15 replies to this topic

[Evan]

Hi there. My wife clicked on a bad website and managed to get “Personal Antivirus” on our Lenovo. She then panicked and tried to install some other purported AV software. I’ve tried System Restore, but each restore point I’ve tried yields only the message that the system can’t be restored to that point—no explanation.
I was able to install Malwarebytes, but each time I run a scan, the program terminates after only 15 seconds.

Here’s the HijackThis logfile, below. I’d appreciate guidance.

By the way, this Lenovo has some Japanese-language software on it: some of that software may look unfamiliar in the logfile, and particularly some of the "????’"s maybe (?) come from a language-encoding issue.

Thanks for your consideration of my logfile!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:20 PM, on 7/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Virus Buster\SfCtlCom.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Trend Micro\Virus Buster\TmPfw.exe
C:\Program Files\Trend Micro\Virus Buster\TmProxy.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Trend Micro\Virus Buster\UfSeAgnt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Program Files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\Program Files\PersonalAV\pav.exe
C:\WINDOWS\system32\NetFilter.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\SQLServer2005ExpressSP3-KB955706-x86-ENU.exe
c:\bdc6ecc7924795249b1e870a71fd\hotfix.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\bdc6ecc7924795249b1e870a71fd\HotFixExpress\Files\SQLEXPR.EXE
c:\0ca26db6043ca5169ed64897bf\setup.exe
C:\WINDOWS\system32\msiexec.exe
c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\setup.exe
C:\WINDOWS\system32\dllhost.exe
c:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.co...me/3000notebook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: &Helper - {A77D3539-581D-450C-9E44-A84C415A6172} - C:\WINDOWS\system32\msxmlm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Trend ????? - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE /c
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmflp03\BrStDvPt.exe
O4 - HKLM\..\Run: [PersonalAV] C:\Program Files\PersonalAV\pav.exe
O4 - HKLM\..\Run: [MSDRV] NetFilter.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Virus Buster\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1246131317687
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: ????????2009??????????? (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Virus Buster\SfCtlCom.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Virus Buster\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Virus Buster\TmProxy.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

[whitemajky]

i see 7 maybes, wait for an expert

[Maurice Naggar]

Hello Evan,

Do NOT attempt to use System Restore. It will not help (and desides the malware has prevented or blocked it's use).

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are a casual observer, do NOT try this on your system!

If at any point, if you have a question or problem, STOP & make a post to the forum.
Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here.

=

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<

• Double-click FixPolicies.exe.
  
• Click the "Install" button on the bottom toolbar of the box that will open.
  
• The program will create a new Folder called FixPolicies.
  
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  
• A black box will briefly appear and then close.
  
• This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Next, Close all browsers and all other programs that you have started.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

Quote

O4 - HKLM\..\Run: [PersonalAV] C:\Program Files\PersonalAV\pav.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

=

Next, Download and SAVE this file -- to your Desktop -- (Do NOT run the file straight away from download) from any one of these sources:
Link 1
Link 2
Link 3

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:

KILLALL::

Driver::
PersonalAV

File::
C:\Program Files\PersonalAV\pav.exe

Folder::
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

• :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  
• A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once :!:

=

Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechi.../mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
  
• If an update is found, it will download and install the latest version.
  
  
• Once the program has loaded, select Perform Quick Scan, then click Scan.
  
  
• The scan may take some time to finish,so please be patient.
  
  
• When the scan is complete, click OK, then Show Results to view the results.
  
  
• Make sure that everything is checked, and click Remove Selected.
  
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
  
• Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.
=

Once Complete, reboot! :!:

Run Hijackthis
Then close all windows/applications/browsers and run hijackthis, saving the log.

After following the above, post back with

1. Contents of C:\Combofix.txt;
2. the MBAM log
3. New Hijackthis log;
4. Tell me, How is your system now ?

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

[Evan]

Dear MVP Maurice,

Thanks a million for your expert, detailed and clear instructions. I’ve been pleased to read & use them. Moreover, as a result of your timely instructions, my wife’s PC is working fine. I’ll paste the log files in subsequent posts.

