Author Topic: VistaAntispyware 2012 ???  (Read 29963 times)

MtlHab39

    Topic Starter


    Beginner

    • Experience: Beginner
    • OS: Unknown
    VistaAntispyware 2012 ???
    « on: January 26, 2012, 07:50:33 PM »
    Hi everyone
    I have a Lenovo laptop with Vista OS.

    Wife and sons have been on line this evening and since then, it has been under attack as I have tried logging on.

    Have a Vista icon popping up labeled Vista Antispyware 2012 - Unregistered Version telling me that 29 critical system objects have been found; the catch I guess is to get me to register which I have not.  I have tried opening programs including spybot & malware but another Vista alert pops up telling me that Trojan-BNK.Win32.Keylogger.gen has infected the program...again, it asks me to register.  I click on No, continue unprotected (dangerous) but the program will not run.

    I do have CC cleaner, SysProt, SuperAntispyware and malware by Anti-Malware from last year's 'infection'.

    Even as I type, pop-ups appear telling me that an Internet connection alert is present.

    Please help as I have read the ground rules at the top of this section but I am unsure what to do next.

    Also please specify how I can access the net (open with safe mode?).

    Thank you   

       

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1260
    • Experience: Guru
    • OS: Windows 10
    Re: VistaAntispyware 2012 ???
    « Reply #1 on: January 27, 2012, 06:06:56 AM »
    I didn't see any mention of an anti virus application installed. Anyway,

    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: VistaAntispyware 2012 ???
    « Reply #2 on: January 27, 2012, 11:54:04 AM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.
    • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining
    Please leave the others unchecked
    • Click the Close button to leave the control center screen.
    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes
    • To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (preferably Notepad).
    • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Copy and Paste the log in your post.
    ***********************************************
    Please download Malwarebytes Anti-Malware from here.
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    **************************************************
    Download DDS from HERE or HERE and save it to your desktop.

    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall tries to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.
    * Save both reports to your desktop.
    * The instructions here ask you to attach the Attach.txt.



    1) DDS.txt
    2) Attach.txt
    Instead of attaching, please copy/paste both logs into your Thread

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copying and pasting it into the reply.

    • Close the program window, and delete the program from your desktop.

    Please note: You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.
    Information on A/V control HERE. Then post your DDS logs. (DDS.txt and Attach.txt)
    Windows 8 and Windows 10 dual boot with two SSD's

    MtlHab39

      Re: VistaAntispyware 2012 ???
      « Reply #3 on: January 28, 2012, 07:11:48 AM »
      Good morning
      Tried booting in safe mode but Vista Alert bug pops up as soon as I open Explorer or even my Super AntiSpyware I am blocked.

      I guess I need to do this...........

      "If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line."

      Just need to be clear...I transfer SuperAntiSpyware and Malware onto this computer and then onto a stick (don't even know how to burn info on to CD???sorry).  Will this not affect security on this PC? 
      Shift key down for 10 sec: I do this upon USB entry and removal from both laptop and PC?

      Apologize about the level of knowledge but am waiting for children to get older so they could handle this

      SuperDave

      Re: VistaAntispyware 2012 ???
      « Reply #4 on: January 28, 2012, 11:37:37 AM »
      Quote
      Will this not affect security on this PC? 
      Shift key down for 10 sec: I do this upon USB entry and removal from both laptop and PC?
      Just use the 10 sec. rule and your computer will be safe.

      MtlHab39

        Re: VistaAntispyware 2012 ???
        « Reply #5 on: February 01, 2012, 04:34:16 PM »
        Did as you said and used a USB to load and import Super AntiSpyware and malware and DDS.
        Held shift button after loading with Safe mode; virus popped blocking SAS but allowed Malware to be installed and updated; asked me to reboot to finish for Malware.

        Did this (was not sure what to do with USB during reboot time) so left it in place.

        Upon reboot, was able to uninstall old SAS and load updates for new SAS; so far so good.
        Update: started the SAS scan.

        Will let you know... 

        MtlHab39

          Re: VistaAntispyware 2012 ???
          « Reply #6 on: February 02, 2012, 04:19:40 AM »
          Here is SAS
          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 02/01/2012 at 10:55 PM

          Application Version : 5.0.1142

          Core Rules Database Version : 8191
          Trace Rules Database Version: 6003

          Scan type       : Complete Scan
          Total Scan Time : 01:25:53

          Operating System Information
          Windows Vista Home Basic 32-bit, Service Pack 2 (Build 6.00.6002)
          UAC Off - Administrator

          Memory items scanned      : 345
          Memory threats detected   : 3
          Registry items scanned    : 37957
          Registry threats detected : 5
          File items scanned        : 164078
          File threats detected     : 53

          Malware.Trace
             HKU\S-1-5-21-2953296840-3789730768-1391761679-1003\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

          Trojan.Agent/Gen-Kazy
             [48C.exe] C:\PROGRAM FILES\LP\1199\48C.EXE
             C:\PROGRAM FILES\LP\1199\48C.EXE
             [48C.exe] C:\USERS\COSTA\APPDATA\ROAMING\MICROSOFT\1199\48C.EXE
             C:\USERS\COSTA\APPDATA\ROAMING\MICROSOFT\1199\48C.EXE
             [Load] C:\USERS\COSTA\APPDATA\ROAMING\0A1FD\LVVM.EXE
             C:\USERS\COSTA\APPDATA\ROAMING\0A1FD\LVVM.EXE
             C:\USERS\COSTA\APPDATA\ROAMING\9EB0A\B3B11.EXE
             C:\USERS\COSTA\APPDATA\ROAMING\9EB0A\B3B11.EXE
             C:\PROGRAM FILES\LP\1199\48C.EXE
             C:\PROGRAM FILES\0A1FD\LVVM.EXE
             C:\PROGRAM FILES\0A1FD\LVVM.EXE

          Trojan.Agent/Gen-Kryptik
             [{AD82FCD2-11F7-AD7E-C49A-DA9B163BA1B6}] C:\USERS\COSTA\APPDATA\ROAMING\XIYPYC\QYFA.EXE
             C:\USERS\COSTA\APPDATA\ROAMING\XIYPYC\QYFA.EXE

          Trojan.Agent/Gen
             C:\PROGRAMDATA\0LIK14T3.EXE
             C:\WINDOWS\SYSTEM32\8LKYO1UK.COM
             C:\WINDOWS\SYSTEM32\8LKYO1UK.COM_
             C:\WINDOWS\TEMP\HKI3485.EXE
             C:\WINDOWS\TEMP\VGMRHE\SETUP.EXE

          Trojan.Agent/Gen-Rimecud
             C:\SWTOOLS\APPS\DDNI\DIBS\PROGRAMFILES\DDNISERVICE.EXE

          Trojan.Agent/Gen-Kazy[EX]
             C:\USERS\COSTA\APPDATA\LOCAL\TEMP\ARSNOMXEWC.EXE
             C:\USERS\COSTA\APPDATA\ROAMING\WINWORD.EXE

          Trojan.Agent/Gen-MSFake
             C:\USERS\COSTA\APPDATA\LOCAL\TEMP\CWSAEXORNM.EXE

          Trojan.Agent/Gen-FraudScan[Prod]
             C:\USERS\COSTA\APPDATA\LOCAL\TEMP\MSIMG32.DLL
             C:\USERS\COSTA\APPDATA\LOCAL\TEMP\WOSMCXENRA.EXE
             C:\WINDOWS\SYSTEM32\DRIVERS\TDX.SYS
             C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-TDI-OVER-TCPIP_31BF3856AD364E35_6.0.6002.18005_NONE_EC294157D9377403\TDX.SYS


          Here is Malware
          Malwarebytes Anti-Malware 1.60.1.1000
          www.malwarebytes.org

          Database version: v2012.01.13.04

          Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
          Internet Explorer 9.0.8112.16421
          Costa :: COSTA-PC [administrator]

          2012-02-01 11:12:18 PM
          mbam-log-2012-02-01 (23-12-18).txt

          Scan type: Full scan
          Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
          Scan options disabled: P2P
          Objects scanned: 355337
          Time elapsed: 57 minute(s), 59 second(s)

          Memory Processes Detected: 0
          (No malicious items detected)

          Memory Modules Detected: 0
          (No malicious items detected)

          Registry Keys Detected: 1
          HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smad (Trojan.Agent) -> Quarantined and deleted successfully.

          Registry Values Detected: 1
          HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Smad (Trojan.Agent) -> Data: "C:\Users\Costa\AppData\Local\SanctionedMedia\Smad\Smad.exe" -> Quarantined and deleted successfully.

          Registry Data Items Detected: 0
          (No malicious items detected)

          Folders Detected: 0
          (No malicious items detected)

          Files Detected: 2
          C:\Users\Costa\AppData\Local\SanctionedMedia\Smad\Smad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\Users\Costa\Local Settings\Application Data\SanctionedMedia\Smad\Smad.exe (Trojan.Agent) -> Quarantined and deleted successfully.

          (end)


          Here is the DDS
          .
          DDS (Ver_11-03-05.01) - NTFSx86 
          Run by Costa at  0:32:59.30 on 2012-02-02
          Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
          Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.2.1033.18.2013.816 [GMT -5:00]
          .
          SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
          SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
          .
          ============== Pseudo HJT Report ===============
          .
          uStart Page = hxxp://www.google.ca/
          uInternet Settings,ProxyOverride = *.local
          uInternet Settings,ProxyServer = http=127.0.0.1:52162
          uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
          uURLSearchHooks: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\tbSoft.dll
          uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
          uURLSearchHooks: H - No File
          mURLSearchHooks: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\tbSoft.dll
          BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
          BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
          BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
          BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
          BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
          BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
          BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
          BHO: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\tbSoft.dll
          BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
          BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
          BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
          BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
          TB: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\tbSoft.dll
          TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
          TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
          TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
          TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
          TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
          TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
          uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
          uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
          uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
          mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
          mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
          mRun: [TpShocks] TpShocks.exe
          mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\LVOSDSVC.exe
          mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
          mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
          mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
          mRun: [RoxioDragToDisc] "c:\program files\lenovo\drag-to-disc\DrgToDsc.exe"
          mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe /startup
          mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
          mRun: [LPMailChecker] c:\progra~1\lenovo\lenovo~2\LPMLCHK.exe
          mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
          mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
          mRun: [CreateLMBCShortCut] "c:\program files\lenovo\mobile broadband connect\UserShortcutCreator.exe"
          mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
          mRun: [ACWlIcon] c:\program files\thinkpad\connectutilities\ACWlIcon.exe
          mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
          mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
          mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
          mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
          mRun: [IdeaNotesUser] c:\program files\ddni\lenovo idea notes\DDNIMSGUser.exe
          mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
          mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
          mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
          mRun: [Persistence] c:\windows\system32\igfxpers.exe
          mRun: [PCTools FGuard] c:\program files\pc tools security\bdt\FGuard.exe
          mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
          mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
          mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
          mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
          mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
          StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\brothe~1.lnk - c:\windows\installer\{8040527f-dd74-4b45-8a06-c4bf145b6c76}\BrSupSsp.exe_44686FC076524EF5975EF92EE48E2958.exe
          StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
          StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
          mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
          mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
          IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
          IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
          IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
          IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
          IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
          IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
          LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
          LSP: mswsock.dll
          DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
          DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
          DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
          DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
          DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
          DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
          Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
          Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
          Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
          Notify: igfxcui - igfxdev.dll
          SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
          SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
          .
          ================= FIREFOX ===================
          .
          FF - ProfilePath - c:\users\costa\appdata\roaming\mozilla\firefox\profiles\gyi7i6zf.default\
          FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
          FF - prefs.js: browser.search.selectedEngine -   
          FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=13
          FF - prefs.js: network.proxy.http - 127.0.0.1
          FF - prefs.js: network.proxy.http_port - 52162
          FF - prefs.js: network.proxy.type - 1
          FF - component: c:\program files\pc tools security\bdt\firefox\platform\winnt_x86-msvc\components\libheuristic.dll
          FF - component: c:\users\costa\appdata\roaming\mozilla\firefox\profiles\gyi7i6zf.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCore.dll
          FF - component: c:\users\costa\appdata\roaming\mozilla\firefox\profiles\gyi7i6zf.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
          FF - component: c:\users\costa\appdata\roaming\mozilla\firefox\profiles\gyi7i6zf.default\extensions\[email protected]\components\RadioWMPCoreGecko19.dll
          FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
          FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
          FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
          FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
          FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
          FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
          FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
          FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
          FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\pc tools security\bdt\Firefox
          FF - Ext: Conduit Engine : [email protected] - %profile%\extensions\[email protected]
          FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
          .
          ============= SERVICES / DRIVERS ===============
          .
          R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-3-13 239168]
          R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-3-13 338880]
          R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-3-13 656320]
          R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
          R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-19 13480]
          R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
          R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
          R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
          R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
          R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2011-3-13 247760]
          R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
          R2 DDNIMSGService;DDNIMSGService;c:\program files\ddni\lenovo idea notes\DDNIMSGService.exe [2009-6-23 171872]
          R2 DDNIService;DDNIService;c:\program files\ddni\dibs\DDNIService.exe [2010-4-18 163680]
          R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
          R2 LFKAS;Service of LFKA;c:\program files\lenovo\atk hotkey\LFKAS.exe [2009-5-19 208896]
          R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-5-19 66848]
          R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-9-23 53325]
          R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-24 520192]
          R3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2011-5-9 245760]
          R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-5-19 112128]
          S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2009-5-19 48192]
          S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-8 136176]
          S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2008-4-25 362992]
          S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-4-25 309744]
          S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-4-25 166384]
          S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-9-8 1153368]
          S2 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]
          S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-24 360448]
          S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-8 136176]
          S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
          S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2008-4-25 313840]
          S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]
          S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-3-13 366840]
          S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-3-13 1150936]
          S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
          S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-12-5 92592]
          .
          =============== Created Last 30 ================
          .
          2012-02-02 00:16:17   440192   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
          2012-02-02 00:16:17   278528   ----a-w-   c:\windows\system32\schannel.dll
          2012-02-02 00:16:17   1259008   ----a-w-   c:\windows\system32\lsasrv.dll
          2012-02-02 00:16:16   9728   ----a-w-   c:\windows\system32\lsass.exe
          2012-02-02 00:16:16   72704   ----a-w-   c:\windows\system32\secur32.dll
          2012-02-02 00:16:16   377344   ----a-w-   c:\windows\system32\winhttp.dll
          2012-01-28 13:34:40   --------   d-----w-   c:\program files\0A1FD
          2012-01-28 13:34:30   --------   d-----w-   c:\program files\LP
          2012-01-27 01:56:21   --------   d-----w-   c:\users\costa\appdata\roaming\Xiypyc
          2012-01-27 01:56:21   --------   d-----w-   c:\users\costa\appdata\roaming\Bavu
          2012-01-27 01:52:45   --------   d-----w-   c:\users\costa\appdata\roaming\0A1FD
          2012-01-27 01:52:33   98816   ----a-w-   c:\users\costa\appdata\roaming\microsoft\1199\E85F.tmp
          2012-01-27 01:52:23   --------   d-----w-   c:\users\costa\appdata\roaming\9EB0A
          2012-01-27 01:51:49   --------   d-----w-   c:\users\costa\appdata\local\SanctionedMedia
          2012-01-24 13:39:27   6557240   ----a-w-   c:\progra~2\microsoft\windows defender\definition updates\{13b9286a-88e7-4de5-8347-ee27386ae36b}\mpengine.dll
          2012-01-11 18:55:15   376320   ----a-w-   c:\windows\system32\winsrv.dll
          2012-01-11 18:55:08   189952   ----a-w-   c:\windows\system32\winmm.dll
          2012-01-11 18:55:07   23552   ----a-w-   c:\windows\system32\mciseq.dll
          2012-01-11 18:55:01   1205064   ----a-w-   c:\windows\system32\ntdll.dll
          2012-01-11 18:54:39   66560   ----a-w-   c:\windows\system32\packager.dll
          2012-01-11 18:54:32   2409784   ----a-w-   c:\program files\windows mail\OESpamFilter.dat
          2012-01-11 18:54:19   497152   ----a-w-   c:\windows\system32\qdvd.dll
          2012-01-11 18:54:19   1314816   ----a-w-   c:\windows\system32\quartz.dll
          2012-01-05 21:22:23   --------   d-----w-   c:\program files\TomTom HOME 2
          2012-01-05 21:09:28   --------   d-----w-   c:\program files\MyTomTom 3
          2012-01-05 16:20:26   --------   d-----w-   c:\progra~2\TomTom
          2012-01-05 16:18:04   --------   d-----w-   c:\users\costa\appdata\roaming\TomTom
          2012-01-05 16:18:04   --------   d-----w-   c:\users\costa\appdata\local\TomTom
          2012-01-05 16:18:01   --------   d-----w-   c:\program files\TomTom International B.V
          .
          ==================== Find3M  ====================
          .
          2012-01-27 01:52:36   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
          2011-11-23 13:37:27   2043904   ----a-w-   c:\windows\system32\win32k.sys
          2011-11-15 19:29:56   222080   ------w-   c:\windows\system32\MpSigStub.exe
          2011-11-08 14:42:19   2048   ----a-w-   c:\windows\system32\tzres.dll
          .
          ============= FINISH:  0:34:28.55 ===============

          Here is the attach.txt
          .
          UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
          IF REQUESTED, ZIP IT UP & ATTACH IT
          .
          DDS (Ver_11-03-05.01)
          .
          Microsoft® Windows Vista™ Home Basic
          Boot Device: \Device\HarddiskVolume1
          Install Date: 2009-05-19 2:13:34 PM
          System Uptime: 2012-02-02 12:24:28 AM (0 hours ago)
          .
          Motherboard: LENOVO                        |  | 2743CTO   
          Processor: Intel(R) Core(TM)2 Duo CPU     T6570  @ 2.10GHz | Socket 478 | 1200/200mhz
          .
          ==== Disk Partitions =========================
          .
          C: is FIXED (NTFS) - 138 GiB total, 78.607 GiB free.
          D: is CDROM ()
          E: is Removable
          Q: is FIXED (NTFS) - 10 GiB total, 4.1 GiB free.
          S: is FIXED (NTFS) - 1 GiB total, 0.686 GiB free.
          .
          ==== Disabled Device Manager Items =============
          .
          Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
          Description: Microsoft ISATAP Adapter
          Device ID: ROOT\*ISATAP\0001
          Manufacturer: Microsoft
          Name: Microsoft ISATAP Adapter
          PNP Device ID: ROOT\*ISATAP\0001
          Service: tunnel
          .
          ==== System Restore Points ===================
          .
          .
          ==== Installed Programs ======================
          .
          .
           Update for Microsoft Office 2007 (KB2508958)
          ABBYY PDF Transformer 2.0
          Access Help
          Adobe AIR
          Adobe Flash Player 10 Plugin
          Adobe Flash Player 11 ActiveX
          Adobe Reader X (10.1.1)
          Adobe Shockwave Player 11.5
          Apple Application Support
          Apple Mobile Device Support
          Apple Software Update
          ArcSoft Print Creations
          ArcSoft Print Creations - Album Page
          ArcSoft Print Creations - Funhouse
          ArcSoft Print Creations - Greeting Card
          ArcSoft Print Creations - Photo Book
          ArcSoft Print Creations - Photo Calendar
          ArcSoft Print Creations - Scrapbook
          ArcSoft Print Creations - Slimline Card
          Bonjour
          Brother Product Research and Support Program
          Browser Defender 3.0
          CCleaner
          CCScore
          Cisco EAP-FAST Module
          Cisco LEAP Module
          Cisco PEAP Module
          Client Security - Password Manager
          Comical 0.8
          Conduit Engine
          Conexant HD Audio
          D3DX10
          DIBS
          DirectXInstallService
          DivX Web Player
          Drag-to-Disc
          ESET Online Scanner v3
          ESSBrwr
          ESSCDBK
          ESScore
          ESSgui
          ESSini
          ESSPCD
          ESSPDock
          ESSTOOLS
          essvatgt
          ExamView Player
          ExamView Pro
          fflink
          Foxit Reader
          Google Chrome
          Google Toolbar for Internet Explorer
          Google Update Helper
          HDAUDIO Soft Data Fax Modem with SmartCP
          Help Center
          HiJackThis
          HL-2240
          Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
          Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
          Intel(R) Graphics Media Accelerator Driver
          InterVideo Register Manager
          InterVideo WinDVD
          iTunes
          Java Auto Updater
          Java(TM) 6 Update 24
          Kodak EasyShare software
          Lenovo Care
          Lenovo Care Supplement
          Lenovo Central
          Lenovo Idea Notes
          Lenovo Registration
          Lenovo System Interface Driver
          Lenovo System Toolbox
          Lenovo Welcome v1.0.24.3
          Lenovo_ATK_Package
          Malwarebytes Anti-Malware version 1.60.1.1000
          McAfee Security Scan Plus
          Message Center
          Microsoft .NET Framework 3.5 SP1
          Microsoft .NET Framework 4 Client Profile
          Microsoft Application Error Reporting
          Microsoft Office 2007 Service Pack 2 (SP2)
          Microsoft Office Access MUI (English) 2007
          Microsoft Office Access Setup Metadata MUI (English) 2007
          Microsoft Office Enterprise 2007
          Microsoft Office Excel MUI (English) 2007
          Microsoft Office File Validation Add-In
          Microsoft Office Groove MUI (English) 2007
          Microsoft Office Groove Setup Metadata MUI (English) 2007
          Microsoft Office InfoPath MUI (English) 2007
          Microsoft Office OneNote MUI (English) 2007
          Microsoft Office Outlook MUI (English) 2007
          Microsoft Office PowerPoint MUI (English) 2007
          Microsoft Office Proof (English) 2007
          Microsoft Office Proof (French) 2007
          Microsoft Office Proof (Spanish) 2007
          Microsoft Office Proofing (English) 2007
          Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
          Microsoft Office Publisher MUI (English) 2007
          Microsoft Office Shared MUI (English) 2007
          Microsoft Office Shared Setup Metadata MUI (English) 2007
          Microsoft Office Suite Activation Assistant
          Microsoft Office Word MUI (English) 2007
          Microsoft Search Enhancement Pack
          Microsoft Silverlight
          Microsoft SQL Server Native Client
          Microsoft SQL Server Setup Support Files (English)
          Microsoft SQL Server VSS Writer
          Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
          Microsoft Visual C++ 2005 Redistributable
          Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
          Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
          Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
          Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
          Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
          Mobile Broadband Connect
          Mozilla Firefox (3.0.19)
          MP3 Rocket
          MSVCRT
          MSXML 4.0 SP2 (KB954430)
          MSXML 4.0 SP2 (KB973688)
          MSXML4SP2
          MyTomTom 3.1.0.530
          Nero 8
          neroxml
          netbrdg
          OfotoXMI
          On Screen Display
          Presentation Director
          Product Recovery Disc Burning Utility
          QuickTime
          Realtek 8169 8168 8101E 8102E Ethernet Driver
          Registry patch for Windows Vista USB S3 PM Enablement
          Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista
          Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
          Registry patch to improve USB device detection on resume from sleep for Windows Vista
          Rescue and Recovery
          RICOH R5C83x/84x Flash Media Controller Driver Ver.3.55.01
          Roxio Activation Module
          Roxio Central Audio
          Roxio Central Copy
          Roxio Central Core
          Roxio Central Data
          Roxio Central Tools
          Roxio Creator Small Business Edition
          Roxio Express Labeler 3
          Security Update for 2007 Microsoft Office System (KB2288621)
          Security Update for 2007 Microsoft Office System (KB2288931)
          Security Update for 2007 Microsoft Office System (KB2345043)
          Security Update for 2007 Microsoft Office System (KB2553089)
          Security Update for 2007 Microsoft Office System (KB2553090)
          Security Update for 2007 Microsoft Office System (KB2584063)
          Security Update for 2007 Microsoft Office System (KB969559)
          Security Update for 2007 Microsoft Office System (KB976321)
          Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
          Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
          Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
          Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
          Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
          Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
          Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
          Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
          Security Update for Microsoft Office Access 2007 (KB979440)
          Security Update for Microsoft Office Groove 2007 (KB2552997)
          Security Update for Microsoft Office InfoPath 2007 (KB2510061)
          Security Update for Microsoft Office InfoPath 2007 (KB979441)
          Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
          Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
          Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
          Security Update for Microsoft Office system 2007 (972581)
          Security Update for Microsoft Office system 2007 (KB974234)
          Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
          Security Update for Microsoft Office Word 2007 (KB2344993)
          Segoe UI
          SFR
          SHASTA
          skin0001
          SKINXSDK
          Soap 3.0 Toolkit
          Softonic_English Toolbar
          Sonic CinePlayer Decoder Pack
          Sonic Icons for Lenovo
          Spybot - Search & Destroy
          Spyware Doctor 8.0
          staticcr
          SUPERAntiSpyware
          System Update
          ThinkPad EasyEject Utility
          ThinkPad FullScreen Magnifier
          ThinkPad Hotkey Features Setup
          ThinkPad Mobility Center Customization
          ThinkPad Power Management Driver for SL Series
          ThinkPad Power Manager
          ThinkPad UltraNav Driver
          ThinkPad UltraNav Utility
          Thinkpad Wireless LAN Adapters Software (11a/b/g/n)
          ThinkVantage Access Connections
          ThinkVantage Active Protection System
          ThinkVantage Status Gadget
          ThinkVantage Technologies Welcome Message
          TomTom HOME 2.8.3.2458
          TomTom HOME Visual Studio Merge Modules
          UFile 2009
          UFile 2010
          UFile Updater 2009
          UFile Updater 2010
          Update for 2007 Microsoft Office System (KB967642)
          Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
          Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
          Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
          Update for Microsoft Office 2007 Help for Common Features (KB963673)
          Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
          Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
          Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
          Update for Microsoft Office 2007 System (KB2539530)
          Update for Microsoft Office Access 2007 Help (KB963663)
          Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
          Update for Microsoft Office Excel 2007 Help (KB963678)
          Update for Microsoft Office Infopath 2007 Help (KB963662)
          Update for Microsoft Office OneNote 2007 (KB980729)
          Update for Microsoft Office OneNote 2007 Help (KB963670)
          Update for Microsoft Office Outlook 2007 (KB2583910)
          Update for Microsoft Office Outlook 2007 Help (KB963677)
          Update for Microsoft Office Powerpoint 2007 Help (KB963669)
          Update for Microsoft Office Publisher 2007 Help (KB963667)
          Update for Microsoft Office Script Editor Help (KB963671)
          Update for Microsoft Office Word 2007 Help (KB963665)
          VC80CRTRedist - 8.0.50727.762
          Verizon Wireless BroadbandAccess Self Activation
          Visual Studio C++ 10.0 Runtime
          VPRINTOL
          Wallpapers
          Windows Driver Package - Lenovo 1.44 (05/14/2008 1.44)
          Windows Live Communications Platform
          Windows Live Essentials
          Windows Live ID Sign-in Assistant
          Windows Live Installer
          Windows Live Messenger
          Windows Live Photo Common
          Windows Live PIMT Platform
          Windows Live SOXE
          Windows Live SOXE Definitions
          Windows Live UX Platform
          Windows Live UX Platform Language Pack
          Windows Media Player Firefox Plugin
          WinRAR archiver
          WIRELESS
          WOT for Internet Explorer
          .
          ==== End Of File ===========================


          Thanks for the help.

          SuperDave

          Re: VistaAntispyware 2012 ???
          « Reply #7 on: February 02, 2012, 12:40:47 PM »
          Download OTL to your desktop.

          * Open OTL
          * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

          Code:
          :OTL

          uURLSearchHooks: H - No File
          TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
          TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
          FF - prefs.js: network.proxy.http - 127.0.0.1
          FF - prefs.js: network.proxy.http_port - 52162

          :COMMANDS
          [resethosts]
          [purity]
          [start explorer]

          * Click Run Fix
          * OTL may ask to reboot the machine. Please do so if asked.
          * Click OK
          * A report will open. Copy and Paste that report in your next reply.
          **************************************************************
          Download Combofix from any of the links below, and save it to your desktop

          Link 1
          Link 2
          Link 3

          To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
          • Close any open windows and double click ComboFix.exe to run it.

            You will see the following image:


          Click I Agree to start the program.

          ComboFix will then extract the necessary files and you will see this:



          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

          It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

          If you did not have it installed, you will see the prompt below. Choose YES.



          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



          Click on Yes, to continue scanning for malware.

          When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

          Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

          Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
          Windows 8 and Windows 10 dual boot with two SSD's
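
The two `FF - prefs.js` proxy lines in the OTL fix above come from the Firefox section of the DDS log, where `network.proxy.type` is 1 (manual proxy configuration). As an added example (not part of the original post, and not OTL's or DDS's own code), this sketch parses such log lines and reports whether a loopback proxy is actually in effect; the function names and status labels are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: Firefox preference lines in the form DDS prints them,
# using the values shown in the log posted in this thread.
SAMPLE_DDS = """
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=13
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 52162
FF - prefs.js: network.proxy.type - 1
"""

# "FF - prefs.js: <pref name> - <value>"; the value may be empty.
PREF_LINE = re.compile(r"^FF - prefs\.js:\s*(\S+)\s+-\s*(.*)$")


def parse_ff_prefs(dds_text):
    """Return {pref_name: value} for every 'FF - prefs.js:' line in a DDS log."""
    prefs = {}
    for line in dds_text.splitlines():
        match = PREF_LINE.match(line.strip())
        if match:
            prefs[match.group(1)] = match.group(2).strip()
    return prefs


def is_loopback(host):
    """True when the proxy host is this machine (127.0.0.0/8, ::1 or 'localhost')."""
    host = host.strip().strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # A hostname: resolving it needs the network, which this offline check avoids.
        return False


def triage_proxy(dds_text):
    """Classify each configured Firefox proxy as INACTIVE, ACTIVE_LOOPBACK or ACTIVE_REMOTE."""
    prefs = parse_ff_prefs(dds_text)
    raw_type = prefs.get("network.proxy.type", "")
    # Firefox only uses the host/port prefs when network.proxy.type is 1 (manual).
    manual = raw_type.isdigit() and int(raw_type) == 1

    findings = []
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get("network.proxy." + scheme, "")
        if not host:
            continue
        port = prefs.get("network.proxy." + scheme + "_port", "")
        endpoint = "%s proxy %s:%s" % (scheme, host, port if port.isdigit() else "?")
        if not manual:
            status = "INACTIVE"          # leftover entry, ignored by the browser
        elif is_loopback(host):
            # All traffic for this scheme passes through a process on the same
            # machine: identify what is listening on that port before trusting it.
            status = "ACTIVE_LOOPBACK"
        else:
            status = "ACTIVE_REMOTE"     # traffic is sent to another host
        findings.append((status, endpoint))
    return findings


if __name__ == "__main__":
    for status, endpoint in triage_proxy(SAMPLE_DDS):
        print(status, endpoint)
```

An ACTIVE_LOOPBACK result is a prompt to find the process bound to that port, since local web filters configure the browser the same way.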

          MtlHab39

            Re: VistaAntispyware 2012 ???
            « Reply #8 on: February 05, 2012, 04:07:15 PM »
            Hi SuperDave

            Since last we spoke, have not been able to get online even in safe mode.
            Via USB, have run OTL without any problem; will post results soon but seemed to be clear.

            Combofix has run for ~30 minutes and seemed to get stuck when a pop up window said that the PC has been 'infected with Rootkit'; this was a couple of minutes after it had another window saying that it 'failed to get data for Enable LUA or LVA'.

            It asked me to rerun Combofix again so I have; same result except it seems to have done something to rootkit; window now says that
            'Combofix has detected the presence of rootkit activity and needs to reboot the machine'

            Do I press OK or will combofix continue itself?

            MtlHab39

              Re: VistaAntispyware 2012 ???
              « Reply #9 on: February 05, 2012, 04:23:07 PM »
              Pressed OK and the whole process has gone faster than first 2 times but......still finds rootkit and same windows telling me to close and reboot.

              I will look for created file for combofix and post next.

              SuperDave

              Re: VistaAntispyware 2012 ???
              « Reply #10 on: February 05, 2012, 07:07:58 PM »
              Please download aswMBR.exe ( 511KB ) to your desktop.

              Double click the aswMBR.exe to run it



              Click the "Scan" button to start scan

              Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives



              On completion of the scan click save log, save it to your desktop and post in your next reply

              MtlHab39

                Re: VistaAntispyware 2012 ???
                « Reply #11 on: February 06, 2012, 08:08:56 AM »
                Here is the OTL report.

                ========== OTL ==========
                Prefs.js: network.proxy.http - 127.0.0.1 removed from refs.js
                Prefs.js: network.proxy.http_port - 52162 removed from refs.js
                ========== COMMANDS ==========
                HOSTS file reset successfully
                 
                OTL by OldTimer - Version 3.2.31.0 log created on 02052012_164956

                I will post the asw once complete.

                MtlHab39

                  Topic Starter


                  Beginner

                  • Experience: Beginner
                  • OS: Unknown
                  Re: VistaAntispyware 2012 ???
                  « Reply #12 on: February 06, 2012, 08:19:48 AM »
                  Here is the ASW report

                  aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
                  Run date: 2012-02-06 10:15:34
                  -----------------------------
                  10:15:34.583    OS Version: Windows 6.0.6002 Service Pack 2
                  10:15:34.583    Number of processors: 2 586 0x170A
                  10:15:34.583    ComputerName: COSTA-PC  UserName: Costa
                  10:15:35.582    Initialize success
                  10:15:56.969    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
                  10:15:56.969    Disk 0 Vendor: HITACHI_ FB2Z Size: 152627MB BusType: 3
                  10:15:56.985    Disk 0 MBR read successfully
                  10:15:56.985    Disk 0 MBR scan
                  10:15:56.985    Disk 0 unknown MBR code
                  10:15:57.001    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS         1500 MB offset 2048
                  10:15:57.016    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       141124 MB offset 3074048
                  10:15:57.047    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        10000 MB offset 292098048
                  10:15:57.047    Disk 0 scanning sectors +312578048
                  10:15:57.125    Disk 0 scanning C:\Windows\system32\drivers
                  10:16:05.534    Service scanning
                  10:16:09.574    Modules scanning
                  10:16:21.695    Disk 0 trace - called modules:
                  10:16:21.727    ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll iastor.sys
                  10:16:21.727    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d055f0]
                  10:16:21.758    3 CLASSPNP.SYS[897d08b3] -> nt!IofCallDriver -> [0x86d05df0]
                  10:16:21.758    5 PCTCore.sys[83704099] -> nt!IofCallDriver -> [0x85842118]
                  10:16:21.773    7 acpi.sys[806d06bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x861f9028]
                  10:16:21.773    Scan finished successfully
                  10:16:37.249    Disk 0 MBR has been saved successfully to "C:\Users\Costa\Desktop\MBR.dat"
                  10:16:37.249    The log file has been saved successfully to "C:\Users\Costa\Desktop\aswMBR.txt"
                  10:17:14.720    Disk 0 MBR has been saved successfully to "E:\ASW\MBR.dat"
                  10:17:14.735    The log file has been saved successfully to "E:\ASW\aswMBR.txt"
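The log above saves the raw boot sector to MBR.dat and reports "unknown MBR code". As an added example (not part of the original posts and not aswMBR's own logic), this is one way to triage such a 512-byte dump offline: check the boot signature, list the partition entries, and compare a hash of the boot code against references you trust. The function names, the stand-in boot-code bytes and the reference set are assumptions; the partition layout is constructed from the log lines, with sector counts derived from the logged MB sizes.

```python
import hashlib
import struct

SECTOR = 512
ENTRY = struct.Struct("<B3xB3xII")  # status, type, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR dump into boot-code hash and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"index": i + 1, "active": status == 0x80,
                          "type": ptype, "offset": lba,
                          "size_mb": count * SECTOR // 2**20})
    return {"signature_ok": sector[510:512] == b"\x55\xaa",
            # Bytes 0-439 are boot code, the region an MBR bootkit replaces.
            "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "partitions": parts}

def triage(sector: bytes, known_good: set) -> list:
    """Return findings that warrant a closer look; an empty list means none."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] not in known_good:
        findings.append("boot code does not match any reference hash")
    if sum(p["active"] for p in mbr["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings

def build_sample(boot_code: bytes) -> bytes:
    """Constructed dump: partition layout taken from the aswMBR log lines."""
    layout = [(0x80, 0x07, 2048, 3072000),
              (0x00, 0x07, 3074048, 289021952),
              (0x00, 0x07, 292098048, 20480000)]
    table = b"".join(ENTRY.pack(*e) for e in layout).ljust(64, b"\x00")
    return boot_code.ljust(446, b"\x00") + table + b"\x55\xaa"

if __name__ == "__main__":
    reference = build_sample(b"\xfa\x33\xc0" + b"\x90" * 100)  # stand-in "clean" code
    modified = build_sample(b"\xeb\x10" + b"\x90" * 100)       # stand-in altered code
    good = {parse_mbr(reference)["boot_code_sha256"]}
    print(parse_mbr(modified)["partitions"])
    print(triage(reference, good), triage(modified, good))
```

An unmatched hash is a reason to look closer, not proof of infection: OEM recovery loaders and third-party boot managers also install non-standard boot code.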

                  SuperDave

                  • Malware Removal Specialist
                  • Moderator


                  • Genius
                  • Thanked: 1020
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 10
                  Re: VistaAntispyware 2012 ???
                  « Reply #13 on: February 06, 2012, 12:29:49 PM »
                  Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

                  Link 1
                  Link 2
                  Link 3

                  • Double-click on MBRCheck.exe to run it.

                  • It will open a black window...please do not fix anything (if it gives you an option).

                  • When complete, you should see "Done! Press ENTER to exit...". Press Enter on the keyboard.

                  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
                  • Please copy and paste the contents of that log in your next reply.
                  Windows 8 and Windows 10 dual boot with two SSD's

                  MtlHab39

                    Topic Starter


                    Beginner

                    • Experience: Beginner
                    • OS: Unknown
                    Re: VistaAntispyware 2012 ???
                    « Reply #14 on: February 06, 2012, 02:56:28 PM »
                    Black box opens with this message after 5 seconds

                    Found non-standard or infected MBR.
                    Enter 'Y' and hit enter for more options, or 'N' to exit:


                    What should I do next?