# Wermgr.exe using 20-80% of processor



## miehm (May 9, 2010)

I was plagued by a fake anti-virus program for most of yesterday. It had apparently gotten rid of my regular anti-virus(norton 2009), so I reinstalled that, and took care of the problem.
After that was all said and done with, wermgr.exe started using a ridiculous amount of processing power.
I tried disabling the windows error reporting service, but that hasn't had any effect.

I read somewhere that viruses sometimes mess with this program or use it's name, but norton doesn't seem to think there's anything wrong with it.
I also tried deleting it, but I apparently don't have permissions to do that, even though I'm the administrator. Also, it wouldn't let me change the permissions.

Any suggestions?

edit- it also doesn't appear anywhere in the task manager except for the resource monitor


----------



## Megabite (Apr 5, 2008)

Hiowdy,

Try this way to disable the Windows Error Reporting Service (WerSvc) using control
panel:

1. Open control panel.
2. Select "System & Maintenance"
3. Select "Administrative Tools"
4. Select "Services"
5. Right-Click "Windows Error Reporting Service"
6. Select "Properties"
7. In the "Service Status" Section Click [Stop]
8. Set "Startup type:" to "Manual" or if this is started by another
application select "Disabled"
9. Save and close the dialog boxes.


----------



## miehm (May 9, 2010)

Yes, I did that already. It didn't do anything.


----------



## Megabite (Apr 5, 2008)

You could post your HijackThis log and see if anything shows up

Download *HijackThis* to your desktop

*Double* click on HJTSetup.exe on your Desktop
Click *Run* and *Install*
It will install to *Program files* by default
it will launch Hijack This
Click on *"scan system and save a logfile" *usually in notepad 
Copy and Paste the logfile in your next post
Using *Ctrl+A* to copy All and *Ctrl+C* to copy and *Ctrl+V* to paste.


----------



## miehm (May 9, 2010)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:27 AM, on 5/9/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\PMDriver\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDriver\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [nsqnwqjp] C:\Users\Miehm\AppData\Local\wcseiiusq\qpsuqevtssd.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PMDriver\PMSveH.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8810 bytes


----------



## Megabite (Apr 5, 2008)

Will get someone to check your log ...please be patient


----------



## miehm (May 9, 2010)

Sounds good. Meanwhile, I think it's about lunch time.


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click *mbam-setup.exe* to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## miehm (May 9, 2010)

Apparently good ol' norton didn't find all of it in its many scans. So, more infected stuff is gone, but after the scan and a restart the problem still persists.
The system ran for about 7 minutes before wermgr showed back up and started hogging all of the processor.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4083

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/9/2010 12:49:52 PM
mbam-log-2010-05-09 (12-49-52).txt

Scan type: Quick scan
Objects scanned: 125633
Time elapsed: 13 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nsqnwqjp (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## Cookiegal (Aug 27, 2003)

In Internet Explorer go to Tools - Internet Options - Connections Tab - Lan Settings and uncheck "Use a proxy server" and check "Automatically detect settings".

Remove the reference to 127.0.0.1:5555 under the "Use a proxy server" settings before unchecking.

In Firefox go to Tools - Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and click on "No proxy".

Please visit *Combofix Guide & Instructions * for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read  *HERE * for an article written by dvk01 on why we disable autoruns.


----------



## miehm (May 9, 2010)

Just out of curiosity- why puppy?

ComboFix 10-05-08.03 - Miehm 05/09/2010 13:39:18.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3032.1628 [GMT -4:00]
Running from: c:\users\Miehm\Desktop\puppy.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Miehm\AppData\Roaming\PnkBstrK.sys
c:\windows\system32\Thumbs.db
Q:\Autorun.inf
S:\AUTORUN.INF

----- BITS: Possible infected sites -----

hxxp://beta.aol.com
hxxp://download.newaol.com
.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-09 17:48 . 2010-05-09 17:53 -------- d-----w- c:\users\Miehm\AppData\Local\temp
2010-05-09 17:48 . 2010-05-09 17:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\users\Miehm\AppData\Roaming\Malwarebytes
2010-05-09 16:08 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\programdata\Malwarebytes
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 16:08 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-09 14:09 . 2010-05-09 14:09 -------- d-----w- c:\program files\Trend Micro
2010-05-09 13:37 . 2010-01-20 21:03 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-08 18:38 . 2010-05-09 04:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-08 18:26 . 2010-05-09 04:52 -------- d-----w- c:\program files\Symantec
2010-05-08 18:26 . 2010-05-08 18:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-08 18:23 . 2010-05-09 17:00 -------- d-----w- c:\windows\system32\drivers\NIS
2010-05-08 18:23 . 2010-05-08 18:42 -------- d-----w- c:\programdata\Norton
2010-05-08 18:23 . 2010-05-08 18:24 -------- d-----w- c:\program files\Norton Internet Security
2010-05-08 18:23 . 2010-05-08 18:23 -------- d-----w- C:\fc720a33ea6109523fa55dc122
2010-05-08 18:23 . 2010-05-08 18:23 -------- d-----w- c:\program files\NortonInstaller
2010-05-08 18:22 . 2010-05-08 18:22 -------- d-----w- C:\175f27cd50e14b089ea01898b77e2797
2010-05-08 18:22 . 2010-05-08 18:22 -------- d-----w- C:\082e131d35f9ecbfe1
2010-05-08 17:44 . 2010-05-08 18:30 -------- d-----w- c:\programdata\NortonInstaller
2010-05-08 17:18 . 2010-05-08 18:07 -------- d-----w- c:\programdata\avg9
2010-05-08 16:40 . 2010-05-08 18:47 -------- d-----w- c:\users\Miehm\AppData\Local\wcseiiusq
2010-05-06 18:45 . 2010-05-06 18:45 -------- d-----w- c:\users\Miehm\AppData\Roaming\Logitech
2010-05-06 18:45 . 2010-05-06 18:45 -------- d-----w- c:\programdata\LogiShrd
2010-05-06 18:42 . 2009-07-20 16:26 84496 ----a-w- c:\windows\system32\KemXML.dll
2010-05-06 18:42 . 2009-07-20 16:26 117264 ----a-w- c:\windows\system32\KemWnd.dll
2010-05-06 18:42 . 2009-07-20 16:26 145936 ----a-w- c:\windows\system32\KemUtil.dll
2010-05-06 18:42 . 2009-07-20 16:26 170512 ----a-w- c:\windows\system32\kemutb.dll
2010-05-06 18:41 . 2010-05-06 18:41 -------- d-----w- c:\programdata\Logitech
2010-05-06 18:40 . 2010-05-06 18:45 -------- d-----w- c:\program files\Common Files\Logishrd
2010-05-06 18:40 . 2010-05-06 18:40 -------- d-----w- c:\program files\Logitech
2010-05-05 15:46 . 2010-05-06 11:23 -------- d-----w- c:\programdata\DivX
2010-05-04 20:54 . 2010-05-04 20:54 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-01 10:29 . 2010-05-01 10:29 -------- d-----w- c:\users\Miehm\AppData\Local\HotheadGames
2010-04-29 06:14 . 2010-04-29 06:14 98304 ----a-w- c:\windows\system32CmdLineExt.dll
2010-04-16 20:26 . 2010-04-16 20:26 41872 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 17:54 . 2009-06-19 20:03  -------- d-----w- c:\users\Miehm\AppData\Roaming\Xfire
2010-05-09 04:52 . 2010-05-08 18:38 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-09 04:52 . 2010-05-08 18:38 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-09 04:50 . 2010-05-08 18:42 554352 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-05-08 23:27 . 2009-06-28 20:30 -------- d-----w- c:\program files\Steam
2010-05-08 18:25 . 2010-05-08 18:25 1294680 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-05-08 18:25 . 2010-05-08 18:25 136840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-05-08 18:25 . 2010-05-08 18:25 288104 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CPDOEM\CPDOEM.dll
2010-05-08 18:25 . 2010-05-08 18:25 796016 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-05-08 08:00 . 2010-05-09 04:53 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.019\NAVENG32.DLL
2010-05-08 08:00 . 2010-05-09 04:53 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.019\NAVEX32A.DLL
2010-05-08 08:00 . 2010-05-09 04:53 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.019\NAVEX15.SYS
2010-05-08 08:00 . 2010-05-09 04:53 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.019\NAVENG.SYS
2010-05-08 08:00 . 2010-05-09 04:53 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.019\ERASER.SYS
2010-05-08 08:00 . 2010-05-09 04:53 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.019\EECTRL.SYS
2010-05-08 08:00 . 2010-05-09 04:53 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.019\CCERASER.DLL
2010-05-08 08:00 . 2010-05-09 04:53 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.019\ECMSVR32.DLL
2010-05-07 11:05 . 2010-05-08 18:44 105 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\LiveUpdate\cur.scr
2010-05-06 18:45 . 2010-05-06 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-05-06 18:45 . 2010-05-06 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-05-06 18:44 . 2010-05-06 18:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-05-06 18:41 . 2009-04-09 23:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 11:50 . 2009-07-04 19:35 -------- d-----w- c:\program files\DivX
2010-05-06 11:50 . 2009-04-09 23:49 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-05-06 11:49 . 2009-07-04 19:35 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-06 11:24 . 2009-06-19 20:03 -------- d-----w- c:\programdata\Xfire
2010-05-06 11:24 . 2009-06-19 20:03 -------- d-----w- c:\program files\Xfire
2010-05-05 15:46 . 2010-05-05 15:48 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-05-04 20:54 . 2010-03-02 06:39 -------- d-----w- c:\program files\AIM
2010-04-22 04:49 . 2010-05-08 18:45 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\Scxpx86.dll
2010-04-22 04:49 . 2010-05-08 18:45 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSxpx86.dll
2010-04-22 04:49 . 2010-05-08 18:45 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSviA64.sys
2010-04-22 04:49 . 2010-05-08 18:45 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSvix86.sys
2010-04-22 04:49 . 2010-05-08 18:45 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100505.001\IDSXpx86.sys
2010-04-22 04:49 . 2010-05-08 18:25 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2010-04-22 04:49 . 2010-05-08 18:25 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2010-04-22 04:49 . 2010-05-08 18:25 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2010-04-22 04:49 . 2010-05-08 18:25 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2010-04-22 04:49 . 2010-05-08 18:25 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2010-03-31 01:58 . 2009-04-10 00:00 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2009-04-10 00:00 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-31 01:58 . 2009-04-10 00:00 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-27 07:17 . 2010-03-20 18:11 214864 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-27 05:31 . 2010-03-20 18:36 138664 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-20 18:35 . 2010-03-20 18:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-20 18:35 . 2010-03-20 18:31 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-03-20 07:22 . 2010-03-20 00:53 -------- d-----w- c:\program files\Electronic Arts
2010-03-20 07:01 . 2010-03-20 07:00 168061633 ----a-w- c:\programdata\EA Core\cache\EADM\{ [email protected] }\bf2142_bp1\setup.exe
2010-03-20 06:00 . 2010-03-20 06:00 -------- d-----w- c:\programdata\EA Core
2010-03-20 05:53 . 2010-03-20 05:34 -------- d-----w- c:\programdata\Electronic Arts
2010-03-20 05:42 . 2009-10-14 03:27 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-20 05:42 . 2009-10-14 03:27 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-20 05:42 . 2009-10-14 03:26 38784 ----a-w- c:\users\Miehm\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-20 05:34 . 2010-03-20 05:34 -------- d-----w- c:\program files\Common Files\EasyInfo
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-09 23:02 . 2009-04-09 23:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2010-04-29 3829080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"PMHandler"="c:\progra~1\Lenovo\PMDriver\PMHandler.exe" [2008-09-23 83240]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 60192]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 54560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-11 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-11 145944]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-24 487424]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2008-08-07 148768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