By the way, I made the following minor alterations of your instructions:
--I downloaded all the additional files to my own PC and transferred them to my wife’s PC via an external HD. (Because my wife’s PC was getting blocked from all the necessary websites for downloading.)
--I ran MBAM in Safe Mode (because in Normal Mode, MBAM consistently was terminating after a few seconds, even after running ComboFix and successfully updating MBAM).

I hope that these alterations didn’t plant any ticking bombs in the PC . . . . I apologize for not re-posting these adaptations as questions before trying them.


I have three follow-up questions. First, what do you recommend I install on my wife’s PC towards preventing further infection? Do you recommend I install the same on my own PC? I’m of course hoping for something to increase safety without hobbling our PCs’ speed.

Finally, on several occasions in the past I’ve needed emergency help (with virus removal or other software issues), and tried to find such help on a for-pay basis, but always have found help vastly inferior to what you provided. Waiting for 36 hours is usually fine—especially now when I’m unemployed, free service is fan-bloody-tastic—but when on deadline and needing help ASAP, um, whom I gonna call?

Very gratefully,
--Evan

[Evan]

ComboFix 09-08-01.09 - Evan 08/02/2009 20:33.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.984.506 [GMT -7:00]
Running from: c:\documents and settings\Evan\Desktop\ComboFix.exe
Command switches used :: E:\CFscript.txt

FILE ::
"c:\program files\PersonalAV\pav.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tomoko\Desktop\Personal Antivirus.lnk
c:\program files\PersonalAV\pav.exe
C:\recycler
c:\windows\Installer\f169a.msi
c:\windows\system32\msxmlm.dll
e:\recycler

