Google Redirect Trojan.BHO

[joeyangel]

Thank you, I'll give this a try immediately.

By the way, I continue to receive MBAM pop-ups for outgoing IP blocks in IE; is this something that should be addressed?

[LDTate]

The first thing is to get the system stable if we can.

Then we'll go from there.

[joeyangel]

Thank you; I ran system restore but received the following failure message:

System Restore failed to extract the file (C:\Program Files (x86)\Lenovo\System Update\session\81u411ww\PWMUIAUX.EXE) from the restore point. The restore point was damaged or deleted during the restore.

I am assuming that this is because the restore point was only four days past, and definitely within the time period where this machine had already been affected.

I am not sure whether this would be helpful, but I run a back-up weekly (this week being an exception, of course) to a separate drive. I don't know if there is a restore point created, or if it would be unadvisable to connect this drive before any other situations are rectified.

Please let me know if this would be beneficial and I'll be happy to proceed from there; thanks as always.

[LDTate]

the restore point was only four days past,

Was that the only possible restore point?

[joeyangel]

Yes, I'm afraid that the two other available restore points were more recent.

[LDTate]

Can you run a new Combofix?

[joeyangel]

Certainly, thanks; I'll run it presently.

[joeyangel]

Here are the results of the new ComboFix instance - thank you:

ComboFix 11-09-20.04 - caparo 09/24/2011 11:50:45.4.2 - x64

Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3054.1752 [GMT -4:00]

Running from: c:\users\caparo\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\Temp\tmp3.tmp

.

.

((((((((((((((((((((((((( Files Created from 2011-08-24 to 2011-09-24 )))))))))))))))))))))))))))))))

.

.

2011-09-24 16:06 . 2011-09-24 16:06 -------- d-----w- c:\users\UNC Support\AppData\Local\temp

2011-09-24 16:06 . 2011-09-24 16:06 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-09-20 18:19 . 2011-08-16 12:48 8862544 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6813238C-071B-4706-A014-49A9DAEDC4B6}\mpengine.dll

2011-09-20 17:20 . 2011-09-20 17:20 -------- d-----w- c:\windows\desktop

2011-09-20 17:20 . 2011-09-23 14:43 -------- d-----w- c:\users\caparodesktop

2011-09-19 01:30 . 2011-09-19 01:30 97792 ----a-w- c:\windows\SysWow64\srrstr.dll

2011-09-07 19:49 . 2011-09-07 22:43 -------- d-----w- c:\users\caparo\AppData\Roaming\IrfanView

2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll

2011-08-30 03:55 . 2011-08-30 03:55 -------- d-----w- c:\users\caparo\AppData\Roaming\Garmin

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-31 21:00 . 2010-10-30 16:49 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-18 22:12 . 2011-05-17 03:43 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-07-22 05:42 . 2011-08-10 06:20 2303488 ----a-w- c:\windows\system32\jscript9.dll

2011-07-22 05:36 . 2011-08-10 06:20 1389056 ----a-w- c:\windows\system32\wininet.dll

2011-07-22 05:32 . 2011-08-10 06:20 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-22 02:54 . 2011-08-10 06:20 1797632 ----a-w- c:\windows\SysWow64\jscript9.dll

2011-07-22 02:48 . 2011-08-10 06:20 1126912 ----a-w- c:\windows\SysWow64\wininet.dll

2011-07-22 02:44 . 2011-08-10 06:20 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-07-16 05:41 . 2011-08-10 06:18 362496 ----a-w- c:\windows\system32\wow64win.dll

2011-07-16 05:41 . 2011-08-10 06:18 243200 ----a-w- c:\windows\system32\wow64.dll

2011-07-16 05:41 . 2011-08-10 06:18 13312 ----a-w- c:\windows\system32\wow64cpu.dll

2011-07-16 05:39 . 2011-08-10 06:18 16384 ----a-w- c:\windows\system32\ntvdm64.dll