c:\users\Miehm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-4-16 3438992]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-5-6 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2008-12-20 08:55 449088 ----a-w- c:\program files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2007-04-17 11:59 2887680 ----a-w- c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2007-04-26 17:10 120368 ----a-w- c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartAudio]
2008-07-21 03:19 2701880 ----a-w- c:\program files\CONEXANT\SmartAudio\SmAudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a4,05,ef,b9,2d,2f,ca,01

R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-07-11 48192]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2008-04-25 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-04-25 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-04-25 166384]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-10-09 360448]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2008-04-25 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [2010-01-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1008000.029\BHDrvx86.sys [2010-01-20 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1008000.029\ccHPx86.sys [2010-05-09 482432]
S1 funfrm;funfrm; [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100505.001\IDSvix86.sys [2010-04-22 343088]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S2 FNF5SVC;Fn+F5 Service;c:\program files\LENOVO\HOTKEY\FNF5SVC.exe [2008-03-14 54560]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2010-01-20 117640]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-08-08 53325]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-24 520192]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-25 183808]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-08 102448]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-08-07 97536]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [2010-01-20 48688]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-09 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 19:54]

2010-04-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 13:56
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5168)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Lenovo\PMDriver\PMSveH.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\DllHost.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Lenovo\PMDriver\PMHandler.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\wermgr.exe
.
**************************************************************************
.
Completion time: 2010-05-09 13:59:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-09 17:59

Pre-Run: 44,483,186,688 bytes free
Post-Run: 44,455,043,072 bytes free

- - End Of File - - 5B84FB0603ECD89EB6588D925FA9CB5E

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:09 PM, on 5/9/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\PMDriver\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\System32\perfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDriver\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PMDriver\PMSveH.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7983 bytes


----------



## flavallee (May 12, 2002)

Cookiegal said:


> The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.





miehm said:


> Just out of curiosity- why puppy?


Changing the name of the ComboFix executable tricks viruses/malware/spyware into thinking it's something else so it isn't prevented from running and doing its job.

That little trick is also used to run other programs.

----------------------------------------------------------

Go into the *C:\Users\(Username)\AppData\Local\Temp* folder and delete everything from inside that temp folder.

If a few files resist deletion, leave them alone and delete everything else.

It's accumulated useless junk, and it's a good place for a "nasty" to hide and do its dirty deed.

----------------------------------------------------------

That's my 2 cents worth.

I'll leave you with Cookiegal now.

---------------------------------------------------------


----------



## Cookiegal (Aug 27, 2003)

And who would expect a cute little puppy to devour malware. 