.
((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-07-31 21:27 . 2009-07-31 21:27 -------- d-----w- c:\documents and settings\Tomoko\Application Data\Malwarebytes
2009-07-31 21:27 . 2009-07-31 21:27 -------- d-----w- c:\documents and settings\Evan\Application Data\Malwarebytes
2009-07-31 20:11 . 2009-07-31 20:11 -------- d-----w- c:\documents and settings\Evan\Local Settings\Application Data\Trend Micro
2009-07-31 06:49 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-31 06:49 . 2009-07-31 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-31 06:49 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 06:48 . 2009-07-31 21:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-31 05:51 . 2009-07-31 05:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-07-31 05:43 . 2009-07-31 05:43 -------- d-----w- c:\documents and settings\Tomoko\Local Settings\Application Data\Trend Micro
2009-07-31 05:41 . 2009-07-31 05:41 -------- d-----w- c:\windows\LocalSSL
2009-07-31 05:41 . 2009-07-31 05:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Trend Micro
2009-07-31 05:40 . 2009-07-31 05:38 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-07-31 05:40 . 2009-07-31 05:38 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-07-31 05:40 . 2009-07-31 05:38 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-31 05:40 . 2009-07-31 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-07-31 05:39 . 2009-07-31 06:59 -------- d-----w- c:\program files\Trend Micro
2009-07-31 05:38 . 2009-07-31 05:38 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-07-31 05:38 . 2009-07-31 05:38 335376 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2009-07-31 05:38 . 2009-05-22 08:02 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-07-31 05:38 . 2009-05-22 08:00 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-07-31 05:38 . 2009-05-22 07:45 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-07-31 05:09 . 2009-07-31 05:09 -------- d-----w- c:\program files\Enigma Software Group
2009-07-31 04:37 . 2009-07-31 04:37 -------- d-----w- c:\documents and settings\Tomoko\Application Data\AVG8
2009-07-31 04:30 . 2009-07-30 17:32 122880 ----a-w- c:\windows\system32\NetFilter.exe
2009-07-31 04:30 . 2009-06-22 14:58 24576 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2009-07-31 04:30 . 2009-05-14 09:58 61440 ----a-w- c:\windows\system32\ndisapi.dll
2009-07-31 04:29 . 2009-07-31 04:29 -------- d-----w- c:\program files\Common Files\Uninstall
2009-07-31 04:29 . 2009-08-03 03:36 -------- d-----w- c:\program files\PersonalAV
2009-07-11 17:36 . 2009-07-11 17:36 -------- d-----w- C:\3bb29009745b6414298f6397
2009-07-09 10:51 . 2001-08-18 05:36 9728 ------w- c:\windows\system32\dllcache\brcoinst.dll
2009-07-09 10:51 . 2001-08-18 05:36 9728 ------w- c:\windows\system32\brcoinst.dll
2009-07-09 10:51 . 2001-08-17 20:12 11008 ------w- c:\windows\system32\drivers\BrUsbMdm.sys
2009-07-09 10:51 . 2001-08-17 20:12 11008 ------w- c:\windows\system32\dllcache\brusbmdm.sys
2009-07-09 10:51 . 2001-08-17 20:12 2944 ------w- c:\windows\system32\drivers\BrFilt.sys
2009-07-09 10:51 . 2001-08-17 20:12 2944 ------w- c:\windows\system32\dllcache\brfilt.sys
2009-07-09 10:51 . 2001-08-17 20:12 10368 ------w- c:\windows\system32\drivers\BrUsbScn.sys
2009-07-09 10:51 . 2001-08-17 20:12 10368 ------w- c:\windows\system32\dllcache\brusbscn.sys
2009-07-09 10:40 . 2009-07-09 10:41 57 ------w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-07-09 10:39 . 2009-07-09 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-07-08 22:29 . 2008-04-13 18:47 25856 ------w- c:\windows\system32\drivers\usbprint.sys
2009-07-08 22:29 . 2008-04-13 18:47 25856 ------w- c:\windows\system32\dllcache\usbprint.sys
2009-07-08 22:28 . 2002-02-13 08:16 176128 ------w- c:\windows\system32\Pdrvinst.dll
2009-07-08 22:28 . 2002-02-05 08:08 81920 ------w- c:\windows\system32\BrWebIns.dll
2009-07-08 22:28 . 2002-02-05 08:07 65536 ------w- c:\windows\system32\Brwebup.exe
2009-07-08 22:28 . 2009-07-08 22:28 -------- d-----w- c:\program files\Brother
2009-07-08 22:28 . 2003-01-14 08:18 487424 ------w- c:\windows\system32\brfxdial.dll
2009-07-08 16:51 . 2009-07-08 16:51 -------- d-----w- c:\documents and settings\Tomoko\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 03:33 . 2009-04-09 22:25 -------- d-----w- c:\documents and settings\Tomoko\Application Data\Skype
2009-07-31 05:34 . 2009-06-03 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-15 10:01 . 2008-11-28 05:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-08 22:28 . 2008-11-28 04:47 -------- d-----w- c:\program files\Common Files\Installshield
2009-07-08 22:28 . 2008-11-28 04:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-29 16:12 . 2006-04-30 06:56 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-04-30 06:55 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-04-30 06:55 17408 ------w- c:\windows\system32\corpol.dll
2009-06-29 16:07 . 2009-06-29 16:07 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-28 18:14 . 2008-11-28 05:12 91256 ------w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-27 20:40 . 2006-04-30 07:12 86327 ------w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-26 22:39 . 2009-04-18 06:28 -------- d-----w- c:\documents and settings\Evan\Application Data\Skype
2009-06-18 03:04 . 2009-06-18 03:04 -------- d-----w- c:\documents and settings\Tomoko\Application Data\InterVideo
2009-06-16 23:51 . 2009-06-16 23:51 -------- d-----w- c:\program files\MSECache
2009-06-16 14:36 . 2006-04-30 06:56 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-04-30 06:55 81920 ------w- c:\windows\system32\fontsub.dll
2009-06-09 02:47 . 2009-06-09 02:47 0 ------w- c:\windows\nsreg.dat
2009-06-03 19:09 . 2006-04-30 06:55 1291264 ------w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2006-04-30 06:55 345600 ------w- c:\windows\system32\localspl.dll
2009-07-24 03:25 . 2009-06-09 02:47 134648 ------w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMHandler"="c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe" [2008-09-05 83240]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 60192]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 54560]
"SmartAudio"="c:\program files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE" [2008-07-21 2701880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-15 150040]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-15 487424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-22 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-04-26 120368]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]
"CameraApplicationLauncher"="c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2008-10-07 16384]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-04-15 30192]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Virus Buster\UfSeAgnt.exe" [2009-04-08 995528]
"MSDRV"="NetFilter.exe" - c:\windows\system32\NetFilter.exe [2009-07-30 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 10:14 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [5/24/2006 12:48 PM 10240]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 6:50 AM 46144]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 6:50 PM 30312]
R2 FNF5SVC;Fn+F5 Service;c:\program files\Lenovo\HOTKEY\FnF5svc.exe [9/10/2008 11:49 PM 54560]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [7/30/2009 10:41 PM 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [7/30/2009 10:40 PM 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Virus Buster\TmPfw.exe [7/30/2009 10:41 PM 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [7/30/2009 10:38 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Virus Buster\TmProxy.exe [7/30/2009 10:41 PM 677128]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 5:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 6:50 AM 253952]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [11/27/2008 9:32 PM 110080]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [11/27/2008 9:54 PM 97536]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [7/30/2009 10:38 PM 335376]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 5:54 PM 37312]
R3 vm331avs;Lenovo EasyCamera;c:\windows\system32\drivers\vm331avs.sys [11/27/2008 9:52 PM 974336]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [4/25/2008 9:18 AM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [4/25/2008 9:16 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [4/25/2008 9:15 AM 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [7/9/2009 3:51 AM 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [3/13/2003 5:04 PM 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [7/9/2009 3:51 AM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [7/9/2009 3:51 AM 10368]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/15/2009 3:00 PM 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/30/2009 11:49 PM 38160]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 6:29 AM 29178224]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [4/25/2008 9:18 AM 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 9:15 AM 1120752]

