TheTechGuide Forum

General Category => Tech Clinic => Topic started by: jjccp on March 27, 2009, 06:00:21 PM

Title: hijacked when using google
Post by: jjccp on March 27, 2009, 06:00:21 PM

Hi,

When I do a search on google, I'm redirected to another advertising site. Also experiencing overall slowness.

I have AVG installed and a recent scan showed no problems.

Thanks in advance for your help.

Jim

Here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:00 PM, on 3/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.realliving.com/ (http://\"http://my.realliving.com/\")
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab (http://\"http://www-307.ibm.com/pc/support/IbmEgath.cab\")
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx (http://\"https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx\")
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JIM~1.DAL/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 11184 bytes

Title: hijacked when using google
Post by: guestolo on March 27, 2009, 08:16:54 PM

Welcome jjccp

Download [color=\"#FF0000\"]> ATF Cleaner <[/color] (http://\"http://www.atribune.org/ccount/click.php?id=1\") by Atribune and save it to your Desktop.

Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use Firefox browser
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit from the Main menu

download Malwarebytes' Anti-Malware from Here (http://\"http://www.besttechie.net/tools/mbam-setup.exe\") or Here (http://\"http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html\")
Save the installer to desktop

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to [color=\"#006400\"]Update Malwarebytes' Anti-Malware[/color] and [color=\"#006400\"]Launch Malwarebytes' Anti-Malware[/color], then click Finish.
     
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
     
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
     
  
• Make sure that everything is checked, and click Remove Selected.
      * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
     
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply
  

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Also post a fresh Hijackthis log please and let me know how things are running

Title: hijacked when using google
Post by: jjccp on March 28, 2009, 07:34:52 AM

Thanks, followed instructions. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

3/28/2009 8:23:17 AM
mbam-log-2009-03-28 (08-23-17).txt

Scan type: Quick Scan
Objects scanned: 82001
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is the new Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:04 AM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.realliving.com/ (http://\"http://my.realliving.com/\")
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab (http://\"http://www-307.ibm.com/pc/support/IbmEgath.cab\")
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx (http://\"https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx\")
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JIM~1.DAL/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 11192 bytes

Title: hijacked when using google
Post by: guestolo on March 28, 2009, 09:56:17 AM

Do you recognize this Active Desktop component?
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JIM~1.DAL/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

Are you still being redirected?

Title: hijacked when using google
Post by: jjccp on March 28, 2009, 01:20:00 PM

Thanks for the quick reply.

I do not recognize the Active Desktop component.

I am still being redirected. I get to my google search results ok, but when I click on one of the results, I get sent to a different site. If I then hit the back button I get to the correct site.

Title: hijacked when using google
Post by: guestolo on March 28, 2009, 01:32:22 PM

Do a "System scan only" with Hijackthis and put a check next to these entries:

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JIM~1.DAL/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer,
Back in Windows
Download ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color] (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 2[/color] (http://\"http://www.forospyware.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 3[/color] (http://\"http://subs.geekstogo.com/ComboFix.exe\")
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

      --------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
[/color]

• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]
(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please

With the log from ComboFix, can you also include a fresh log from Hijackthis

Title: hijacked when using google
Post by: jjccp on March 28, 2009, 03:34:40 PM

Now I'm having a problem.

Did the beginning Hijackthis instructions with no problem. After rebooting, downloading Combofix from link 3, double click on combofix.exe icon on desktop, program starts with little combofix window on the desktop. After approx 30 seconds combofix window blinks off and hard drive light stops blinking. No computer activity noted. I rebooted and tried to run combofix again with the same results.

Title: hijacked when using google
Post by: guestolo on March 28, 2009, 09:38:12 PM

Please try rebooting into safe mode
Sign in with your normal User account and try running ComboFix again
See if that helps

Title: hijacked when using google
Post by: jjccp on March 29, 2009, 10:58:35 AM

I rebooted into safe mode and have the exact same results with ComboFix as above. Starts to work then blinks off.

FYI, still being redirected and now rebooting is really slow. Also at reboot the icons on my desktop, at first come on with a generic icon then slowly, one by one, change to the correct icon. Hope that helps.

Thanks

Title: hijacked when using google
Post by: guestolo on March 29, 2009, 11:03:51 AM

Let's see if we can find the culprit
download >[color=\"#FF0000\"]DaonolFix[/color]< (http://\"http://jpshortstuff.247fixes.com/beta/DaonolFix.exe\")  and save it to your Desktop

• Double-click DaonolFix.exe to run it.
     
  
• Select 1. Find Daonol (no fix) by typing 1 and pressing Enter.
     
  
• You will see a lot of files being listed - don't worry, they are just being scanned.
• A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called DaonolFix.txt).

Title: hijacked when using google
Post by: jjccp on March 29, 2009, 11:11:31 AM

That worked. Here's the log:

DaonolFix (16.03.09) by jpshortstuff
Log created at 12:07 on 29/03/2009 by jim.dalessandro
Running from C:\Documents and Settings\jim.dalessandro\Desktop\DaonolFix.exe

=====Find Daonol=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"aux2"="C:\WINDOWS\system32\..\ajlrcmg.beq"
"midi"="wdmaud.drv"
"midimapper"="midimap.dll"
"mixer"="wdmaud.drv"
"msacm.iac2"="C:\WINDOWS\system32\iac25_32.ax"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.l3acm"="C:\WINDOWS\system32\l3codeca.acm"
"msacm.lameacm"="LameACM.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msaudio1"="msaud32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msg723"="msg723.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iv50"="ir50_32.dll"
"vidc.iyuv"="iyuv_32.dll"
"vidc.M261"="msh261.drv"
"vidc.M263"="msh263.drv"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.XVID"="xvidvfw.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wave"="wdmaud.drv"
"wavemapper"="msacm32.drv"

-=Daonol Files=-
(none found)

-=End Of File=-

Title: hijacked when using google
Post by: guestolo on March 29, 2009, 11:17:12 AM

Great, can you run one more scanner for me please
See if this will run
Download and save to your desktop
[color=\"#FF0000\"]OTScanIt2[/color] (http://\"http://download.bleepingcomputer.com/oldtimer/OTScanIt2.exe\")[/url]
by OldTimer

Double click on it to Run it and then Extract it to a folder on desktop
Open that newly created folder and double click on OTScanIt2.exe
Leave all defaults selected
Except, change Rootkit Search to YES

Then click on [color=\"#0000FF\"]Run Scan [/color]

When done, it will produce a log
Can you post the contents of that log back here please
A copy of it can also be found it the OTScanIt2 folder on desktop
NOTE: If you do get an error posting this log, please Upload it, but Only if you get an error

Title: hijacked when using google
Post by: jjccp on March 29, 2009, 12:18:43 PM

Here are the results of the OTscanIt2:

[code]OTScanIt2 logfile created on: 3/29/2009 12:49:20 PM - Run 1
OTScanIt2 by OldTimer - Version 1.0.9.1    Folder = C:\Documents and Settings\jim.dalessandro\Desktop\OTScanIt2
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
502.36 Mb Total Physical Memory | 138.29 Mb Available Physical Memory | 27.53% Memory free
1.20 Gb Paging File | 0.88 Gb Available in Paging File | 73.51% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.29 Gb Total Space | 18.57 Gb Free Space | 36.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: JIMDALESANDRO
Current User Name: jim.dalessandro
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
 
