Inactive Google redirect / search engines unable to load - Windows 7 system


Dtail42

Dear All,

For about 8-10 days, I've been having these problems with my laptop (32-bit Windows 7):
When I start up my laptop after shutting it down entirely, all seems fine; Google loads quickly. Then, between 30 and 120 minutes after startup, things start going bad. First, Google redirects (especially from links I try to access after googling 'anti virus' or similar). Then, quite rapidly afterward, Google (in any country/version) won't load at all, and neither will Bing or Yahoo.

I have Sophos Anti-Virus installed and ran a full check, with nothing found. I installed Malwarebytes & did a quick scan, which found nothing:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.01.02

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
Hansen :: FADING [administrator]

01-Feb-12 12:05:52
mbam-log-2012-02-01 (12-05-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199661
Time elapsed: 12 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


--------------------------------


Following the advice in your 5-step guide, I then ran GMER, with the following log as the result:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-31 16:08:46
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.GJ00
Running: vtdn6o4v.exe; Driver: C:\Users\Hansen\AppData\Local\Temp\awldypod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8307A5D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8309F092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwResumeThread 832A953E 1 Byte [CC] {INT 3 }
.text iaStor.sys 83E5A8C6 1 Byte [CC] {INT 3 }

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[1972] kernel32.dll!CopyFileExW 765707DB 7 Bytes JMP 6FA075A0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\Windows\Explorer.EXE[1972] kernel32.dll!MoveFileWithProgressW 7657BE8C 5 Bytes JMP 6FA07460 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\Windows\Explorer.EXE[1972] ole32.dll!CoCreateInstance 7739590C 8 Bytes JMP 6FA07860 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:436] 88D12161
Thread System [4:504] 8AB78C30

------------------------
After this, I saved the log above, as the scan seemed to be finished, and then got a message that it wasn't finished yet, so I re-ran/continued (?) the scan, and the following short log was created:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-31 16:10:02
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.GJ00
Running: vtdn6o4v.exe; Driver: C:\Users\Hansen\AppData\Local\Temp\awldypod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:436] 88D12161
Thread System [4:504] 8AB78C30

---- EOF - GMER 1.0.15 ----



------------------------------
Please help; any advice much appreciated!
Cheers,
Dennis
 
DDS logs posted here

DDS txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by Hansen at 12:44:04 on 2012-02-01
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3511.1919 [GMT 1:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Sophos Anti-Virus *Disabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Disabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files\Panasonic\PNotif\PNotif.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\system32\EtmService.exe
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Panasonic\PPlanEx\opdoffsv.exe
C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe
C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Panasonic\Selsussv\selsussv.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Panasonic\PPlanEx\PPlanEx.exe
C:\Program Files\Panasonic\WSwitch\WSwitch.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Panasonic\Hotkey Appendix\hkeyapp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Panasonic\PPlanEx\ChgBmode.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Panasonic\PPopup\ppopup.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Panasonic\WheelPad\Touchpad.exe
C:\Users\Hansen\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://panasonic.net/avc/toughbook/landing.html
uStart Page = hxxp://www.google.ch/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Facebook Update] "c:\users\hansen\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [PPlanEx] c:\program files\panasonic\pplanex\PPlanEx.exe
mRun: [WSwitch] c:\program files\panasonic\wswitch\WSwitch.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [Panasonic Hotkey Manager] c:\program files\panasonic\hotkey appendix\HKEYAPP.EXE
mRun: [PCinfo] c:\program files\panasonic\pcinfo\PcInfoUt.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [cAudioFilterAgent] c:\program files\conexant\caudiofilteragent\cAudioFilterAgent.exe
mRun: [PRunOnce] c:\util\prunonce\PRunOnce.exe
mRun: [Sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\hansen\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\hansen\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pcinfo~1.lnk - c:\program files\panasonic\ppopup\ppopup.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\touchp~1.lnk - c:\program files\panasonic\wheelpad\Touchpad.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: danid.dk
Trusted Zone: danid.dk
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 130.60.128.3 130.60.64.51
TCP: Interfaces\{2C0EFC34-B9FC-48D1-9D34-1D1D1D632395} : DhcpNameServer = 130.60.128.3 130.60.64.51
TCP: Interfaces\{D4504C51-1A91-434E-B047-ACD20B1F1A14}\0586162657C6F63716 : DhcpNameServer = 192.168.1.1 68.87.76.182 68.87.78.134
TCP: Interfaces\{D4504C51-1A91-434E-B047-ACD20B1F1A14}\34162696E6E602055726C696360275966496 : DhcpNameServer = 89.150.129.4 89.150.129.10
TCP: Interfaces\{D4504C51-1A91-434E-B047-ACD20B1F1A14}\94E6374716E64735C6565607 : DhcpNameServer = 213.191.74.12 62.109.123.254
TCP: Interfaces\{D4504C51-1A91-434E-B047-ACD20B1F1A14}\C696E6B6379737 : DhcpNameServer = 212.242.40.3 212.242.40.51
TCP: Interfaces\{D4504C51-1A91-434E-B047-ACD20B1F1A14}\D4F42494C454 : DhcpNameServer = 195.186.152.32 195.186.216.32
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\hansen\appdata\roaming\mozilla\firefox\profiles\gvb29958.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\hansen\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2012-1-25 64512]
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2010-12-21 122360]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 ETMService;Intel(R) Dynamic Power Performance Model Service Application;c:\windows\system32\EtmService.exe [2010-4-13 207384]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-14 20992]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-23 2152152]
R2 OPDOFFSV;Panasonic Opdoff Utility;c:\program files\panasonic\pplanex\opdoffsv.exe [2010-4-13 1389440]
R2 PcInfoPi;Panasonic PC Information Viewer Service 2;c:\program files\panasonic\pcinfo\PcInfoPi.exe [2010-4-13 46912]
R2 PcInfoSV;Panasonic PC Information Viewer;c:\program files\panasonic\pcinfo\PCInfoSV.exe [2010-4-13 243072]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2010-10-8 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2010-12-21 97520]
R2 SELSUSSV;USB Selective Suspend Manager;c:\program files\panasonic\selsussv\selsussv.exe [2010-12-20 113024]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-9-21 230640]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2010-10-8 1541360]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-4-13 208552]
R3 EtmDevDram;EtmDevDram;c:\windows\system32\drivers\EtmDevDram.sys [2010-4-13 56832]
R3 EtmDevGen;EtmDevGen;c:\windows\system32\drivers\EtmDevGen.sys [2010-4-13 46080]
R3 EtmDevMcp;EtmDevMcp;c:\windows\system32\drivers\EtmDevMcp.sys [2010-4-13 78336]
R3 EtmDevPch;EtmDevPch;c:\windows\system32\drivers\EtmDevPch.sys [2010-4-13 51200]
R3 EtmDrvMgr;EtmDrvMgr;c:\windows\system32\drivers\EtmDrvMgr.sys [2010-4-13 120320]
R3 EtmFan;EtmFan;c:\windows\system32\drivers\EtmDevFan.sys [2010-4-13 27136]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2011-1-12 70656]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-4-13 132352]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-4-13 232448]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-12-23 15232]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2010-1-13 6755840]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [2010-4-13 53376]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-10 4640000]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2011-1-12 102784]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-1-12 208896]
S3 MEITBLCD;Tablet Buttons information for Panasonic PC;c:\windows\system32\drivers\meitblcd.sys [2010-4-13 11968]
S3 MEITBTN;Tablet Buttons HID Driver for Panasonic PC;c:\windows\system32\drivers\meitbtn.sys [2010-4-13 14784]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2010-12-21 23928]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-21 1343400]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-12-21 22536]
.
=============== Created Last 30 ================
.
2012-02-01 11:05:04 -------- d-----w- c:\users\hansen\appdata\roaming\Malwarebytes
2012-02-01 11:04:53 -------- d-----w- c:\programdata\Malwarebytes
2012-02-01 11:04:52 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-01 11:04:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-31 14:32:15 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2ccd0128-a57b-4879-b331-bd2cc3d93e02}\mpengine.dll
2012-01-31 14:12:19 -------- d-----w- c:\users\hansen\appdata\roaming\Process Hacker 2
2012-01-31 13:45:40 -------- d-----w- c:\program files\Process Hacker 2
2012-01-31 13:22:54 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-31 13:22:54 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-31 13:22:54 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-31 13:22:54 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-25 14:50:34 -------- d-----w- c:\program files\ESET
2012-01-25 13:41:09 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-01-25 13:11:50 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-01-25 13:09:43 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-01-25 13:09:35 -------- d-----w- c:\program files\Lavasoft
2012-01-18 19:51:07 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 19:51:07 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-18 19:51:07 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 19:51:06 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-01-18 19:51:06 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 19:51:06 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-18 19:51:06 314368 ----a-w- c:\windows\system32\webio.dll
2012-01-18 19:51:06 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-18 19:51:06 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 19:51:06 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-13 13:59:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-13 10:59:15 851176 ----a-w- c:\windows\system32\WinUSBCoInstaller2.dll
2012-01-13 10:59:10 -------- d-----w- C:\AvaSoft7USB2
2012-01-11 12:52:05 -------- d-----w- c:\programdata\Canon
2012-01-11 12:51:34 81987 ----a-w- c:\windows\system32\AUCPLMNT.DLL
2012-01-11 06:35:00 1288984 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 06:34:59 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 06:34:59 1328640 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 06:34:58 514560 ----a-w- c:\windows\system32\qdvd.dll
.
==================== Find3M ====================
.
2011-12-07 09:08:58 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-24 04:23:31 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 04:35:50 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:34:15 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-05 04:30:11 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 03:28:41 386048 ----a-w- c:\windows\system32\html.iec
2011-11-05 02:55:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 12:44:55.25 ===============
 
DDS attach.txt log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 20-Dec-10 22:14:17
System Uptime: 01-Feb-12 8:38:05 (4 hours ago)
.
Motherboard: Panasonic Corporation | | CFF9-2
Processor: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz | IC1 | 2400/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 88.226 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Virtual WiFi Miniport Adapter
Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&CE0BD7B&0&01
Manufacturer: Microsoft
Name: Microsoft Virtual WiFi Miniport Adapter
PNP Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&CE0BD7B&0&01
Service: vwifimp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP231: 20-Jan-12 11:11:10 - Windows Update
RP233: 23-Jan-12 12:02:03 - Windows Defender Checkpoint
RP234: 24-Jan-12 8:06:58 - Windows Update
RP235: 25-Jan-12 14:08:09 - Installed Ad-Aware
RP236: 25-Jan-12 14:09:19 - Installed Ad-Aware
RP237: 27-Jan-12 17:37:00 - Windows Update
RP238: 31-Jan-12 15:31:08 - Windows Update
.
==== Installed Programs ======================
.
7-Zip 9.20
Ad-Aware
Adobe Acrobat 7.0 Professional - English, Français, Deutsch
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Amazon MP3-Downloader 1.0.9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AvaSoft for AvaSpec USB2
Battery Recalibration
Bluetooth Stack for Windows by Toshiba
Bonjour
BrettspielWelt
Canon Utilities Digital Photo Professional 3.6
Cisco Systems VPN Client 5.0.07.0290
Conexant HD Audio
D3DX10
Debut Video Capture Software
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DivX Setup
Dropbox
EasyBits GO
EndNote X1
ESET Online Scanner v3
Facebook Video Calling 1.1.1.1
GoldWave v5.58
Google Books Download
GooReader
HDAUDIO Soft Data Fax Modem with SmartCP
Hotkey Appendix
Hotkey Settings
Intel PROSet Wireless
Intel(R) Dynamic Power Performance Management
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless WiFi Software
Intel(R) Rapid Storage Technology
InterVideo WinDVD
iPhoneBrowser
ISI ResearchSoft - Export Helper
iTunes
Java Auto Updater
Java(TM) 6 Update 26
Junk Mail filter update
Loupe Utility
Magic DVD Ripper V5.5.2
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Student 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 9.0.1 (x86 en-US)
Mozilla Thunderbird (3.1.17)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NemID
Optical Disc Drive Letter-Setting Utility
Panasonic Common Components
Panasonic Notification
PC Information Popup
PC Information Viewer
PDF Settings
Power Plan Extension Utility
Process Hacker 2.27 (r4957)
QuickTime
R for Windows 2.12.1
Roxio Activation Module
Roxio BackOnTrack
Roxio Central Audio
Roxio Central Copy
Roxio Central Data
Roxio Central Tools
Roxio Creator LJB
Roxio File Backup
RStudio
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553353) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
SigmaPlot 10.0
Skype Click to Call
Skype™ 5.5
Sophos Anti-Virus
Sophos AutoUpdate
Synaptics Pointing Device Driver
Touch Pad Utility
upc cablecom Installer
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553455) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2583935)
USB Selective Suspend Manager
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.1.11
Website Ripper Copier
Windows Driver Package - Avantes (WinUSB) AvantesSpectrometers (08/24/2009 1.6.0.1)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Wireless Switch Utility
.
==== Event Viewer Messages From Past Week ========
.
31-Jan-12 19:51:20, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {24DC0815-9D82-47FD-81B3-11DE033EF7A3}. The error: "740" Happened while starting this command: "C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe" -Embedding
31-Jan-12 19:49:59, Error: Microsoft-Windows-Application-Experience [205] - The Program Compatibility Assistant service failed to perform the phase two initialization.
31-Jan-12 19:49:51, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
.
==== End Of File ===========================
 
Welcome to TechSpot! I'll help you get going in the right direction.

Questions and Comments:
1. This error appears in the Event Viewer:
31-Jan-12 19:51:20, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {24DC0815-9D82-47FD-81B3-11DE033EF7A3}. The error: "740" Happened while starting this command: "C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe" -Embedding

This may be a compatibility issue and/or it can indicate that it requires elevation. But if DCOM won't start, you won't get very far. I am not familiar with this particular Sophos problem, but I found discussion of it here: http://community.sophos.com/t5/Sophos-Endpoint-Protection/Remote-Console-and-Windows-7/td-p/95

There are 3 errors in a row: for the CD, for the Program Compatibility and for Sophos.
==================================
I see domains from DK > Switzerland in the Trusted zone and an IP from DhcpNameServer = 130.60.128.3
University of Zurich
descr: Zurich, Switzerland
country: CH
Please just assure me that these belong to you and your ISP.
===============================
I see you already have the Eset Online Virus scan on the system. Please update it and run a new scan. Leave log in next reply if there is one.
==============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Expect these- they are normal:
1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job; this is normal.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save it to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.

If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
Threads are closed after 5 days if there is no reply.

Please leave logs in next reply.
 
Hi Bobbye,
Thanks a lot for helping a stranger in need!

First of all: yes, the Uni Zurich and DK / CH trusted zones are correct & belong to me.

I re-ran & updated Eset online scan - result was negative, nothing found.

I installed & ran combofix - the log is here:

----
ComboFix 12-02-02.01 - Hansen 02-Feb-12 13:47:58.1.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3511.2095 [GMT 1:00]
Running from: c:\users\Hansen\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Sophos Anti-Virus *Disabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Sophos Anti-Virus *Disabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Hansen\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DC367470-FCA6-41BA-9529-A72E3E32F89A}.xps
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2012-01-02 to 2012-02-02 )))))))))))))))))))))))))))))))
.
.
2012-02-02 13:01 . 2012-02-02 13:01 -------- d-----w- c:\users\Webmail\AppData\Local\temp
2012-02-02 13:01 . 2012-02-02 13:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-02 12:43 . 2012-02-02 12:43 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2CCD0128-A57B-4879-B331-BD2CC3D93E02}\offreg.dll
2012-02-01 11:05 . 2012-02-01 11:05 -------- d-----w- c:\users\Hansen\AppData\Roaming\Malwarebytes
2012-02-01 11:04 . 2012-02-01 11:04 -------- d-----w- c:\programdata\Malwarebytes
2012-02-01 11:04 . 2012-02-01 11:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-01 11:04 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-31 14:32 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2CCD0128-A57B-4879-B331-BD2CC3D93E02}\mpengine.dll
2012-01-31 14:12 . 2012-01-31 14:12 -------- d-----w- c:\users\Hansen\AppData\Roaming\Process Hacker 2
2012-01-31 13:45 . 2012-01-31 13:45 -------- d-----w- c:\program files\Process Hacker 2
2012-01-31 13:22 . 2012-01-31 13:22 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-31 13:22 . 2012-01-31 13:22 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-31 13:22 . 2012-01-31 13:22 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-31 13:22 . 2012-01-31 13:22 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-25 14:50 . 2012-01-25 14:50 -------- d-----w- c:\program files\ESET
2012-01-25 13:41 . 2012-01-25 13:11 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-01-25 13:11 . 2012-01-25 13:11 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-01-25 13:09 . 2011-12-23 06:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-01-25 13:09 . 2012-01-25 13:09 -------- d-----w- c:\programdata\Lavasoft
2012-01-25 13:09 . 2012-01-25 13:09 -------- d-----w- c:\program files\Lavasoft
2012-01-18 19:51 . 2011-11-17 05:48 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-18 19:51 . 2011-11-17 05:39 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 19:51 . 2011-11-17 05:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 19:51 . 2011-11-17 05:48 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 19:51 . 2011-11-17 05:42 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-18 19:51 . 2011-11-17 05:39 314368 ----a-w- c:\windows\system32\webio.dll
2012-01-18 19:51 . 2011-11-17 05:39 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-01-18 19:51 . 2011-11-17 05:39 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-18 19:51 . 2011-11-17 05:39 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 19:51 . 2011-11-17 05:36 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-13 13:59 . 2012-01-13 13:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-13 10:59 . 2012-01-13 10:59 -------- d-----w- c:\program files\DIFX
2012-01-13 10:59 . 2009-07-14 05:25 851176 ----a-w- c:\windows\system32\WinUSBCoInstaller2.dll
2012-01-13 10:59 . 2012-01-13 14:47 -------- d-----w- C:\AvaSoft7USB2
2012-01-11 12:52 . 2012-01-11 12:52 -------- d-----w- c:\programdata\Canon
2012-01-11 12:51 . 2006-02-21 01:27 81987 ----a-w- c:\windows\system32\AUCPLMNT.DLL
2012-01-11 06:35 . 2011-11-17 05:41 1288984 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 06:34 . 2011-11-19 14:06 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 06:34 . 2011-10-26 04:28 1328640 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 06:34 . 2011-10-26 04:28 514560 ----a-w- c:\windows\system32\qdvd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 09:08 . 2010-12-21 19:15 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-24 04:23 . 2011-12-14 09:42 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 04:35 . 2011-12-14 09:43 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:34 . 2011-12-14 09:43 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-05 04:30 . 2011-12-14 09:42 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 03:28 . 2011-12-14 09:43 386048 ----a-w- c:\windows\system32\html.iec
2011-11-05 02:55 . 2011-12-14 09:43 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-01-31 13:22 . 2011-08-24 09:27 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Hansen\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Hansen\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Hansen\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Hansen\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-12-25 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPlanEx"="c:\program files\Panasonic\PPlanEx\PPlanEx.exe" [2010-03-18 590208]
"WSwitch"="c:\program files\Panasonic\WSwitch\WSwitch.exe" [2010-03-19 1209728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-20 1545512]
"Panasonic Hotkey Manager"="c:\program files\Panasonic\Hotkey Appendix\HKEYAPP.EXE" [2010-04-05 1103232]
"PCinfo"="c:\program files\Panasonic\pcinfo\PcInfoUt.exe" [2009-07-03 99136]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-17 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-17 168472]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2010-03-22 496184]
"PRunOnce"="c:\util\prunonce\PRunOnce.exe" [2009-07-16 161088]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-21 439536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\users\Hansen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Hansen\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-100000000002}\SC_Acrobat.exe [2011-1-15 25214]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2010-1-6 2717024]
PC Information Popup.lnk - c:\program files\Panasonic\PPopup\ppopup.exe [2010-4-13 718208]
Touch Pad Utility.lnk - c:\program files\Panasonic\WheelPad\Touchpad.exe [2010-4-13 373120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 01:12 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2010-12-22 02:55 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-26 23:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartAudio]
2009-11-19 04:45 307768 ------w- c:\program files\CONEXANT\SAII\SAIICpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 hvlbadmg;hvlbadmg;c:\windows\system32\drivers\hvlbadmg.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2010-10-25 102784]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2010-10-25 208896]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]
R3 MEITBLCD;Tablet Buttons information for Panasonic PC;c:\windows\system32\DRIVERS\MeiTBLCD.sys [2009-08-20 11968]
R3 MEITBTN;Tablet Buttons HID Driver for Panasonic PC;c:\windows\system32\DRIVERS\MeiTBtn.sys [2009-08-20 14784]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2010-12-21 23928]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-21 1343400]
R3 wtsmpadap;Sesam Virtual Adapter;c:\windows\system32\DRIVERS\wtsmpadap.sys [x]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2010-12-21 22536]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-12-23 64512]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2010-10-08 122360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ETMService;Intel(R) Dynamic Power Performance Model Service Application;c:\windows\system32\EtmService.exe [2009-11-13 207384]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2012-01-25 2152152]
S2 OPDOFFSV;Panasonic Opdoff Utility;c:\program files\Panasonic\PPlanEx\opdoffsv.exe [2010-03-18 1389440]
S2 PcInfoPi;Panasonic PC Information Viewer Service 2;c:\program files\Panasonic\pcinfo\PCInfoPi.exe [2009-09-30 46912]
S2 PcInfoSV;Panasonic PC Information Viewer;c:\program files\Panasonic\pcinfo\PCInfoSV.exe [2010-03-26 243072]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2010-10-08 163056]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2010-12-21 97520]
S2 SELSUSSV;USB Selective Suspend Manager;c:\program files\Panasonic\Selsussv\selsussv.exe [2010-04-07 113024]
S2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2010-10-08 1541360]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-09-23 208552]
S3 EtmDevDram;EtmDevDram;c:\windows\system32\DRIVERS\EtmDevDram.sys [2009-10-20 56832]
S3 EtmDevGen;EtmDevGen;c:\windows\system32\DRIVERS\EtmDevGen.sys [2009-10-20 46080]
S3 EtmDevMcp;EtmDevMcp;c:\windows\system32\DRIVERS\EtmDevMcp.sys [2009-10-20 78336]
S3 EtmDevPch;EtmDevPch;c:\windows\system32\DRIVERS\EtmDevPch.sys [2009-10-20 51200]
S3 EtmDrvMgr;EtmDrvMgr;c:\windows\system32\DRIVERS\EtmDrvMgr.sys [2009-10-20 120320]
S3 EtmFan;EtmFan;c:\windows\system32\DRIVERS\EtmDevFan.sys [2009-10-20 27136]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2010-10-25 70656]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-10 132352]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-01-07 232448]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-12-23 15232]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-01-13 6755840]
S3 NewMisc;Panasonic Misc Driver;c:\windows\system32\DRIVERS\newmisc.sys [2009-10-28 53376]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3142439408-3311776838-2971966211-1001Core.job
- c:\users\Hansen\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-25 17:45]
.
2012-02-02 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3142439408-3311776838-2971966211-1001UA.job
- c:\users\Hansen\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-25 17:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ch/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: danid.dk
Trusted Zone: danid.dk
TCP: DhcpNameServer = 130.60.128.3 130.60.64.51
FF - ProfilePath - c:\users\Hansen\AppData\Roaming\Mozilla\Firefox\Profiles\gvb29958.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-02-02 14:05:12
ComboFix-quarantined-files.txt 2012-02-02 13:05
.
Pre-Run: 98,281,308,160 bytes free
Post-Run: 98,461,282,304 bytes free
.
- - End Of File - - E064893E6ADA1A19AC768D29190D3D20
 
Also, I tried to look into the Sophos problem, but no luck finding anything useful. If it's a problem, should I uninstall it, and install/use a different anti-virus? If so, please advise.

Cheers!
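The ComboFix log above lists every registered service and driver as one line ("R1 name;description;path [date size]", with "[x]" where the image file was not found, as for hvlbadmg and hwusbfake). The following triage parser for that line format is an added example, not part of the thread or of ComboFix itself; its sample lines are constructed in the shape of the log (the exampleSvc entry is invented to exercise the path check), and flagging an entry only means it is worth a look, not that it is malicious.

```python
import re
from typing import Dict, List

# Constructed sample input in the ComboFix services/drivers line format.
# Leading letter: R = running, S = stopped; the digit is the Service Control
# Manager start type. "[x]" marks an image file that was not found on disk.
# The exampleSvc line is invented for this example and not from the log.
SAMPLE_LINES = r"""
R1 hvlbadmg;hvlbadmg;c:\windows\system32\drivers\hvlbadmg.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2010-10-08 122360]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2012-01-25 2152152]
S3 exampleSvc;Example Service;c:\users\someone\AppData\Local\Temp\svc.exe [2012-01-30 4096]
.
"""

# SCM start types (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

LINE_RE = re.compile(
    r"^([RS])(\d)\s+"                                   # state letter, start type
    r"([^;]+);"                                         # service/driver name
    r"([^;]*);"                                         # display name / description
    r"(.+?)\s+"                                         # image path (may contain spaces)
    r"\[(?:(x)|(\d{4}-\d{2}-\d{2})\s+(\d+))\]\s*$"      # "[x]" or "[date size]"
)

# Directories where service and driver images are normally expected.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_combofix_services(text: str) -> List[Dict]:
    """Parse ComboFix service/driver lines into dicts; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers, registry keys, etc.
        state, start, name, desc, path, missing, date, size = m.groups()
        entries.append({
            "state": "running" if state == "R" else "stopped",
            "start_type": START_TYPES.get(start, "unknown"),
            "name": name.strip(),
            "description": desc.strip(),
            "path": path,
            "file_present": missing is None,
            "file_date": date,
            "file_size": int(size) if size else None,
        })
    return entries


def triage_reasons(entry: Dict) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    reasons = []
    if not entry["file_present"]:
        # A registered service whose binary is gone: usually a leftover from an
        # uninstall, but it is where a removed or renamed component would show.
        reasons.append("image file not found on disk ([x])")
    if not entry["path"].lower().startswith(TRUSTED_PREFIXES):
        # Services started from a user profile or temp directory are unusual.
        reasons.append("image outside Windows/Program Files")
    return reasons


def flag_entries(entries: List[Dict]) -> List[Dict]:
    """Entries with at least one triage reason, each annotated with its reasons."""
    return [dict(e, reasons=triage_reasons(e)) for e in entries if triage_reasons(e)]


if __name__ == "__main__":
    for e in flag_entries(parse_combofix_services(SAMPLE_LINES)):
        print(f"{e['name']:<32} {e['state']:<8} {e['start_type']:<8} {'; '.join(e['reasons'])}")
```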
 
So far, I'm looking at a nice, clean, lean system!

1. "all seems fine; google loads quickly".> Explain: Do you mean when you search Google the site you choose loads right away? If not, what do you mean?

2. "Then, from between 30-120 minutes after startup, things start going bad."> What are you trying to do at this time?

3." First, google redirects (especially from links I try access after googling 'anti virus' or similar)".> When you say 'redirect', do you mean you are taken to a site other than the one you choose in a search from Google? If not, what? Does this just happen on security-related sites?

3."Then, quite rapidly afterward, google (in any country/version) won't load at all, and neither will bing or yahoo.">
How do you mean won't load? Do you get a 'server can't find...' or other message?
Again with respect to 'load'> Do you mean the search engine itself Google won't load for you to do a search?
If not, and this includes all 3 of the search engines-do you mean that you are unable to access a site using any of the 3 search engines? Message? What?

4. Do you have an internet connection? When you boot, you have access. Look at the computer screens in the area by the clock> do you see a red X go on either when you hit the 30-120 min?
===============================
I'd like you to disable the AdAware Adwatch which now lists itself as an antivirus:
Ad-Aware AE Ad-Watch Live!
  • Right click on the Ad-Aware icon in the system tray.
  • Click on Disable Ad-Watch Live!

It's possible that there is a conflict between the Sophos AV and AdWatch.
Reboot the computer after disabling AdWatch and see if it makes any difference.
=========================
I'd like you to check some Services:

Please download Farbar Service Scanner
  • Check Include all files option
  • Press the Scan button
  • Log named FSS.txt will be created in the same directory as the tool
  • Please paste the log into your next reply
======================================
The only thing I observe in the logs is that Java is outdated. That would not cause what you are describing.
=============================
Please leave answers to my questions and Farbar log in next reply.
 
Hi Bobbye,

I have disabled AdAware.

I downloaded & ran Farbar Service Scanner. However, there was no option to tick 'include all files' -- see screenshot here:
http://imageshack.us/photo/my-images/824/fssscreen.jpg/
Please advise if I need to do things differently.

Here is the log the scan created:
Farbar Service Scanner Version: 05-02-2012
Ran by Hansen (administrator) on 07-02-2012 at 16:19:08
Running from "C:\Users\Hansen\Downloads"
Microsoft Windows 7 Professional (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-09 09:38] - [2011-09-29 16:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2011-04-14 07:13] - [2011-03-03 06:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****


In response to your questions:
1. "all seems fine; google loads quickly".> Explain: Do you mean when you search Google the site you choose loads right away? If not, what do you mean?
I mean that when I hit my 'home' button in firefox (which is set to www.google.com), then the google page pops up instantly, and search queries produce good results.

2. "Then, from between 30-120 minutes after startup, things start going bad."> What are you trying to do at this time?
3." First, google redirects (especially from links I try access after googling 'anti virus' or similar)".> When you say 'redirect', do you mean you are taken to a site other than the one you choose in a search from Google? If not, what? Does this just happen on security-related sites?

This means that when I, at some time into this period from whatever webpage (news site, scientific journals, etc), try to call up google by pressing the 'home' button again it takes distinctly longer (around 2-4 seconds) before google shows.
From then on, what seem to be legit links resulting from google searches will take me to clearly non-intended sites --e.g. a search for 'elephant seed dispersal' (bear with me, I'm a bio-nerd) will produce a link to a colleague's website - but clicking the link takes me to a site filled with ads for online services or downloads. That kind of thing.

3."Then, quite rapidly afterward, google (in any country/version) won't load at all, and neither will bing or yahoo.">
How do you mean won't load? Do you get a 'server can't find...' or other message?
Again with respect to 'load'> Do you mean the search engine itself Google won't load for you to do a search?

If not, and this includes all 3 of the search engines-do you mean that you are unable to access a site using any of the 3 search engines? Message? What?
I get a 'server can't find' error page - for all three search engines.

4. Do you have an internet connection? When you boot, you have access. Look at the computer screens in the area by the clock> do you see a red X go on either when you hit the 30-120 min?
I have a wired connection at university, and a wifi connection at home - I have tried to look out for red x's during online time on both connections, but have not consciously noted any such thing around the time google/search engines won't work.

Update: The problem with onset of 'server can't find' errors for google/search engines persists. However, it seems that it now takes significantly longer - around 60-180 minutes - after a fresh restart/boot before the error occurs, and google/search engines won't load anymore. There are also now not any searches for legit things that result in redirects to 'ad/download' pages. However, when I do a search for anything with anti-virus and then click on a legit link, I am still sometimes taken to a clearly non-intended 'ad/download' page.
 
Please note: I will be Offline on Wednesday, 2/8 and Thursday, 2/9. When I return on Friday, 2/10, I will pick up the oldest threads first.
 
I downloaded & ran Farbar Service Scanner. However, there was no option to tick 'include all files' -- see screenshot here:
Open Farbar again. Look at the screen shot>

all of the boxes should be checked. You only have the first 2 instead of 'all of the files.' Please run new scan with all boxes checked.

Will change my confusing directions! I downloaded and ran twice and do not see the option to choose all! Sorry about that.
==============================
Can you help me out on this please: no English safe sites to ID:
AvaSoft7USB2
=============================
For this:
'server can't find' error page - for all three search engines.
For some reason, and especially since the time intervals are random, you are losing the internet connection. I think you are going to check things with your ISP. You have the following listed:
IP 130.60.128.3 > Zurich
IP 195.186.152.32 > Linksys router default
IP 212.242.40.3 > Telenor, DK > Blacklisted for email
IP 89.150.129.4 > Fullrate A/S > Denmark

I advise checking which one is connecting when you lose the connection and can't get the page.

A redirect is different.
 
Hi Bobbye,

I re-ran Farbar Service Scanner with all boxes ticked; here's the log:

------------
Farbar Service Scanner Version: 12-02-2012 01
Ran by Hansen (administrator) on 13-02-2012 at 09:13:39
Running from "C:\Users\Hansen\Downloads"
Microsoft Windows 7 Professional (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Defender:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-09 09:38] - [2011-09-29 16:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2011-04-14 07:13] - [2011-03-03 06:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\mpssvc.dll
[2009-07-14 00:53] - [2009-07-14 02:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-14 00:54] - [2009-07-14 02:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-14 00:23] - [2009-07-14 02:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-14 00:24] - [2009-07-14 02:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll
[2011-02-09 07:12] - [2010-12-21 06:38] - 0073728 ____A (Microsoft Corporation) A661A76333057B383A06E65F0073222F

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-14 01:15] - [2009-07-14 02:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-14 00:30] - [2009-07-14 02:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Regarding the 'AvaSoft7USB2' - this is software related to a photospectrometer I recently installed in my lab (from the company Avantes), and is safe.

Regarding the ISP IPs - the two from Switzerland are legit; they are my university network and my home internet provider. I expect the two in Denmark to be legit as well; one at my parents' place, one at a colleague's where I stay from time to time & use his net every time.

The redirect problem as well as the "can't find server error" occur in the same way on both of the Swiss networks. I haven't been on the Danish ones in quite a while.

Something funny happened while looking up the IPs, though - it may help you in determining what is wrong: When (in Firefox) I google for a "what's my IP address" website, google gives me as the first result 'your public IP address is: XYZ' - where XYZ stands for one out of five (!) IP addresses that seem to cycle through at random every time I hit 'reload current page' in the address bar:
209.190.46.194
46.23.64.114
173.192.170.112
209.222.8.98
77.79.10.67

BUT: If I go to any of the "what is my IP address" websites (e.g. www.whatismyip.com), I get the correct, current uni-Zurich address (130.60.20.162).

Checking the above five addresses on www.whatismyipaddress.com, I get the following results -- and checking the blacklist status there, too, all five are blacklisted, but only once, at the same site: blackholes.five-ten-sg.com.

IP: 209.190.46.194
Decimal: 3518901954
Hostname: c2.2e.be.static.xlhost.com
ISP: eNET
Organization: XLHost.com
Services: None detected
Type: Corporate
Assignment: Static IP
Location: USA, Columbus, Ohio

IP: 46.23.64.114
Decimal: 773275762
Hostname: 46.23.64.114
ISP: UK2 - Ltd
Organization: UK2 Infrastructure
Services: None detected
Type:
Assignment: Static IP
Location: United Kingdom

IP: 173.192.170.112
Decimal: 2915084912
Hostname: 173.192.170.112-static.reverse.softlayer.com
ISP: SoftLayer Technologies
Organization: Hosting Services
Services: None detected
Type: Corporate
Assignment: Static IP
Location: USA, Dallas, Texas

IP: 209.222.8.98
Decimal: 3520989282
Hostname: 209.222.8.98.choopa.net
ISP: Choopa.com
Organization: Reliable_Servers
Services: None detected
Type: Corporate
Assignment: Static IP
Location: USA, Newark, New Jersey

IP: 77.79.10.67
Decimal: 1297025603
Hostname: hst-10-67.duomenucentras.lt
ISP: SPLIUS, UAB
Organization: Webhosting, collocation services
Services: None detected
Type:
Assignment: Static IP
Location: Lithuania

I hope this somehow helps?
Cheers,
Dennis
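A defender-side triage check for the rotating "what is my IP" result Dennis describes, added here as an example and not part of the thread: it compares the source address the search engine reports for a query with the address a direct check reports, and inspects the proxy settings that could explain a different exit. The sample addresses are constructed from the values posted above; the registry value names (ProxyEnable, ProxyServer, AutoConfigURL) are real, but the settings dictionary is a hypothetical stand-in for reading them.

```python
import ipaddress

# Constructed sample input modelled on what the thread reports; not live output.
DIRECT_IP = "130.60.20.162"                  # address shown by a direct "what is my IP" site
SEARCH_SEEN_IPS = ["209.190.46.194", "46.23.64.114", "173.192.170.112",
                   "209.222.8.98", "77.79.10.67", "209.190.46.194"]
# Hypothetical values as they would be read from the real registry key
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (e.g. via winreg).
INET_SETTINGS = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080", "AutoConfigURL": ""}


def exit_ip_findings(direct_ip, search_seen_ips):
    """Compare the source address a search engine sees for our queries with the
    address a direct check reports. NAT gives one stable external address; a pool
    of unrelated hosting addresses means something else is relaying the queries."""
    direct = ipaddress.ip_address(direct_ip)
    seen = {ipaddress.ip_address(ip) for ip in search_seen_ips}
    findings = []
    if direct not in seen:
        findings.append("search queries leave from an address other than the direct check")
    # Group the observed addresses by /16; NAT or a single corporate proxy stays within one.
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in seen}
    if len(prefixes) > 1:
        findings.append(f"search exit address rotates across {len(prefixes)} distinct /16 networks")
    return findings


def proxy_findings(inet_settings):
    """Flag proxy configuration that would legitimately change the exit address."""
    findings = []
    if inet_settings.get("ProxyEnable"):
        server = inet_settings.get("ProxyServer", "")
        # A loopback proxy means a process on this machine relays all browser traffic.
        note = " (local listener: identify the process bound to it)" if server.startswith("127.") else ""
        findings.append(f"manual proxy enabled: {server}{note}")
    if inet_settings.get("AutoConfigURL"):
        findings.append(f"PAC script configured: {inet_settings['AutoConfigURL']}")
    return findings


def triage(direct_ip, search_seen_ips, inet_settings):
    """Combine both checks; an empty list means the exit address is consistent."""
    return exit_ip_findings(direct_ip, search_seen_ips) + proxy_findings(inet_settings)


if __name__ == "__main__":
    for line in triage(DIRECT_IP, SEARCH_SEEN_IPS, INET_SETTINGS):
        print("finding:", line)
```

No findings at all is the expected result behind a plain NAT; findings without any proxy setting point at a relay the user did not configure.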
 
Dennis, if you do a tracert, you may be able to observe these IPs as the trace proceeds. Google Support explains this:
When you type the query [ what is my ip ], Google will respond by showing you the IP address of the computer from which the query was received. In the simplest case, this IP address uniquely identifies your computer among all computers on the Internet. There are, however, several network configurations that may cause Google to receive an IP address that differs from the one assigned to your computer. For example, if you have a home network or a corporate network, devices are usually assigned "internal" IP addresses by a Network Address Translator (NAT) located within your router or modem. The NAT hides the internal IP addresses from websites, making the entire home network appear to outside computers to have a single, "external" IP address. In this case, we will show you the external IP address assigned to your home. Other network configurations, such as proxies, can also cause the IP address received by Google to differ from the actual IP address of your computer.

Why you may get different IPs: also from Google:
if you have a home network or a corporate network, devices are usually assigned "internal" IP addresses by a Network Address Translator (NAT) located within your router or modem. The NAT hides the internal IP addresses from websites, making the entire home network appear to outside computers to have a single, "external" IP address. In this case, we will show you the external IP address assigned to your home. Other network configurations, such as proxies, can also cause the IP address received by Google to differ from the actual IP address of your computer.

More explanation for static vs dynamic IP: http://whatismyipaddress.com/
-------------------------------------
It appears that each of the ISPs you listed gave you a static IP: You have access in several different countries, so I don't know that I can do anything with the IPs you identified. You can watch any site as it loads in the lower left corner of the screen and follow the loading.
=========================================
I'd like to try the following. The fact that all 3 browsers are being affected leans more toward a setting problem, or something blocking access:

Boot into Safe Mode with Networking
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking Option when the Windows Advanced Options menu appears, and then press ENTER.

Once there, see if any or all of the browsers will access correctly. There are a lot of processes running from Sophos. It won't start in this mode> see if it makes a difference.
 
Dennis, it's time to close the thread. Please send me a PM if you still have the problem and I can reopen the thread.
 