--- Other Services/Drivers In Memory ---

*Deregistered* - NDISRD
.
Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54]

2009-08-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-28 05:18]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SetDefPrt - c:\program files\Brother\Brmflp03\BrStDvPt.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/welcome/3000notebook
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Evan\Application Data\Mozilla\Firefox\Profiles\1o7arhzn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-02 20:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'explorer.exe'(4060)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Lenovo\PM Driver\PMSveH.exe
c:\program files\Trend Micro\Virus Buster\SfCtlCom.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
.
**************************************************************************
.
Completion time: 2009-08-03 20:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 03:45

Pre-Run: 60,160,565,248 bytes free
Post-Run: 60,236,591,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

257 --- E O F --- 2009-08-02 10:03

[Evan]

Malwarebytes' Anti-Malware 1.39
Database version: 2548
Windows 5.1.2600 Service Pack 3

8/2/2009 9:32:06 PM
mbam-log-2009-08-02 (21-32-06).txt

Scan type: Quick Scan
Objects scanned: 103948
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msdrv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Tomoko\Desktop\Install-1de7740_02006-85.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\Tomoko\Desktop\Install-27ab1_02006-85.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\Tomoko\Desktop\Install-2bd4_02006-85.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\Tomoko\Desktop\Install-4f495e8_02006-85.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\Tomoko\Desktop\Install-57d5ff9_02006-85.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\Tomoko\Desktop\Install-9ab1b_02006-85.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\program files\common files\uninstall\personalav\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\personalav\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\personalav\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetFilter.exe (Trojan.Agent) -> Quarantined and deleted successfully.

[Evan]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:33 PM, on 8/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Program Files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.co...me/3000notebook
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE /c
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1246131317687
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 11222 bytes

[Maurice Naggar]

Hello Evan,

Sorry for the delay in getting back to you. I've been tied up helping others with more severe issues.