[Processes - Safe List]
acprfmgrsvc.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -> [2007/02/19 19:15:10 | 00,053,248 | ---- | M] ()
acsvc.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\AcSvc.exe -> [2007/02/19 19:15:14 | 00,172,032 | ---- | M] (Lenovo)
avgrsx.exe -> %ProgramFiles%\AVG\AVG8\avgrsx.exe -> [2009/02/05 09:29:00 | 00,484,120 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgwdsvc.exe -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/02/05 09:28:57 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
brss01a.exe -> %SystemRoot%\system32\brss01a.exe -> [2001/12/13 00:01:00 | 00,045,056 | ---- | M] (brother Industries Ltd)
brsvc01a.exe -> %SystemRoot%\system32\brsvc01a.exe -> [2001/11/23 00:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd)
ctsvccda.exe -> %SystemRoot%\system32\CTsvcCDA.exe -> [1999/12/12 13:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd)
evteng.exe -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> [2006/08/02 03:39:20 | 00,434,176 | ---- | M] (Intel Corporation)
explorer.exe -> %SystemRoot%\explorer.exe -> [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation)
ezejmnap.exe -> %ProgramFiles%\ThinkPad\Utilities\EZEJMNAP.EXE -> [2006/02/23 13:22:00 | 00,237,568 | ---- | M] (Lenovo Group Limited)
ibmpmsvc.exe -> %SystemRoot%\system32\ibmpmsvc.exe -> [2007/02/27 22:09:06 | 00,036,400 | ---- | M] (Lenovo)
ipssvc.exe -> %SystemRoot%\system32\IPSSVC.EXE -> [2006/08/16 13:07:00 | 00,073,728 | ---- | M] (Lenovo Group Limited)
iuservice.exe -> %ProgramFiles%\Lenovo\Rescue and Recovery\ADM\IUService.exe -> [2006/07/14 18:52:48 | 00,045,056 | ---- | M] ()
jqs.exe -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/03/17 12:31:58 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
logmon.exe -> %CommonProgramFiles%\Lenovo\Logger\logmon.exe -> [2006/07/14 20:36:00 | 00,022,016 | ---- | M] ()
mdm.exe -> %CommonProgramFiles%\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/20 02:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation)
mstbsvc.exe -> %ProgramFiles%\MSN\Toolbar\3.0.0988.2\mstbsvc.exe -> [2008/12/04 12:29:28 | 00,100,184 | ---- | M] (Microsoft Corp.)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/03/27 10:59:42 | 00,492,544 | ---- | M] (OldTimer Tools)
regsrvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> [2006/08/02 03:24:22 | 00,327,680 | ---- | M] (Intel Corporation)
rrservice.exe -> %ProgramFiles%\Lenovo\Rescue and Recovery\rrservice.exe -> [2006/07/14 21:01:00 | 01,974,272 | ---- | M] (Lenovo Group Limited)
s24evmon.exe -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> [2006/08/02 03:31:22 | 00,937,984 | ---- | M] (Intel Corporation )
smax4pnp.exe -> %ProgramFiles%\Analog Devices\Core\smax4pnp.exe -> [2005/05/19 20:11:06 | 00,925,696 | ---- | M] (Analog Devices, Inc.)
suservice.exe -> %ProgramFiles%\lenovo\system update\suservice.exe -> [2007/02/12 05:35:42 | 00,013,312 | ---- | M] (Lenovo Group Limited)
svcguihlpr.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe -> [2007/02/19 19:15:58 | 00,106,496 | ---- | M] ()
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> [2006/02/14 01:16:28 | 00,512,000 | ---- | M] (Synaptics, Inc.)
syntplpr.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe -> [2006/02/14 01:17:28 | 00,110,592 | ---- | M] (Synaptics, Inc.)
tphdexlg.exe -> %SystemRoot%\System32\TPHDEXLG.EXE -> [2005/06/20 15:15:00 | 00,077,824 | ---- | M] (Lenovo.)
tphkmgr.exe -> %ProgramFiles%\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe -> [2006/07/24 21:19:40 | 00,094,208 | ---- | M] ()
tpkmpsvc.exe -> %SystemRoot%\system32\TpKmpSVC.exe -> [2005/06/07 00:26:22 | 00,032,768 | ---- | M] ()
tponscr.exe -> %ProgramFiles%\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe -> [2005/07/05 01:57:12 | 00,077,824 | ---- | M] ()
tpscrex.exe -> %ProgramFiles%\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe -> [2006/05/30 02:05:42 | 00,086,016 | ---- | M] (Lenovo Group Limited)
tpshocks.exe -> %SystemRoot%\system32\TpShocks.exe -> [2006/03/15 22:04:48 | 00,106,496 | ---- | M] (Lenovo, Ltd. and IBM Corporation.)
tvt_reg_monitor_svc.exe -> %CommonProgramFiles%\Lenovo\tvt_reg_monitor_svc.exe -> [2006/07/14 20:24:52 | 00,629,504 | ---- | M] ()
tvtsched.exe -> %CommonProgramFiles%\Lenovo\Scheduler\tvtsched.exe -> [2006/12/10 22:36:22 | 01,118,208 | ---- | M] (Lenovo Group Limited)
tvttcsd.exe -> %ProgramFiles%\Lenovo\Client Security Solution\tvttcsd.exe -> [2006/07/14 20:42:22 | 00,723,712 | ---- | M] (IBM)
winvnc4.exe -> %ProgramFiles%\RealVNC\VNC4\WinVNC4.exe -> [2006/05/12 18:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.)
wmpnetwk.exe -> %ProgramFiles%\Windows Media Player\WMPNetwk.exe -> [2006/10/18 23:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation)
 
[Win32 Services - Safe List]
(AcPrfMgrSvc) Ac Profile Manager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -> [2007/02/19 19:15:10 | 00,053,248 | ---- | M] ()
(AcSvc) Access Connections Main Service [Win32_Own | Auto | Running] -> %ProgramFiles%\ThinkPad\ConnectUtilities\AcSvc.exe -> [2007/02/19 19:15:14 | 00,172,032 | ---- | M] (Lenovo)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation)
(avg8wd) AVG8 WatchDog [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/02/05 09:28:57 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
(Brother XP spl Service) BrSplService [Win32_Own | Auto | Running] -> %SystemRoot%\system32\brsvc01a.exe -> [2001/11/23 00:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation)
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %SystemRoot%\system32\CTsvcCDA.exe -> [1999/12/12 13:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd)
(EvtEng) Intel(R) PROSet/Wireless Event Log [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> [2006/08/02 03:39:20 | 00,434,176 | ---- | M] (Intel Corporation)
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2008/02/04 23:40:02 | 00,138,168 | ---- | M] (Google)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation)
(IBMPMSVC) ThinkPad PM Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\ibmpmsvc.exe -> [2007/02/27 22:09:06 | 00,036,400 | ---- | M] (Lenovo)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> [2005/04/04 03:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation)
(IPSSVC) IPS Core Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\IPSSVC.EXE -> [2006/08/16 13:07:00 | 00,073,728 | ---- | M] (Lenovo Group Limited)
(Irmon) Infrared Monitor [Win32_Shared | Auto | Running] -> %SystemRoot%\System32\irmon.dll -> [2008/04/13 20:11:55 | 00,028,160 | ---- | M] (Microsoft Corporation)
(JavaQuickStarterService) Java Quick Starter [Win32_Own | Auto | Running] -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/03/17 12:31:58 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
(MDM) Machine Debug Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/20 02:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation)
(mstbsvc) MSN Toolbar Setup [Win32_Own | Auto | Running] -> %ProgramFiles%\MSN\Toolbar\3.0.0988.2\mstbsvc.exe -> [2008/12/04 12:29:28 | 00,100,184 | ---- | M] (Microsoft Corp.)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Microsoft Shared\Source Engine\OSE.EXE -> [2003/07/28 15:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation)
(PsaSrv) IBM PSA Access Driver Control [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\psasrv.exe -> [2007/05/11 20:56:02 | 00,023,552 | ---- | M] ()
(RegSrvc) Intel(R) PROSet/Wireless Registry Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> [2006/08/02 03:24:22 | 00,327,680 | ---- | M] (Intel Corporation)
(S24EventMonitor) Intel(R) PROSet/Wireless Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> [2006/08/02 03:31:22 | 00,937,984 | ---- | M] (Intel Corporation )
(SUService) System Update [Win32_Own | Auto | Running] -> %ProgramFiles%\lenovo\system update\suservice.exe -> [2007/02/12 05:35:42 | 00,013,312 | ---- | M] (Lenovo Group Limited)
(ThinkVantage Registry Monitor Service) ThinkVantage Registry Monitor Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Lenovo\tvt_reg_monitor_svc.exe -> [2006/07/14 20:24:52 | 00,629,504 | ---- | M] ()
(TPHDEXLGSVC) ThinkPad HDD APS Logging Service [Win32_Own | Auto | Running] -> %SystemRoot%\System32\TPHDEXLG.EXE -> [2005/06/20 15:15:00 | 00,077,824 | ---- | M] (Lenovo.)
(TpKmpSVC) IBM KCU Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\TpKmpSVC.exe -> [2005/06/07 00:26:22 | 00,032,768 | ---- | M] ()
(TSSCoreService) TSS Core Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lenovo\Client Security Solution\tvttcsd.exe -> [2006/07/14 20:42:22 | 00,723,712 | ---- | M] (IBM)
(TVT Backup Service) TVT Backup Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lenovo\Rescue and Recovery\rrservice.exe -> [2006/07/14 21:01:00 | 01,974,272 | ---- | M] (Lenovo Group Limited)
(TVT Scheduler) TVT Scheduler [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Lenovo\Scheduler\tvtsched.exe -> [2006/12/10 22:36:22 | 01,118,208 | ---- | M] (Lenovo Group Limited)
(tvtnetwk) tvtnetwk [Win32_Own | Auto | Running] -> %ProgramFiles%\Lenovo\Rescue and Recovery\ADM\IUService.exe -> [2006/07/14 18:52:48 | 00,045,056 | ---- | M] ()
(WinVNC4) VNC Server Version 4 [Win32_Own | Auto | Running] -> %ProgramFiles%\RealVNC\VNC4\WinVNC4.exe -> [2006/05/12 18:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.)
(WMPNetworkSvc) Windows Media Player Network Sharing Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Windows Media Player\WMPNetwk.exe -> [2006/10/18 23:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation)
 
