odd webhp thing

Since a couple of days ago (I'm not completely sure which day), my Google Chrome web search redirects to webhp.

My Google Chrome settings are these:

{google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q=%s

I've run ComboFix (see the dump below).

Because of ComboFix, I had to disable the scanners (Avast! Antivirus and Window Defender).

Now comes the odd thing: if I *disable* Avast! Antivirus, then everything works fine.

Avast is version 6.0.1367 with Engine version 120215-1.

I will post the same info on the Avast forum.

A few questions:

- Is Avast hacked?

- Do I have a rootkit?

- What steps should I perform from now?

Other machines that were in the same network don't seem to suffer from this behaviour (yet?), but to be sure, I have moved this particular machine to a quarantined portion of the network.

--jeroen

ComboFix 12-02-15.01 - jeroenp 2012-02-15 19:03:37.2.8 - x64

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16316.13211 [GMT 1:00]

Running from: c:\users\jeroenp\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))

.

.

2012-02-15 18:07 . 2012-02-15 18:07 -------- d-----w- c:\users\nicolette\AppData\Local\temp

2012-02-15 18:07 . 2012-02-15 18:07 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-02-15 18:07 . 2012-02-15 18:07 -------- d-----w- c:\users\bluelink\AppData\Local\temp

2012-02-12 20:33 . 2012-02-12 20:33 -------- d-----w- c:\users\nicolette\AppData\Roaming\PwrMgr

2012-02-12 20:31 . 2012-02-12 20:33 -------- d-----w- c:\users\nicolette\AppData\Local\Htc

2012-02-12 20:31 . 2012-02-12 20:31 -------- d-----w- c:\users\nicolette\AppData\Roaming\HTC

2012-02-12 20:31 . 2012-02-12 20:31 -------- d-----w- c:\users\nicolette\AppData\Roaming\Intel Corporation

2012-02-12 20:31 . 2012-02-12 20:31 -------- d-----w- c:\users\nicolette\AppData\Local\Broadcom

2012-02-11 01:37 . 2012-02-11 01:37 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7215903A-B452-4166-9913-B6054A392A14}\offreg.dll

2012-02-10 08:56 . 2012-01-06 05:15 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7215903A-B452-4166-9913-B6054A392A14}\mpengine.dll

2012-02-09 12:11 . 2012-02-09 12:11 -------- d-----w- c:\program files (x86)\NVIDIA Corporation

2012-02-09 12:07 . 2012-02-09 12:07 -------- d-----w- C:\DRIVERS

2012-02-09 11:59 . 2012-02-09 11:59 -------- d-----w- c:\program files\Common Files\SPBA

2012-02-09 11:59 . 2012-02-09 11:59 -------- d-----w- c:\program files (x86)\Common Files\SPBA

2012-02-09 11:59 . 2012-02-09 12:01 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software

2012-02-09 11:12 . 2012-02-09 11:12 -------- d-----w- c:\programdata\Lenovo

2012-02-03 14:26 . 2012-02-03 14:26 -------- d-----w- c:\program files (x86)\WinDirStat

2012-02-03 14:07 . 2012-02-03 14:07 -------- d-----w- c:\program files\Common Files\Lenovo

2012-02-03 14:07 . 2012-02-03 14:07 -------- d-----w- c:\program files (x86)\Common Files\Lenovo

2012-02-03 14:06 . 2011-08-11 10:20 45928 ----a-w- c:\windows\system32\ibmpmsvc.exe

2012-02-03 14:06 . 2011-08-11 10:20 39024 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys

2012-02-03 14:06 . 2011-08-11 10:20 38760 ----a-w- c:\windows\system32\tpinspm.dll

2012-02-03 14:05 . 2011-09-30 17:16 393264 ----a-w- c:\windows\system32\drivers\SynTP.sys

2012-02-03 14:05 . 2011-09-30 17:14 66856 ----a-w- c:\windows\SysWow64\SynTPEnhPS.dll

2012-02-03 14:05 . 2011-09-30 17:14 226600 ----a-w- c:\windows\system32\SynTPAPI.dll

2012-02-03 14:05 . 2011-09-30 17:14 148264 ----a-w- c:\windows\system32\SynTPCo9.dll

2012-02-03 14:05 . 2011-09-30 17:14 276776 ----a-w- c:\windows\system32\SynCtrl.dll

2012-02-03 14:05 . 2011-09-30 17:14 222504 ----a-w- c:\windows\SysWow64\SynCtrl.dll

2012-02-03 14:05 . 2011-09-30 17:14 177448 ----a-w- c:\windows\SysWow64\SynCOM.dll

2012-02-03 14:05 . 2011-09-14 17:11 1048576 ----a-w- c:\windows\system32\syndata.bin

2012-02-03 14:05 . 2012-02-03 14:05 -------- d-----w- c:\program files (x86)\Cisco

2012-01-22 16:55 . 2012-01-22 16:55 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll

2012-01-22 16:55 . 2012-01-22 16:55 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll

2012-01-22 16:55 . 2012-01-22 16:55 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll

2012-01-22 16:55 . 2012-01-22 16:55 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll

2012-01-22 10:48 . 2012-01-22 10:48 -------- d-----w- c:\program files (x86)\Gigaset QuickSync

2012-01-21 09:23 . 2012-01-21 09:23 -------- d-----w- c:\program files (x86)\Bitcricket

2012-01-20 08:05 . 2012-01-20 08:05 -------- d-----w- c:\program files\VMware

2012-01-19 20:14 . 2012-01-19 20:14 -------- d-----w- c:\users\jeroenp\AppData\Roaming\CheckPoint

2012-01-19 09:29 . 2011-09-07 17:43 48240 ----a-w- c:\windows\system32\drivers\vmwvusb.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-29 08:39 . 2011-07-21 10:37 84992 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll

2012-01-26 23:52 . 2010-03-04 20:29 279656 ------w- c:\windows\system32\MpSigStub.exe

2012-01-20 08:03 . 2011-06-20 08:05 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-12-01 02:05 . 2011-08-04 12:16 527424 ------w- c:\windows\PWMBTHLV.EXE

2011-12-01 02:05 . 2011-08-04 12:16 31344 ----a-w- c:\windows\system32\drivers\DZHDD64.SYS

2011-12-01 02:05 . 2011-08-04 12:16 14960 ----a-w- c:\windows\system32\drivers\TPPWR64V.SYS

2011-12-01 02:05 . 2011-08-04 12:16 1036352 ----a-w- c:\windows\system32\PWMCP64V.cpl

2011-11-28 18:01 . 2010-11-02 11:59 41184 ----a-w- c:\windows\avastSS.scr

2011-11-28 18:01 . 2010-11-02 11:59 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe

2011-11-28 18:01 . 2011-02-20 22:58 256960 ----a-w- c:\windows\system32\aswBoot.exe

2011-11-28 17:54 . 2011-04-11 21:07 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-11-28 17:53 . 2010-11-02 12:01 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-11-28 17:52 . 2010-11-02 12:01 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-11-28 17:52 . 2010-11-02 12:01 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-11-28 17:52 . 2010-11-02 12:01 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2011-11-28 17:51 . 2010-11-02 12:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-11-24 16:28 . 2011-11-24 16:28 794112 ----a-w- c:\windows\system32\Gqstsp.tsp

2011-11-24 16:22 . 2011-11-24 16:22 495616 ----a-w- c:\windows\SysWow64\Gqstsp.tsp

2011-11-24 04:52 . 2011-12-15 08:21 3145216 ----a-w- c:\windows\system32\win32k.sys

2011-11-19 14:58 . 2012-01-12 07:40 77312 ----a-w- c:\windows\system32\packager.dll

2011-11-19 14:01 . 2012-01-12 07:40 67072 ----a-w- c:\windows\SysWow64\packager.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\jeroenp\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\jeroenp\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\jeroenp\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]

"HotSwap! Applet"="c:\bin\HotSwap!64.EXE" [2009-01-10 95232]

"HotSwap! Applet"="c:\bin\HotSwap!64.EXE" [2009-01-10 103936]

"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"IME JPN 2007 Migration"="c:\progra~2\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE" [2011-05-31 63856]

"Korean IME Migration"="c:\progra~2\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE" [2006-10-26 26400]

"Microsoft Pinyin IME Migration"="c:\progra~2\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2011-05-31 32112]

"FreePDF Assistant"="c:\program files (x86)\FreePDF_XP\fpassist.exe" [2009-09-05 385024]

"Everything"="c:\program files (x86)\Everything\Everything.exe" [2009-03-13 602624]

"MyPoi Monitor"="c:\program files (x86)\Common Files\MyPoiWorld Shared\MyPoiMonitor\MyPoiMonitor.exe" [2010-05-10 2186488]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-05 283160]

"IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2010-05-03 112152]

"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]

"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2011-12-01 1631808]

"InputDirector"="c:\program files (x86)\Input Director\InputDirector.exe" [2011-06-23 589824]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"vmware-tray"="c:\program files (x86)\VMware\VMware Workstation\vmware-tray.exe" [2011-11-13 103536]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]

.

c:\users\nicolette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\jeroenp\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]

.

c:\users\jeroenp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\jeroenp\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]

KillSkypeHome.lnk - c:\bin\KillSkypeHome.exe [2011-9-8 304252]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2011-6-13 1090848]

Digital Line Detect.lnk - c:\program files (x86)\Digital Line Detect\DLG.exe [2011-4-11 50688]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"DisableCAD"= 1 (0x1)

"LocalAccountTokenFilterPolicy"= 1 (0x1)

"SoftwareSASGeneration"= 3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer7"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u wsauth

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-17 136176]

R2 InputDirector;Input Director Service;c:\program files (x86)\Input Director\IDWinService.exe [2011-06-23 36864]

R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [x]

R3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\SysWOW64\drivers\bmdrvr.sys [2009-04-17 34864]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]

R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2011-12-01 478056]

R3 GigasetGenericUSB_x64;GigasetGenericUSB_x64;c:\windows\system32\DRIVERS\GigasetGenericUSB_x64.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-17 136176]

R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]

R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]

R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [x]

R3 IDVistaService;Input Director Vista Service;c:\program files (x86)\Input Director\IDVistaService.exe [2010-07-21 13824]

R3 lvpepf64;Volume Adapter;c:\windows\system32\DRIVERS\lv302a64.sys [x]

R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]

R3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);c:\windows\system32\DRIVERS\OXSDIDRV_x64.sys [x]

R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2011-12-01 175168]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 VMwareHostd;VMware Workstation Server;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2011-11-13 11839488]

R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]

R4 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736]

S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [x]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [x]

S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]

S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [x]

S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]

S2 cpextender;Check Point SSL Network Extender;c:\program files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe [2010-12-01 357904]

S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-05 13336]

S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2010-07-27 50536]

S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-07-27 74088]

S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]

S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-09-15 88576]

S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [x]

S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2011-05-30 13128]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-04-17 378472]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]

S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-07-12 142696]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-05-03 2533400]

S2 VeeamBackupService.exe;Veeam Backup and FastSCP Service;c:\program files (x86)\Veeam\Veeam Backup and FastSCP\VeeamBackupService.exe [2010-01-28 28672]

S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-08-29 846448]

S2 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2009-04-17 428592]

S2 vmware-converter-server;VMware vCenter Converter Server;c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2009-04-17 428592]

S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi10-shared.sys [x]

S2 vstor2-mntapi10;Vstor2 MntApi 1.0 Driver;c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vstor2-mntapi10.sys [2009-04-17 32816]

S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-09-07 494192]

S2 wsnm_usbctrl;VMware View USB Control;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [2011-09-07 1125488]

S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [x]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]

S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]

S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [x]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]

S3 JMCF;JMCF;c:\windows\system32\DRIVERS\jmcf.sys [x]

S3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\drivers\LVUSBS64.sys [x]

S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]

S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]

S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2011-12-01 89152]

S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [x]

S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys [x]

S3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\DRIVERS\vna.sys [x]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - PROCEXP150

*Deregistered* - PROCEXP150

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-17 18:50]

.

2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-17 18:50]

.

2012-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2559922807-3192264508-2838444725-1000Core.job

- c:\users\jeroenp\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-26 22:41]

.

2012-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2559922807-3192264508-2838444725-1000UA.job

- c:\users\jeroenp\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-26 22:41]

.

2012-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2559922807-3192264508-2838444725-1011Core.job

- c:\users\nicolette\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-19 18:30]

.

2012-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2559922807-3192264508-2838444725-1011UA.job

- c:\users\nicolette\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-19 18:30]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-11-28 18:01 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\jeroenp\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\jeroenp\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\jeroenp\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\jeroenp\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]

"IME JPN 2007 Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE" [2011-05-26 119664]

"Korean IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE" [2006-10-26 43808]

"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2011-05-26 59248]

"VX6000"="c:\windows\vVX6000.exe" [2009-06-30 764256]

"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]

"TpShocks"="TpShocks.exe" [2011-03-29 380776]

"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-15 307768]

"ThinkPadDisplayUtility"="c:\program files\Lenovo\DISPUTIL\tplcdclr.exe" [2009-10-28 86376]

"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2010-07-27 62312]

"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2011-07-14 85832]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = about:blank

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm

LSP: %SystemRoot%\system32\vsocklib.dll

TCP: DhcpNameServer = 192.168.171.1 62.179.104.196 213.46.228.196

DPF: {414FB93D-DEDD-4FEF-AD7F-167992EBDB52} - hxxps://enter.ing.net/SNX/CSHELL/extender.cab

FF - ProfilePath - c:\users\jeroenp\AppData\Roaming\Mozilla\Firefox\Profiles\hns8m6u5.default\

FF - prefs.js: network.proxy.type - 0

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-02-15 19:08:49

ComboFix-quarantined-files.txt 2012-02-15 18:08

ComboFix2.txt 2012-02-15 17:52

.

Pre-Run: 84,483,248,128 bytes free

Post-Run: 84,404,576,256 bytes free

.

- - End Of File - - 261A61B51CDD4BD280D1843B5333DC15

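Added example (not part of the post above, and not ComboFix's own code): a small Python triage helper for the "Reg Loading Points" section of a ComboFix log. It parses the two line formats seen in the log, the Run-key lines (`"name"="path" [date size]`) and the service/driver lines (`R2 name;description;path [date size]` or `[x]`), and flags what an analyst would look at first: autostarts outside Windows and Program Files, anything running from a user profile or temp directory, a system binary name such as svchost.exe living outside c:\windows, entries with no image path, and entries where ComboFix printed `[x]` instead of a date and size. The trusted-root list is an assumption of this script, and the sample input is constructed: most lines are copied from the log above, but "Updater" and "Helper" are invented, deliberately suspicious lines that are not in the post and exist only to exercise the checks.

```python
import re
from collections import namedtuple

# Constructed sample in ComboFix's "Reg Loading Points" format. Most lines mirror the
# posted log; "Updater" and "Helper" are invented suspicious entries NOT present in the
# post, included only so the checks below have something to fire on.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
"HotSwap! Applet"="c:\bin\HotSwap!64.EXE" [2009-01-10 95232]
"Updater"="c:\users\jeroenp\AppData\Local\Temp\svchost.exe" [2012-02-14 51200]
"Helper"="c:\programdata\helper\svchost.exe" [2012-02-14 51200]
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-17 136176]
R3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\SysWOW64\drivers\bmdrvr.sys [2009-04-17 34864]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 aswSnx;aswSnx; [x]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2011-05-30 13128]
"""

Entry = namedtuple("Entry", "kind name path meta")

# "name"="path" [meta]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# R2 name;description;path [meta]   (path may be empty, meta may be "x")
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]'
)

# Assumed baseline: autostarts are normally installed under these roots (lowercase prefixes).
TRUSTED_ROOTS = (
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
    "c:\\progra~1\\", "c:\\progra~2\\",
)
# Names that only belong in c:\windows; anywhere else they are worth a close look.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def parse_entries(text):
    """Return Entry tuples for every Run-key and service line in a ComboFix log excerpt."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("run", m["name"], m["path"], m["meta"]))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry("service " + m["start"], m["name"], m["path"], m["meta"]))
    return entries


def triage(entries):
    """Return (name, reason) pairs for entries an analyst should verify by hand."""
    findings = []
    for e in entries:
        p = e.path.strip().lower()
        base = p.rsplit("\\", 1)[-1]
        if not p:
            findings.append((e.name, "no image path recorded; check the service's ImagePath in the registry"))
        elif "\\users\\" in p or "\\temp\\" in p or "\\appdata\\" in p:
            findings.append((e.name, "runs from a user profile or temp directory: " + e.path))
        elif base in SYSTEM_BINARIES and not p.startswith("c:\\windows\\"):
            findings.append((e.name, "system binary name outside c:\\windows: " + e.path))
        elif not p.startswith(TRUSTED_ROOTS):
            findings.append((e.name, "outside Windows/Program Files: " + e.path))
        if e.meta.strip() == "x":
            findings.append((e.name, "ComboFix recorded no date/size ([x]); confirm the file exists and is signed"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

Of the lines copied from the log, this flags only c:\bin\HotSwap!64.EXE (a non-standard install location), and the `[x]` entries sptd and aswSnx; the script deliberately does not classify anything as malicious, it only orders what to check next.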

This is the aswMBR log:

aswMBR version 0.9.9.1532 Copyright © 2011 AVAST Software
Run date: 2012-02-15 23:26:56
-----------------------------
23:26:56.223    OS Version: Windows x64 6.1.7601 Service Pack 1
23:26:56.223    Number of processors: 8 586 0x1E05
23:26:56.224    ComputerName: W701UJPL  UserName: jeroenp
23:26:57.565    Initialize success
23:27:00.495    AVAST engine defs: 12021501
23:27:31.670    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:27:31.673    Disk 0 Vendor: INTEL_SS 4PC1 Size: 572325MB BusType: 3
23:27:31.676    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1
23:27:31.679    Disk 1 Vendor: SAMSUNG_ 2AM1 Size: 953869MB BusType: 3
23:27:31.684    Disk 2  \Device\Harddisk2\DR2 -> \Device\Ide\IAAStorageDevice-2
23:27:31.688    Disk 2 Vendor: INTEL_SS 4PC1 Size: 572325MB BusType: 3
23:27:31.695    Disk 3  \Device\Harddisk3\SR0 -> \Device\SdBus-0
23:27:31.699    Disk 3 Vendor: (  Size: 1964MB BusType: 12
23:27:31.705    Disk 4  \Device\Harddisk4\DR3 -> \Device\Scsi\JMCF1Port1Path0Target0Lun0
23:27:31.710    Disk 4 Vendor: JMCR____  Size: 30559MB BusType: 1
23:27:31.717    Disk 0 MBR read successfully
23:27:31.723    Disk 0 MBR scan
23:27:31.729    Disk 0 Windows 7 default MBR code
23:27:31.737    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
23:27:31.744    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       572222 MB offset 206848
23:27:31.751    Service scanning
23:27:32.208    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
23:27:32.797    Modules scanning
23:27:32.804    Disk 0 trace - called modules:
23:27:32.813    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys spjf.sys hal.dll
23:27:32.819    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800ded9790]
23:27:32.827    3 CLASSPNP.SYS[fffff88001a5143f] -> nt!IofCallDriver -> [0xfffffa800dc59480]
23:27:32.834    5 ACPI.sys[fffff8800118a7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa800dc58050]
23:27:34.056    AVAST engine scan C:\Windows
23:27:35.290    AVAST engine scan C:\Windows\system32
23:28:23.890    AVAST engine scan C:\Windows\system32\drivers
23:28:29.969    AVAST engine scan C:\Users\jeroenp
23:29:08.381    AVAST engine scan C:\ProgramData
23:29:14.179    Scan finished successfully
23:31:53.384    Disk 0 MBR has been saved successfully to "C:\Users\jeroenp\AppData\Local\Temp\MBR.dat"
23:31:53.393    The log file has been saved successfully to "C:\Users\jeroenp\AppData\Local\Temp\aswMBR.txt"

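Added example (not from the post above and not AVAST's code): the two parts of an aswMBR log that matter for a rootkit question are the `**LOCKED**` service lines (a driver whose registry key or file aswMBR could not read) and the "Disk N trace - called modules" line, which lists every driver in the call chain between the kernel and the boot disk. A bootkit or disk-filter rootkit has to sit somewhere in that chain, so the useful check is to diff the module list against the Microsoft in-box storage stack and hand whatever is left to a human to identify. The Python below does exactly that over a constructed excerpt that copies the relevant lines from the log above; the baseline set of in-box driver names is this script's own assumption and is not exhaustive, so a name outside it means "identify this", not "malware".

```python
import re

# Constructed excerpt copying the service-scan and module-trace lines from the posted log.
SAMPLE_ASWMBR = r"""
23:27:31.751    Service scanning
23:27:32.208    Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
23:27:32.797    Modules scanning
23:27:32.804    Disk 0 trace - called modules:
23:27:32.813    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys spjf.sys hal.dll 
23:27:32.819    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800ded9790]
23:27:34.056    AVAST engine scan C:\Windows
"""

# Assumed baseline of Microsoft in-box drivers commonly seen in a Windows 7 disk stack
# (lowercase). Anything not in here is third-party and needs its vendor identified.
KNOWN_STACK = {
    "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys", "acpi.sys", "partmgr.sys",
    "storport.sys", "ataport.sys", "atapi.sys", "pciide.sys", "pciidex.sys",
    "intelide.sys", "volmgr.sys", "fltmgr.sys",
}

# "<time>    Service <name> <path> **LOCKED** <n>"
LOCKED_RE = re.compile(r"^\S+\s+Service\s+(?P<name>\S+)\s+(?P<path>.+?)\s+\*\*LOCKED\*\*")
TRACE_HDR = re.compile(r"Disk (?P<disk>\d+) trace - called modules:")


def parse_aswmbr(text):
    """Return (locked_services, traces): locked is [(name, path)], traces is {disk: [modules]}."""
    locked, traces = [], {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = LOCKED_RE.match(line)
        if m:
            locked.append((m["name"], m["path"]))
        m = TRACE_HDR.search(line)
        if m and i + 1 < len(lines):
            # The module list is on the following line, after its timestamp.
            traces[int(m["disk"])] = lines[i + 1].split()[1:]
    return locked, traces


def unexpected_modules(traces, baseline=KNOWN_STACK):
    """Per disk, the drivers in the I/O path that are not in the in-box baseline."""
    return {disk: [m for m in mods if m.lower() not in baseline] for disk, mods in traces.items()}


if __name__ == "__main__":
    locked, traces = parse_aswmbr(SAMPLE_ASWMBR)
    for name, path in locked:
        print(f"LOCKED service {name}: {path}")
    for disk, mods in unexpected_modules(traces).items():
        print(f"Disk {disk}: non-baseline drivers in the disk path: {', '.join(mods)}")
```

On the excerpt this leaves iaStor.sys and spjf.sys for the analyst, plus the locked sptd service. iaStor.sys is Intel's Rapid Storage Technology driver (the ComboFix log lists IAStorIcon and IAStorDataMgrSvc), and sptd.sys is the SCSI Pass Through Direct driver that ships with DAEMON Tools, which the ComboFix Run key also shows installed; spjf.sys is not an in-box Windows driver and is the one name that the logs alone do not account for, so that is where to look first.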
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