The rogue "personal antivirus" has been squashed; but there are some items for you to update and some additional followup.
I suggest you do the following :

This system has an old version of Java Run-time.

Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6

uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Open an IE window and go to http://java.sun.com/...loads/index.jsp
> In top of the page ( 5th in the list), click on the Download button to the right of (JRE) 6 Update 15
> If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content; You do not have to install the Java Web Start ActiveX Control
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

• Tip: Choose Custom install to select only the part(s) you need/want.

Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

To test your Java Run-time, you may go to this page http://www.java.com/...help/testvm.xml
When all is well, you should see Java Version: 1.6.0_15 from Sun Microsystems Inc.
=

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com.../readstep2.html

=

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! Perhaps also save the file on your pc.

Close all browsers and all open windows & programs.

1. Please download SmitfraudFix (by S!Ri) and SAVE it to your Desktop.
It's very important that you be using the most recent version (v2.423 as of this post).

2. Reboot into Safe Mode (Restart your computer, then continually tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. More at http://service1.symantec.com/SUPPORT/tsgen...001052409420406.)

3. Once in Safe Mode:
Double click the SmitFruadfix.exe file. It will create a folder named SmitfraudFix) on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Have plenty of patience as a Command prompt window opens. You'll eventually see a message and a "press any key to continue".
Press the space bar or any other key on the keyboard.

4. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

5. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

6. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

7. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

8. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:

• process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  
  
• Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you were infected

Next, making sure you have no other open programs of yours:
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
It should download the new version 1.40, and in that process, you'll be prompted to allow a Restart/reboot. Please do so.

After a reboot, Start MBAM again. Repeat the Check for Updates one more time.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

There will be cleanups in the next round, after this, so keep checking here when you get a notice of reply.

Post in your next reply:
copy of C:\rapport.txt
and the latest MBAM scan log
and remind us, How is this system now?

[Evan]

Hello Maurice,

Thank you very much for your second set of instructions. My Lenovo has continued to run well. I’m glad to hear we squashed its PAV infection, and glad to have updated software (Java, Adobe) per your instructions. I’ll attach the two logs below.

FYI, in your instructions for SmitFraudFix you wrote,
“6. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.”
I infer that even if I see no signs that it’s done this check, my log will show you the check was done.

FYI, in your instructions for MBAM’s "Check for Updates," you wrote
“It should download the new version 1.40, and in that process, you'll be prompted to allow a Restart/reboot.” I wasn’t prompted, and a reboot didn’t seem necessary. As I read the results, MBAM gave this PC a clean bill of health.

Gratefully,
--Evan

[Evan]

SmitFraudFix v2.423 LOG:


Malwarebytes' Anti-Malware 1.40
Database version: 2573
Windows 5.1.2600 Service Pack 3

SmitFraudFix v2.423

Scan done at 21:20:49.79, Thu 08/06/2009
Run from C:\Documents and Settings\Evan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{73443E50-AC49-48BF-993D-CDE6FA9D8B86}:
DhcpNameServer=138.23.146.213 138.23.201.101
HKLM\SYSTEM\CS1\Services\Tcpip\..\{73443E50-AC49-48BF-993D-CDE6FA9D8B86}:
DhcpNameServer=138.23.146.213 138.23.201.101
HKLM\SYSTEM\CS2\Services\Tcpip\..\{73443E50-AC49-48BF-993D-CDE6FA9D8B86}:
DhcpNameServer=138.23.146.213 138.23.201.101
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters:
DhcpNameServer=138.23.146.213 138.23.201.101
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters:
DhcpNameServer=138.23.146.213 138.23.201.101
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters:
DhcpNameServer=138.23.146.213 138.23.201.101


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK.2



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

[Evan]

8/6/2009 9:35:29 PM
mbam-log-2009-08-06 (21-35-29).txt

Scan type: Quick Scan
Objects scanned: 104822
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Maurice Naggar]

Hello Evan,
You had asked before

Quote

First, what do you recommend I install on my wife’s PC towards preventing further infection? Do you recommend I install the same on my own PC? I’m of course hoping for something to increase safety without hobbling our PCs’ speed.