[Driver Services - Safe List]
(ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ac97intc.sys -> [2001/08/17 08:20:04 | 00,096,256 | ---- | M] (Intel Corporation)
(ADIHdAudAddService) ADI UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ADIHdAud.sys -> [2006/01/30 22:19:34 | 00,176,128 | ---- | M] (Analog Devices, Inc.)
(AEAudioService) AEAudio Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\AEAudio.sys -> [2006/04/26 17:42:40 | 00,093,824 | ---- | M] (Andrea Electronics Corporation)
(AegisP) AEGIS Protocol (IEEE 802.1x) v3.5.3.0 [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\AegisP.sys -> [2007/05/11 20:38:10 | 00,021,419 | ---- | M] (Meetinghouse Data Communications)
(AliIde) AliIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\aliide.sys -> [2001/08/17 16:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.)
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\amdagp.sys -> [2008/04/13 14:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.)
(ANC) ANC [Kernel | System | Running] -> %SystemRoot%\System32\drivers\ANC.SYS -> [2005/11/08 12:27:20 | 00,011,520 | ---- | M] (IBM Corp.)
(asc) asc [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc.sys -> [2001/08/17 16:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.)
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc3550.sys -> [2001/08/17 16:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.)
(ASPI32) ASPI32 [Kernel | System | Running] -> %SystemRoot%\System32\drivers\ASPI32.SYS -> [1999/09/10 13:06:00 | 00,025,244 | ---- | M] (Adaptec)
(atmeltpm) atmeltpm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\atmeltpm.sys -> [2005/05/17 13:20:08 | 00,015,872 | ---- | M] (Atmel, Inc.)
(AvgLdx86) AVG AVI Loader Driver x86 [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgldx86.sys -> [2009/02/05 09:29:00 | 00,325,128 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgMfx86) AVG On-access Scanner Minifilter Driver x86 [File_System | System | Running] -> %SystemRoot%\System32\Drivers\avgmfx86.sys -> [2009/02/05 09:29:00 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.)
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\cmdide.sys -> [2001/08/17 16:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.)
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\dac2w2k.sys -> [2001/08/17 16:52:16 | 00,179,584 | ---- | M] (Mylex Corporation)
(DLABOIOM) DLABOIOM [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLABOIOM.SYS -> [2006/02/02 08:20:00 | 00,025,628 | ---- | M] (Sonic Solutions)
(DLACDBHM) DLACDBHM [File_System | System | Running] -> %SystemRoot%\System32\Drivers\DLACDBHM.SYS -> [2005/11/18 15:02:50 | 00,005,660 | ---- | M] (Sonic Solutions)
(DLADResN) DLADResN [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLADResN.SYS -> [2006/02/02 08:20:00 | 00,002,496 | ---- | M] (Sonic Solutions)
(DLAIFS_M) DLAIFS_M [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLAIFS_M.SYS -> [2006/02/02 08:20:00 | 00,086,652 | ---- | M] (Sonic Solutions)
(DLAOPIOM) DLAOPIOM [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLAOPIOM.SYS -> [2006/02/02 08:20:00 | 00,014,684 | ---- | M] (Sonic Solutions)
(DLAPoolM) DLAPoolM [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLAPoolM.SYS -> [2006/02/02 08:20:00 | 00,006,364 | ---- | M] (Sonic Solutions)
(DLARTL_N) DLARTL_N [File_System | System | Running] -> %SystemRoot%\System32\Drivers\DLARTL_N.SYS -> [2005/11/18 15:02:10 | 00,022,684 | ---- | M] (Sonic Solutions)
(DLAUDFAM) DLAUDFAM [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLAUDFAM.SYS -> [2006/02/02 08:20:00 | 00,094,332 | ---- | M] (Sonic Solutions)
(DLAUDF_M) DLAUDF_M [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLAUDF_M.SYS -> [2006/02/02 08:20:00 | 00,087,036 | ---- | M] (Sonic Solutions)
(DRVMCDB) DRVMCDB [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\DRVMCDB.SYS -> [2006/03/01 06:30:00 | 00,089,472 | ---- | M] (Sonic Solutions)
(DRVNDDM) DRVNDDM [File_System | Auto | Running] -> %SystemRoot%\System32\Drivers\DRVNDDM.SYS -> [2005/11/18 08:20:00 | 00,040,544 | ---- | M] (Sonic Solutions)
(E100B) Intel(R) PRO Adapter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\e100b325.sys -> [2001/08/17 08:12:10 | 00,117,760 | ---- | M] (Intel Corporation)
(e1express) Intel(R) PRO/1000 PCI Express Network Connection Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\e1e5132.sys -> [2006/04/20 02:06:50 | 00,181,760 | ---- | M] (Intel Corporation)
(EGATHDRV) IBM eGatherer [Kernel | Auto | Running] -> %SystemRoot%\SYSTEM32\EGATHDRV.SYS -> [2009/03/29 00:00:00 | 00,005,427 | ---- | M] (IBM Corporation)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HDAudBus.sys -> [2008/04/13 12:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\hsx_dpv.sys -> [2005/12/05 22:21:32 | 00,936,448 | ---- | M] (Conexant Systems, Inc.)
(HSXHWAZL) HSXHWAZL [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\hsxhwazl.sys -> [2005/12/05 22:20:48 | 00,192,512 | ---- | M] (Conexant Systems, Inc.)
(ialm) ialm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ialmnt5.sys -> [2006/07/25 02:44:04 | 01,170,300 | ---- | M] (Intel Corporation)
(iaStor) Intel AHCI Controller [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\iaStor.sys -> [2005/10/11 20:07:12 | 00,874,240 | ---- | M] (Intel Corporation)
(IBMPMDRV) IBMPMDRV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ibmpmdrv.sys -> [2007/02/27 22:08:32 | 00,021,040 | ---- | M] (Lenovo.)
(IBMTPCHK) IBMTPCHK [Kernel | System | Running] -> %SystemRoot%\system32\Drivers\IBMBLDID.sys -> [2006/01/13 03:33:22 | 00,006,016 | ---- | M] ()
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\mdmxsdk.sys -> [2005/10/05 02:57:08 | 00,012,544 | ---- | M] (Conexant)
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\mraid35x.sys -> [2001/08/17 16:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.)
(NETw3x32) Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\NETw3x32.sys -> [2006/09/27 05:36:24 | 01,709,696 | ---- | M] (Intel® Corporation)
(NSCIRDA) NSC Infrared Device Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\nscirda.sys -> [2008/04/13 14:54:36 | 00,028,672 | ---- | M] (National Semiconductor Corporation)
(nv) nv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\nv4_mini.sys -> [2004/08/03 18:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation)
(PalmUSBD) PalmUSBD [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\PalmUSBD.sys -> [2007/06/08 03:01:01 | 00,016,694 | ---- | M] (PalmSource, Inc.)
(pmem) pmem [Kernel | Auto | Running] -> %SystemRoot%\System32\drivers\pmemnt.sys -> [2007/05/11 20:55:09 | 00,007,012 | ---- | M] (Microsoft Corporation)
(PrivateDisk) PrivateDisk [Kernel | Auto | Running] -> %ProgramFiles%\Lenovo\SafeGuard PrivateDisk\PrivateDiskM.sys -> [2006/03/13 19:05:54 | 00,058,368 | R--- | M] (Utimaco Safeware AG)
(PROCDD) IPS Helper Driver [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\PROCDD.SYS -> [2006/08/16 13:07:00 | 00,005,120 | ---- | M] (Lenovo Group Limited)
(psadd) Lenovo Parties Service Access Device Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\psadd.sys -> [2006/09/13 01:42:18 | 00,028,224 | ---- | M] (Lenovo (United States) Inc.)
(PTDCBus) PANTECH PC Card Composite Device Driver (UDP) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\PTDCBus.sys -> [2007/04/01 06:45:22 | 00,027,520 | ---- | M] (DEVGURU Co,LTD.)
(PTDCMdm) PANTECH PC Card Drivers (UDP) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\PTDCMdm.sys -> [2007/04/01 06:45:26 | 00,041,728 | ---- | M] (DEVGURU Co,LTD.)
(PTDCVsp) PANTECH PC Card Diagnostic Serial Port (UDP) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\PTDCVsp.sys -> [2007/04/01 06:45:30 | 00,039,808 | ---- | M] (DEVGURU Co,LTD.)
(PTDCWWAN) PANTECH PC Card WWAN Controller device driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\PTDCWWAN.sys -> [2007/04/30 20:30:14 | 00,058,240 | ---- | M] (DEVGURU Co,LTD.)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> [2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\PxHelp20.sys -> [2006/10/18 04:00:00 | 00,036,624 | ---- | M] (Sonic Solutions)
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1080.sys -> [2001/08/17 16:52:20 | 00,040,320 | ---- | M] (QLogic Corporation)
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql12160.sys -> [2001/08/17 16:52:20 | 00,045,312 | ---- | M] (QLogic Corporation)
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1280.sys -> [2001/08/17 16:52:18 | 00,049,024 | ---- | M] (QLogic Corporation)
(s24trans) WLAN Transport [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\s24trans.sys -> [2006/08/02 04:27:48 | 00,012,544 | ---- | M] (Intel Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(ShockMgr) ShockMgr [Kernel | System | Running] -> %SystemRoot%\System32\drivers\ShockMgr.sys -> [2005/06/20 15:18:00 | 00,004,736 | ---- | M] (Lenovo.)
(Shockprf) Shockprf [Kernel | Boot | Running] -> %SystemRoot%\System32\drivers\shockprf.sys -> [2006/03/15 20:08:00 | 00,088,576 | ---- | M] (Lenovo)
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sisagp.sys -> [2008/04/13 14:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation)
(Smapint) Smapint [Kernel | System | Running] -> %SystemRoot%\System32\drivers\Smapint.sys -> [2006/08/02 12:54:00 | 00,014,848 | ---- | M] (Microsoft Corporation)
(smi2) smi2 [Kernel | Auto | Running] -> %ProgramFiles%\SMI2\smi2.sys -> [2006/07/14 18:55:12 | 00,003,968 | ---- | M] (IBM Corp.)
(smihlp) SMI helper driver [Kernel | Auto | Running] -> %ProgramFiles%\ThinkVantage Fingerprint Software\smihlp.sys -> [2006/04/25 22:00:00 | 00,003,456 | ---- | M] (UPEK Inc.)
(SMNDIS5) SMNDIS5 NDIS Protocol Driver [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Verizon Wireless\VZAccess Manager\SMNDIS5.sys -> [2002/11/26 14:54:58 | 00,016,936 | ---- | M] (Smith Micro Software, Inc.)
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sparrow.sys -> [2001/08/17 17:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.)
(symc810) symc810 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc810.sys -> [2001/08/17 17:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.)
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc8xx.sys -> [2001/08/17 17:07:36 | 00,032,640 | ---- | M] (LSI Logic)
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_hi.sys -> [2001/08/17 17:07:40 | 00,028,384 | ---- | M] (LSI Logic)
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_u3.sys -> [2001/08/17 17:07:42 | 00,030,688 | ---- | M] (LSI Logic)
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\SynTP.sys -> [2006/02/14 01:04:58 | 00,177,664 | ---- | M] (Synaptics, Inc.)
(TcUsb) TC USB Kernel Driver [Kernel | On_Demand | Running] -> %SystemRoot%\System32\Drivers\tcusb.sys -> [2006/04/25 22:13:20 | 00,028,800 | ---- | M] (UPEK Inc.)
(TDSMAPI) TDSMAPI [Kernel | System | Running] -> %SystemRoot%\System32\drivers\TDSMAPI.SYS -> [2006/08/02 12:54:00 | 00,009,343 | ---- | M] ()
(tpflhlp) tpflhlp [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Lenovo\System Update\session\79uj20us\tpflhlp.sys -> [2007/04/23 20:10:44 | 00,013,616 | ---- | M] (Lenovo Group Limited)
(TPHKDRV) TPHKDRV [Kernel | System | Running] -> %SystemRoot%\System32\drivers\TPHKDRV.sys -> [2005/07/05 01:57:06 | 00,017,699 | ---- | M] (IBM Corporation)
(TPPWRIF) TPPWRIF [Kernel | System | Running] -> %SystemRoot%\System32\drivers\Tppwrif.sys -> [2006/05/25 12:13:00 | 00,004,442 | ---- | M] ()
(TSMAPIP) TSMAPIP [Kernel | System | Running] -> %SystemRoot%\System32\drivers\TSMAPIP.SYS -> [2006/07/20 13:54:00 | 00,007,168 | ---- | M] ()
(tvtfilter) tvtfilter [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\tvtfilter.sys -> [2006/07/14 20:27:22 | 00,012,544 | ---- | M] (Lenovo)
(TVTPktFilter) TVT Packet Filter Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\tvtpktfilter.sys -> [2006/07/14 20:03:04 | 00,017,664 | ---- | M] (Lenovo Group Limited)
(ultra) ultra [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ultra.sys -> [2001/08/17 16:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.)
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\hsx_cnxt.sys -> [2005/12/05 22:20:42 | 00,670,208 | ---- | M] (Conexant Systems, Inc.)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> Reg Error: Invalid data type. ->