2011-07-16 05:37 . 2011-08-10 06:18 421888 ----a-w- c:\windows\system32\KernelBase.dll

2011-07-16 05:21 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll

2011-07-16 05:21 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

2011-07-16 04:29 . 2011-08-10 06:18 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2011-07-16 04:26 . 2011-08-10 06:18 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2011-07-16 04:25 . 2011-08-10 06:18 25600 ----a-w- c:\windows\SysWow64\setup16.exe

2011-07-16 04:24 . 2011-08-10 06:18 5120 ----a-w- c:\windows\SysWow64\wow32.dll

2011-07-16 04:24 . 2011-08-10 06:18 272384 ----a-w- c:\windows\SysWow64\KernelBase.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll

2011-07-16 04:15 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll

2011-07-16 02:21 . 2011-08-10 06:18 7680 ----a-w- c:\windows\SysWow64\instnm.exe

2011-07-16 02:21 . 2011-08-10 06:18 2048 ----a-w- c:\windows\SysWow64\user.exe

2011-07-16 02:17 . 2011-08-10 06:18 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:17 . 2011-08-10 06:18 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:17 . 2011-08-10 06:18 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2011-07-16 02:17 . 2011-08-10 06:18 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2011-07-09 05:26 . 2011-08-24 13:06 2048 ----a-w- c:\windows\system32\tzres.dll

2011-07-09 04:29 . 2011-08-24 13:06 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2011-07-09 02:46 . 2011-08-10 06:18 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

.

.

((((((((((((((((((((((((((((( SnapShot_2011-09-23_14.45.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-09-23 18:53 . 2011-09-23 19:49 32768 c:\windows\Temporary Internet Files\Low\Content.IE5\index.dat

+ 2009-07-14 04:54 . 2011-09-23 22:56 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2009-07-14 04:54 . 2011-09-23 13:51 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2009-07-14 04:54 . 2011-09-23 13:51 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 04:54 . 2011-09-23 22:56 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 04:54 . 2011-09-23 22:56 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2009-07-14 04:54 . 2011-09-23 13:51 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2010-01-07 02:43 . 2011-09-24 15:07 45262 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

- 2009-07-14 05:10 . 2011-09-23 05:38 51474 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 05:10 . 2011-09-24 15:07 51474 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2010-10-29 19:18 . 2011-09-24 15:07 13934 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1967798008-3269264677-1605733285-1001_UserData.bin

- 2010-07-26 16:14 . 2011-09-23 05:34 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-07-26 16:14 . 2011-09-24 15:04 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-07-26 16:14 . 2011-09-24 15:04 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2010-07-26 16:14 . 2011-09-23 05:34 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 04:54 . 2011-09-24 15:04 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2009-07-14 04:54 . 2011-09-23 05:34 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2010-11-11 16:26 . 2011-09-23 16:14 3444 c:\windows\system32\wdi\ERCQueuedResolutions.dat

- 2010-11-11 16:26 . 2011-09-19 04:38 3444 c:\windows\system32\wdi\ERCQueuedResolutions.dat

+ 2011-09-24 15:04 . 2011-09-24 15:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2011-09-23 05:34 . 2011-09-23 05:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2011-09-24 15:04 . 2011-09-24 15:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2011-09-23 05:34 . 2011-09-23 05:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2011-09-24 04:47 . 2011-09-24 04:47 294820 c:\windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat

- 2009-07-14 05:01 . 2011-09-23 05:32 494676 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2009-07-14 05:01 . 2011-09-24 14:52 494676 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2011-09-23 16:48 . 2011-09-24 15:06 8110080 c:\windows\Temporary Internet Files\Content.IE5\index.dat

- 2011-08-26 15:26 . 2011-09-23 05:32 2625264 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

+ 2011-08-26 15:26 . 2011-09-24 14:52 2625264 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat

+ 2011-03-09 06:40 . 2011-09-24 13:09 12708032 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1967798008-3269264677-1605733285-1001-8192.dat

+ 2011-04-26 18:04 . 2011-09-24 13:09 24864300 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1967798008-3269264677-1605733285-1001-4096.dat

+ 2011-04-29 05:26 . 2011-09-24 14:52 10567760 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1967798008-3269264677-1605733285-1001-12288.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2010-08-25 1129832]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2011-02-14 115560]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"RestrictWelcomeCenter"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2010-04-07 45496]

R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2010-08-25 164200]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]

R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [x]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 PCDSRVC{127174DC-C366ED8B-06020101}_0;PCDSRVC{127174DC-C366ED8B-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc_x64.pkms [2010-12-13 25072]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2010-08-25 75112]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]

R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 136176]

R4 RoxMediaDB10;RoxMediaDB10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]

S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [x]

S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2009-07-20 4908576]

S2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 13840]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-04-07 63928]

S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-27 136824]

S3 LenovoRd;LenovoRd;c:\windows\system32\Drivers\LenovoRd.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [x]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 20:58]

.

2011-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-29 20:58]

.

2011-09-07 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PC-Doctor\uaclauncher.exe [2010-12-13 21:55]

.

2011-09-23 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\PC-Doctor\pcdrcui.exe [2010-12-13 21:55]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TpShocks"="TpShocks.exe" [2010-07-01 380776]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2010-07-27 69560]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-05 16336488]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]

"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-10-19 5894968]

"nwiz"="nwiz.exe" [2009-08-27 1712672]

"Logitech Download Assistant"="c:\windows\system32\rundll32.exe" [2009-07-14 45568]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://webmail.earthlink.net/wam/index.jsp?folder=INBOX

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyServer = http=127.0.0.1:60646

uInternet Settings,ProxyOverride = <local>

Trusted Zone: earthlink.net\webmail

Trusted Zone: yougov.com\today

TCP: DhcpNameServer = 207.69.188.186 207.69.188.187

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\478656028696A7A797: DhcpNameServer = 207.69.188.186 207.69.188.187

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\55E434D213: DhcpNameServer = 152.19.240.8 152.2.253.100

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\55E434D2355636572756: DhcpNameServer = 152.19.240.8 152.2.253.100

TCP: Interfaces\{10D4270F-F0E7-4997-90C0-A0ACD10F54AF}\D41484D41484: DhcpNameServer = 192.168.0.1

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

FF - ProfilePath - c:\users\caparo\AppData\Roaming\Mozilla\Firefox\Profiles\dwv589ee.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://www.google.com/webhp?ie=UTF-8&oe=UTF-8

FF - prefs.js: network.proxy.gopher - 127.0.0.1

FF - prefs.js: network.proxy.gopher_port - 60646

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60646

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{127174DC-C366ED8B-06020101}_0]

"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc_x64.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1967798008-3269264677-1605733285-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*j*p*g* \OpenWithList]

@Class="Shell"

"a"="mspaint.exe"

"MRUList"="a"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-09-24 12:11:34

ComboFix-quarantined-files.txt 2011-09-24 16:11

ComboFix2.txt 2011-09-23 16:25

ComboFix3.txt 2011-09-23 14:51

ComboFix4.txt 2011-09-20 20:25

.

Pre-Run: 43,452,768,256 bytes free

Post-Run: 43,640,983,552 bytes free

.

- - End Of File - - 652ECCA54A0E2139EC3D2B0285676D86

[LDTate]

Are you up to uninstalling Symantec Endpoint Protection?

[joeyangel]

Yes, thanks; I haven't tried to uninstall it before, but it hasn't been capable of performing a complete scan since this started (it stalls out, which I've seen noted elsewhere as a result of similar post-viral situations).

One possible issue with this is that Symantec was installed on my laptop as part of an pre-bundled educational package; as such, I don't have any licensing information and am unsure as to whether this would impede re-installing it. Do you feel that this might be an issue?