Open Notepad and copy and paste the text in the code box below into it:


```
Folder::
c:\users\Miehm\AppData\Local\wcseiiusq

Driver:;
funfrm

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Firefox::
FF - ProfilePath - c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## miehm (May 9, 2010)

Alright, here's another round of logs.

ComboFix 10-05-09.07 - Miehm 05/10/2010 12:11:31.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3032.1468 [GMT -4:00]
Running from: c:\users\Miehm\Desktop\puppy.exe
Command switches used :: c:\users\Miehm\Desktop\CFScript.txt.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Miehm\AppData\Local\wcseiiusq

.
((((((((((((((((((((((((( Files Created from 2010-04-10 to 2010-05-10 )))))))))))))))))))))))))))))))
.

2010-05-10 16:21 . 2010-05-10 16:21 -------- d-----w- c:\users\Miehm\AppData\Local\temp
2010-05-10 16:21 . 2010-05-10 16:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-10 16:21 . 2010-05-10 16:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-10 01:13 . 2010-05-10 01:13 -------- d-----w- c:\users\Miehm\AppData\Roaming\SmartFTP
2010-05-10 01:11 . 2010-05-10 01:11 -------- d-----w- c:\program files\SmartFTP Client
2010-05-10 01:10 . 2010-05-10 01:26 -------- d-----w- c:\program files\SmartFTP Client 4.0 Setup Files
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\users\Miehm\AppData\Roaming\Malwarebytes
2010-05-09 16:08 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\programdata\Malwarebytes
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 16:08 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-09 14:09 . 2010-05-09 14:09 -------- d-----w- c:\program files\Trend Micro
2010-05-09 13:37 . 2010-01-20 21:03 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-08 18:38 . 2010-05-09 04:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-08 18:26 . 2010-05-09 04:52 -------- d-----w- c:\program files\Symantec
2010-05-08 18:26 . 2010-05-08 18:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-08 18:23 . 2010-05-09 17:00 -------- d-----w- c:\windows\system32\drivers\NIS
2010-05-08 18:23 . 2010-05-08 18:42 -------- d-----w- c:\programdata\Norton
2010-05-08 18:23 . 2010-05-08 18:24 -------- d-----w- c:\program files\Norton Internet Security
2010-05-08 18:23 . 2010-05-08 18:23 -------- d-----w- C:\fc720a33ea6109523fa55dc122
2010-05-08 18:23 . 2010-05-08 18:23 -------- d-----w- c:\program files\NortonInstaller
2010-05-08 18:22 . 2010-05-08 18:22 -------- d-----w- C:\175f27cd50e14b089ea01898b77e2797
2010-05-08 18:22 . 2010-05-08 18:22 -------- d-----w- C:\082e131d35f9ecbfe1
2010-05-08 17:44 . 2010-05-08 18:30 -------- d-----w- c:\programdata\NortonInstaller
2010-05-08 17:18 . 2010-05-08 18:07 -------- d-----w- c:\programdata\avg9
2010-05-06 18:45 . 2010-05-06 18:45 -------- d-----w- c:\users\Miehm\AppData\Roaming\Logitech
2010-05-06 18:45 . 2010-05-06 18:45 -------- d-----w- c:\programdata\LogiShrd
2010-05-06 18:42 . 2009-07-20 16:26 84496 ----a-w- c:\windows\system32\KemXML.dll
2010-05-06 18:42 . 2009-07-20 16:26 117264 ----a-w- c:\windows\system32\KemWnd.dll
2010-05-06 18:42 . 2009-07-20 16:26 145936 ----a-w- c:\windows\system32\KemUtil.dll
2010-05-06 18:42 . 2009-07-20 16:26 170512 ----a-w- c:\windows\system32\kemutb.dll
2010-05-06 18:41 . 2010-05-06 18:41 -------- d-----w- c:\programdata\Logitech
2010-05-06 18:40 . 2010-05-06 18:45 -------- d-----w- c:\program files\Common Files\Logishrd
2010-05-06 18:40 . 2010-05-06 18:40 -------- d-----w- c:\program files\Logitech
2010-05-06 18:33 . 2010-01-21 15:46 441168 ----a-w- c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
2010-05-05 15:48 . 2010-05-05 15:46 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-05-05 15:48 . 2009-07-04 19:35 529200 ----a-w- c:\programdata\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe
2010-05-05 15:48 . 2009-07-04 19:35 529200 ----a-w- c:\programdata\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe
2010-05-05 15:46 . 2010-05-06 11:23 -------- d-----w- c:\programdata\DivX
2010-05-04 20:54 . 2010-05-04 20:54 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-01 10:29 . 2010-05-01 10:29 -------- d-----w- c:\users\Miehm\AppData\Local\HotheadGames
2010-04-29 06:14 . 2010-04-29 06:14 98304 ----a-w- c:\windows\system32CmdLineExt.dll
2010-04-16 20:26 . 2010-04-16 20:26 41872 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-10 02:27 . 2009-06-28 20:30 -------- d-----w- c:\program files\Steam
2010-05-09 17:54 . 2009-06-19 20:03 -------- d-----w- c:\users\Miehm\AppData\Roaming\Xfire
2010-05-09 04:52 . 2010-05-08 18:38 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-09 04:52 . 2010-05-08 18:38 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-06 18:45 . 2010-05-06 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-05-06 18:45 . 2010-05-06 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-05-06 18:44 . 2010-05-06 18:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-05-06 18:41 . 2009-04-09 23:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 11:50 . 2009-07-04 19:35 -------- d-----w- c:\program files\DivX
2010-05-06 11:50 . 2009-04-09 23:49 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-05-06 11:49 . 2009-07-04 19:35 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-06 11:24 . 2009-06-19 20:03 -------- d-----w- c:\programdata\Xfire
2010-05-06 11:24 . 2009-06-19 20:03 -------- d-----w- c:\program files\Xfire
2010-05-04 20:54 . 2010-03-02 06:39 -------- d-----w- c:\program files\AIM
2010-03-31 01:58 . 2009-04-10 00:00 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2009-04-10 00:00 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-31 01:58 . 2009-04-10 00:00 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-27 07:17 . 2010-03-20 18:11 214864 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-27 05:31 . 2010-03-20 18:36 138664 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-20 18:35 . 2010-03-20 18:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-20 18:35 . 2010-03-20 18:31 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-03-20 07:22 . 2010-03-20 00:53 -------- d-----w- c:\program files\Electronic Arts
2010-03-20 07:01 . 2010-03-20 07:00 168061633 ----a-w- c:\programdata\EA Core\cache\EADM\{ [email protected] }\bf2142_bp1\setup.exe
2010-03-20 06:00 . 2010-03-20 06:00 -------- d-----w- c:\programdata\EA Core
2010-03-20 05:53 . 2010-03-20 05:34 -------- d-----w- c:\programdata\Electronic Arts
2010-03-20 05:42 . 2009-10-14 03:27 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-20 05:42 . 2009-10-14 03:27 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-20 05:42 . 2009-10-14 03:26 38784 ----a-w- c:\users\Miehm\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-20 05:34 . 2010-03-20 05:34 -------- d-----w- c:\program files\Common Files\EasyInfo
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-09 23:02 . 2009-04-09 23:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2010-04-29 3829080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"PMHandler"="c:\progra~1\Lenovo\PMDriver\PMHandler.exe" [2008-09-23 83240]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 60192]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 54560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-11 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-11 145944]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-24 487424]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2008-08-07 148768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

c:\users\Miehm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-4-16 3438992]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-5-6 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2008-12-20 08:55 449088 ----a-w- c:\program files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2007-04-17 11:59 2887680 ----a-w- c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2007-04-26 17:10 120368 ----a-w- c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartAudio]
2008-07-21 03:19 2701880 ----a-w- c:\program files\CONEXANT\SmartAudio\SmAudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a4,05,ef,b9,2d,2f,ca,01

R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-07-11 48192]
R2 FNF5SVC;Fn+F5 Service;c:\program files\LENOVO\HOTKEY\FNF5SVC.exe [2008-03-14 54560]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2010-01-20 117640]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2008-04-25 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-04-25 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-04-25 166384]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-10-09 360448]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2008-04-25 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [2010-01-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1008000.029\BHDrvx86.sys [2010-01-20 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1008000.029\ccHPx86.sys [2010-05-09 482432]
S1 funfrm;funfrm; [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100505.001\IDSvix86.sys [2010-04-22 343088]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-08-08 53325]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-24 520192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-25 183808]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-08 102448]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-08-07 97536]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [2010-01-20 48688]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 19:54]

2010-04-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = <local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 12:21
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2088)
c:\program files\Xfire\xfire_toucan_42424.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2010-05-10 12:25:08
ComboFix-quarantined-files.txt 2010-05-10 16:25
ComboFix2.txt 2010-05-09 17:59

Pre-Run: 39,610,040,320 bytes free
Post-Run: 39,379,300,352 bytes free

- - End Of File - - 38D01B7BA2D06EFB173FA03301C46F28

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:15 PM, on 5/10/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\PMDriver\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Steam\Steam.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AIM\aim.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDriver\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PMDriver\PMSveH.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7721 bytes


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.


----------



## miehm (May 9, 2010)

2007 Microsoft Office system
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
AIM 7
ALPS Touch Pad Driver
Battlefield 2142
BeerSmith Brewing Software
Broadcom Gigabit Integrated Controller
Broadcom WLAN
Business Contact Manager for Outlook 2007 SP1
Business Contact Manager for Outlook 2007 SP1
CDDRV_Installer
Conexant HD Audio
Dark Messiah Might and Magic Multi-Player
Dark Messiah Might and Magic Single Player
DirectXInstallService
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
Download Updater (AOL LLC)
Drag-to-Disc
EA Download Manager
EA Download Manager UI
EA Download Manager UI
EA Link
EasyCapture
GWD Text Editor
HDAUDIO Soft Data Fax Modem with SmartCP
Heroes of Might and Magic 5
Heroes of Might and Magic V: Hammers of Fate
Heroes of Might and Magic V: Tribes of the East
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
InterVideo WinDVD
Java(TM) 6 Update 18
JMicron JMB38X Flash Media Controller
KhalInstallWrapper
Lenovo Care
Lenovo Care Supplement
Lenovo Registration
Lenovo System Interface Driver
Lenovo System Toolbox
Logitech SetPoint
Malwarebytes' Anti-Malware
Message Center
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft VC9 runtime libraries
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Internet Security
On Screen Display
Penny Arcade Adventures: On the Rain-Slick Precipice of Darkness, Episode One Demo
PM Driver
Power Ux Customization
Presentation Director
Product Recovery Disc Burning Utility
PunkBuster Services
Registry patch for Windows Vista USB S3 PM Enablement
Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista 
Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
Registry patch to improve USB device detection on resume from sleep for Windows Vista
Rescue and Recovery
Roxio Activation Module
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio Creator Small Business Edition
Roxio Creator Small Business Edition
Roxio Express Labeler 3
S.T.A.L.K.E.R.: Shadow of Chernobyl
SmartFTP Client
SmartFTP Client 4.0 Setup Files (remove only)
Sonic CinePlayer Decoder Pack
Sonic Icons for Lenovo
Steam
System Update
