New virus and can't remove
(OP)
I saw a YouTube video that I wanted my wife to see. So, I downloaded savetubevideo. Now my browser redirects to landing.savetubevideo.com. Neither Malwarebytes, Spybot, nor AVG detects it. Has anyone seen this before?

SHK Certified (School of Hard Knocks)
NCSS, ATSP/IP

RE: New virus and can't remove

You might check and see if your "home page" has been modified to this...

RE: New virus and can't remove

Actually, this is easy to fix; it is a spyware/redirector application:

1. Uninstall the app (SaveTubeVideo)... DO NOT REBOOT at this STAGE...

2. Uninstall WinPcap (actually a legit app, but this is used to spy on you), which gets installed alongside SaveTube... NOW REBOOT...

3. For ease of fixing the leftovers, download HijackThis, run a scan with a log, and post the log here; I, or someone else, will discern the log and tell you what to fix...

HijackThis from TrendMicro
http://free.antivirus.com/hijackthis/

4. Download CCleaner, run it, and have it clean your PC of unwanted trash (log files and unwanted temp files)...

CCleaner
http://www.piriform.com/

Waiting for your next post...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

RE: New virus and can't remove

The reason I mentioned ComboFix is that this person probably has a lot of other baddies on there as well. Might as well whack 'em all at once.

RE: New virus and can't remove

There is a slight risk with ComboFix, so your method would entail less risk as a first step.

RE: New virus and can't remove

(OP)
Here is my HijackThis file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:53:26 AM, on 9/7/2010
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Program Files\ID Vault\IDVault.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\TpShocks.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe
C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SFT\GuardedID\GIDD.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nortel Networks\ICSRT\Scheduler\scheduler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dwayne\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ipoffice
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: GuardId.MSIEBrowser.BHO - {5b0a01d2-b8a0-4e56-9e6b-cba0ef4b4eb5} - mscoree.dll (file missing)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [IdeaNotesUser] C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [GIDDesktop] C:\Program Files\SFT\GuardedID\gidd.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: ID Vault.lnk = C:\Program Files\ID Vault\IDVault.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norstar ICS Scheduler.lnk = C:\Program Files\Nortel Networks\ICSRT\Scheduler\scheduler.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AcPrfMgrSvc - Lenovo - C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
O23 - Service: AcSvc - Lenovo - C:\Program Files\Lenovo\Access Connections\AcSvc.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DDNIMSGService - Digital Delivery Networks, Inc. - C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
O23 - Service: DDNIService - Digital Delivery Networks, Inc. - C:\Program Files\DDNI\DIBS\DDNIService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: IDVault Service (IDVaultSvc) - White Sky, Inc. - C:\Program Files\ID Vault\IDVaultSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: Voicemail Pro Service (VoicemailProServer) - Avaya - C:\Program Files\Avaya\IP Office\Voicemail Pro\VM\vmprov5svc.exe

--
End of file - 10914 bytes
 

SHK Certified (School of Hard Knocks)
NCSS, ATSP/IP

RE: New virus and can't remove

Dwayne,

The good news:

I can't see anything detrimental in that log: a few unnecessary entries, but no malware (that is detected by HJT)...

But that is also the bad news; if it is still redirecting, then by all means attempt ComboFix, as outlined by Goom...

Also worth a look, for scanning for malware:

MBAM - Malwarebytes AntiMalware
http://www.malwarebytes.org/mbam.php

SuperAntiSpyware
http://www.superantispyware.com/

Keep us posted as to the situation...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

RE: New virus and can't remove

(OP)
Here is the ComboFix log:

ComboFix 10-09-06.04 - Dwayne 09/07/2010  12:31:14.1.2 - x86
Microsoft Windows 7 Professional   6.1.7600.0.1252.1.1033.18.2937.1628 [GMT -4:00]
Running from: c:\users\Dwayne\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\swtools\APPS\CSBED\CSBE\ACTIVATION_104\_desktop.ini
c:\swtools\APPS\CSBED\CSBE\ACTIVATION_104\BIN\_desktop.ini
c:\windows\system32\IMSMfcSupport.0406.dll
c:\windows\system32\IMSMfcSupport.0407.dll
c:\windows\system32\IMSMfcSupport.0409.dll
c:\windows\system32\IMSMfcSupport.040a.dll
c:\windows\system32\IMSMfcSupport.040b.dll
c:\windows\system32\IMSMfcSupport.040c.dll
c:\windows\system32\IMSMfcSupport.0410.dll
c:\windows\system32\IMSMfcSupport.0411.dll
c:\windows\system32\IMSMfcSupport.0413.dll
c:\windows\system32\IMSMfcSupport.0414.dll
c:\windows\system32\IMSMfcSupport.0416.dll
c:\windows\system32\IMSMfcSupport.0419.dll
c:\windows\system32\IMSMfcSupport.041d.dll
c:\windows\system32\IMSMfcSupport.0804.dll
c:\windows\system32\IMSMfcSupport.0809.dll
c:\windows\system32\IMSMfcSupport.080a.dll
c:\windows\system32\IMSMfcSupport.0816.dll
c:\windows\system32\IMSMfcSupport.0c04.dll
c:\windows\system32\IMSMfcSupport.0c0c.dll
c:\windows\system32\IMSMfcSupport.240a.dll
c:\windows\system32\IMSMfcSupport.2c0a.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\UMSINST.0406.dll
c:\windows\system32\UMSINST.0407.dll
c:\windows\system32\UMSINST.0409.dll
c:\windows\system32\UMSINST.040a.dll
c:\windows\system32\UMSINST.040b.dll
c:\windows\system32\UMSINST.040c.dll
c:\windows\system32\UMSINST.0410.dll
c:\windows\system32\UMSINST.0411.dll
c:\windows\system32\UMSINST.0413.dll
c:\windows\system32\UMSINST.0414.dll
c:\windows\system32\UMSINST.0416.dll
c:\windows\system32\UMSINST.0419.dll
c:\windows\system32\UMSINST.041d.dll
c:\windows\system32\UMSINST.0804.dll
c:\windows\system32\UMSINST.0809.dll
c:\windows\system32\UMSINST.080a.dll
c:\windows\system32\UMSINST.0816.dll
c:\windows\system32\UMSINST.0c04.dll
c:\windows\system32\UMSINST.0c0c.dll
c:\windows\system32\UMSINST.240a.dll
c:\windows\system32\UMSINST.2c0a.dll
Q:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://dibs.ddni.net
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


(((((((((((((((((((((((((   Files Created from 2010-08-07 to 2010-09-07  )))))))))))))))))))))))))))))))
.

2010-09-07 15:18 . 2010-09-07 16:25    63488    ----a-w-    c:\users\Dwayne\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-07 15:18 . 2010-09-07 15:18    52224    ----a-w-    c:\users\Dwayne\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-07 15:18 . 2010-09-07 16:25    117760    ----a-w-    c:\users\Dwayne\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-07 15:18 . 2010-09-07 15:18    --------    d-----w-    c:\users\Dwayne\AppData\Roaming\SUPERAntiSpyware.com
2010-09-07 15:18 . 2010-09-07 15:18    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2010-09-07 15:18 . 2010-09-07 15:18    --------    d-----w-    c:\program files\SUPERAntiSpyware
2010-08-25 17:18 . 2009-10-10 02:57    12800    ----a-w-    c:\windows\system32\drivers\sffp_sd.sys
2010-08-25 17:18 . 2009-10-10 02:31    84992    ----a-w-    c:\windows\system32\drivers\sdbus.sys
2010-08-25 13:48 . 2010-04-07 07:10    571904    ----a-w-    c:\windows\system32\oleaut32.dll
2010-08-19 18:42 . 2010-08-19 18:42    --------    d-----w-    c:\program files\QuickTime
2010-08-19 18:42 . 2010-08-19 18:42    --------    d-----w-    c:\programdata\Apple Computer
2010-08-19 18:42 . 2010-08-19 18:42    --------    d-----w-    c:\program files\Common Files\Apple
2010-08-19 18:42 . 2010-08-19 18:42    --------    d-----w-    c:\users\Dwayne\AppData\Local\Apple
2010-08-19 18:42 . 2010-08-19 18:42    --------    d-----w-    c:\programdata\Apple
2010-08-19 18:42 . 2010-08-19 18:42    --------    d-----w-    c:\program files\Apple Software Update
2010-08-13 18:07 . 2010-07-23 14:17    25360    ------w-    c:\windows\system32\drivers\gidv2.sys
2010-08-13 18:07 . 2010-08-13 18:07    --------    d-----w-    c:\programdata\GID
2010-08-13 18:07 . 2010-08-13 18:07    --------    d-----w-    c:\program files\SFT

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 16:26 . 2010-06-15 20:49    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2010-09-07 13:50 . 2010-06-15 20:51    --------    d-----w-    c:\program files\SpywareBlaster
2010-09-05 13:48 . 2010-06-15 21:13    1    ----a-w-    c:\users\Dwayne\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-26 19:37 . 2010-06-16 12:41    --------    d-----w-    c:\program files\e-Sword
2010-08-25 17:19 . 2010-08-25 17:19    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2010-08-24 19:19 . 2010-06-15 20:04    81120    ----a-w-    c:\users\Dwayne\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-16 12:41 . 2010-06-16 17:42    --------    d-----w-    c:\program files\Mozilla Thunderbird
2010-08-13 19:21 . 2010-06-15 20:08    --------    d-----w-    c:\users\Dwayne\AppData\Roaming\ID Vault
2010-08-13 18:06 . 2010-06-15 20:08    --------    d-----w-    c:\program files\ID Vault
2010-08-05 02:19 . 2010-06-15 20:14    1445120    ----a-w-    c:\programdata\White Sky, Inc\ID Vault\BHO\IdVaultCore.dll
2010-08-05 02:19 . 2010-06-15 21:22    533248    ----a-w-    c:\programdata\White Sky, Inc\ID Vault\XPCOM\Components\IdVault.XPCOM.dll
2010-08-05 02:19 . 2010-06-15 20:14    42240    ----a-w-    c:\programdata\White Sky, Inc\ID Vault\BHO\IDVault.BHO.dll
2010-08-05 02:19 . 2010-06-15 20:14    84224    ----a-w-    c:\programdata\White Sky, Inc\ID Vault\BHO\CommonDotNET.dll
2010-08-02 13:05 . 2010-06-15 21:30    --------    d-----w-    c:\program files\CCleaner
2010-07-29 06:30 . 2010-08-13 12:08    197632    ----a-w-    c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-13 12:08    82944    ----a-w-    c:\windows\system32\iccvid.dll
2010-07-23 14:18 . 2010-07-23 14:18    65816    ----a-w-    c:\windows\system32\SysEventMenu.dll
2010-07-23 14:18 . 2010-07-23 14:18    388368    ----a-w-    c:\windows\system32\GIDHook.dll
2010-07-23 14:17 . 2010-07-23 14:17    100624    ----a-w-    c:\windows\system32\GIDBIN3.dll
2010-07-23 14:17 . 2010-07-23 14:17    171280    ----a-w-    c:\windows\system32\GIDBIN1.dll
2010-07-19 19:11 . 2010-07-19 19:11    --------    d-----w-    c:\program files\Firm Applications
2010-07-19 19:09 . 2010-07-19 19:09    --------    d-----w-    c:\program files\Common Files\Wise Installation Wizard
2010-07-15 13:26 . 2010-06-15 20:45    243024    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:26 . 2010-07-15 13:26    12536    ----a-w-    c:\windows\system32\avgrsstx.dll
2010-07-15 13:25 . 2010-06-15 20:45    216400    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2010-06-30 06:25 . 2010-08-13 12:08    978432    ----a-w-    c:\windows\system32\wininet.dll
2010-06-24 17:05 . 2010-06-24 17:05    49152    ----a-w-    c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-24 17:05 . 2010-06-24 17:05    45056    ----a-w-    c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-24 17:05 . 2010-06-24 17:05    45056    ----a-w-    c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-24 17:05 . 2010-06-24 17:05    45056    ----a-w-    c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-24 17:05 . 2010-06-24 17:05    45056    ----a-w-    c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-24 17:05 . 2010-06-24 17:05    40960    ----a-w-    c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-06-24 17:05 . 2010-06-24 17:05    308808    ----a-w-    c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-24 17:05 . 2010-06-24 17:05    14848    ----a-w-    c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-06-24 17:05 . 2010-06-24 17:05    341600    ----a-w-    c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-24 17:05 . 2009-09-04 21:29    348160    ----a-w-    c:\windows\system32\msvcr71.dll
2010-06-24 17:05 . 2009-09-04 21:29    499712    ----a-w-    c:\windows\system32\msvcp71.dll
2010-06-22 02:47 . 2010-08-13 12:08    310784    ----a-w-    c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-13 12:08    307200    ----a-w-    c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-13 12:08    113664    ----a-w-    c:\windows\system32\drivers\srvnet.sys
2010-06-19 06:33 . 2010-08-13 12:08    3955080    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-13 12:08    3899784    ----a-w-    c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23 . 2010-08-13 12:08    37376    ----a-w-    c:\windows\system32\rtutils.dll
2010-06-19 04:07 . 2010-08-13 12:08    2326016    ----a-w-    c:\windows\system32\win32k.sys
2010-06-18 18:24 . 2010-06-18 18:24    53632    ------w-    c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-18 18:23 . 2010-06-18 18:23    71680    ------w-    c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-06-16 16:48 . 2010-06-16 16:48    0    ------w-    c:\windows\nsreg.dat
2010-06-16 13:04 . 2010-06-15 20:45    29584    ------w-    c:\windows\system32\drivers\avgmfx86.sys
2010-06-16 05:48 . 2010-08-13 12:08    224256    ----a-w-    c:\windows\system32\schannel.dll
2010-06-15 21:09 . 2010-06-15 21:09    411368    ------w-    c:\windows\system32\deployJava1.dll
2010-06-15 20:25 . 2010-06-15 20:25    1444    ------w-    c:\windows\MFGCLEAN.CMD
2010-06-15 20:13 . 2010-06-15 20:13    3678504    ------w-    c:\users\Dwayne\AppData\Roaming\ID Vault\IDVaultUpdate.exe
2010-06-15 19:42 . 2010-06-15 19:42    118520    ------w-    c:\windows\system32\pxinsi64.exe
2010-06-15 19:42 . 2010-06-15 19:42    33088    ------w-    c:\windows\system32\drivers\psadd.sys
2010-06-15 19:42 . 2010-06-15 19:42    129784    ------w-    c:\windows\system32\pxafs.dll
2010-06-15 19:42 . 2010-06-15 19:42    116472    ------w-    c:\windows\system32\pxcpyi64.exe
2010-06-15 19:37 . 2010-06-15 19:37    55072    ------w-    c:\windows\system32\jureg.exe
2010-06-14 06:12 . 2010-08-13 12:08    1286016    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2009-06-10 21:26 . 2009-07-14 02:04    9633792    --sh--r-    c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42    396800    --sh--w-    c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-10 7612960]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"TpShocks"="TpShocks.exe" [2009-07-09 337184]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-19 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-19 151064]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-08-23 709920]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2009-08-05 244208]
"IdeaNotesUser"="c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe" [2009-08-24 221872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-24 202256]
"GIDDesktop"="c:\program files\SFT\GuardedID\gidd.exe" [2010-07-23 389896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

c:\users\Dwayne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ID Vault.lnk - c:\program files\ID Vault\IDVault.exe [2010-8-4 2880256]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Norstar ICS Scheduler.lnk - c:\program files\Nortel Networks\ICSRT\Scheduler\scheduler.exe [2010-6-16 290816]
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2010-6-24 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-05 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-08-05 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-08-05 166384]
R3 NETw1v32;Intel(R) Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw1v32.sys [2009-08-03 5958656]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 PCDSRVC{3037D694-FD904ACA-06000000}_0;PCDSRVC{3037D694-FD904ACA-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2009-08-18 20848]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-08-23 75040]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-05 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]
R3 ser2at;ATEN USB to Serial port driver;c:\windows\system32\DRIVERS\ser2at.sys [2009-10-15 80896]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-16 1343400]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-07-15 243024]
S1 GIDv2;GIDv2; [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-20 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
S2 DDNIMSGService;DDNIMSGService;c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2010-01-21 172720]
S2 DDNIService;DDNIService;c:\program files\DDNI\DIBS\DDNIService.exe [2010-01-21 160432]
S2 IDVaultSvc;IDVault Service;c:\program files\ID Vault\IDVaultSvc.exe [2010-08-05 41728]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2007-04-27 316992]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-05-21 62320]
S2 VoicemailProServer;Voicemail Pro Service;c:\program files\Avaya\IP Office\Voicemail Pro\VM\vmprov5svc.exe [2010-02-11 6123520]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-06-18 125568]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-25 122368]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-05-18 119256]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-11-05 230912]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
iissvcs    REG_MULTI_SZ       w3svc was
apphost    REG_MULTI_SZ       apphostsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
2010-07-23 14:19    431368    ----a-w-    c:\program files\SFT\GuardedID\GIDI.exe
.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2009-08-25 23:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = ipoffice
FF - ProfilePath - c:\users\Dwayne\AppData\Roaming\Mozilla\Firefox\Profiles\4oqagv6f.default\
FF - prefs.js: browser.search.selectedEngine - www.google-feed.net
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\White Sky, Inc\ID Vault\XPCOM\components\IdVault.XPCOM.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3400)
c:\windows\system32\GIDHook.dll
c:\windows\system32\GIDBIN1.dll
c:\windows\system32\EasyHook32.dll
c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlk.exe
c:\program files\Lenovo\Access Connections\AcPrfMgrSvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Lenovo\Access Connections\AcSvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\taskhost.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlkd.exe
c:\windows\system32\conhost.exe
c:\windows\System32\TpShocks.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Lenovo\Access Connections\SvcGuiHlpr.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\sppsvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2010-09-07  12:47:40 - machine was rebooted
ComboFix-quarantined-files.txt  2010-09-07 16:47

Pre-Run: 215,193,391,104 bytes free
Post-Run: 214,526,197,760 bytes free

- - End Of File - - 5AADCBBB9DA12CB4E01F9882A7ACE02A
 

SHK Certified (School of Hard Knocks)
NCSS, ATSP/IP

RE: New virus and can't remove

BadBigBen - He had said originally "Malwarebytes, Spybot, nor AVG detects it."  That's why I was already going towards ComboFix.

DigitelD   But the question you didn't answer is "Is everything okay now?"

RE: New virus and can't remove

(OP)
No, it is still happening. All this does is redirect you to a google search page. It is annoying. Nothing is detecting this.

SHK Certified (School of Hard Knocks)
NCSS, ATSP/IP

RE: New virus and can't remove

DigitelD,

Did you try goombawaho's suggestion on checking your hosts file?

Also, have you checked your LAN/connection settings?  Here's what I'm talking about....

Open Internet Explorer, go to Tools -> Internet Options..
On the Connections tab, click the LAN Settings button.. Do you have anything in the Proxy server box?  If so, and you didn't put it there, take it out, and uncheck that box..

Also, try running a couple general clean-up tools after the other tools:

Advanced System care
Glary Utilities
CCleaner(mentioned by BadBigBen) - also use the registry cleaner option..

And I THINK that from your last post, you mean that nothing listed in this forum thread is working so far... but please specify what exactly it is you've tried.  I see you posted logs from HJT and Combofix, but what have you actually DONE on your computer to try and fix the problem?
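The hosts-file check goombawaho and DigitelD are talking about can be done by hand in Notepad, but a redirector's entries are easy to miss among the default comment lines (the OP says as much later in the thread). The script below is an added example, not something from this thread or from any of the tools named in it: it parses a hosts file and separates entries that send a name to a routable address (what a browser redirector relies on) from entries that pin a name to loopback or 0.0.0.0. The sample hosts text is constructed; 198.51.100.7 is a documentation address standing in for whatever server the malware used, and the file path is the standard Windows location.

```python
import ipaddress
from pathlib import Path

# Standard location on Windows (the OP is on Windows 7). Reading it needs
# no elevation; editing it does.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed sample, not the OP's file: the default Windows header (where
# the localhost lines are commented out) plus the kind of lines a
# redirector adds. 198.51.100.7 is a documentation-range placeholder.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost
#   ::1             localhost
198.51.100.7    www.google.com  search.yahoo.com   # added by unknown software
198.51.100.7\tmail.yahoo.com
127.0.0.1       update.example-antivirus.com
0.0.0.0         ads.example.net
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()                 # spaces or tabs both work
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address: malformed, skip it
        for name in fields[1:]:
            yield addr, name.lower()

def triage_hosts(text):
    """Split non-default entries into 'redirect' (name sent to a routable
    address, as a browser redirector does) and 'block' (name pinned to
    loopback or 0.0.0.0, which ad-blocks or starves an AV of updates).
    Only 'localhost' on a loopback address counts as a default entry."""
    report = {"redirect": [], "block": []}
    for addr, name in parse_hosts(text):
        if addr.is_loopback and name == "localhost":
            continue
        kind = "block" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        report[kind].append((name, str(addr)))
    return report

def triage_file(path=WINDOWS_HOSTS):
    """Run the triage on a real hosts file; reads only, never writes."""
    return triage_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))

if __name__ == "__main__":
    for kind, entries in triage_hosts(SAMPLE_HOSTS).items():
        for name, addr in entries:
            print(f"{kind:8s} {name} -> {addr}")
```

On a live machine call `triage_file()` instead of the sample; anything in the `redirect` list that you did not put there yourself is what to remove.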
 

RE: New virus and can't remove

Yes - check HOSTS file and Proxy Settings.

RE: New virus and can't remove

(OP)
I did check the Hosts file this morning after I read your replies. I can't find the proxy settings. I am running Windows 7. I haven't had the redirection happen so far after I replaced the Hosts file.

SHK Certified (School of Hard Knocks)
NCSS, ATSP/IP

RE: New virus and can't remove

(OP)
It just happened again.  

SHK Certified (School of Hard Knocks)
NCSS, ATSP/IP

RE: New virus and can't remove

(OP)
I checked the proxy settings and no proxy was entered in. This is unreal.

SHK Certified (School of Hard Knocks)
NCSS, ATSP/IP

RE: New virus and can't remove

Goom, I missed that with MBAM...

and good find there on the Support Site, I guess when I installed it on the VM, it had not gotten nested in FF yet, although it was redirecting in IE and FF, and the cleanup on the VM went smooth...

have a star, for the find...
 

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

RE: New virus and can't remove

I was ready to give up if that didn't work.  Thanks for the star.

RE: New virus and can't remove

(OP)
Yes goom have a star. Thanks to everyone that replied. I had to reinstall the savetubevideo software and then use Revo Uninstaller Pro. I did that a couple times and then I uninstalled Mozilla completely and then reinstalled and that has seemed to fix it, I hope!

SHK Certified (School of Hard Knocks)
NCSS, ATSP/IP

RE: New virus and can't remove

Thanks again.

This is the first crapware that I've seen where you have to remove Firefox and reinstall to get it fixed.  I've seen IE hosed beyond use infinitely more often.

RE: New virus and can't remove

(OP)
Ever since this happened I now get:
Server Error 404 "Default Website"
This happens on yahoo mail and other links. I am about to pull my hair out.

SHK Certified (School of Hard Knocks)
NCSS, ATSP/IP

RE: New virus and can't remove

I could return the favor by telling you to take it to a professional. This is what we are paid to do.

However, you are using the right tools in my mind. Malwarebytes has done a good job of cleaning up stuff in our environment. Have you pulled the hard drive and put it in a different computer? This is the easiest way to clean systems like this. I didn't read all the posts but I think this is a laptop, but that doesn't matter. Most laptops made in the last 4 years or so use SATA drives, so if you have a desktop that uses SATA drives, hook it up as a secondary drive; of course, make sure your AV is up to date before doing this. Run multiple full scans with Malwarebytes and Spybot. Once all those are clean, then do the same with your AV program. Then reinstall the drive in the laptop and run the scans again. If these do not fix it, I would just reimage the machine. You are wasting more time trying to fix the issue than it would take to start over with the system.

RE: New virus and can't remove

one last thing to do, before I would suggest the same, as in reinstall the OS...

open a CMD line window (START >> RUN >> CMD [ENTER]) there type the following and hit [ENTER] then reboot:

netsh winsock reset catalog


That command redefines how Windows network software should access network services to the factory default settings. It is known that malware hooks into these to redirect network communication...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

RE: New virus and can't remove

(OP)
I found the issue. I had looked at my Hosts file before and did not notice something. I finally noticed it, removed it, and all is well now. Thanks guys for everything.

SHK Certified (School of Hard Knocks)
NCSS, ATSP/IP