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> about:blank ->
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\extensions ->  ->
HKLM\software\mozilla\Firefox\extensions\\[email protected] -> %ProgramFiles%\JAVA\JRE6\LIB\DEPLOY\JQS\FF [C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF] -> [2009/03/17 12:31:59 | 00,000,000 | ---D | M]
< FireFox Extensions [User Folders] > ->
< HOSTS File > (734 bytes and 19 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
Reset Hosts
127.0.0.1      localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/01/12 23:38:22 | 00,063,128 | ---- | M] (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search] -> [2009/02/05 09:28:58 | 01,078,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
{5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> %SystemRoot%\System32\DLA\DLASHX_W.DLL [DriveLetterAccess] -> [2006/02/02 08:20:00 | 00,110,652 | ---- | M] (Sonic Solutions)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre6\bin\ssv.dll [Java(tm) Plug-In SSV Helper] -> [2009/03/17 12:31:59 | 00,320,920 | ---- | M] (Sun Microsystems, Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> %ProgramFiles%\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2009/03/17 12:31:58 | 00,034,816 | ---- | M] (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} [HKLM] -> %ProgramFiles%\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [JQSIEStartDetectorImpl Class] -> [2009/03/17 12:31:59 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.)
{F040E541-A427-4CF7-85D8-75E3E0F476C5} [HKLM] -> %ProgramFiles%\Lenovo\Client Security Solution\tvtpwm_ie_com.dll [CPwmIEBrowserHelper Object] -> [2006/07/14 21:20:42 | 00,719,616 | ---- | M] (Lenovo Group Limited)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"ACTray" -> %ProgramFiles%\ThinkPad\ConnectUtilities\ACTray.exe [C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe] -> [2007/02/19 19:10:46 | 00,409,600 | ---- | M] ()
"ACWLIcon" -> %ProgramFiles%\ThinkPad\ConnectUtilities\ACWLIcon.exe [C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe] -> [2007/02/19 19:02:32 | 00,110,592 | ---- | M] ()
"AVG8_TRAY" -> %ProgramFiles%\AVG\AVG8\avgtray.exe [C:\PROGRA~1\AVG\AVG8\avgtray.exe] -> [2009/02/05 09:28:55 | 01,601,304 | ---- | M] (AVG Technologies CZ, s.r.o.)
"AwaySch" -> %ProgramFiles%\Lenovo\AwayTask\AwaySch.EXE [C:\Program Files\Lenovo\AwayTask\AwaySch.EXE] -> [2006/08/16 13:07:00 | 00,069,632 | ---- | M] (Lenovo Group Limited)
"BLOG" -> %ProgramFiles%\ThinkPad\Utilities\BATLOGEX.DLL [rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog] -> [2006/05/25 12:13:00 | 00,208,896 | ---- | M] ()
"cssauth" -> %ProgramFiles%\Lenovo\Client Security Solution\cssauth.exe ["C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent] -> [2006/07/14 21:13:14 | 02,341,632 | ---- | M] (Lenovo Group Limited)
"DLA" -> %SystemRoot%\System32\DLA\DLACTRLW.EXE [C:\WINDOWS\System32\DLA\DLACTRLW.EXE] -> [2006/02/02 08:20:00 | 00,122,940 | ---- | M] (Sonic Solutions)
"EZEJMNAP" -> %ProgramFiles%\ThinkPad\Utilities\EZEJMNAP.EXE [C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe] -> [2006/02/23 13:22:00 | 00,237,568 | ---- | M] (Lenovo Group Limited)
"HP Component Manager" -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe ["C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"] -> [2003/10/23 22:51:18 | 00,233,472 | ---- | M] (Hewlett-Packard Company)
"HP Software Update" -> %ProgramFiles%\Hewlett-Packard\HP Software Update\HPWuSchd.exe ["C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"] -> [2003/06/25 14:24:48 | 00,049,152 | ---- | M] (Hewlett-Packard)
"HPDJ Taskbar Utility" -> %SystemRoot%\system32\spool\drivers\w32x86\3\hpztsb09.exe [C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe] -> [2005/07/22 22:40:43 | 00,176,128 | ---- | M] (HP)
"igfxhkcmd" -> %SystemRoot%\system32\hkcmd.exe [C:\WINDOWS\system32\hkcmd.exe] -> [2006/07/25 02:17:54 | 00,077,824 | ---- | M] (Intel Corporation)
"igfxpers" -> %SystemRoot%\system32\igfxpers.exe [C:\WINDOWS\system32\igfxpers.exe] -> [2006/07/25 02:21:50 | 00,118,784 | ---- | M] (Intel Corporation)
"igfxtray" -> %SystemRoot%\system32\igfxtray.exe [C:\WINDOWS\system32\igfxtray.exe] -> [2006/07/25 02:21:08 | 00,094,208 | ---- | M] (Intel Corporation)
"ISUSPM Startup" -> %SystemDrive%\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup] -> File not found
"ISUSScheduler" -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start] -> File not found
"LPManager" -> %ProgramFiles%\ThinkVantage\PrdCtr\LPMGR.EXE [C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe] -> [2006/07/04 12:11:00 | 00,110,592 | ---- | M] (Lenovo Group Limited)
"PDService.exe" -> %ProgramFiles%\Lenovo\SafeGuard PrivateDisk\pdservice.exe ["C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"] -> [2006/03/13 19:38:56 | 00,041,472 | R--- | M] (Utimaco Safeware AG)
"PWRMGRTR" -> %ProgramFiles%\ThinkPad\Utilities\PWRMGRTR.DLL [rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor] -> [2006/05/25 12:13:00 | 00,151,552 | ---- | M] (Lenovo Group Limited)
"SoundMAX" -> %ProgramFiles%\Analog Devices\SoundMAX\Smax4.exe [C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray] -> [2005/05/06 18:06:12 | 00,716,800 | ---- | M] (Analog Devices, Inc.)
"SoundMAXPnP" -> %ProgramFiles%\Analog Devices\Core\smax4pnp.exe [C:\Program Files\Analog Devices\Core\smax4pnp.exe] -> [2005/05/19 20:11:06 | 00,925,696 | ---- | M] (Analog Devices, Inc.)
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre6\bin\jusched.exe ["C:\Program Files\Java\jre6\bin\jusched.exe"] -> [2009/03/17 12:31:58 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.)
"SynTPEnh" -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [C:\Program Files\Synaptics\SynTP\SynTPEnh.exe] -> [2006/02/14 01:16:28 | 00,512,000 | ---- | M] (Synaptics, Inc.)
"SynTPLpr" -> %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe [C:\Program Files\Synaptics\SynTP\SynTPLpr.exe] -> [2006/02/14 01:17:28 | 00,110,592 | ---- | M] (Synaptics, Inc.)
"TP4EX" -> %SystemRoot%\system32\tp4ex.exe [tp4ex.exe] -> [2005/10/17 04:11:00 | 00,065,536 | ---- | M] (Lenovo Group Limited)
"TPHOTKEY" -> %ProgramFiles%\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe [C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe] -> [2006/07/24 21:19:40 | 00,094,208 | ---- | M] ()
"TPKMAPHELPER" -> %ProgramFiles%\ThinkPad\Utilities\TpKmapAp.exe [C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper] -> [2006/06/03 01:00:18 | 00,856,064 | ---- | M] (Lenovo)
"TpShocks" -> %SystemRoot%\system32\TpShocks.exe [TpShocks.exe] -> [2006/03/15 22:04:48 | 00,106,496 | ---- | M] (Lenovo, Ltd. and IBM Corporation.)
"TVT Scheduler Proxy" -> %CommonProgramFiles%\Lenovo\Scheduler\scheduler_proxy.exe [C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe] -> [2006/12/10 22:36:32 | 00,536,576 | ---- | M] (Lenovo Group Limited)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk -> %ProgramFiles%\Palm\Hotsync.exe -> [2004/06/09 17:27:34 | 00,471,040 | ---- | M] (PalmSource, Inc)
< jim.dalessandro Startup Folder > -> C:\Documents and Settings\jim.dalessandro\Start Menu\Programs\Startup ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"NoCDBurning" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" ->  [0] -> File not found
\\"legalnoticecaption" ->  [] -> File not found
\\"legalnoticetext" ->  [] -> File not found
\\"shutdownwithoutlogon" ->  [1] -> File not found
\\"undockwithoutlogon" ->  [1] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"disableregistrytools" ->  [0] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2007/04/06 16:12:52 | 10,289,496 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{0045D4BC-5189-4b67-969C-83BB1906C421}:{0FE81B52-73FA-425F-8F06-3F32451AC73F} [HKLM] -> %ProgramFiles%\Lenovo\Client Security Solution\tvtpwm_ie_com.dll [Menu: ThinkVantage Password Manager...] -> [2006/07/14 21:20:42 | 00,719,616 | ---- | M] (Lenovo Group Limited)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Button: Research] -> [2003/07/15 01:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5}:Exec [HKLM] -> %ProgramFiles%\Lenovo\PkgMgr\PkgMgr.exe [Button: Software Installer] -> [2006/11/13 18:18:56 | 01,668,720 | ---- | M] (Lenovo Group Limited)
{DA320635-F48C-4613-8325-D75A933C549E}:Exec [HKLM] -> %ProgramFiles%\Lenovo\System Update\sulauncher.exe [Button: System Update] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} [HKLM] -> http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab [Office Genuine Advantage Validation Tool] ->
{17492023-C23A-453E-A040-C7C580BBF700} [HKLM] -> http://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab [Windows Genuine Advantage Validation Tool] ->
{74FFE28D-2378-11D5-990C-006094235084} [HKLM] -> http://www-307.ibm.com/pc/support/IbmEgath.cab [IBM Access Support] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab [Reg Error: Key error.] ->
{AB86CE53-AC9F-449F-9399-D8ABCA09EC09} [HKLM] -> https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx [Get_ActiveX Control] ->
{C7DB51B4-BCF7-4923-8874-7F1A0DC92277} [HKLM] -> http://office.microsoft.com/officeupdate/content/opuc4.cab [Office Update Installation Engine] ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Java Plug-in 1.5.0_06] ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab [Java Plug-in 1.6.0_01] ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab [Java Plug-in 1.6.0_03] ->
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Java Plug-in 1.6.0_05] ->
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] ->
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{1EDEE81F-F354-433F-BCE1-25B8B9934CAA} ->   (Intel(R) PRO/Wireless 3945ABG Network Connection) ->
{54512FA9-3FF7-4E91-A388-25E83A1A31C8} ->   (Intel(R) PRO/1000 PL Network Connection) ->
{E359824B-5D88-4958-8D69-48ED5D7A6E75} ->   () ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\Explorer.exe -> [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
*GinaDLL* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\GinaDLL ->
vrlogon.dll -> %SystemRoot%\system32\vrlogon.dll -> [2006/04/25 22:21:28 | 00,513,536 | ---- | M] (UPEK Inc.)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
ACNotify -> %ProgramFiles%\ThinkPad\ConnectUtilities\ACNotify.dll -> [2007/02/19 19:03:20 | 00,032,768 | ---- | M] ()
avgrsstarter -> %SystemRoot%\system32\avgrsstx.dll -> [2009/02/05 09:29:00 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
AwayNotify -> %ProgramFiles%\Lenovo\AwayTask\AwayNotify.dll -> [2006/08/16 13:07:00 | 00,049,152 | ---- | M] (Lenovo Group Limited)
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> [2006/07/25 02:16:58 | 00,139,264 | ---- | M] (Intel Corporation)
NavLogon ->  -> File not found
psfus -> %SystemRoot%\system32\psqlpwd.dll -> [2006/04/25 22:20:38 | 00,040,448 | ---- | M] (UPEK Inc.)
tpfnf2 -> %SystemRoot%\system32\notifyf2.dll -> [2005/07/05 10:45:08 | 00,028,672 | ---- | M] ()
tphotkey -> %SystemRoot%\system32\tphklock.dll -> [2005/11/30 07:16:02 | 00,024,576 | ---- | M] ()
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\AVG\AVG8\avgupd.exe" -> C:\Program Files\AVG\AVG8\avgupd.exe [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe] -> [2009/02/03 10:34:56 | 01,032,984 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe" -> C:\Program Files\Grisoft\AVG7\avgamsvr.exe [C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe] -> File not found
"C:\Program Files\Grisoft\AVG7\avgcc.exe" -> C:\Program Files\Grisoft\AVG7\avgcc.exe [C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe] -> File not found
"C:\Program Files\Grisoft\AVG7\avginet.exe" -> C:\Program Files\Grisoft\AVG7\avginet.exe [C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe] -> File not found
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" -> C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe [C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox] -> File not found
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
"AlternateShell" -> cmd.exe ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2008/04/13 14:40:46 | 00,062,976 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > ->  ->
C:\AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [2006/04/30 03:13:35 | 00,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
 