ThinkVantage Access Connections
ThinkVantage Status Gadget
ThinkVantage Technologies Welcome Message
Titan Quest
Titan Quest: Immortal Throne
Torchlight
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office 2007 (KB934528)
Update for Office System 2007 Setup (KB929722)
VC80CRTRedist - 8.0.50727.762
Viewpoint Media Player
Vz In Home Agent
Wallpapers
WildGames
Windows Live Toolbar
Windows Live Toolbar
Windows Media Player Firefox Plugin
Xfire (remove only)


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add or Remove programs and remove:

*Viewpoint Media Player*

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

*JRE 6 Update 20 *

Instructions for Kaspersky scan:


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## miehm (May 9, 2010)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, May 12, 2010
Operating system: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, May 12, 2010 00:05:07
Records in database: 4097379
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
E:\
Q:\
S:\

Scan statistics:
Objects scanned: 161613
Threats found: 3
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 04:07:10


File name / Threat / Threats count
C:\Users\Miehm\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\7b76fb5b-6a49ee6a Infected: Exploit.Java.Agent.a 1
C:\Users\Miehm\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\71b140a7-3ec8a5d7 Infected: Exploit.Java.Agent.f 1
C:\Users\Miehm\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\50d407ee-5bb79fd5 Infected: Exploit.Java.Agent.a 1
C:\Users\Miehm\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\50d407ee-5bb79fd5 Infected: Trojan-Downloader.Java.Agent.bk 1

Selected area has been scanned.


----------



## Cookiegal (Aug 27, 2003)

Go to *Control Panel* - *Java *- General tab - Under *Temporary Internet Files *click on *Settings *and then on the *Temporary File Settings * screen click on *Delete Files*. Then put a check in both boxes and click OK.

Please post a new HijackThis log.


----------



## miehm (May 9, 2010)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:28 PM, on 5/12/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\PMDriver\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDriver\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PMDriver\PMSveH.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7922 bytes


----------



## Cookiegal (Aug 27, 2003)

Go to Start - Run then type the following and click OK: s

*services.msc*

Scroll down to the* Viewpoint Manager Service* and double-click on it. In the Properties windows, on the General Tab, click the Stop button and next to Startup Type click on Disabled then click Apply and OK.

How are things now?


----------



## miehm (May 9, 2010)

That seems to have taken care of it.
Thanks for the help!
Haha, if not for your assistance, I probably would have just gotten fed up and ignored it as best as I could.


----------



## flavallee (May 12, 2002)

If you want to trim down the startup load and reduce the number of running processes and speed things up a bit more, let me know and submit a new HijackThis log.

*After Cookiegal gets done with you first*.

----------------------------------------------------------------


----------



## Cookiegal (Aug 27, 2003)

Let's just run one more scan to check for rootkits.

Download GMER from: http://gmer.net/index.php

Click on the Download exe button and save it on your desktop. It will create a oddly named exe file on your desktop. Double click that file to run it and select the rootkit tab and then press scan. When the scan is done, click *Save* and save the log in Notepad then copy and paste the log report back here please.

Note: It's important that all other windows be closed and that you don't touch the mouse or anything during the scan as it may cause it to freeze.


----------



## miehm (May 9, 2010)

Oh, I had not seen these replies! Apparently I missed the email about them.
Two things!
1- GMER freezes every time I use it, even with everything else closed and the mouse unplugged. It gets to the "VolumeShadowCopy1" and vista claims it has stopped responding, and needs to be closed. If I try to start it up again, then I get a blue screen of death, and the computer restarts.
2- wermgr has returned! It showed it's ugly face on my performance logs for the first time in three weeks tonight. The viewpoint manager service is still just as disabled as ever, so I don't know what's up now.

Help?


----------



## Cookiegal (Aug 27, 2003)

What device normally appears as your drive letter Q? Is that an external drive? Have you used it recently?


----------



## miehm (May 9, 2010)

It's a partition of the main drive- A factory installed recovery console. I've never used it.


----------



## Cookiegal (Aug 27, 2003)

Download *OTS.exe * to your Desktop. 

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
In *Additional Scans *section put a check in Disabled MS Config Items and EventViewer logs
Now click the *Run Scan *button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## miehm (May 9, 2010)

Here ya go!


----------



## Cookiegal (Aug 27, 2003)

miehm said:


> Oh, I had not seen these replies! Apparently I missed the email about them.
> Two things!
> 1- GMER freezes every time I use it, even with everything else closed and the mouse unplugged. It gets to the "VolumeShadowCopy1" and vista claims it has stopped responding, and needs to be closed. If I try to start it up again, then I get a blue screen of death, and the computer restarts.
> 2- wermgr has returned! It showed it's ugly face on my performance logs for the first time in three weeks tonight. The viewpoint manager service is still just as disabled as ever, so I don't know what's up now.
> ...


What do yo mean by performance log? Can you post it?

Please post a new HIjackThis log.


----------



## miehm (May 9, 2010)

Sorry for the confusion- I meant resource monitor.

I don't know what the deal is now. It's not sticking around and sucking resources all the time; it just shows up periodically to slow everything down for a few hours before disappearing again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:22 PM, on 6/6/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\PMDriver\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Xfire\Xfire.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDriver\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PMDriver\PMSveH.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6710 bytes


----------



## Cookiegal (Aug 27, 2003)

Download GMER from: http://gmer.net/index.php

Click on the Download exe button and save it on your desktop. It will create a oddly named exe file on your desktop. Double click that file to run it and select the rootkit tab and then press scan. When the scan is done, click *Save* and save the log in Notepad then copy and paste the log report back here please.

Note: It's important that all other windows be closed and that you don't touch the mouse or anything during the scan as it may cause it to freeze.


----------



## miehm (May 9, 2010)

Hey, it worked this time!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-08 13:29:07
Windows 6.0.6002 Service Pack 2
Running: gqz7xt7z.exe; Driver: C:\Users\Miehm\AppData\Local\Temp\axryipog.sys

---- System - GMER 1.0.15 ----

SSDT 86CB3AB8 ZwAlertResumeThread
SSDT 87468048 ZwAlertThread
SSDT 87490D28 ZwAllocateVirtualMemory
SSDT 86A4B958 ZwAlpcConnectPort
SSDT 8748B048 ZwAssignProcessToJobObject
SSDT 87496F00 ZwCreateMutant
SSDT 8749A558 ZwCreateSymbolicLinkObject
SSDT 8746CCF0 ZwCreateThread
SSDT  8746A580 ZwDebugActiveProcess
SSDT 87490F40 ZwDuplicateObject
SSDT 87490688 ZwFreeVirtualMemory
SSDT 873FFD30 ZwImpersonateAnonymousToken
SSDT 86E96310 ZwImpersonateThread
SSDT 86A4B8E0 ZwLoadDriver
SSDT 87490528 ZwMapViewOfSection
SSDT 8741A4E8 ZwOpenEvent
SSDT 8748F238 ZwOpenProcess
SSDT 86CBD068 ZwOpenProcessToken
SSDT 8742F050 ZwOpenSection
SSDT 8748F0E8 ZwOpenThread
SSDT 87499230 ZwProtectVirtualMemory
SSDT 873FFBA0 ZwResumeThread
SSDT 87484108 ZwSetContextThread
SSDT 874902D0 ZwSetInformationProcess
SSDT 8746CA78 ZwSetSystemInformation
SSDT 86B529B8 ZwSuspendProcess
SSDT 86B8C118 ZwSuspendThread
SSDT 86BDC378  ZwTerminateProcess
SSDT 8748A068 ZwTerminateThread
SSDT 8747D068 ZwUnmapViewOfSection
SSDT 874909D8 ZwWriteVirtualMemory
SSDT 8749AA28 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 81CB4860 8 Bytes [B8, 3A, CB, 86, 48, 80, 46, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 81CB4874 4 Bytes [28, 0D, 49, 87]
.text ntkrnlpa.exe!KeSetEvent + 13D 81CB4880 4 Bytes [58, B9, A4, 86]
.text ntkrnlpa.exe!KeSetEvent + 191 81CB48D4 4 Bytes CALL CA7B915A 
.text ntkrnlpa.exe!KeSetEvent + 1F5 81CB4938 4 Bytes [00, 6F, 49, 87]
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 09: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\RRbackups\C 0 bytes
File C:\RRbackups\C\0  0 bytes
File C:\RRbackups\common 0 bytes
File C:\RRbackups\common\backups.dat 8192 bytes
File C:\RRbackups\common\bmgrmode.dat 29 bytes
File C:\RRbackups\common\hints.dat 8192 bytes
File C:\RRbackups\common\mnd.dat 8192 bytes
File C:\RRbackups\common\regcerts.dat 8192 bytes
File C:\RRbackups\common\restore.log 110 bytes
File C:\RRbackups\common\rr.log 27038 bytes
File C:\RRbackups\common\rr_bcdenum.dat 3697 bytes
File C:\RRbackups\common\SAM 61440 bytes
File C:\RRbackups\common\secpolicy.dat 20480 bytes
File C:\RRbackups\common\settings.dat 32768 bytes
File C:\RRbackups\common\system.dat 12288 bytes
File C:\RRbackups\common\tvtcmn.dat 8192 bytes
File C:\RRbackups\common\usersids.dat 14560 bytes
File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\Administrator 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData  0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2269395964-3629036801-3450486125-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2269395964-3629036801-3450486125-500\45a22690-2945-4572-b508-aa3a2e38a0f1 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2269395964-3629036801-3450486125-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-3708092645-3136395275-1263361861-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-3708092645-3136395275-1263361861-500\577a37a7-4f82-4613-82ce-63fe9c2bbb82 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-3708092645-3136395275-1263361861-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Miehm  0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703488262-2718368968-2945282138-1003 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703488262-2718368968-2945282138-1003\62a45886e06c7d046ea8b819bec0598a_62ed9a71-e81b-4626-b4bb-3ed06b6ad860 45 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703488262-2718368968-2945282138-1003\6b29ae44e85efac3c72ff4d1865d73f1_62ed9a71-e81b-4626-b4bb-3ed06b6ad860 53 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703488262-2718368968-2945282138-1003\83aa4cc77f591dfc2374580bbd95f6ba_62ed9a71-e81b-4626-b4bb-3ed06b6ad860 45 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703488262-2718368968-2945282138-1003\8f71098770f72c7a67cd8f1151619865_62ed9a71-e81b-4626-b4bb-3ed06b6ad860 54 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Protect\S-1-5-21-2703488262-2718368968-2945282138-1003 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Protect\S-1-5-21-2703488262-2718368968-2945282138-1003\23ca5f02-c7a4-4f8e-90c5-f78caa3b11f3 388 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Protect\S-1-5-21-2703488262-2718368968-2945282138-1003\25e3af14-fba0-4541-bed7-1029adb1249e 388 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Protect\S-1-5-21-2703488262-2718368968-2945282138-1003\58a57173-7cb3-46a1-924e-9a507306abe5 388 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Protect\S-1-5-21-2703488262-2718368968-2945282138-1003\991362d7-8f22-43d1-beb8-3336071a0d8a 388 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\Protect\S-1-5-21-2703488262-2718368968-2945282138-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Miehm\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\ProgramData 0 bytes
File C:\RRbackups\ProgramData\Microsoft 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\62a45886e06c7d046ea8b819bec0598a_62ed9a71-e81b-4626-b4bb-3ed06b6ad860 45 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_62ed9a71-e81b-4626-b4bb-3ed06b6ad860 54 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_62ed9a71-e81b-4626-b4bb-3ed06b6ad860 893 bytes

---- EOF - GMER 1.0.15 ----


----------



## Cookiegal (Aug 27, 2003)

Download and run  HAMeb_check.exe
Post the contents of the resulting log.


----------