I'd recommend you purchase MBAM to get the benefit of real-time anti-malware protection, to supplement your antivirus app.
The license is a one-time fee, good forever. (no renewal fees; no expiration)
and as an aside, I am, to say the least, not at all a fan of SpyHunter. If you did not purchase it, remove it.

I have been a fan of MBAM for at least a couple of years now, and have observed it's amazing capabilities.

Check on the version of AVG. It should be the latest version 8.5
If it is not, get it updated.

See my closing advice (further down) about other security measures.
=
Cleanups:
I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders.
By whichever name you named it, ( you had named it combofix ), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for it's cleanup & removal function.
Note the space after x and before the slash mark.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

• Click Start, then click Run.
  
  In the command box that opens, type or copy/paste
  combo-fix /u
  and then click OK.

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

• Please double-click OTL.exe to run it.
  
• Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.

• Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
  
  
• You may reset your Windows Explorer {My Computer} Folder Options > VIEW settings back to where they had been before. {under hidden files & folders to not show hidden or system files -and- to "hide protected operating system files" }
  
  
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  
  
• Check in at Windows Update and install any Critical Updates offered.
  
  
• Download and Install Windows Defender by Microsoft (free) if you do not already have it:
  http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  
  
• Make certain that Automatic Updates is enabled.
  How to configure and use Automatic Updates in WinXP:
  http://support.microsoft.com/kb/306525
  
  
• Download, install, and keep updated Spyware Blaster (free): http://www.javacools...areblaster.html (all Protections should be enabled at all times)
  
  
• I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
  See the FAQ page http://mvps.org/winh...02/hostsfaq.htm
  That would help to keep your browser away from known spyware/malware sites.
  
  
• Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  
  On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
  Kaspersky Webscan Online Virus Scanner
  
  ESET Online Scanner
  
  Panda ActiveScan
  
  Trend Micro Housecall
  
  F-Secure Online Scanner
  
  
• Read Tony Klein's article How Did I Get Infected In The First Place
  
  
• Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !
  
  Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingc...tutorial82.html

We are finished here. Best regards.

[Evan]

Hello Maurice,

My own PC had a hardware meltdown that distracted me from the endgame of disinfecting/protecting my wife’s PC. So I just got back to it.

In following your last set of instructions, I got as far as running ATF-Cleaner again. I couldn’t find the program on my wife’s PC anymore, so I went to download it again. Alas, when I tried downloading it from various sites whose URLs I trusted, I only got the “Oops, this link appears to be broken” message—and atribune.org wouln’t load at all. Each time I tried, MBAM displayed a balloon warning of IP infection.

So I ran an MBAM quick scan. Found nothing.
Then I ran an MBAM full scan: it found only one file infected, as follows.

Files Infected:
C:\RRbackups\FR\UF\WINDOWS\system32\drivers\dmload.sys (Trojan.Spambot) -> Delete on reboot.

I rebooted, but this PC still can’t access atribune.org and throws the “Oops, broken link.” My wife considers her PC is fine, but if some malware is blocking access to good downloads, and throwing warnings, I guess all’s not going to be well.

Meanwhile I re-copied (from a portable HD) ATF-Cleaner, and had it clean out everything. Didn’t see any difference.

HijackThis log is below.

--Evan

[Evan]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:14:10, on 8/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Program Files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.co...me/3000notebook
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SMARTAUDIO\SMAUDIO.EXE /c
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1246131317687
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PMSveH - Lenovo - C:\Program Files\Lenovo\PM Driver\PMSveH.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 11819 bytes

[Evan]

A second full scan with MBAM found nothing.

[Maurice Naggar]

Good to hear that MBAM found nothing. We are done here and I'll close this topic.
I'll have to test my system on the weekend to see about the ATF Cleaner download and if I get the same message.
You can accomplish most the same functions as ATF Cleaner by running Disk Cleanup off your Start menu >All Program > Accessories > System Tools

Cheers