 
[Files/Folders - Created Within 30 Days]
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/03/29 12:48:08 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/03/29 12:45:12 | 00,663,992 | ---- | C] ()
DaonolFix.exe -> %UserProfile%\Desktop\DaonolFix.exe -> [2009/03/29 12:07:06 | 00,091,136 | ---- | C] ()
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/03/29 11:51:56 | 52,683,1616 | -HS- | C] ()
32788R22FWJFW -> %SystemDrive%\32788R22FWJFW -> [2009/03/29 11:49:01 | 00,000,000 | ---D | C]
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/03/28 16:16:31 | 02,936,496 | ---- | C] ()
Malwarebytes -> %AppData%\Malwarebytes -> [2009/03/28 08:11:16 | 00,000,000 | ---D | C]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/03/28 08:11:10 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Mal

Title: hijacked when using google
Post by: guestolo on March 29, 2009, 12:37:16 PM

Can you do me a favor
Look for the following file on your computer

Let me know what folder it's found in, if you find it
ajlrcmg.beq

You may have to Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

It may be in one of the following folders
C:\WINDOWS\system32 folder
or C:\WINDOWS\system32\drivers folder

Do a Search for it and let me know if it shows up

Title: hijacked when using google
Post by: jjccp on March 29, 2009, 06:07:15 PM

ajlrcmg.beq was found in C:\WINDOWS

Title: hijacked when using google
Post by: guestolo on March 29, 2009, 06:17:57 PM

Can you do the following for me please
go to this link
http://www.virustotal.com/flash/index_en.html (http://\"http://www.virustotal.com/flash/index_en.html\")
Browse to the file

c:\windows\ajlrcmg.beq
Then use the SEND FILE button
Let it finish scanning
Could you post back the results this scan back here please
Or better yet, just link to the results page

Title: hijacked when using google
Post by: jjccp on March 29, 2009, 07:19:50 PM

Here you go:

http://www.virustotal.com/analisis/e8a3728...63ce2f6dcd353a4 (http://\"http://www.virustotal.com/analisis/e8a37282fcd6cfccf63ce2f6dcd353a4\")

or

File ajlrcmg.beq received on 03.30.2009 02:15:43 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/39 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
 Compact Print results  
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
 Email:  
 

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.30 -
AhnLab-V3 5.0.0.2 2009.03.29 -
AntiVir 7.9.0.129 2009.03.29 -
Antiy-AVL 2.0.3.1 2009.03.29 -
Authentium 5.1.2.4 2009.03.29 -
Avast 4.8.1335.0 2009.03.29 -
AVG 8.5.0.285 2009.03.29 -
BitDefender 7.2 2009.03.30 -
CAT-QuickHeal 10.00 2009.03.28 -
ClamAV 0.94.1 2009.03.29 -
Comodo 1089 2009.03.29 -
DrWeb 4.44.0.09170 2009.03.30 -
eSafe 7.0.17.0 2009.03.27 -
eTrust-Vet 31.6.6421 2009.03.27 -
F-Prot 4.4.4.56 2009.03.29 -
F-Secure 8.0.14470.0 2009.03.29 -
Fortinet 3.117.0.0 2009.03.29 -
GData 19 2009.03.30 -
Ikarus T3.1.1.48.0 2009.03.30 -
K7AntiVirus 7.10.684 2009.03.28 -
Kaspersky 7.0.0.125 2009.03.30 -
McAfee 5568 2009.03.29 -
McAfee+Artemis 5568 2009.03.29 -
McAfee-GW-Edition 6.7.6 2009.03.29 -
Microsoft 1.4502 2009.03.29 -
NOD32 3972 2009.03.28 -
Norman 6.00.06 2009.03.27 -
nProtect 2009.1.8.0 2009.03.29 -
Panda 10.0.0.10 2009.03.29 -
PCTools 4.4.2.0 2009.03.29 -
Prevx1 V2 2009.03.30 -
Rising 21.22.62.00 2009.03.29 -
Sophos 4.40.0 2009.03.30 -
Sunbelt 3.2.1858.2 2009.03.29 -
Symantec 1.4.4.12 2009.03.30 -
TheHacker 6.3.3.9.296 2009.03.30 -
TrendMicro 8.700.0.1004 2009.03.28 -
VBA32 3.12.10.1 2009.03.29 -
ViRobot 2009.3.27.1666 2009.03.27 -
Additional information
File size: 406 bytes
MD5...: 82e8f338b3c9d8ab1787d7f2abca5ccd
SHA1..: 5f197c9ea29f86307a2b3cf7683729cc0885b244
SHA256: bd92ef621c4975b87975b564d30432a73485937c0100de12c7e23504e3be4242
SHA512: 57da44624fd7793942561171755ed61ad378a188bce62ae8e1bd7db9c8b3118b
7f79a4ee03c40c8c7bfac7906cbccbb9d7993ea448dbca1f02060936c35f275f
ssdeep: 12:9+o+GJ8ieAkqCu3xml75v1DYM0x3SMoPJ1y:kGJ8ieAkqClv1DiPYM
 
PEiD..: -
TrID..: File type identification
PrintFox (C64) bitmap (100.0%)
PEInfo: -
RDS...: NSRL Reference Data Set

Title: hijacked when using google
Post by: guestolo on March 29, 2009, 07:34:46 PM

Well, let's just move the file to a safe place for now
Can you do the following
Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Kill Explorer]
[Custom Items]
:files
c:\windows\ajlrcmg.beq
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux2"="wdmaud.drv"
:end
[Empty Temp Folders]
[Start Explorer]
[Reboot]
The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time

I'll need to see that log in a bit, a copy of it can also be found in the OTScanit2 folder on desktop

Can you next do the following:
Ensure your AntiVirus software is disable
Delete your Copy of ComboFix

Redownload a fresh copy from one of the links
[color=\"#0000FF\"]Link 1[/color] (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 2[/color] (http://\"http://www.forospyware.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 3[/color] (http://\"http://subs.geekstogo.com/ComboFix.exe\")
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

Don't try and run it yet
Instead, go to START>>RUN>>copy/paste the next command below in RED to the open field
Then click OK

[color=\"#FF0000\"]“%userprofile%\desktop\ComboFix.exe” /KillAll[/color]

Let's see if ComboFix will now run, if it will, follow the instructions earlier to run it properly
Post back all the following

1. Post the log from OTScanit2
2. Post the log from Combofix >>C:\ComboFix.txt

Title: hijacked when using google
Post by: jjccp on March 30, 2009, 10:29:52 AM

Pasting the code into OTScanIt2 went ok and that log is posted below

Deleted and redownloaded a fresh copy of ComboFix. When I pasted the command in RED into Start>>Run, I received the followint error message:

“C:\Documents

Windows Cannot find “C:\Documents’. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

I've typed the error message exactly. I'm seeing the odd quotation marks and wondering if that's a problem.