## miehm (May 9, 2010)

The results were that this tool is not compatible with my system, and that I should press any key to continue.


----------



## Cookiegal (Aug 27, 2003)

Navigate to the *C:\Windows\mbr.exe* file and double click the mbr.exe file to run it and post the resulting log please.


----------



## miehm (May 9, 2010)

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK 
copy of MBR has been found in sector 9 !


----------



## Cookiegal (Aug 27, 2003)

Go to *Start *- *Control Panel *- *System and Maintenance* - *Administrative Tools* and then double-click on *Event Viewer*.*

I'm, not 100% sure if the process is the same in Vista as in XP but these are XP instructions. If not, let me know and I'll see if I can find the proper method.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## miehm (May 9, 2010)

This is the only error I have from the past hour. The rest don't fit the time frame for the problem. There's 14 more for the past 24 hours- do you want them as well?

Log Name: System
Source: Service Control Manager
Date: 6/8/2010 1:30:53 PM
Event ID: 7011
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: MIEHMLAPTOP
Description:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TrustedInstaller service.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7011</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-06-08T17:30:53.000Z" />
<EventRecordID>89949</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>MIEHMLAPTOP</Computer>
<Security />
</System>
<EventData>
30000
TrustedInstaller
</EventData>
</Event>


----------



## miehm (May 9, 2010)

Here's what the program itself says when I try to run it.


----------



## Cookiegal (Aug 27, 2003)

Yes, please post the other errors if they're not repeats of the same one. You would see that if they have the same event id no. (7011) and the same source (Service Control Manager).


----------



## miehm (May 9, 2010)

There's all of the errors from the last 24 hours that aren't duplicates.

Log Name: Application
Source: Microsoft-Windows-WMI
Date: 6/7/2010 3:49:20 PM
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: MIEHMLAPTOP
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WMI" Guid="{1edeee53-0afe-4609-b846-d8c0b2075b1f}" EventSourceName="WinMgmt" />
<EventID Qualifiers="49152">10</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-06-07T19:49:20.000Z" />
<EventRecordID>8554</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>MIEHMLAPTOP</Computer>
<Security />
</System>
<EventData>
//./root/CIMV2
SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99
0x80041003
</EventData>
</Event>

Log Name: Application
Source: Microsoft-Windows-Perflib
Date: 6/8/2010 1:02:24 PM
Event ID: 1010
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: MIEHMLAPTOP
Description:
The Collect Procedure for the "EmdCache" service in DLL "C:\Windows\system32\emdmgmt.dll" generated an exception or returned an invalid status. The performance data returned by the counter DLL will not be returned in the Perf Data Block. The first four bytes (DWORD) of the Data section contains the exception code or status code.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Perflib" Guid="{13B197BD-7CEE-4B4E-8DD0-59314CE374CE}" EventSourceName="Perflib" />
<EventID Qualifiers="49152">1010</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-06-08T17:02:24.000Z" />
<EventRecordID>8557</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>MIEHMLAPTOP</Computer>
<Security />
</System>
<UserData>
<EventXML xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="Perflib">
<param1>EmdCache</param1>
<param2>C:\Windows\system32\emdmgmt.dll</param2>
<binaryDataSize>4</binaryDataSize>
<binaryData>8F040000</binaryData>
</EventXML>
</UserData>
</Event>

Log Name: System
Source: Service Control Manager
Date: 6/7/2010 3:49:21 PM
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: MIEHMLAPTOP
Description:
The SessionLauncher service failed to start due to the following error: 
The system cannot find the path specified.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-06-07T19:49:21.000Z" />
<EventRecordID>89880</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>MIEHMLAPTOP</Computer>
<Security />
</System>
<EventData>
SessionLauncher
%%3
</EventData>
</Event>

Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 6/7/2010 3:54:52 PM
Event ID: 10010
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: MIEHMLAPTOP
Description:
The server {752073A1-23F2-4396-85F0-8FDB879ED0ED} did not register with DCOM within the required timeout.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="49152">10010</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-06-07T19:54:52.000Z" />
<EventRecordID>89928</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>MIEHMLAPTOP</Computer>
<Security />
</System>
<EventData>
{752073A1-23F2-4396-85F0-8FDB879ED0ED}
</EventData>
</Event>

Log Name: System
Source: Service Control Manager
Date: 6/7/2010 3:49:21 PM
Event ID: 7026
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: MIEHMLAPTOP
Description:
The following boot-start or system-start driver(s) failed to load: 
tvtumon
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7026</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-06-07T19:49:21.000Z" />
<EventRecordID>89907</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>MIEHMLAPTOP</Computer>
<Security />
</System>
<EventData>

tvtumon
</EventData>
</Event>


----------



## Cookiegal (Aug 27, 2003)

Please delete the version of ComboFix that you have by dragging it to the Recycle Bin and grab the latest version, run a new scan and post the log.

Please visit *Combofix Guide & Instructions * for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.


----------



## miehm (May 9, 2010)

It's log, log
it's big, it's heavy, it's wood
It's log, log 
it's better than bad, it's good
Everyone wants a log, come and get your log

ComboFix 10-06-08.02 - Miehm 06/08/2010 16:25:23.3.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3032.1962 [GMT -4:00]
Running from: c:\users\Miehm\Desktop\puppy.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))
.

2010-06-08 20:34 . 2010-06-08 20:34 -------- d-----w- c:\users\Miehm\AppData\Local\temp
2010-06-08 20:34 . 2010-06-08 20:34 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-08 20:34 . 2010-06-08 20:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-28 00:09 . 2010-05-28 00:09 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-21 00:42 . 2010-05-21 00:42 -------- d-----w- c:\users\Miehm\AppData\Local\2DBoy
2010-05-21 00:42 . 2010-05-21 00:42 -------- d-----w- c:\programdata\2DBoy
2010-05-21 00:41 . 2010-05-21 00:42 -------- d-----w- c:\program files\WorldOfGoo
2010-05-20 05:05 . 2010-05-20 05:05 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-20 05:05 . 2010-05-20 05:05 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-20 05:05 . 2010-05-20 05:05 -------- d-----w- c:\program files\OpenAL
2010-05-20 05:02 . 2010-05-20 05:04 -------- d-----w- c:\program files\Penumbra Overture
2010-05-20 04:28 . 2010-05-20 04:28 -------- d-----w- c:\program files\Samorost2
2010-05-15 08:51 . 2010-05-15 08:51 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-12 00:05 . 2010-05-19 02:26 -------- d-----w- c:\program files\Aquaria
2010-05-11 17:25 . 2010-05-11 17:25 -------- d-----w- c:\programdata\Symantec
2010-05-11 16:57 . 2010-05-11 16:57 -------- d-----w- c:\program files\Common Files\Java
2010-05-11 16:57 . 2010-05-11 16:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-11 16:56 . 2010-05-11 16:56 -------- d-----w- c:\program files\Java
2010-05-10 01:13 . 2010-05-10 01:13 -------- d-----w- c:\users\Miehm\AppData\Roaming\SmartFTP
2010-05-10 01:11 . 2010-05-10 01:11 -------- d-----w- c:\program files\SmartFTP Client
2010-05-10 01:10 . 2010-05-10 01:26 -------- d-----w- c:\program files\SmartFTP Client 4.0 Setup Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-08 16:59 . 2009-06-19 20:03 -------- d-----w- c:\users\Miehm\AppData\Roaming\Xfire
2010-06-05 20:41 . 2010-03-20 18:36 138664 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-05 20:41 . 2010-03-20 18:11 214864 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-04 19:35 . 2009-06-28 20:30 -------- d-----w- c:\program files\Steam
2010-06-03 21:44 . 2009-06-19 20:03 -------- d-----w- c:\programdata\Xfire
2010-06-03 21:44 . 2009-06-19 20:03 -------- d-----w- c:\program files\Xfire
2010-05-15 08:52 . 2010-03-02 06:39 -------- d-----w- c:\program files\AIM
2010-05-11 22:55 . 2009-06-18 23:26 -------- d-----w- c:\programdata\WildTangent
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\users\Miehm\AppData\Roaming\Malwarebytes
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\programdata\Malwarebytes
2010-05-09 14:09 . 2010-05-09 14:09 -------- d-----w- c:\program files\Trend Micro
2010-05-09 04:52 . 2010-05-08 18:38 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-09 04:52 . 2010-05-08 18:38 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-09 04:52 . 2010-05-08 18:38 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-09 04:52 . 2010-05-08 18:26 -------- d-----w- c:\program files\Symantec
2010-05-08 18:42 . 2010-05-08 18:23 -------- d-----w- c:\programdata\Norton
2010-05-08 18:38 . 2010-05-08 18:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-08 18:30 . 2010-05-08 17:44 -------- d-----w- c:\programdata\NortonInstaller
2010-05-08 18:24 . 2010-05-08 18:23 -------- d-----w- c:\program files\Norton Internet Security
2010-05-08 18:23 . 2010-05-08 18:23 -------- d-----w- c:\program files\NortonInstaller
2010-05-08 18:07 . 2010-05-08 17:18 -------- d-----w- c:\programdata\avg9
2010-05-06 18:45 . 2010-05-06 18:45 -------- d-----w- c:\users\Miehm\AppData\Roaming\Logitech
2010-05-06 18:45 . 2010-05-06 18:45 -------- d-----w- c:\programdata\LogiShrd
2010-05-06 18:45 . 2010-05-06 18:40 -------- d-----w- c:\program files\Common Files\Logishrd
2010-05-06 18:45 . 2010-05-06 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-05-06 18:45 . 2010-05-06 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-05-06 18:44 . 2010-05-06 18:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-05-06 18:41 . 2010-05-06 18:41 -------- d-----w- c:\programdata\Logitech
2010-05-06 18:41 . 2009-04-09 23:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 18:40 . 2010-05-06 18:40 -------- d-----w- c:\program files\Logitech
2010-05-06 11:50 . 2009-07-04 19:35 -------- d-----w- c:\program files\DivX
2010-05-06 11:50 . 2009-04-09 23:49 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-05-06 11:49 . 2009-07-04 19:35 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-06 11:23 . 2010-05-05 15:46 -------- d-----w- c:\programdata\DivX
2010-05-05 15:46 . 2010-05-05 15:48 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-29 19:39 . 2010-05-09 16:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-05-09 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 06:14 . 2010-04-29 06:14 98304 ----a-w- c:\windows\system32CmdLineExt.dll
2010-03-31 01:58 . 2009-04-10 00:00 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2009-04-10 00:00 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-31 01:58 . 2009-04-10 00:00 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-20 18:35 . 2010-03-20 18:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-20 18:35 . 2010-03-20 18:31 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-03-20 07:01 . 2010-03-20 07:00 168061633 ----a-w- c:\programdata\EA Core\cache\EADM\{ [email protected] }\bf2142_bp1\setup.exe
2010-03-20 05:42 . 2009-10-14 03:27 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-20 05:42 . 2009-10-14 03:26 38784 ----a-w- c:\users\Miehm\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-09 23:02 . 2009-04-09 23:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( [email protected]_16.21.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-06-07 19:50 40530 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2010-06-08 20:16 82222 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-06-18 23:27 . 2010-06-08 20:16 11548 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2703488262-2718368968-2945282138-1003_UserData.bin
+ 2008-01-21 02:32 . 2008-01-21 02:32 79872 c:\windows\System32\spool\drivers\w32x86\3\HPZPRLHN.DLL
+ 2008-01-21 02:32 . 2008-01-21 02:32 19968 c:\windows\System32\spool\drivers\w32x86\3\HPFRES50.DLL
+ 2008-01-21 02:32 . 2008-01-21 02:32 37376 c:\windows\System32\HPZLLLHN.DLL
+ 2008-01-21 02:32 . 2008-01-21 02:32 18944 c:\windows\System32\drivers\usbprint.sys
- 2006-11-02 09:14 . 2006-11-02 09:14 18944 c:\windows\System32\drivers\usbprint.sys