[LDTate]

http://www.symantec.com/connect/articles/how-uninstall-symantec-endpoint-client-if-uninstall-password-place

[joeyangel]

Wonderful, thanks; this is worth a try. Before I procede, do you forsee any critical issues with a reinstall?

[LDTate]

Here's another one

http://helpdeskgeek.com/help-desk/uninstall-symantec-endpoint-protection-without-a-password/

[LDTate]

I use a free AV myself.

[joeyangel]

It's worth a try, thanks; which AV do you prefer, by the way?

[LDTate]

Microsoft Security Essentials

[joeyangel]

Great, thanks; that may come in handy.

I've uninstalled Symantec (at least as far as I am able to be sure of that); how should I proceed.

[LDTate]

Let's run a new MBAM scan

[joeyangel]

Thanks, here are the results of the latest scan.

I have recent protection logs, as well, if you feel that reviewing these would be beneficial.

Also, thanks for the tip regarding MSE as an AV - I've been very happy with it's performance so far.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7795

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

9/25/2011 10:39:53 AM

mbam-log-2011-09-25 (10-39-53).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 419643

Time elapsed: 1 hour(s), 38 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[LDTate]

How's it running now?

[joeyangel]

Everything seems to be running fine, thanks, with the exception of the folder control issues noted previously. Is there a point in the earlier fixes that I should return to, or are there other options that should be pursued?

[joeyangel]

Perhaps I spoke too soon; I just received a MBAM pop-up warning and ran a quick scan, the results of which are included below.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7797

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

9/25/2011 9:29:32 PM

mbam-log-2011-09-25 (21-29-28).txt

Scan type: Flash scan

Objects scanned: 164973

Time elapsed: 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\caparo\local settings\application data\Adobe\adobeupdate\adobeupdt32.dll (Trojan.SHarpro) -> No action taken.

c:\Users\caparo\AppData\Local\Adobe\adobeupdate\adobeupdt32.dll (Trojan.SHarpro) -> No action taken.

[LDTate]

No action taken

.Are you removing those?

[joeyangel]

Yes, thanks; I always "delete all selected" after I run the scans.

After I posted this last night, I updated MBAM and MSE, then I physically disconnedted the machine from Internet. I ran complete scans with both apps, neither of which discovered any intrusions. I'll post the MBAM log below.

This morning, I reconnedted the machine and updated MBAM and MSE. I ran an MBAM flash scan whcih immediately turned in the following log. All instances were deleted and the machine was restarted, upon which I (predictably) received an error message stating that "There was an error starting C:\ProgramData\JavaPolicyTray.dll. The specific module could not be found." I'm assuming that this was an infected module (as noted in the MBAM log) and that it has no real effect on the regular operation of the machine under normal circumstances.

Is there something I'm doing that is facilitating the recurrence of this malware? It only seems able to perpetuate itself when the machine is online; is there a security flaw I an not addressing adequately?

The first log below is this morning's, the second for the full scan from last night. Thanks again for all your help - I really do appreciate it.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7801

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

9/26/2011 11:28:22 AM

mbam-log-2011-09-26 (11-28-22).txt

Scan type: Flash scan

Objects scanned: 164919

Time elapsed: 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\programdata\javapolicytray.dll (Trojan.SHarpro.PGen) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaPolicyTray (Trojan.SHarpro.PGen) -> Value: JavaPolicyTray -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Update (Trojan.SHarpro.PGen) -> Value: Adobe Update -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\programdata\javapolicytray.dll (Trojan.SHarpro.PGen) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7797

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

9/26/2011 1:59:02 AM

mbam-log-2011-09-26 (01-59-01).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 434481

Time elapsed: 2 hour(s), 51 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[LDTate]

Can you run a new Combofix scan?

Be sure to update if it shows a new version is available.