Here's the OTScanIt2 log:

Process Explorer.EXE killed successfully!
[Custom Items]
========== FILES ==========
c:\windows\ajlrcmg.beq moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\\"aux2"|"wdmaud.drv" /E : value set successfully!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3a4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.9.1 fix logfile created on 03302009_111004

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_3a4.dat not found!

Registry entries deleted on Reboot...

Title: hijacked when using google
Post by: guestolo on March 30, 2009, 09:14:48 PM

Can you ensure me that you are saving ComboFix DIRECTLY on your desktop
It cannot be saved anywhere else but ONLY your desktop

Title: hijacked when using google
Post by: jjccp on March 30, 2009, 10:38:22 PM

Attached is a screen shot of a search for combofix on the c: drive

There is a copy on the desttop, a copy in the recycle bin, then 3 more referrences.

Hope that helps

Title: hijacked when using google
Post by: guestolo on March 30, 2009, 11:15:56 PM

Go to START>>RUN>..
type cmd

Hit OK
At the command prompt, copy/paste or type exactly

ipconfig /flushdns

Then hit OK
Notice the single space after ipconfig
Reboot the computer afterwards

Are you still getting redirected?

In addition, can you do the following
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

Also, can you let me know if your being redirected, if you still are, in both browsers
IE and Firefox?

Can you also do the following
Please download [color=\"#0000FF\"]GooredFix[/color] (http://\"http://jpshortstuff.247fixes.com/GooredFix.exe\") and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: [color=\"red\"]Do not run Option #2 yet[/color].

Title: hijacked when using google
Post by: jjccp on March 31, 2009, 01:47:10 PM

Today I'm not being redirected when I've tried.

FYI, I uninstalled AVG because I wasn't sure I had all of it's features turned off.

At some point do I need to change back the file settings you had me change regarding hidden files, etc.?

Here are the 2 logs you requested:

Access Help
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.8
Apple Software Update
AudibleManager
Client Security Solution
Compatibility Pack for the 2007 Office system
COWON iAUDIO 7 User's Guide
COWON Media Center - jetAudio Basic VX
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
Critical Update for Windows Media Player 11 (KB959772)
DeLorme Phone Data 2008
DeLorme Street Atlas USA 2008
DeLorme Street Atlas USA 2008 Plus
Google Earth
Help Center
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp deskjet 3600
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 6
Java(tm) 6 Update 11
Java(tm) 6 Update 3
Java(tm) 6 Update 5
Java(tm) 6 Update 7
Java(tm) SE Runtime Environment 6 Update 1
Malwarebytes' Anti-Malware
mCore
mDriver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mMHouse
mPfMgr
mProSafe
MSN Toolbar Setup
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
Palm
PANTECH PC Card Software
PC-Doctor 5 for Windows
PhotoRecord
Picasa 2
Productivity Center Supplement for ThinkPad
RecordNow Audio
RecordNow Copy
RecordNow Data
Remove Multimedia Center
Rescue and Recovery
Rescue and Recovery Critical Patch for Windows Update (KB917422)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Software Installer
Sonic DLA
Sonic Express Labeler
Sonic Icons for Lenovo
SoundMAX
System Migration Assistant
System Update
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Keyboard Customizer Utility
ThinkPad Modem
ThinkPad PC Card Power Policy
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad Presentation Director
ThinkPad UltraNav Driver
ThinkPad UltraNav Wizard
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Away Manager
ThinkVantage Productivity Center
ThinkVantage System Update Toolbar Button for IE
ThinkVantage Technologies Welcome Message
TrackPoint Accessibility Features
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VNC Free Edition 4.1.2
VZAccess Manager
Wallpapers
WebEx
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
XP Themes
XviD & MP3 Codec Pack (remove only)
XviD MPEG-4 Video Codec
ZENcast Organizer







GooredFix v1.92 by jpshortstuff
Log created at 14:42 on 31/03/2009 running Option #1 (jim.dalessandro)
Firefox version [Unable to determine]

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

Title: hijacked when using google
Post by: guestolo on March 31, 2009, 10:20:03 PM

Can you close down All browser windows
Then uninstall all Java versions and updates
This includes
J2SE Runtime Environment 5.0 Update 6
Javaâ„¢ 6 Update 11
Javaâ„¢ 6 Update 3
Javaâ„¢ 6 Update 5
Javaâ„¢ 6 Update 7
Javaâ„¢ SE Runtime Environment 6 Update 1

Reboot Only after the last once is uninstalled
Back in Windows

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
[color=\"blue\"]Updating Java:[/color]

• Download the latest version of  Java Runtime Environment (JRE) 6 (http://\"http://java.sun.com/javase/downloads/index.jsp\").
  
• Scroll down to where it says "JRE 6 Update 13".
  
• Click the "Download" button to the right.
  
• In the Window that opens, select Windows, beside PLATFORM:>>Check the "agree" box and click Continue.
  
• Click on the link to download Windows Offline Installation and save to your desktop.
  
• Then from your desktop double-click on jre-6u13-windows-i586-p.exe that you downloaded to install the newest version.
  

In addition, your version of Adobe Reader is outdated
Open Adobe Reader, click on HELP>>Check for Updates, ensure to update to the latest available version to help plug security holes

Post back a fresh Hijackthis log afterwards and keep me informed how things are running

Title: hijacked when using google
Post by: jjccp on April 01, 2009, 12:05:01 PM

Update on Java is done.
Update on Adobe Reader is done.

I'm not being redirected today.

Perhaps you missed my question:
At some point do I need to change back the file settings you had me change regarding hidden files, etc.?
New questions:
Should I reinstall AVG or do you suggest something else?
My computer still seems slow (I'm sure everyone says that). Anything else I can do?

Thanks.

Here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:23 PM, on 4/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.realliving.com/ (http://\"http://my.realliving.com/\")
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab (http://\"http://www-307.ibm.com/pc/support/IbmEgath.cab\")
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx (http://\"https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx\")
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11164 bytes

Title: hijacked when using google
Post by: guestolo on April 02, 2009, 07:06:29 AM

Can you do the following
Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Go back to Add and Remove programs and remove the following if still listed
J2SE Runtime Environment 5.0 Update 6

Actually, if you see any of those older versions of Java I asked you to remove earlier
Uninstall them
download [color=\"#FF0000\"]JavaRa[/color] (http://\"http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn\") and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

    * Double-click on JavaRa.exe to start the program.
    * From the drop-down menu, choose English and click on Select.
    * JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    * Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    * A logfile will pop up. Please save it to a convenient location.


Reset Windows to Hide hidden files and folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Do Not Show hidden files and folders.
    * Check the Hide protected operating system files (recommended) option.
    * Click OK.

I've been recommending Avast or Avira for AV
Since you only want one installed
Try the following
Go here and download your Free version of Avira AntiVir
http://www.download.com/Avira-AntiVir-Pers...cdlpid=10322935 (http://\"http://www.download.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlpid=10322935\")
Save the installer to desktop

Install Avira AntiVir from desktop
Ensure that you have it check for Updates
The first time it updates may take awhile, but allow it time

NOTE: Avira will display a single big Ad on your computer
Don't be alarmed, just click OK at the bottom of the Ad to close it

A scan of your System should then start
If a scan does not start after updating, double click on the Avira icon by the clock (the red/white umbrella)
and select "Scan system now"

Quarantine or delete everything it finds
When the scan is finished
Reboot the computer

Back in Windows
Can you post all the following back please

 Please post the log from Avira
Open Avira again (Double click on the red Umbrella icon by the clock)
Click on REPORTS under Overview
Double click on the Scan report you just made
Then click on "Report File"

Post that report back here with a fresh Hijackthis log
In addition, include the log from JavaRA
Keep me informed how things are running

Title: hijacked when using google
Post by: jjccp on April 03, 2009, 10:38:51 AM

The last set of instructions went perfect.

Here are the logs requested:



Avira AntiVir Personal
Report file date: Friday, April 03, 2009  06:58

Scanning for 1337662 virus strains and unwanted programs.