- 2009-04-09 23:54 . 2010-05-09 17:51 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-04-09 23:54 . 2010-06-08 20:14 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-04-09 23:54 . 2010-05-09 17:51 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-09 23:54 . 2010-06-08 20:14 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-09 23:54 . 2010-06-08 20:14 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-04-09 23:54 . 2010-05-09 17:51 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-26 05:31 . 2010-06-07 19:47 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-26 05:31 . 2010-05-09 17:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-26 05:31 . 2010-05-09 17:51 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-26 05:31 . 2010-06-07 19:47 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-26 05:31 . 2010-06-07 19:47 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-26 05:31 . 2010-05-09 17:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-09 17:51 . 2010-05-09 17:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-06-07 19:47 . 2010-06-08 20:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-06-07 19:47 . 2010-06-08 20:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-05-09 17:51 . 2010-05-09 17:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-04 17:33 . 2010-05-31 21:21 223628 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-06-19 00:03 . 2010-06-08 20:11 273810 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-01-21 02:32 . 2008-01-21 02:32 663552 c:\windows\System32\spool\drivers\w32x86\3\HPZLELHN.DLL
+ 2008-01-21 02:32 . 2008-01-21 02:32 280064 c:\windows\System32\spool\drivers\w32x86\3\HPFIME50.DLL
- 2010-01-28 23:25 . 2009-12-17 22:14 153376 c:\windows\System32\javaws.exe
+ 2010-05-11 16:57 . 2010-05-11 16:56 153376 c:\windows\System32\javaws.exe
- 2010-01-28 23:25 . 2009-12-17 22:14 145184 c:\windows\System32\javaw.exe
+ 2010-05-11 16:57 . 2010-05-11 16:56 145184 c:\windows\System32\javaw.exe
- 2010-01-28 23:25 . 2009-12-17 22:14 145184 c:\windows\System32\java.exe
+ 2010-05-11 16:57 . 2010-05-11 16:56 145184 c:\windows\System32\java.exe
+ 2006-11-02 12:44 . 2010-06-08 20:14 413520 c:\windows\System32\FNTCACHE.DAT
- 2006-11-02 12:44 . 2009-11-13 20:10 413520 c:\windows\System32\FNTCACHE.DAT
+ 2010-05-11 16:56 . 2010-05-11 16:56 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2010-05-11 16:57 . 2010-05-11 16:57 180224 c:\windows\Installer\a1ae43f.msi
+ 2010-05-11 16:56 . 2010-05-11 16:56 577536 c:\windows\Installer\a1ae42d.msi
+ 2008-01-21 02:32 . 2008-01-21 02:32 4930560 c:\windows\System32\spool\drivers\w32x86\3\HPZLALHN.DLL
+ 2008-01-21 02:32 . 2008-01-21 02:32 1253888 c:\windows\System32\spool\drivers\w32x86\3\HPZ3RLHN.DLL
+ 2008-01-21 02:32 . 2008-01-21 02:32 5387776 c:\windows\System32\spool\drivers\w32x86\3\HPFIGLHN.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2010-05-13 3823960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"PMHandler"="c:\progra~1\Lenovo\PMDriver\PMHandler.exe" [2008-09-23 83240]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 54560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-11 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-11 145944]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2008-08-07 148768]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

c:\users\Miehm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-5-27 3493264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2008-12-20 08:55 449088 ----a-w- c:\program files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2007-04-17 11:59 2887680 ----a-w- c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2007-04-26 17:10 120368 ----a-w- c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartAudio]
2008-07-21 03:19 2701880 ----a-w- c:\program files\CONEXANT\SmartAudio\SmAudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
2008-07-30 19:00 60192 ----a-w- c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2008-05-24 23:49 487424 ----a-w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a4,05,ef,b9,2d,2f,ca,01

R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-07-11 48192]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2008-04-25 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-04-25 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-04-25 166384]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-10-09 360448]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2008-04-25 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]
R4 FNF5SVC;Fn+F5 Service;c:\program files\LENOVO\HOTKEY\FNF5SVC.exe [2008-03-14 54560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [2010-01-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1008000.029\BHDrvx86.sys [2010-01-20 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1008000.029\ccHPx86.sys [2010-05-09 482432]
S1 funfrm;funfrm; [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100528.003\IDSvix86.sys [2010-05-28 344112]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2010-01-20 117640]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-08-08 53325]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-24 520192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-25 183808]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-28 102448]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-08-07 97536]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [2010-01-20 48688]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 19:54]

2010-05-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = <local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-08 16:34
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2944)
c:\program files\Xfire\xfire_toucan_42784.dll
.
Completion time: 2010-06-08 16:37:05
ComboFix-quarantined-files.txt 2010-06-08 20:37
ComboFix2.txt 2010-05-10 16:25
ComboFix3.txt 2010-05-09 17:59

Pre-Run: 33,929,773,056 bytes free
Post-Run: 33,955,897,344 bytes free

- - End Of File - - 5F7F40E7BDA7E35598A868EF5CA8C295

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:26 PM, on 6/8/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Lenovo\PMDriver\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Xfire\Xfire.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDriver\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PMDriver\PMSveH.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6661 bytes


----------



## Cookiegal (Aug 27, 2003)

Does this behaviour still occur in safe mode?


----------



## miehm (May 9, 2010)

It didn't show up after a couple of restarts in safe mode.


----------



## Cookiegal (Aug 27, 2003)

Why is Norton not set to run at startup? Are you turning it on every time manually?

Please post a new HijackThis log.


----------



## miehm (May 9, 2010)

I don't know... norton starts up every time the computer starts up.
But you're right- it's not in my startup stuff under msconfig...
Strange!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:28 PM, on 6/10/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\PMDriver\PMHandler.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Xfire\Xfire.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDriver\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PMDriver\PMSveH.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6669 bytes


----------



## Cookiegal (Aug 27, 2003)

I've checked other logs where NIS is run and there are no startup entries so it must be just running off the service now. The process is indeed running.

How are things now?


----------



## miehm (May 9, 2010)

Right now there's no mention of wermgr.exe. However, whenever the computer is started up, there seems to be some unknown chance that wermgr.exe will also start up after around 7 minutes. It always goes away again at some point a couple of hours later.
This is all new behavior. When I first started having problems with it(early may?) it started up every time, and ran continuously as long as the computer was on.
Confusion.


----------



## Cookiegal (Aug 27, 2003)

Are you having any problems with Windows updates?


----------



## miehm (May 9, 2010)

I've had problems with that on and off for a while.
Right now windows update is not working


----------



## Cookiegal (Aug 27, 2003)

It would have been helpful to know that earlier.

Go to the following link and download Dial-a-Fix:

http://majorgeeks.com/Dial-a-fix_d4899.html

Select the MSI and WU/WUAU sections and then click on Go.

After running Dial-a-Fix reboot the machine and then go to Windows update and see if you can get updates to install.

Let me know how it goes please.


----------



## miehm (May 9, 2010)

So, dial a fix doesn't work with vista(yet).
And now I remember why I never bothered to do anything about the update issues! Next to nobody seems to have a clue as to what to do, and the few solutions I did find were of no help.
When I try to check for updates, it gives me the error "80080005" after a few minutes.


----------



## Cookiegal (Aug 27, 2003)

Dial-a-Fix is supposed to run on Vista. Did you right-click and choose Run as Administrator?


----------



## miehm (May 9, 2010)

I looked around for newer versions, but that was the newest I could find. There's a thread by the creator in their forums saying not to ask about vista, because it doesn't work(yet). And it gives me this dialog box when I try to run it- whether using the "run as administrator" thing or not.


----------



## Cookiegal (Aug 27, 2003)

I'm sorry about that. I specifically checked the download link at MajorGeeks to be sure it was vista-compatible and it said it was.

Go to the following link and click on the FixIt button. Run the fix in default mode first and see if that fixes the problem with updates.

http://support.microsoft.com/kb/971058


----------



## miehm (May 9, 2010)

Yeah, I was a little surprised when the download site and program directly contradicted each other.
FixIt did not fix it. Still can't check for updates, and gives the same error number.


----------



## Cookiegal (Aug 27, 2003)

I would try dong FixIt again using Agressive mode this time.


----------



## miehm (May 9, 2010)

That didn't help either


----------



## Cookiegal (Aug 27, 2003)

Please upload the windowsupdate.log file as an attachment. It should be in C:\Windows.


----------



## miehm (May 9, 2010)

Had to zip it up to get it to fit, but here it is.


----------



## Cookiegal (Aug 27, 2003)

It does appear the problem with updates is what's causing the windows error reporting to run at intervals.

It's possible that NIS is blocking it. 

As a test, make sure all browser windows are closed and disable NIS but be sure to turn on the Windows firewall in the meantime. Then go to Windows Update and try to download updates and see if it will detect any and download them. Be sure to restart NIS as quickly as possible afterward and before doing anything else.


----------



## miehm (May 9, 2010)

No luck there either. Still got the same error number as before.


----------



## Cookiegal (Aug 27, 2003)

Please delete ComboFix by dragging it to the recycle bin and then grab the latest version, do a new scan and post the log.

Please visit *Combofix Guide & Instructions * for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.


----------



## miehm (May 9, 2010)

Here's the latest(and dare I say greatest?) log file in a long line of filed logs!

ComboFix 10-06-17.02 - Miehm 06/18/2010 2:45.4.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3032.1898 [GMT -4:00]
Running from: c:\users\Miehm\Desktop\puppy.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win.com
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-18 06:54 . 2010-06-18 06:55 -------- d-----w- c:\users\Miehm\AppData\Local\temp
2010-06-18 06:54 . 2010-06-18 06:54 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-18 06:54 . 2010-06-18 06:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-15 04:48 . 2010-06-15 04:49 -------- d-----w- c:\programdata\WinZip
2010-06-14 01:13 . 2010-06-14 01:16 -------- d-----w- c:\windows\system32\catroot2
2010-06-13 06:17 . 2010-06-13 06:19 -------- d-----w- c:\windows\system32\catroot2.bak
2010-05-28 00:09 . 2010-05-28 00:09 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-21 00:42 . 2010-05-21 00:42 -------- d-----w- c:\users\Miehm\AppData\Local\2DBoy
2010-05-21 00:42 . 2010-05-21 00:42 -------- d-----w- c:\programdata\2DBoy
2010-05-21 00:41 . 2010-05-21 00:42 -------- d-----w- c:\program files\WorldOfGoo
