\Windows\Cookies\VBGZPREV.txt [ /collective-media.net ]
    C:\Users\Groth\AppData\Roaming\Microsoft\Windows\Cookies\DD175WXO.txt [ /invitemedia.com ]
    C:\Users\Groth\AppData\Roaming\Microsoft\Windows\Cookies\HQ7483UX.txt [ /accounts.google.com ]
    C:\Users\Groth\AppData\Roaming\Microsoft\Windows\Cookies\5ROLE0MT.txt [ /ads.bleepingcomputer.com ]
    C:\USERS\GROTH\Cookies\VBGZPREV.txt [ Cookie:groth@collective-media.net/ ]
    C:\USERS\GROTH\Cookies\DD175WXO.txt [ Cookie:groth@invitemedia.com/ ]
    C:\USERS\GROTH\Cookies\HQ7483UX.txt [ Cookie:groth@accounts.google.com/ ]
    adimages.scrippsnetworks.com [ C:\USERS\GROTH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\DV5WDD4U ]
    core.insightexpressai.com [ C:\USERS\GROTH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\DV5WDD4U ]
    ia.media-imdb.com [ C:\USERS\GROTH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\DV5WDD4U ]
    media.mtvnservices.com [ C:\USERS\GROTH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\DV5WDD4U ]
    media.socialvibe.com [ C:\USERS\GROTH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\DV5WDD4U ]
    msnbcmedia.msn.com [ C:\USERS\GROTH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\DV5WDD4U ]
    objects.tremormedia.com [ C:\USERS\GROTH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\DV5WDD4U ]
    s0.2mdn.net [ C:\USERS\GROTH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\DV5WDD4U ]
    secure-us.imrworldwide.com [ C:\USERS\GROTH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\DV5WDD4U ]
    stat.easydate.biz [ C:\USERS\GROTH\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\DV5WDD4U ]
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You can eliminate those Tracking Cookies by having SAS remove the ones present now, then resetting Cookies as follows:

    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK 'accept Cookies from Sites'> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    =======================================
    An FYI for you: I checked some of the sites visited and am passing this on: I use a site advisor, Web of Trust (WOT). It rates sites on 4 categories. If a site is known to be a bad site, I get a warning and the site won't load unless I bypass the warning. (I highly recommend putting WOT on the system so the link is embedded)

    1. <secure-us.imrworldwide dot com gives the following>: This site has a poor reputation based on user ratings.
    2. <collective-media dot net> several entries:
    Here is the best description of Tracking I've found:
    The reasoning behind this is supposed to be that by tracking you, it can be determined which are the best ads for you to see. Of course, like everything else on the internet, some can be more innocuous than others.

    I also notice flash objects from these sites. Malware frequently comes with Flash, so the fewer, the better.

    These come from 3rd party Cookies, so blocking them will prevent most. Using plugins like AdBlockPlus and Easy List will also add more filters to keep the trash out.
    ====================================
    I advise taking Registry Defrag off of boot. I further advise removing Advanced System Care. This is mostly a registry cleaner, which we do not recommend to anyone.
    ======================================
    Last scan: First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  17. jezzag

    jezzag TS Rookie Topic Starter

    I followed your advice and installed those Firefox add-ons and removed Advanced System Care. I don't know how to take "registry defrag" off boot. I'm not sure what that is.

    Here's the results of HijackThis:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:26:27 AM, on 3/27/2012
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16421)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
    C:\PROGRA~1\Lenovo\Zoom\TPSCREX.EXE
    C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE
    C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
    C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe
    C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE
    C:\Users\Groth\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe
    R:\140066.enu\Office14\MSOSYNC.EXE
    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
    C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\foobar2000\foobar2000.exe
    C:\HijackThis\HijackThis.exe
    C:\Users\Groth\AppData\Local\Temp\Temp1_HijackThis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [IMSS] "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
    O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
    O4 - HKLM\..\Run: [DivXUpdate] "c:\program files (x86)\divx\divx update\divxupdate.exe" /checknow
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE" /quietlaunch "MSOSYNC 9014006604090000"
    O4 - HKCU\..\Run: [Xvid] c:\program files (x86)\xvid\checkupdate.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-21-1699539174-4049867383-3466198633-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
    O4 - HKUS\S-1-5-21-1699539174-4049867383-3466198633-1000\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
    O4 - Startup: Dropbox.lnk = Groth\AppData\Roaming\Dropbox\bin\Dropbox.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Add to Evernote 4.0 - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
    O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O20 - AppInit_DLLs: C:\Windows\SysWOW64\nvinit.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    O23 - Service: AcPrfMgrSvc - Lenovo - C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
    O23 - Service: AcSvc - Lenovo - C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service (AMPPALR3) - Intel Corporation - C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) Centrino(R) Wireless Bluetooth(R) 3.0 + High Speed Security Service (BTHSSecurityMgr) - Intel(R) Corporation - C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: @C:\Windows\system32\CxAudMsg64.exe,-100 (CxAudMsg) - Unknown owner - C:\Windows\system32\CxAudMsg64.exe (file missing)
    O23 - Service: Intel® PROSet/Wireless WiMAX Red Bend Device Management Service (DMAgent) - Red Bend Ltd. - C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
    O23 - Service: Lenovo Doze Mode Service (DozeSvc) - Lenovo. - C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: Sierra Wireless QDL Service (GobiQDLService) - Sierra Wireless, Inc. - C:\Program Files (x86)\Sierra Wireless Inc\Gobi\QDLService\GobiQDLService.exe
    O23 - Service: HyperW7 Service (HyperW7Svc) - Lenovo Group Limited - C:\Program Files\Lenovo\RapidBoot\HyperW7Svc64.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\Windows\system32\ibmpmsvc.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) Identity Protection Technology Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Lenovo Camera Mute (LENOVO.CAMMUTE) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
    O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
    O23 - Service: Lenovo Keyboard Noise Reduction (LENOVO.TPKNRSVC) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
    O23 - Service: Lenovo Auto Scroll (Lenovo.VIRTSCRLSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: Cisco EnergyWise Enabler (PwmEWSvc) - Lenovo Group Limited - C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Conexant SmartAudio service (SAService) - Conexant Systems, Inc. - C:\Windows\system32\SAsrv.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files (x86)\Lenovo\System Update\SUService.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Unknown owner - C:\Windows\System32\TPHDEXLG64.exe (file missing)
    O23 - Service: Lenovo Hotkey Client Loader (TPHKLOAD) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
    O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: Intel® PROSet/Wireless WiMAX Service (WiMAXAppSrv) - Intel(R) Corporation - C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 14340 bytes
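    The HijackThis log above lists hundreds of entries, most of them harmless. The following triage helper is an added example (not from this thread and not part of HijackThis itself) that applies the first-pass rules a removal helper uses: autoruns launched from user-writable folders, Winsock LSP and AppInit_DLLs entries (both load code into many processes), and services with no vendor information outside the Windows directory. The sample log embedded in it is constructed from lines modeled on the format above; the `updater` and `helpersvc` entries are invented to exercise the rules.

```python
"""Triage helper for HijackThis 2.x logs (added example, not from the thread).

Everything it reports is "a human should look at this", not "this is malicious".
"""
import re
from dataclasses import dataclass
from typing import List

# Folders an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# O4 - HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: display name (short) - owner - path [(file missing)]
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")

# Constructed sample, modeled on the HijackThis v2.0.4 log format in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
O4 - HKCU\..\Run: [Xvid] c:\program files (x86)\xvid\checkupdate.exe
O4 - HKCU\..\Run: [updater] C:\Users\Groth\AppData\Local\Temp\updater.exe /silent
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O20 - AppInit_DLLs: C:\Windows\SysWOW64\nvinit.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Helper Service (helpersvc) - Unknown owner - C:\ProgramData\helper\helpersvc.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why a human should look at it
    line: str     # the original log line


def _exe_from_command(cmd: str) -> str:
    """Return the executable part of a Run value ("C:\\x\\y.exe" /arg -> C:\\x\\y.exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")          # unquoted path with spaces, e.g. c:\program files\...
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ", 1)[0]


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        svc = SVC_RE.match(line)
        if run:
            exe = _exe_from_command(run.group("cmd"))
            if _user_writable(exe):
                findings.append(Finding("O4", f"autorun from user-writable path: {exe}", line))
        elif line.startswith("O10 - "):
            # A Winsock LSP sits in the socket path of every networking process; verify the DLL.
            findings.append(Finding("O10", "Winsock LSP DLL loaded into all networking processes", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs are injected into every process that loads user32.dll.
            findings.append(Finding("O20", "AppInit_DLLs injects this DLL system-wide", line))
        elif svc:
            path, owner = svc.group("path"), svc.group("owner")
            missing = bool(svc.group("missing"))
            in_windows = "\\windows\\" in path.lower()
            if missing and in_windows:
                # 32-bit HijackThis on 64-bit Windows cannot see the real System32
                # (WOW64 file-system redirection), so these "file missing" hits are expected.
                continue
            if missing:
                findings.append(Finding("O23", "service points at a binary that no longer exists", line))
            elif owner == "Unknown owner" and not in_windows:
                findings.append(Finding("O23", f"service with no vendor information outside Windows dir: {path}", line))
            elif _user_writable(path):
                findings.append(Finding("O23", f"service binary in user-writable path: {path}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```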
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did the redirect resolve after you ran the first CFScript and reset the router?

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\RegistryDefragBootTime.exe
    C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe 
    Folder::
    C:\59172177595d2796d147
    c:\programdata\IObit
    c:\users\Groth\AppData\Roaming\IObit
    c:\program files (x86)\IObit
    DDS::
    uRun: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Xvid"=-
    Driver::
    AdvancedSystemCareService5
    
    Clearjavacache::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Please update Java to v6u31: Java Updates . Be sure you have uninstalled v6u22 in Add/Remove Programs as they are vulnerabilities for the system.

    Be sure to check all download screens for any pre-checked toolbars or BHOs> if found, remove the check before the download.
    ===========================================
    How is the system doing now? HijackThis is okay.
     
  19. jezzag

    jezzag TS Rookie Topic Starter

    System is running great now. I haven't seen any redirects since I ran CFScript and reset the router. My Java is up to date to v6u31.

    Here's the ComboFix.txt:

    ComboFix 12-03-29.02 - Groth 03/29/2012 21:31:29.3.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3979.1180 [GMT -5:00]
    Running from: c:\users\Groth\Desktop\ComboFix.exe
    Command switches used :: c:\users\Groth\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe"
    "c:\windows\system32\RegistryDefragBootTime.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\59172177595d2796d147
    c:\59172177595d2796d147\$shtdwn$.req
    c:\59172177595d2796d147\mrt.exe
    c:\59172177595d2796d147\mrtstub.exe
    c:\program files (x86)\IObit
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-02-26.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-02-27.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-02-28.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-02-29.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-01.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-02.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-03.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-04.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-05.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-06.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-07.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-08.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-09.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-10.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-11.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-12.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\ASCServiceLog\2012-03-13.log
    c:\program files (x86)\IObit\Advanced SystemCare 5\BootTimeLog\Defrag2012-03-04(07-50-20).log
    c:\program files (x86)\IObit\Advanced SystemCare 5\checkinfo.txt
    c:\program files (x86)\IObit\Advanced SystemCare 5\LatestNews\imagenews.png
    c:\program files (x86)\IObit\Advanced SystemCare 5\LatestNews\LatestNews.ini
    c:\program files (x86)\IObit\Advanced SystemCare 5\SecurityHole_Backup\KB2600217.exe
    c:\program files (x86)\IObit\Advanced SystemCare 5\sh.dat
    c:\program files (x86)\IObit\Advanced SystemCare 5\Update\Update.Ini
    c:\program files (x86)\IObit\Advanced SystemCare 5\UpdateHistory.txt
    c:\programdata\IObit
    c:\programdata\IObit\Advanced SystemCare V5\AscService.ini
    c:\users\Groth\AppData\Local\Temp\nvSCPAPI64.dll
    c:\users\Groth\AppData\Local\Temp\nvStereoApiI64.dll
    c:\users\Groth\AppData\Roaming\IObit
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup32-2012-02-19(07-29-16).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup32-2012-02-19(07-35-48).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup32-2012-02-27(17-39-25).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup32-2012-03-03(22-36-10).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup32-2012-03-10(08-38-19).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup32-2012-03-12(06-50-36).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup64-2012-02-19(07-29-16).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup64-2012-02-19(07-35-48).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup64-2012-02-27(17-39-25).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup64-2012-03-03(22-36-10).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup64-2012-03-10(08-38-19).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Backup\ASCBackup64-2012-03-12(06-50-36).reg
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\EmptyFolder\Restore.ini
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\ignore.ini
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\JFilterkey.dbd
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Log\ASCLog-2012-02-19(07-29-16).txt
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Log\ASCLog-2012-02-19(07-35-48).txt
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Log\ASCLog-2012-02-27(17-39-25).txt
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Log\ASCLog-2012-03-03(22-36-10).txt
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Log\ASCLog-2012-03-10(08-38-19).txt
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Log\ASCLog-2012-03-12(06-50-36).txt
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Main.ini
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\TBWorkconfig.ini
    c:\users\Groth\AppData\Roaming\IObit\Advanced SystemCare V5\Toolbox\Config.ini
    c:\users\Groth\AppData\Roaming\IObit\IObit Uninstaller\Log\2012-03-04.log
    c:\users\Groth\AppData\Roaming\IObit\IObit Uninstaller\Log\2012-03-12.log
    c:\users\Groth\AppData\Roaming\IObit\IObit Uninstaller\SoftwareCache.ini
    c:\windows\system32\RegistryDefragBootTime.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-30 03:18 . 2012-03-30 03:18 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-03-30 03:18 . 2012-03-30 03:18 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-03-30 03:18 . 2012-03-30 03:18 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-03-28 16:43 . 2012-03-28 16:43 -------- d-----w- c:\program files (x86)\Common Files\Java
    2012-03-28 16:42 . 2012-03-28 16:42 -------- d-----w- c:\program files (x86)\Java
    2012-03-28 16:40 . 2012-03-28 16:40 525544 ----a-w- c:\windows\system32\deployJava1.dll
    2012-03-28 16:40 . 2012-03-28 16:40 -------- d-----w- c:\program files\Java
    2012-03-28 16:25 . 2012-03-28 16:25 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-03-28 16:25 . 2012-03-28 16:25 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-03-27 15:37 . 2012-03-13 18:14 476904 ----a-w- c:\program files (x86)\Mozilla Firefox\Plugins\npdeployJava1.dll
    2012-03-27 15:23 . 2012-03-27 15:27 -------- d-----w- C:\HijackThis
    2012-03-26 15:20 . 2011-11-18 00:38 66856 ----a-w- c:\windows\SysWow64\SynTPEnhPS.dll
    2012-03-26 15:20 . 2011-11-18 00:40 404016 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2012-03-26 15:20 . 2011-11-18 00:38 227624 ----a-w- c:\windows\system32\SynTPAPI.dll
    2012-03-26 15:20 . 2011-11-18 00:38 148776 ----a-w- c:\windows\system32\SynTPCo9.dll
    2012-03-26 15:20 . 2011-11-18 00:38 222504 ----a-w- c:\windows\SysWow64\SynCtrl.dll
    2012-03-26 15:20 . 2011-11-18 00:38 277800 ----a-w- c:\windows\system32\SynCtrl.dll
    2012-03-26 15:20 . 2011-11-18 00:38 181544 ----a-w- c:\windows\SysWow64\SynCOM.dll
    2012-03-26 12:05 . 2012-03-26 12:05 -------- d-----w- c:\users\Groth\AppData\Roaming\SUPERAntiSpyware.com
    2012-03-26 12:05 . 2012-03-26 12:05 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-03-26 12:05 . 2012-03-26 12:05 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-03-22 18:13 . 2012-03-22 18:13 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
    2012-03-22 18:13 . 2012-03-22 18:13 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
    2012-03-21 13:09 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-03-21 13:09 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-03-21 13:09 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-03-14 18:04 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
    2012-03-14 18:03 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2012-03-14 18:03 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
    2012-03-14 17:34 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-03-14 17:34 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-03-14 17:34 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-03-14 17:34 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-03-14 17:34 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-03-14 17:34 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-03-14 17:34 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-03-13 22:21 . 2012-03-13 22:21 -------- d-----w- c:\program files (x86)\ESET
    2012-03-13 16:16 . 2012-03-13 16:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-03-13 16:16 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-10 19:44 . 2012-03-27 17:35 -------- d-----w- c:\users\Groth\AppData\Roaming\foobar2000
    2012-03-10 19:44 . 2012-03-10 19:44 -------- d-----w- c:\program files (x86)\foobar2000
    2012-03-04 15:53 . 2012-03-04 15:53 -------- d-----w- c:\users\Groth\AppData\Roaming\OpenOffice.org
    2012-03-04 15:52 . 2012-03-12 11:34 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
    2012-02-29 15:05 . 2012-03-11 14:00 -------- d-----w- c:\program files (x86)\SpywareBlaster
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-28 16:42 . 2012-01-07 20:57 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-01-23 08:06 . 2011-09-28 21:13 527424 ------w- c:\windows\PWMBTHLV.EXE
    2012-01-23 08:06 . 2011-09-28 21:13 31344 ----a-w- c:\windows\system32\drivers\DZHDD64.SYS
    2012-01-23 08:06 . 2011-09-28 21:13 14960 ----a-w- c:\windows\system32\drivers\TPPWR64V.SYS
    2012-01-23 08:06 . 2011-09-28 21:13 1036352 ----a-w- c:\windows\system32\PWMCP64V.cpl
    2012-01-04 10:44 . 2012-02-19 09:12 509952 ----a-w- c:\windows\system32\ntshrui.dll
    2012-01-04 08:58 . 2012-02-19 09:12 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-03-13_17.38.36 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2012-03-08 19:18 . 2012-03-08 19:19 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2012-03-08 19:18 . 2012-03-19 03:37 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-07-14 04:54 . 2012-03-12 13:12 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-03-30 01:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2012-03-12 13:12 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-03-30 01:40 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-03-30 01:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-03-12 13:12 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-11-21 03:09 . 2012-03-22 12:46 60038 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-03-27 15:16 38992 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    - 2009-07-14 05:30 . 2012-02-26 23:56 86016 c:\windows\system32\DriverStore\infpub.dat
    + 2009-07-14 05:30 . 2012-03-28 16:31 86016 c:\windows\system32\DriverStore\infpub.dat
    + 2012-03-26 15:20 . 2011-11-18 00:38 66856 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTPEnhPS32.dll
    + 2012-03-26 15:20 . 2011-11-18 00:38 58664 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTPEnhPS.dll
    + 2011-09-28 21:13 . 2012-03-30 03:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-09-28 21:13 . 2012-03-13 17:38 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-09-28 21:13 . 2012-03-30 03:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-09-28 21:13 . 2012-03-13 17:38 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-03-13 17:38 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-03-30 03:23 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:46 . 2012-03-12 11:37 95344 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2009-07-14 04:46 . 2012-03-27 12:04 95344 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2011-11-17 04:07 . 2012-03-13 17:37 3422 c:\windows\system32\wdi\ERCQueuedResolutions.dat
    + 2011-11-17 04:07 . 2012-03-26 14:01 3422 c:\windows\system32\wdi\ERCQueuedResolutions.dat
    + 2011-11-11 00:03 . 2012-03-27 15:16 7532 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1699539174-4049867383-3466198633-1002_UserData.bin
    + 2012-03-18 22:00 . 2012-03-18 22:00 9560 c:\windows\system32\NetworkList\Icons\{A4915D9B-EC35-4A9C-8CBD-3AF55B849F1A}_48.bin
    + 2012-03-18 22:00 . 2012-03-18 22:00 4280 c:\windows\system32\NetworkList\Icons\{A4915D9B-EC35-4A9C-8CBD-3AF55B849F1A}_32.bin
    + 2012-03-18 22:00 . 2012-03-18 22:00 2456 c:\windows\system32\NetworkList\Icons\{A4915D9B-EC35-4A9C-8CBD-3AF55B849F1A}_24.bin
    + 2012-03-18 14:56 . 2012-03-18 14:56 9560 c:\windows\system32\NetworkList\Icons\{9CFF14CC-5368-4220-835B-91B449C68735}_48.bin
    + 2012-03-18 14:56 . 2012-03-18 14:56 4280 c:\windows\system32\NetworkList\Icons\{9CFF14CC-5368-4220-835B-91B449C68735}_32.bin
    + 2012-03-18 14:56 . 2012-03-18 14:56 2456 c:\windows\system32\NetworkList\Icons\{9CFF14CC-5368-4220-835B-91B449C68735}_24.bin
    + 2012-03-14 12:30 . 2012-03-14 12:30 9560 c:\windows\system32\NetworkList\Icons\{8F43AC1B-316B-40CB-BC98-5CD47480F153}_48.bin
    + 2012-03-14 12:30 . 2012-03-14 12:30 4280 c:\windows\system32\NetworkList\Icons\{8F43AC1B-316B-40CB-BC98-5CD47480F153}_32.bin
    + 2012-03-14 12:30 . 2012-03-14 12:30 2456 c:\windows\system32\NetworkList\Icons\{8F43AC1B-316B-40CB-BC98-5CD47480F153}_24.bin
    + 2012-03-19 13:56 . 2012-03-19 13:56 9560 c:\windows\system32\NetworkList\Icons\{873004FA-8873-4F49-8C67-4CBB34B2EF39}_48.bin
    + 2012-03-19 13:56 . 2012-03-19 13:56 4280 c:\windows\system32\NetworkList\Icons\{873004FA-8873-4F49-8C67-4CBB34B2EF39}_32.bin
    + 2012-03-19 13:56 . 2012-03-19 13:56 2456 c:\windows\system32\NetworkList\Icons\{873004FA-8873-4F49-8C67-4CBB34B2EF39}_24.bin
    + 2012-03-19 03:36 . 2012-03-19 03:36 9560 c:\windows\system32\NetworkList\Icons\{79DB70FA-29E1-498B-8B86-7C7F9E6B7B93}_48.bin
    + 2012-03-19 03:36 . 2012-03-19 03:36 4280 c:\windows\system32\NetworkList\Icons\{79DB70FA-29E1-498B-8B86-7C7F9E6B7B93}_32.bin
    + 2012-03-19 03:36 . 2012-03-19 03:36 2456 c:\windows\system32\NetworkList\Icons\{79DB70FA-29E1-498B-8B86-7C7F9E6B7B93}_24.bin
    + 2012-03-19 17:22 . 2012-03-19 17:22 9560 c:\windows\system32\NetworkList\Icons\{419B0567-57EA-43FE-B5B1-751FC9AB5417}_48.bin
    + 2012-03-19 17:22 . 2012-03-19 17:22 4280 c:\windows\system32\NetworkList\Icons\{419B0567-57EA-43FE-B5B1-751FC9AB5417}_32.bin
    + 2012-03-19 17:22 . 2012-03-19 17:22 2456 c:\windows\system32\NetworkList\Icons\{419B0567-57EA-43FE-B5B1-751FC9AB5417}_24.bin
    + 2012-03-15 00:50 . 2012-03-15 00:50 9560 c:\windows\system32\NetworkList\Icons\{330F497E-5B35-4FCC-9414-BAD3DDA573D3}_48.bin
    + 2012-03-15 00:50 . 2012-03-15 00:50 4280 c:\windows\system32\NetworkList\Icons\{330F497E-5B35-4FCC-9414-BAD3DDA573D3}_32.bin
    + 2012-03-15 00:50 . 2012-03-15 00:50 2456 c:\windows\system32\NetworkList\Icons\{330F497E-5B35-4FCC-9414-BAD3DDA573D3}_24.bin
    + 2012-03-26 15:20 . 2010-11-06 23:18 7728 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\TP4table.dat
    + 2012-03-30 03:23 . 2012-03-30 03:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-03-13 17:38 . 2012-03-13 17:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-09-28 20:56 . 2011-11-18 00:38 111912 c:\windows\SysWOW64\SynTPCOM.dll
    + 2012-03-28 16:25 . 2012-03-28 16:25 353440 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_2_202_228_Plugin.exe
    + 2012-03-28 16:25 . 2012-03-28 16:25 253600 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    + 2012-03-28 16:42 . 2012-03-28 16:42 157472 c:\windows\SysWOW64\javaws.exe
    - 2012-01-07 20:57 . 2012-01-07 20:57 157472 c:\windows\SysWOW64\javaws.exe
    + 2012-03-28 16:42 . 2012-03-28 16:42 149280 c:\windows\SysWOW64\javaw.exe
    - 2012-01-07 20:57 . 2012-01-07 20:57 149280 c:\windows\SysWOW64\javaw.exe
    - 2012-01-07 20:57 . 2012-01-07 20:57 149280 c:\windows\SysWOW64\java.exe
    + 2012-03-28 16:42 . 2012-03-28 16:42 149280 c:\windows\SysWOW64\java.exe
    + 2011-11-11 13:27 . 2012-03-28 04:19 234316 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
    + 2011-11-11 00:00 . 2012-03-30 02:24 286888 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2011-09-28 20:56 . 2011-11-18 00:38 419624 c:\windows\system32\SynCOM.dll
    - 2009-07-14 02:36 . 2012-03-13 17:26 624622 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-03-30 01:45 624622 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-03-30 01:45 106708 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2012-03-13 17:26 106708 c:\windows\system32\perfc009.dat
    + 2012-03-28 16:25 . 2012-03-28 16:25 630432 c:\windows\system32\Macromed\Flash\FlashUtil64_11_2_202_228_Plugin.exe
    + 2012-03-28 16:40 . 2012-03-28 16:40 191264 c:\windows\system32\javaws.exe
    + 2012-03-28 16:40 . 2012-03-28 16:40 172320 c:\windows\system32\javaw.exe
    + 2012-03-28 16:40 . 2012-03-28 16:40 172320 c:\windows\system32\java.exe
    - 2009-07-14 04:45 . 2012-03-11 14:00 347936 c:\windows\system32\FNTCACHE.DAT
    + 2009-07-14 04:45 . 2012-03-22 01:42 347936 c:\windows\system32\FNTCACHE.DAT
    - 2009-07-14 05:30 . 2012-02-26 23:56 143360 c:\windows\system32\DriverStore\infstrng.dat
    + 2009-07-14 05:30 . 2012-03-28 16:31 143360 c:\windows\system32\DriverStore\infstrng.dat
    - 2009-07-14 05:30 . 2012-02-21 18:01 143360 c:\windows\system32\DriverStore\infstor.dat
    + 2009-07-14 05:30 . 2012-03-28 16:30 143360 c:\windows\system32\DriverStore\infstor.dat
    + 2012-03-26 15:20 . 2011-11-18 00:38 337192 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\Tutorial.exe
    + 2012-03-26 15:20 . 2011-11-18 00:38 251176 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynZMetr.exe
    + 2012-03-26 15:20 . 2011-11-18 00:39 154408 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTPLpr.exe
    + 2012-03-26 15:20 . 2011-11-18 00:38 121640 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTPHelper.exe
    + 2012-03-26 15:20 . 2011-11-18 00:38 111912 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTPCOM32.dll
    + 2012-03-26 15:20 . 2011-11-18 00:38 121640 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTPCOM.dll
    + 2012-03-26 15:20 . 2011-11-18 00:38 148776 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTPCo9.dll
    + 2012-03-26 15:20 . 2011-11-18 00:38 227624 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTPAPI.dll
    + 2012-03-26 15:20 . 2011-11-18 00:40 404016 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTP.sys
    + 2012-03-26 15:20 . 2011-11-18 00:38 242984 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynMood.exe
    + 2012-03-26 15:20 . 2011-11-18 00:38 230696 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynISDLL.dll
    + 2012-03-26 15:20 . 2011-11-18 00:38 222504 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynCtrl32.dll
    + 2012-03-26 15:20 . 2011-11-18 00:38 277800 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynCtrl.dll
    + 2012-03-26 15:20 . 2011-11-18 00:38 181544 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynCOM32.dll
    + 2012-03-26 15:20 . 2011-11-18 00:38 419624 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynCOM.dll
    + 2012-03-26 15:20 . 2011-11-18 00:38 173352 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\InstNT.exe
    + 2012-03-26 15:20 . 2011-11-18 00:40 404016 c:\windows\system32\DriverStore\FileRepository\synhid.inf_amd64_neutral_b5a7b612b8a6267d\SynTP.sys
    + 2009-07-14 05:01 . 2012-03-30 03:22 324360 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01 . 2012-03-13 17:37 324360 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-03-28 16:43 . 2012-03-28 16:43 207360 c:\windows\Installer\569053d.msi
    + 2012-03-28 16:39 . 2012-03-28 16:39 908800 c:\windows\Installer\5690531.msi
    + 2011-09-28 21:21 . 2012-03-29 19:52 152588 c:\windows\Installer\{8E537894-A559-4D60-B3CB-F4485E3D24E3}\ARPPRODUCTICON.exe
    - 2011-09-28 21:21 . 2012-02-03 21:58 152588 c:\windows\Installer\{8E537894-A559-4D60-B3CB-F4485E3D24E3}\ARPPRODUCTICON.exe
    + 2012-03-26 15:18 . 2012-03-26 15:18 180655 c:\windows\Installer\{5E2652DF-743F-482B-A593-C95F431A5769}\ARPPRODUCTICON.exe
    + 2012-03-26 15:19 . 2012-03-26 15:19 882688 c:\windows\assembly\NativeImages_v2.0.50727_32\PWMUICtl\8bcde1822fe8a902ccceb0d00bb7e92b\PWMUICtl.ni.dll
    + 2012-03-26 15:19 . 2012-03-26 15:19 158208 c:\windows\assembly\NativeImages_v2.0.50727_32\PWMUIAux\6da00397165e9f1cfe12445b382567bd\PWMUIAux.ni.exe
    + 2012-03-26 15:19 . 2012-03-26 15:19 928768 c:\windows\assembly\NativeImages_v2.0.50727_32\PWMUI\bd313281d9721de3ed6fad1cdcc4cdba\PWMUI.ni.exe
    + 2012-03-28 16:25 . 2012-03-28 16:25 8797344 c:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_228.dll
    + 2012-03-26 15:20 . 2009-08-07 14:49 1721576 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\WdfCoInstaller01009.dll
    + 2012-03-26 15:20 . 2011-11-18 00:39 9302824 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTPRes.dll
    + 2012-03-26 15:20 . 2011-11-18 00:38 2851112 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTPEnh.exe
    + 2012-03-26 15:20 . 2011-11-18 00:38 1907496 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\SynTPCpl.dll
    + 2012-03-26 15:20 . 2011-09-15 00:11 1048576 c:\windows\system32\DriverStore\FileRepository\synpd.inf_amd64_neutral_71bc61cb22dcb472\syndata.bin
    + 2012-03-26 15:20 . 2009-08-07 14:49 1721576 c:\windows\system32\DriverStore\FileRepository\synhid.inf_amd64_neutral_b5a7b612b8a6267d\WdfCoInstaller01009.dll
    + 2009-07-14 04:45 . 2012-03-22 01:44 7185859 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    - 2009-07-14 04:45 . 2012-03-11 14:02 7185859 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2011-09-28 21:19 . 2012-03-30 03:22 2767448 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2011-09-28 21:19 . 2012-03-13 17:37 2767448 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2011-11-11 03:24 . 2012-03-11 05:04 1282720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1699539174-4049867383-3466198633-1002-4096.dat
    + 2011-11-11 03:24 . 2012-03-30 03:22 1282720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1699539174-4049867383-3466198633-1002-4096.dat
    + 2012-03-26 15:18 . 2012-03-26 15:18 6953472 c:\windows\Installer\46b3e2.msi
    + 2012-03-26 15:18 . 2012-03-26 15:18 6953472 c:\windows\Downloaded Installations\{F9E5CC92-B881-41FE-BDA2-1517AF39CC5C}\RapidBoot.msi
    + 2009-07-14 02:34 . 2012-03-22 01:41 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    - 2009-07-14 02:34 . 2012-02-19 09:28 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2011-11-10 23:39 . 2012-03-21 13:04 56297240 c:\windows\system32\MRT.exe
    + 2012-03-28 16:25 . 2012-03-28 16:25 11588768 c:\windows\system32\Macromed\Flash\NPSWF64_11_2_202_228.dll
    + 2011-11-17 04:07 . 2012-03-30 03:22 42190888 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1699539174-4049867383-3466198633-1002-12288.dat
    + 2012-03-28 16:42 . 2012-03-28 16:42 12938752 c:\windows\Installer\5690536.msi
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 94208 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OfficeSyncProcess"="c:\program files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE" [2012-01-04 3208032]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 4785536]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IMSS"="c:\program files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
    "PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2012-01-23 1631808]
    "ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2011-03-29 115624]
    "RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
    "DivXUpdate"="c:\program files (x86)\divx\divx update\divxupdate.exe" [2011-07-28 1259376]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\users\Groth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Groth\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2011-11-18 144448]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 253600]
    R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [x]
    R3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [x]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2012-01-23 478056]
    R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [x]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys [x]
    R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-01-23 89152]
    R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-01-23 175168]
    R3 swg3kflt01;Sierra Wireless USB Composite Device Filter Driver 01;c:\windows\system32\DRIVERS\swg3kflt01.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [x]
    S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [x]
    S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [x]
    S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [x]
    S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2011-07-08 32104]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-08-08 1166848]
    S2 BTHSSecurityMgr;Intel(R) Centrino(R) Wireless Bluetooth(R) 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-06-03 134928]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [x]
    S2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [2011-06-06 498688]
    S2 GobiQDLService;Sierra Wireless QDL Service;c:\program files (x86)\Sierra Wireless Inc\Gobi\QDLService\GobiQDLService.exe [2011-09-01 316784]
    S2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-07 210896]
    S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2011-07-22 41832]
    S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736]
    S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2011-07-22 60264]
    S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-13 2214504]
    S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys [x]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256]
    S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-07-12 142696]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-01-17 2656280]
    S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [2011-06-06 986112]
    S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [x]
    S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [x]
    S3 bpenum;Intel(R) Centrino(R) WiMAX Enumerator;c:\windows\system32\DRIVERS\bpenum.sys [x]
    S3 bpmp;Intel(R) Centrino(R) WiMAX 6050 Series;c:\windows\system32\DRIVERS\bpmp.sys [x]
    S3 bpusb;Intel(R) Centrino(R) WiMAX 6050 Series Function Driver;c:\windows\system32\Drivers\bpusb.sys [x]
    S3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [x]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-03 138360]
    S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [x]
    S3 LenovoRd;LenovoRd;c:\windows\system32\Drivers\LenovoRd.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    S3 swg3kmbb01;Sierra Wireless QMI USB-NDIS 6.20 miniport for Lenovo;c:\windows\system32\DRIVERS\swg3kmbb01.sys [x]
    S3 swg3knmea01;Sierra Wireless QMI NMEA Communication - Lenovo;c:\windows\system32\DRIVERS\swg3knmea01.sys [x]
    S3 swg3kser01;Sierra Wireless QMI USB Device for Legacy Serial Communication - Lenovo;c:\windows\system32\DRIVERS\swg3kser01.sys [x]
    S3 swibus01;Sierra Wireless Bus Enumerator 01;c:\windows\system32\DRIVERS\swibus01.sys [x]
    S3 swibusflt01;Sierra Wireless Bus Enumerator Filter 01;c:\windows\system32\DRIVERS\swibusflt01.sys [x]
    S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-30 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 16:25]
    .
    2012-03-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:06]
    .
    2012-03-30 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\PC-Doctor\uaclauncher.exe [2011-06-27 15:06]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 97792 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 97792 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 97792 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-01-18 18:49 97792 ----a-w- c:\users\Groth\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "TpShocks"="TpShocks.exe" [2010-12-09 380776]
    "ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]
    "LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2011-07-22 42344]
    "ALCKRESI.EXE"="c:\program files\Lenovo\AutoLock\ALCKRESI.EXE" [2010-12-17 281448]
    "AcWin7Hlpr"="c:\program files (x86)\Lenovo\Access Connections\AcTBenabler.exe" [2011-10-20 33344]
    "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-15 316032]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]
    "combofix"="c:\combofix\CF31972.3XE" [2010-11-21 345088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\windows\System32\nvinitx.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://lenovo.msn.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Groth\AppData\Roaming\Mozilla\Firefox\Profiles\njgkb3ho.default\
    FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/u/0/?shva=1#inbox|http://www.weather.com/weather/today/Madison WI 53705
    FF - prefs.js: network.proxy.type - 4
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\windows\SysWOW64\SAsrv.exe
    c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files (x86)\Lenovo\Access Connections\AcSvc.exe
    c:\program files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
    c:\program files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe
    c:\windows\SysWOW64\rundll32.exe
    c:\progra~2\ThinkPad\UTILIT~1\SCHTASK.exe
    r:\140066.enu\Office14\MSOSYNC.EXE
    c:\program files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files (x86)\Lenovo\System Update\SUService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-29 22:43:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-30 03:43
    ComboFix2.txt 2012-03-13 18:05
    ComboFix3.txt 2012-03-13 17:40
    .
    Pre-Run: 43,937,673,216 bytes free
    Post-Run: 43,781,357,568 bytes free
    .
    - - End Of File - - FE2E2885C74DCEEC3C267E3131E3CB3F
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, looks good. Two entries to remove, but I don't need the log. Looks like you ran Combofix a couple of years ago but didn't fully uninstall. So I put the registry entry for it in the script. Please also follow the removal with the command in the instructions below for the current install of Combofix:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . No need to leave new log.
    ====================
    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
      [o] Click START> then RUN
      [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      [o] Double click OTCleanIt.exe.
      [o] Click the CleanUp! button.
      [o] If you are prompted to Reboot during the cleanup, select Yes.
      [o] The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • Set a new, clean Restore Point
      [o] Click on Start> right click on Computer> Properties
      [o] Select System Protection
      [o] Click on the Create button (near bottom)
      [o] Type a name for the Restore Point
      [o] Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
      [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
      [o] Click Disk Cleanup from there.
      [​IMG]
      [o] Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
      [o] Click the More Options tab
      [​IMG]
      [o] Click the Clean up under System Restore and Shadow Copies.
      [o] Click OK.
      [o] You will get a confirmation screen> Just click Delete.
      [o] Click OK on the Disk Cleanup Screen.
      [o] Click Delete Files on the Confirmation screen.
    [​IMG]
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
    Images courtesy lytebyte.

    Empty the Recycle Bin
    ================================
    This is optional but I recommend stopping or removing these Scheduled Tasks:

    -------------------------
    Opening scheduled tasks to modify or delete them:
    Open Scheduled Tasks by clicking Start> All Programs> Accessories> System Tools> Scheduled Tasks.

    • To change the settings for a task: right-click the Task> click Properties> do any of the following: Select 1,2,3 or 4 for each.
      1. To change the schedule for the task, click the Schedule tab.
      2. To customize the settings for the task, such as run time, idle time, power management options, click the Settings tab.
      3. To delete a task> right-click the task> click Delete.
      4. To prevent task from running until you run again>
        [o] right-click the task> Properties> On the General tab>
        [o] clear the Enabled check box> Select the check box again when you are ready to run it again.
      ======================================

      Let me know if you have any questions.
     
    jezzag likes this.
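    The log above and the CFScript in the reply illustrate the manual side of this kind of cleanup: a scanner reported nothing, and the leftover Run entry and the Security Center "DisableMonitoring" flag were found by reading the autostart sections of the log by hand. As an added example that is not part of this thread and not ComboFix's own code, the Python script below parses the ComboFix line shapes seen on this page (registry blocks, service lines, Run values) from a constructed excerpt copied from the log above, reports the persistence points a reviewer reads first (AppInit_DLLs, the LSA Security Packages list, Run entries, Security Center monitoring overrides, services for which ComboFix recorded no date/size), and emits a Registry:: deletion script in the same format as the one in the reply. The "needs review" heuristic (image outside the Windows or Program Files trees, or a bare filename resolved via the search path) is an assumption of this example, not a verdict; it flags TpShocks.exe as well as the stale combofix entry, which is why the script takes an operator-chosen target list rather than its own output. In this log the flagged sections hold standard entries (nvinit.dll is NVIDIA's AppInit DLL; kerberos, msv1_0, schannel, wdigest, tspkg, pku2u and livessp are the stock Windows 7 security packages), which is the point of reading them: they are where a redirecting implant would have to live if it were present.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix log format, copied from entries in the log
# posted above; it is not the full log and not output from a fresh scan.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2011-11-18 144448]
R3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys [x]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]
"TpShocks"="TpShocks.exe" [2010-12-09 380776]
"combofix"="c:\combofix\CF31972.3XE" [2010-11-21 345088]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
MULTI_RE = re.compile(r"^(.+?) REG_MULTI_SZ (.+)$")
RUN_DATA_RE = re.compile(r'^"([^"]*)"(?: \[(.*)\])?$')
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(x|\d{4}-\d{2}-\d{2} \d+)\]$")

@dataclass
class RegValue:
    key: str
    name: str
    data: str

@dataclass
class Service:
    state: str          # R = running, S = stopped; the digit is the start type
    name: str
    description: str
    path: str
    stamp: str          # "date size" as recorded by ComboFix, or "x" when it recorded none

def parse_log(text):
    """Walk the log line by line; a lone '.' ends the current registry block."""
    values, services, key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            key = None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(Service(*m.groups()))
            continue
        m = VALUE_RE.match(line) or MULTI_RE.match(line)
        if m and key:
            values.append(RegValue(key, m.group(1), m.group(2)))
    return values, services

def run_entries(values):
    """(name, image path) for every value under a ...\\CurrentVersion\\Run key."""
    out = []
    for v in values:
        if v.key.lower().endswith("\\currentversion\\run"):
            m = RUN_DATA_RE.match(v.data)
            out.append((v.name, m.group(1) if m else v.data))
    return out

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def needs_review(path):
    """Assumed triage heuristic (not a verdict): image outside the OS/Program Files
    trees, or a bare filename resolved via the search path at logon."""
    p = path.lower()
    return "\\" not in p or not p.startswith(TRUSTED_ROOTS)

def monitoring_suppressed(values):
    """Security Center Monitoring\\<Product> DisableMonitoring=1 tells Windows to stop
    tracking that product's status; report it so the operator can decide."""
    return [(v.key, v.name) for v in values
            if "\\security center\\monitoring\\" in v.key.lower()
            and v.name == "DisableMonitoring" and v.data.lower() == "dword:00000001"]

def cfscript_delete_values(targets):
    """Emit a ComboFix Registry:: script; "name"=- is .reg syntax for deleting a value."""
    lines = ["Registry::"]
    for key, name in targets:
        lines += [f"[{key}]", f'"{name}"=-']
    return "\n".join(lines) + "\n"

def report(text):
    """Summarise the persistence points a reviewer reads first."""
    values, services = parse_log(text)
    return {
        "appinit": [v.data for v in values if v.name == "AppInit_DLLs"],
        "lsa_packages": next((v.data.split() for v in values if v.name == "Security Packages"), []),
        "review_run": [n for n, p in run_entries(values) if needs_review(p)],
        "monitoring_off": monitoring_suppressed(values),
        "unstamped_services": [s.name for s in services if s.stamp == "x"],
    }

if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    for k, v in r.items():
        print(f"{k}: {v}")
    # Targets are the operator's reviewed choice, not the raw heuristic output.
    run_key = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    print(cfscript_delete_values([(run_key, "combofix")] + r["monitoring_off"]))
```

    The regexes cover only the line shapes that appear in the log above; a full ComboFix log has other sections (file listings, locked keys, orphans) that this example does not parse. Run it against a saved C:\ComboFix.txt by replacing SAMPLE_LOG with the file's contents.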
  21. jezzag

    jezzag TS Rookie Topic Starter

    Thanks for all your help!
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome! I didn't realize the thread was still open.
     