Licensee        : Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform        : Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode       : Normally booted
Username        : SYSTEM
Computer name   : JIMDALESANDRO

Version information:
BUILD.DAT       : 9.0.0.387     17962 Bytes   3/24/2009 11:04:00
AVSCAN.EXE      : 9.0.3.3      464641 Bytes   2/24/2009 16:13:26
AVSCAN.DLL      : 9.0.3.0       40705 Bytes   2/27/2009 14:58:24
LUKE.DLL        : 9.0.3.2      209665 Bytes   2/20/2009 15:35:49
LUKERES.DLL     : 9.0.2.0       12033 Bytes   2/27/2009 14:58:52
ANTIVIR0.VDF    : 7.1.0.0    15603712 Bytes  10/27/2008 16:30:36
ANTIVIR1.VDF    : 7.1.2.12    3336192 Bytes   2/11/2009 00:33:26
ANTIVIR2.VDF    : 7.1.3.0     1330176 Bytes    4/1/2009 03:52:25
ANTIVIR3.VDF    : 7.1.3.7       34816 Bytes    4/2/2009 03:52:25
Engineversion   : 8.2.0.129
AEVDF.DLL       : 8.1.1.0      106868 Bytes   1/27/2009 21:36:42
AESCRIPT.DLL    : 8.1.1.70     369019 Bytes    4/3/2009 03:52:29
AESCN.DLL       : 8.1.1.8      127346 Bytes    4/3/2009 03:52:28
AERDL.DLL       : 8.1.1.3      438645 Bytes  10/29/2008 22:24:41
AEPACK.DLL      : 8.1.3.11     397687 Bytes    4/3/2009 03:52:28
AEOFFICE.DLL    : 8.1.0.36     196987 Bytes   2/27/2009 00:01:56
AEHEUR.DLL      : 8.1.0.111   1679736 Bytes    4/3/2009 03:52:27
AEHELP.DLL      : 8.1.2.2      119158 Bytes   2/27/2009 00:01:56
AEGEN.DLL       : 8.1.1.31     340341 Bytes    4/3/2009 03:52:25
AEEMU.DLL       : 8.1.0.9      393588 Bytes   10/9/2008 18:32:40
AECORE.DLL      : 8.1.6.6      176501 Bytes   2/17/2009 18:22:44
AEBB.DLL        : 8.1.0.3       53618 Bytes   10/9/2008 18:32:40
AVWINLL.DLL     : 9.0.0.3       18177 Bytes  12/12/2008 12:47:59
AVPREF.DLL      : 9.0.0.1       43777 Bytes   12/5/2008 14:32:15
AVREP.DLL       : 8.0.0.3      155905 Bytes   1/20/2009 18:34:28
AVREG.DLL       : 9.0.0.0       36609 Bytes   12/5/2008 14:32:09
AVARKT.DLL      : 9.0.0.1      292609 Bytes    2/9/2009 11:52:24
AVEVTLOG.DLL    : 9.0.0.7      167169 Bytes   1/30/2009 14:37:08
SQLITE3.DLL     : 3.6.1.0      326401 Bytes   1/28/2009 19:03:49
SMTPLIB.DLL     : 9.2.0.25      28417 Bytes    2/2/2009 12:21:33
NETNT.DLL       : 9.0.0.0       11521 Bytes   12/5/2008 14:32:10
RCIMAGE.DLL     : 9.0.0.21    2438401 Bytes    2/9/2009 15:45:45
RCTEXT.DLL      : 9.0.35.0      87297 Bytes   3/11/2009 19:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, April 03, 2009  06:58

Starting search for hidden objects.
'51690' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'WINWORD.EXE' - '1' Module(s) have been scanned
Scan process 'OUTLOOK.EXE' - '1' Module(s) have been scanned
Scan process 'Hotsync.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb09.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'cssauth.exe' - '1' Module(s) have been scanned
Scan process 'pdservice.exe' - '1' Module(s) have been scanned
Scan process 'ACWLIcon.exe' - '1' Module(s) have been scanned
Scan process 'ACTray.exe' - '1' Module(s) have been scanned
Scan process 'scheduler_proxy.exe' - '1' Module(s) have been scanned
Scan process 'AwaySch.EXE' - '1' Module(s) have been scanned
Scan process 'DLACTRLW.EXE' - '1' Module(s) have been scanned
Scan process 'LPMGR.EXE' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'TpScrex.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'TPONSCR.exe' - '1' Module(s) have been scanned
Scan process 'TPHKMGR.exe' - '1' Module(s) have been scanned
Scan process 'TpShocks.exe' - '1' Module(s) have been scanned
Scan process 'EZEJMNAP.EXE' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'SvcGuiHlpr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'logmon.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'AcSvc.exe' - '1' Module(s) have been scanned
Scan process 'winvnc4.exe' - '1' Module(s) have been scanned
Scan process 'IUService.exe' - '1' Module(s) have been scanned
Scan process 'tvtsched.exe' - '1' Module(s) have been scanned
Scan process 'rrservice.exe' - '1' Module(s) have been scanned
Scan process 'tvttcsd.exe' - '1' Module(s) have been scanned
Scan process 'TpKmpSvc.exe' - '1' Module(s) have been scanned
Scan process 'TPHDEXLG.exe' - '1' Module(s) have been scanned
Scan process 'tvt_reg_monitor_svc.exe' - '1' Module(s) have been scanned
Scan process 'SUService.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'mstbsvc.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'AcPrfMgrSvc.exe' - '1' Module(s) have been scanned
Scan process 'IPSSVC.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'BRSS01A.EXE' - '1' Module(s) have been scanned
Scan process 'BRSVC01A.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ibmpmsvc.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
74 processes with 74 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '89' files ).


Starting the file scan:

Begin scan in 'C:\' <Preload>
C:\hiberfil.sys
    [WARNING]   The file could not be opened!
    [NOTE]      This file is a Windows system file.
    [NOTE]      This file cannot be opened for scanning.
C:\pagefile.sys
    [WARNING]   The file could not be opened!
    [NOTE]      This file is a Windows system file.
    [NOTE]      This file cannot be opened for scanning.
C:\WINDOWS\ajlrcmg.beq
    [DETECTION] Is the TR/Spy.Agent.frt Trojan

Beginning disinfection:
C:\WINDOWS\ajlrcmg.beq
    [DETECTION] Is the TR/Spy.Agent.frt Trojan
    [NOTE]      The file was moved to '4a41f633.qua'!


End of the scan: Friday, April 03, 2009  07:40
Used time: 40:20 Minute(s)

The scan has been done completely.

   6951 Scanned directories
 334553 Files were scanned
      1 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 files were deleted
      0 Viruses and unwanted programs were repaired
      1 Files were moved to quarantine
      0 Files were renamed
      2 Files cannot be scanned
 334550 Files not concerned
   8113 Archives were scanned
      2 Warnings
      3 Notes
  51690 Objects were scanned with rootkit scan
      0 Hidden objects were found



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:04 AM, on 4/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.realliving.com/ (http://\"http://my.realliving.com/\")
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab (http://\"http://www-307.ibm.com/pc/support/IbmEgath.cab\")
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx (http://\"https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx\")
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11924 bytes




JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Apr 02 23:39:15 2009

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.

Title: hijacked when using google
Post by: jjccp on April 05, 2009, 04:46:18 PM

Today upon reboot, received an error message that the program CiceroUIWndFrame was not responding. I didn't get the extension quick enough. I've noticed that error a couple other times recently, but didn't think it was a problem. When searching for that file name, nothing is found.

At the same reboot all the icons on my desktop rearranged.

Not getting redirected on google today.

Thanks

Title: hijacked when using google
Post by: guestolo on April 05, 2009, 05:01:23 PM

Quote

Today upon reboot, received an error message that the program CiceroUIWndFrame was not responding. I didn't get the extension quick enough. I've noticed that error a couple other times recently, but didn't think it was a problem. When searching for that file name, nothing is found.

Please take a look at the following link
http://www.onlinecomputertips.com/troubles...UIWndFrame.html (http://\"http://www.onlinecomputertips.com/troubleshooting/CiceroUIWndFrame.html\")

Let me know how that works for you

Title: hijacked when using google
Post by: jjccp on April 06, 2009, 10:06:20 AM

I did the fix for CiceroUIWndFrame.

I still see some weirdness. For example when I did the above fix, while going to Settings, Control Panel, when the window appeared all the icons for Control Panel were generic, then slowly changed to normal individual icons. Does that along with the Desktop icon weirdness tell you anything?

Not being redirected anymore. Other than the above issue, am I good to go?

Title: hijacked when using google
Post by: guestolo on April 07, 2009, 10:53:12 AM

I want to try one more time with ComboFix, please delete any copy you have right now
Then do the following

Download ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color] (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\")
[color=\"#0000FF\"]Link 2[/color] (http://\"http://subs.geekstogo.com/ComboFix.exe\")

• If you are using Firefox, make sure that your download settings are as follows:
• Tools->Options->Main tab
• Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  

(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif)
(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif)

* It is important you rename Combofix during the download, but not after.
    * Please do not rename Combofix to other names, but only to the one indicated.

      --------------------------------------------------------------------
[color=\"#2E8B57\"]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with some tools[/color]
Ensure to Right click on the Avira icon by the clock and Disable the Guard

• Double click on Combo-Fix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]
(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combo-Fix.txt in your next reply

Title: hijacked when using google
Post by: jjccp on April 07, 2009, 05:25:08 PM

I was able to install and run Conbo-Fix. Here's the log:

ComboFix 09-04-04.01 - jim.dalessandro 2009-04-07 18:12:14.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.130 [GMT -4:00]
Running from: c:\documents and settings\jim.dalessandro\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jim.dalessandro\Local Settings\Temporary Internet Files\index.dat

.
(((((((((((((((((((((((((   Files Created from 2009-03-07 to 2009-04-07  )))))))))))))))))))))))))))))))
.