2010-05-20 05:05 . 2010-05-20 05:05 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-20 05:05 . 2010-05-20 05:05 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-20 05:05 . 2010-05-20 05:05 -------- d-----w- c:\program files\OpenAL
2010-05-20 05:02 . 2010-05-20 05:04 -------- d-----w- c:\program files\Penumbra Overture
2010-05-20 04:28 . 2010-05-20 04:28 -------- d-----w- c:\program files\Samorost2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-18 05:26 . 2009-06-28 20:30 -------- d-----w- c:\program files\Steam
2010-06-15 04:20 . 2009-06-19 20:03 -------- d-----w- c:\users\Miehm\AppData\Roaming\Xfire
2010-06-14 01:23 . 2010-03-20 18:36 138664 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-14 01:22 . 2010-03-20 18:11 214864 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-03 21:44 . 2009-06-19 20:03 -------- d-----w- c:\programdata\Xfire
2010-06-03 21:44 . 2009-06-19 20:03 -------- d-----w- c:\program files\Xfire
2010-05-19 02:26 . 2010-05-12 00:05 -------- d-----w- c:\program files\Aquaria
2010-05-15 08:52 . 2010-03-02 06:39 -------- d-----w- c:\program files\AIM
2010-05-15 08:51 . 2010-05-15 08:51 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-11 22:55 . 2009-06-18 23:26 -------- d-----w- c:\programdata\WildTangent
2010-05-11 17:25 . 2010-05-11 17:25 -------- d-----w- c:\programdata\Symantec
2010-05-11 16:57 . 2010-05-11 16:57 -------- d-----w- c:\program files\Common Files\Java
2010-05-11 16:56 . 2010-05-11 16:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-11 16:56 . 2010-05-11 16:56 -------- d-----w- c:\program files\Java
2010-05-10 01:26 . 2010-05-10 01:10 -------- d-----w- c:\program files\SmartFTP Client 4.0 Setup Files
2010-05-10 01:13 . 2010-05-10 01:13 -------- d-----w- c:\users\Miehm\AppData\Roaming\SmartFTP
2010-05-10 01:11 . 2010-05-10 01:11 -------- d-----w- c:\program files\SmartFTP Client
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\users\Miehm\AppData\Roaming\Malwarebytes
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\programdata\Malwarebytes
2010-05-09 14:09 . 2010-05-09 14:09 -------- d-----w- c:\program files\Trend Micro
2010-05-09 04:52 . 2010-05-08 18:38 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-09 04:52 . 2010-05-08 18:38 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-09 04:52 . 2010-05-08 18:38 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-09 04:52 . 2010-05-08 18:26 -------- d-----w- c:\program files\Symantec
2010-05-08 18:42 . 2010-05-08 18:23 -------- d-----w- c:\programdata\Norton
2010-05-08 18:38 . 2010-05-08 18:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-08 18:30 . 2010-05-08 17:44 -------- d-----w- c:\programdata\NortonInstaller
2010-05-08 18:24 . 2010-05-08 18:23 -------- d-----w- c:\program files\Norton Internet Security
2010-05-08 18:23 . 2010-05-08 18:23 -------- d-----w- c:\program files\NortonInstaller
2010-05-08 18:07 . 2010-05-08 17:18 -------- d-----w- c:\programdata\avg9
2010-05-06 18:45 . 2010-05-06 18:45 -------- d-----w- c:\users\Miehm\AppData\Roaming\Logitech
2010-05-06 18:45 . 2010-05-06 18:45 -------- d-----w- c:\programdata\LogiShrd
2010-05-06 18:45 . 2010-05-06 18:40 -------- d-----w- c:\program files\Common Files\Logishrd
2010-05-06 18:45 . 2010-05-06 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-05-06 18:45 . 2010-05-06 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-05-06 18:44 . 2010-05-06 18:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-05-06 18:41 . 2010-05-06 18:41 -------- d-----w- c:\programdata\Logitech
2010-05-06 18:41 . 2009-04-09 23:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 18:40 . 2010-05-06 18:40 -------- d-----w- c:\program files\Logitech
2010-05-06 11:50 . 2009-07-04 19:35 -------- d-----w- c:\program files\DivX
2010-05-06 11:50 . 2009-04-09 23:49 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-05-06 11:49 . 2009-07-04 19:35 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-06 11:23 . 2010-05-05 15:46 -------- d-----w- c:\programdata\DivX
2010-05-05 15:46 . 2010-05-05 15:48 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-29 19:39 . 2010-05-09 16:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-05-09 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 06:14 . 2010-04-29 06:14 98304 ----a-w- c:\windows\system32CmdLineExt.dll
2010-03-31 01:58 . 2009-04-10 00:00 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2009-04-10 00:00 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-31 01:58 . 2009-04-10 00:00 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-20 18:35 . 2010-03-20 18:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-20 18:35 . 2010-03-20 18:31 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-03-20 07:01 . 2010-03-20 07:00 168061633 ----a-w- c:\programdata\EA Core\cache\EADM\{ [email protected] }\bf2142_bp1\setup.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-09 23:02 . 2009-04-09 23:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( [email protected]_16.21.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-06-18 03:23 40816 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2010-06-18 03:23 82286 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-06-18 23:27 . 2010-06-18 03:23 11858 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2703488262-2718368968-2945282138-1003_UserData.bin
+ 2008-01-21 02:32 . 2008-01-21 02:32 79872 c:\windows\System32\spool\drivers\w32x86\3\HPZPRLHN.DLL
+ 2008-01-21 02:32 . 2008-01-21 02:32 19968 c:\windows\System32\spool\drivers\w32x86\3\HPFRES50.DLL
+ 2008-01-21 02:32 . 2008-01-21 02:32 37376 c:\windows\System32\HPZLLLHN.DLL
- 2006-11-02 09:14 . 2006-11-02 09:14 18944 c:\windows\System32\drivers\usbprint.sys
+ 2008-01-21 02:32 . 2008-01-21 02:32 18944 c:\windows\System32\drivers\usbprint.sys
- 2009-04-09 23:54 . 2010-05-09 17:51 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-04-09 23:54 . 2010-06-18 03:27 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-04-09 23:54 . 2010-06-18 03:27 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-09 23:54 . 2010-05-09 17:51 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-09 23:54 . 2010-05-09 17:51 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-09 23:54 . 2010-06-18 03:27 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-26 05:31 . 2010-05-09 17:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-26 05:31 . 2010-06-18 03:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-26 05:31 . 2010-06-18 03:21 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-26 05:31 . 2010-05-09 17:51 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-26 05:31 . 2010-06-18 03:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-26 05:31 . 2010-05-09 17:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-15 04:49 . 2010-06-15 04:49 29184 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BD}\IconCD95F6617.exe
- 2010-05-09 17:51 . 2010-05-09 17:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-06-18 03:21 . 2010-06-18 03:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-05-09 17:51 . 2010-05-09 17:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-06-18 03:21 . 2010-06-18 03:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-04 17:33 . 2010-06-15 20:23 227256 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-06-19 00:03 . 2010-06-16 21:52 274202 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-01-21 02:32 . 2008-01-21 02:32 663552 c:\windows\System32\spool\drivers\w32x86\3\HPZLELHN.DLL
+ 2008-01-21 02:32 . 2008-01-21 02:32 280064 c:\windows\System32\spool\drivers\w32x86\3\HPFIME50.DLL
+ 2010-06-13 03:06 . 2010-06-13 03:06 231888 c:\windows\System32\Macromed\Flash\FlashUtil10h_Plugin.exe
- 2010-01-28 23:25 . 2009-12-17 22:14 153376 c:\windows\System32\javaws.exe
+ 2010-05-11 16:57 . 2010-05-11 16:56 153376 c:\windows\System32\javaws.exe
- 2010-01-28 23:25 . 2009-12-17 22:14 145184 c:\windows\System32\javaw.exe
+ 2010-05-11 16:57 . 2010-05-11 16:56 145184 c:\windows\System32\javaw.exe
- 2010-01-28 23:25 . 2009-12-17 22:14 145184 c:\windows\System32\java.exe
+ 2010-05-11 16:57 . 2010-05-11 16:56 145184 c:\windows\System32\java.exe
- 2006-11-02 12:44 . 2009-11-13 20:10 413520 c:\windows\System32\FNTCACHE.DAT
+ 2006-11-02 12:44 . 2010-06-08 20:14 413520 c:\windows\System32\FNTCACHE.DAT
+ 2010-05-11 16:56 . 2010-05-11 16:56 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2010-05-11 16:57 . 2010-05-11 16:57 180224 c:\windows\Installer\a1ae43f.msi
+ 2010-05-11 16:56 . 2010-05-11 16:56 577536 c:\windows\Installer\a1ae42d.msi
+ 2010-06-15 04:49 . 2010-06-15 04:49 632320 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BD}\IconCD95F66110.exe
+ 2008-01-21 02:32 . 2008-01-21 02:32 4930560 c:\windows\System32\spool\drivers\w32x86\3\HPZLALHN.DLL
+ 2008-01-21 02:32 . 2008-01-21 02:32 1253888 c:\windows\System32\spool\drivers\w32x86\3\HPZ3RLHN.DLL
+ 2008-01-21 02:32 . 2008-01-21 02:32 5387776 c:\windows\System32\spool\drivers\w32x86\3\HPFIGLHN.DLL
+ 2010-01-27 01:07 . 2010-06-13 03:06 5612496 c:\windows\System32\Macromed\Flash\NPSWF32.dll
+ 2010-06-15 04:49 . 2010-06-15 04:49 1544192 c:\windows\Installer\2095859.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2010-05-13 3823960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"PMHandler"="c:\progra~1\Lenovo\PMDriver\PMHandler.exe" [2008-09-23 83240]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 54560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-11 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-11 145944]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2008-08-07 148768]

c:\users\Miehm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-5-27 3493264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2008-12-20 08:55 449088 ----a-w- c:\program files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2007-04-17 11:59 2887680 ----a-w- c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2007-04-26 17:10 120368 ----a-w- c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartAudio]
2008-07-21 03:19 2701880 ----a-w- c:\program files\CONEXANT\SmartAudio\SmAudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
2008-07-30 19:00 60192 ----a-w- c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2008-05-24 23:49 487424 ----a-w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a4,05,ef,b9,2d,2f,ca,01

R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-07-11 48192]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2008-04-25 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-04-25 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-04-25 166384]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-10-09 360448]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2008-04-25 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]
R4 FNF5SVC;Fn+F5 Service;c:\program files\LENOVO\HOTKEY\FNF5SVC.exe [2008-03-14 54560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [2010-01-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1008000.029\BHDrvx86.sys [2010-01-20 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1008000.029\ccHPx86.sys [2010-05-09 482432]
S1 funfrm;funfrm; [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100617.001\IDSvix86.sys [2010-05-28 344112]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2010-01-20 117640]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-08-08 53325]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-24 520192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-25 183808]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-28 102448]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-08-07 97536]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [2010-01-20 48688]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 19:54]

2010-05-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = <local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-18 02:55
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-06-18 02:58:21
ComboFix-quarantined-files.txt 2010-06-18 06:58
ComboFix2.txt 2010-06-08 20:37
ComboFix3.txt 2010-05-10 16:25
ComboFix4.txt 2010-05-09 17:59

Pre-Run: 34,118,070,272 bytes free
Post-Run: 33,946,513,408 bytes free

- - End Of File - - 9E009788E7212F51C06905013AE8D372


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
Driver::
funfrm
Viewpoint Manager Service
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## miehm (May 9, 2010)

ComboFix 10-06-18.03 - Miehm 06/19/2010 3:40.6.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3032.1853 [GMT -4:00]
Running from: c:\users\Miehm\Desktop\puppy.exe
Command switches used :: c:\users\Miehm\Desktop\cfscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_funfrm
-------\Service_Viewpoint Manager Service

((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 07:52 . 2010-06-19 07:57 -------- d-----w- c:\users\Miehm\AppData\Local\temp
2010-06-19 07:52 . 2010-06-19 07:52 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-19 07:52 . 2010-06-19 07:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-15 04:48 . 2010-06-15 04:49 -------- d-----w- c:\programdata\WinZip
2010-06-14 01:13 . 2010-06-14 01:16 -------- d-----w- c:\windows\system32\catroot2
2010-06-13 06:17 . 2010-06-13 06:19 -------- d-----w- c:\windows\system32\catroot2.bak
2010-05-28 00:09 . 2010-05-28 00:09 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-21 00:42 . 2010-05-21 00:42 -------- d-----w- c:\users\Miehm\AppData\Local\2DBoy
2010-05-21 00:42 . 2010-05-21 00:42 -------- d-----w- c:\programdata\2DBoy
2010-05-21 00:41 . 2010-05-21 00:42 -------- d-----w- c:\program files\WorldOfGoo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 07:32 . 2009-06-28 20:30 -------- d-----w- c:\program files\Steam
2010-06-19 07:31 . 2009-06-19 20:03 -------- d-----w- c:\programdata\Xfire
2010-06-15 04:20 . 2009-06-19 20:03 -------- d-----w- c:\users\Miehm\AppData\Roaming\Xfire
2010-06-14 01:23 . 2010-03-20 18:36 138664 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-14 01:22 . 2010-03-20 18:11 214864 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-03 21:44 . 2009-06-19 20:03 -------- d-----w- c:\program files\Xfire
2010-05-20 05:05 . 2010-05-20 05:05 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-20 05:05 . 2010-05-20 05:05 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-20 05:05 . 2010-05-20 05:05 -------- d-----w- c:\program files\OpenAL
2010-05-20 05:04 . 2010-05-20 05:02 -------- d-----w- c:\program files\Penumbra Overture
2010-05-20 04:28 . 2010-05-20 04:28 -------- d-----w- c:\program files\Samorost2
2010-05-19 02:26 . 2010-05-12 00:05 -------- d-----w- c:\program files\Aquaria
2010-05-15 08:52 . 2010-03-02 06:39 -------- d-----w- c:\program files\AIM
2010-05-15 08:51 . 2010-05-15 08:51 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-11 22:55 . 2009-06-18 23:26 -------- d-----w- c:\programdata\WildTangent
2010-05-11 17:25 . 2010-05-11 17:25 -------- d-----w- c:\programdata\Symantec
2010-05-11 16:57 . 2010-05-11 16:57 -------- d-----w- c:\program files\Common Files\Java
2010-05-11 16:56 . 2010-05-11 16:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-11 16:56 . 2010-05-11 16:56 -------- d-----w- c:\program files\Java
2010-05-10 01:26 . 2010-05-10 01:10 -------- d-----w- c:\program files\SmartFTP Client 4.0 Setup Files
2010-05-10 01:13 . 2010-05-10 01:13 -------- d-----w- c:\users\Miehm\AppData\Roaming\SmartFTP
2010-05-10 01:11 . 2010-05-10 01:11 -------- d-----w- c:\program files\SmartFTP Client
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\users\Miehm\AppData\Roaming\Malwarebytes
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 16:08 . 2010-05-09 16:08 -------- d-----w- c:\programdata\Malwarebytes
2010-05-09 14:09 . 2010-05-09 14:09 -------- d-----w- c:\program files\Trend Micro
2010-05-09 04:52 . 2010-05-08 18:38 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-09 04:52 . 2010-05-08 18:38 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-09 04:52 . 2010-05-08 18:38 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-09 04:52 . 2010-05-08 18:26 -------- d-----w- c:\program files\Symantec
2010-05-08 18:42 . 2010-05-08 18:23 -------- d-----w- c:\programdata\Norton
2010-05-08 18:38 . 2010-05-08 18:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-08 18:30 . 2010-05-08 17:44 -------- d-----w- c:\programdata\NortonInstaller
2010-05-08 18:24 . 2010-05-08 18:23 -------- d-----w- c:\program files\Norton Internet Security
2010-05-08 18:23 . 2010-05-08 18:23 -------- d-----w- c:\program files\NortonInstaller
2010-05-08 18:07 . 2010-05-08 17:18 -------- d-----w- c:\programdata\avg9
2010-05-06 18:45 . 2010-05-06 18:45 -------- d-----w- c:\users\Miehm\AppData\Roaming\Logitech
2010-05-06 18:45 . 2010-05-06 18:45 -------- d-----w- c:\programdata\LogiShrd
2010-05-06 18:45 . 2010-05-06 18:40 -------- d-----w- c:\program files\Common Files\Logishrd
2010-05-06 18:45 . 2010-05-06 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-05-06 18:45 . 2010-05-06 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-05-06 18:44 . 2010-05-06 18:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-05-06 18:41 . 2010-05-06 18:41 -------- d-----w- c:\programdata\Logitech
2010-05-06 18:41 . 2009-04-09 23:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-06 18:40 . 2010-05-06 18:40 -------- d-----w- c:\program files\Logitech
2010-05-06 11:50 . 2009-07-04 19:35 -------- d-----w- c:\program files\DivX
2010-05-06 11:50 . 2009-04-09 23:49 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-05-06 11:49 . 2009-07-04 19:35 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-06 11:23 . 2010-05-05 15:46 -------- d-----w- c:\programdata\DivX
2010-05-05 15:46 . 2010-05-05 15:48 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-04-29 19:39 . 2010-05-09 16:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-05-09 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 06:14 . 2010-04-29 06:14 98304 ----a-w- c:\windows\system32CmdLineExt.dll
2010-03-31 01:58 . 2009-04-10 00:00 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2009-04-10 00:00 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-31 01:58 . 2009-04-10 00:00 133616 ------w- c:\windows\system32\pxafs.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-09 23:02 . 2009-04-09 23:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2010-05-13 3823960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"PMHandler"="c:\progra~1\Lenovo\PMDriver\PMHandler.exe" [2008-09-23 83240]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 54560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-11 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-11 145944]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2008-08-07 148768]

c:\users\Miehm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-5-27 3493264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2008-12-20 08:55 449088 ----a-w- c:\program files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2007-04-17 11:59 2887680 ----a-w- c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2007-04-26 17:10 120368 ----a-w- c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartAudio]
2008-07-21 03:19 2701880 ----a-w- c:\program files\CONEXANT\SmartAudio\SmAudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
2008-07-30 19:00 60192 ----a-w- c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2008-05-24 23:49 487424 ----a-w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a4,05,ef,b9,2d,2f,ca,01

R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-07-11 48192]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2008-04-25 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-04-25 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-04-25 166384]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-10-09 360448]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2008-04-25 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]
R4 FNF5SVC;Fn+F5 Service;c:\program files\LENOVO\HOTKEY\FNF5SVC.exe [2008-03-14 54560]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [2010-01-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1008000.029\BHDrvx86.sys [2010-01-20 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1008000.029\ccHPx86.sys [2010-05-09 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100617.005\IDSvix86.sys [2010-05-28 344112]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2010-01-20 117640]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-08-08 53325]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-24 520192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-25 183808]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-28 102448]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-08-07 97536]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [2010-01-20 48688]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 19:54]

2010-05-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = <local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\users\Miehm\AppData\Roaming\Mozilla\Firefox\Profiles\ia01t65a.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 03:57
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2928)
c:\program files\Xfire\xfire_toucan_42784.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Lenovo\PMDriver\PMSveH.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\DllHost.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Lenovo\PMDriver\PMHandler.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-06-19 04:02:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 08:02
ComboFix2.txt 2010-06-18 06:58
ComboFix3.txt 2010-06-08 20:37
ComboFix4.txt 2010-05-10 16:25
ComboFix5.txt 2010-06-19 07:11

Pre-Run: 33,221,365,760 bytes free
Post-Run: 36,073,783,296 bytes free

- - End Of File - - 11628FF07095E667CE1017607BCA697A

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:14 AM, on 6/19/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Lenovo\PMDriver\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Xfire\Xfire.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDriver\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PMDriver\PMSveH.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6646 bytes


----------



## Cookiegal (Aug 27, 2003)

Did you install and uninstall AVG recently?

If so, you should delete this folder:

c:\programdata\*avg9*

How are things now?


----------



## miehm (May 9, 2010)

After running for 7 minutes and 44 seconds, wermgr came on. I think this is around the time it normally comes up, but this time it directly coincided with checking if windows update was working.
Windows update still can't check for updates, and still lists the same error number.


----------



## miehm (May 9, 2010)

Also, yes I installed and uninstalled avg back when this whole mess started. Folder is gone now.


----------



## Cookiegal (Aug 27, 2003)

Are there other user accounts on this computer?


----------



## miehm (May 9, 2010)

Nope, just the one.


----------



## Cookiegal (Aug 27, 2003)

Let's give this tool a try. Save it to your desktop. Then right-click on it and select "Run as Administrator".

http://users.telenet.be/marcvn/tools/WUS_Fix.exe

Let me know how it goes please.


----------



## miehm (May 9, 2010)

That doesn't seem to have accomplished anything. It opened up a little black and white window, quickly filled it with text, and then closed itself before I could read any of it. Things are unchanged with windows update.


----------



## Cookiegal (Aug 27, 2003)

Did you reboot after running it?


----------



## miehm (May 9, 2010)

I tried it without restarting, I tried it with restarting, I tried it without norton running...what else?
I think that was it.


----------



## Cookiegal (Aug 27, 2003)

I would suggest contacting Microsoft at this point. I believe support is free regarding updates but be sure that is determined at the beginning before any charges are incurred.


----------



## miehm (May 9, 2010)

Haha, okay. Well, I appreciate the assistance anyway.


----------



## Cookiegal (Aug 27, 2003)

You're welcome.

Here are some final instructions for you.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the */uninstall*, it needs to be there (the screenshot is just for illustration purposes but the actual command uses the entire word "uninstall" and not just the "u").










Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

Click on the Start button to open your Start Menu. 
Click on the Control Panel menu option.
Click on the System and Maintenance menu option.
Click on the System menu option.
Click on System Protection in the left-hand task list.

You will now be at the System Protection tab in the System control panel.

Clear the check box next to the disk to turn off System Protection, and then click OK. This will flush out all previous restore points.

Now select the check box next to the disk, and then click OK to turn system restore back on.

Now create a new restore point. Click on the Create button. When you press this button a prompt will appear asking you to provide a title for this manual restore point.

Type in a title for the manual restore point and press the Create button. Vista will now create a manual restore point, and when completed, display a notice saying that it was created successfully.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------