2009-04-05 19:32 . 2009-04-05 19:32   <DIR>   d--------   c:\program files\Common Files\Adobe AIR
2009-04-05 19:30 . 2009-04-05 19:31   <DIR>   d--------   c:\program files\Common Files\Adobe
2009-04-05 19:14 . 2009-04-05 19:14   <DIR>   d--------   c:\program files\NOS
2009-04-05 19:14 . 2009-04-05 19:18   <DIR>   d--------   c:\documents and settings\All Users\Application Data\NOS
2009-04-02 23:46 . 2009-04-02 23:46   <DIR>   d--------   c:\program files\Avira
2009-04-02 23:46 . 2009-04-02 23:46   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
2009-04-02 23:46 . 2009-02-13 11:31   55,640   --a------   c:\windows\system32\drivers\avgntflt.sys
2009-04-02 10:39 . 2009-04-02 10:39   <DIR>   d--------   c:\documents and settings\jim.dalessandro\TOSHIBA
2009-04-02 10:37 . 2008-01-25 04:55   303,104   -ra------   c:\windows\system32\eST3snm.dll
2009-04-01 12:49 . 2009-04-01 12:49   73,728   --a------   c:\windows\system32\javacpl.cpl
2009-03-31 20:29 . 2009-03-31 20:29   <DIR>   d--------   c:\program files\Citrix
2009-03-30 11:10 . 2009-03-30 11:10   <DIR>   d--------   C:\_OTScanIt
2009-03-28 08:11 . 2009-03-28 08:11   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-03-28 08:11 . 2009-03-28 08:11   <DIR>   d--------   c:\documents and settings\jim.dalessandro\Application Data\Malwarebytes
2009-03-28 08:11 . 2009-03-28 08:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-28 08:11 . 2009-03-26 16:49   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-28 08:11 . 2009-03-26 16:49   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-03-27 18:43 . 2009-03-27 18:43   <DIR>   d--------   c:\program files\Trend Micro
2009-03-17 12:32 . 2009-04-01 12:49   410,984   --a------   c:\windows\system32\deploytk.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 03:31   ---------   d-----w   c:\program files\Java
2009-04-01 16:53   ---------   d-----w   c:\documents and settings\jim.dalessandro\Application Data\AdobeUM
2009-03-31 03:55   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg8
2009-03-27 22:17   ---------   d-----w   c:\program files\PCDR5
2009-03-15 05:02   ---------   d-----w   c:\documents and settings\jim.dalessandro\Application Data\Move Networks
2008-03-02 22:50   630,784   ----a-w   c:\documents and settings\jim.dalessandro\GoToAssist_chat2way__317_en.exe
2007-05-12 00:41   32,768   --sh--w   c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2007-06-05 11:43   32,768   --sh--w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007060520070606\index.dat
2008-09-09 19:16   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090920080910\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-24 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-25 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-25 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-25 118784]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-04 110592]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 69632]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-10 536576]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-02-19 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-02-19 110592]
"PDService.exe"="c:\program files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-13 41472]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-14 2341632]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-22 176128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TpShocks"="TpShocks.exe" [2006-03-15 c:\windows\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 13:07 49152 c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-02-19 19:03 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-25 22:20 40448 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 10:45 28672 c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 07:16 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli psqlpwd ACGina

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2007-05-11 88576]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-05-11 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-05-11 6016]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2007-05-11 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2007-05-11 4442]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-02 108289]
R2 mstbsvc;MSN Toolbar Setup;c:\program files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe [2008-12-04 100184]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [2006-03-13 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [2006-07-14 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2006-04-25 3456]
R3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-09-05 58240]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-04-05 33176]
S3 tpflhlp;tpflhlp;c:\program files\Lenovo\System Update\session\79uj20us\tpflhlp.sys [2007-04-23 13616]
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-05-25 12:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://my.realliving.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2009-04-07 18:18:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1656)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(1712)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\BRSS01A.EXE
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
.
**************************************************************************
.
Completion time: 2009-04-07 18:20:54 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-07 22:20:50

Pre-Run: 18,477,457,408 bytes free
Post-Run: 19,464,728,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

219   --- E O F ---   2009-03-21 07:03:14

Title: hijacked when using google
Post by: guestolo on April 07, 2009, 10:15:20 PM

Go to START>>RUN>>
copy and paste the following

 [color=\"#FF0000\"]combofix /u[/color]
and press enter
This will uninstall ComboFix and it's components

Double click on OTScanit to run it

• Click the Cleanup button
  A list will be downloaded>>Allow it Internet access if prompted by your Firewall
  Don't change anything in this list
  
• Select Yes at the prompt
  Wait for the confirmation box to open to reboot the computer
  Don't mouseclick during the wait as you may cause the tool to stall
  
• Select Yes to reboot Now
  

I suggest that you add SpywareBlaster to your protection software
SpywareBlaster  by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")  
At the link you can read more about it then continue with
Free Download on the right>>Continue Download at next page
Basically it

*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Startus>>enable all protection

Ensure your copy of Adobe Reader is up to date
Open Adobe Reader and click on HELP>>Check for Updates

Title: hijacked when using google
Post by: jjccp on April 08, 2009, 11:32:27 AM

The last set of instructions all done and went perfect.

Title: hijacked when using google
Post by: jjccp on April 09, 2009, 02:16:52 PM

Here's a new issue. Just started in the last couple of days. When in Internet Explorer, when I hit the back arrow or backspace key, nothing happens. I hear the audible click and briefly see the address on the bottom status bar, but no other action.

Title: hijacked when using google
Post by: jjccp on April 09, 2009, 06:07:48 PM

More weirdness today. BTW, this computer has been rock solid for the last couple of years until this redirecting issue started. I'm saying that because the things I'm calling weirdness are brand new for this machine.

Everything went well today until just now. When I left my office, I just closed the laptop and left. When I got home and opened it, the log in screen was really big on the screen. I swiped my finger and it came to life, but the icons were also gigantic and scrambled on the desktop. I rebooted and when the desktop icons appeared, they were all generic. Very slowly they changed back to normal.

I need your advice here because most of my business is on this machine. I regularly burn a CD back up of My Documents. But now I'm using Outlook a lot also. If this machine is going to puke, I want to be backed up. What do you suggest?

Title: hijacked when using google
Post by: jjccp on April 10, 2009, 05:37:36 AM

My screen saver decided to set itself to "none." It's always been set to "blank."

Title: hijacked when using google
Post by: guestolo on April 10, 2009, 09:13:56 AM

Let's see if we can fix the slow loading icons
Your iconcache file could be corrupt
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Click APPLY and then OK.

Navigate to the folder
C:\Documents and Settings\jim.dalessandro\Local Settings\Application Data

In the Application Data right click on and delete IconCache.db file
This file will be rebuilt
Reset Windows to Hide hidden files/folders
* Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading deselect Show hidden files and folders.
    * Click APPLY and then OK.

Reboot the computer
See if that's any help

Title: hijacked when using google
Post by: jjccp on April 10, 2009, 10:48:08 AM

When I did the above instructions, Show Hidden Files was already checked. I know for a fact that I set that to Hide back in Post #26. That, plus the screensaver turning itself off is interesting.

Anyway, I follwed the instructions, deleted the icon file and rebooted.

Here's another issue that just started in the last 2 days. On two different websites with Internet Explorer, I'm getting an error as soon as I hit the page that says Out of Memory on Line XX. Please take a look at the attached screen shot for an example.

BTW, thanks for sticking in there with me.

Title: hijacked when using google
Post by: guestolo on April 10, 2009, 11:21:23 AM

Can we reinstall Flash player and see if it has any effect

First, do the following:
Can you download this Flash uninstaller, save it to desktop, don't run it yet
http://download.macromedia.com/pub/flashpl...lash_player.exe (http://\"http://download.macromedia.com/pub/flashplayer/current/uninstall_flash_player.exe\")
Close down all browser windows and run the uninstaller
You can delete it after it was run successfully

Reboot the computer
Back in Windows
Use IE>>Go to the following link
http://get.adobe.com/flashplayer/?promoid=DXLUJ (http://\"http://get.adobe.com/flashplayer/?promoid=DXLUJ\")
Ensure to UNTICK the optional "Free Google Toolbar"
Then click on the Agree and Install Now button
Allow the ActiveX component to install and run
You will then be prompted that Flash was successfully installed in a bit

Let me know if that helps the error message

Edit>>in addition, can you do the following please
==Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as export.bat

Save this file on the desktop

 

Code: [Select]

regedit /e export.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
export.txt

Double click on export.bat, a text file will open, can you copy/paste back here that info please

Title: hijacked when using google
Post by: jjccp on April 10, 2009, 06:30:02 PM

Last set of instructions done.

Here's the log:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="wdmaud.drv"
"msacm.lameacm"="LameACM.acm"
"vidc.XVID"="xvidvfw.dll"
"aux2"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

Title: hijacked when using google
Post by: guestolo on April 10, 2009, 06:41:44 PM

What about the out of memory error message you were receiving,
Any problems with that now?

Title: hijacked when using google
Post by: jjccp on April 12, 2009, 08:38:46 AM

I'm still getting the Out of Memory error. BTW, as much as I click OK on the error message, it won't go away. I have to go to Task Manager and End Program to get out of IE.

Title: hijacked when using google
Post by: guestolo on April 12, 2009, 09:01:25 AM

Can you give me an example of a site this is happening at

Title: hijacked when using google
Post by: jjccp on April 12, 2009, 10:03:48 AM

No problem. Post #39 attachment shows one from a couple of days ago. I've attached another one on this post.

Title: hijacked when using google
Post by: guestolo on April 12, 2009, 12:31:55 PM

I got the exact same error message with IE7 as you did
Firefox isn't effected at all, so it's not on your end
It's on the sites more than likely
I'll try playing around with IE, see if there is anything I can change, but my settings for IE7 are all default, shouldn't have to change a thing

Have you thought about using Firefox?

I'm going to put the link here, so I don't have to keep typing it in
http://www.timeatlas.com/mos/Email/Outlook...s_with_Outlook/ (http://\"http://www.timeatlas.com/mos/Email/Outlook/Creating_Mailing_Labels_with_Outlook/\")

Edit>>Can you confirm this, I restored all of IE to default, even tried running in IE with no Addons
Still the error on that page
If I close IE, then open it's Internet Options (either thru right clicking it's icon and select Properties/ or
under Internet Options in the Windows Control Panel
 under the General tab>>Browsing History>>Delete...>>If I clear
Temp files
History
Cookies

Reopen IE and revisit that link, no error message comes up, but if I refresh the page I receive the error

Title: hijacked when using google
Post by: jjccp on April 12, 2009, 07:31:10 PM

I tried that website on a different computer and received the same error, so that one isn't on my computer.

Title: hijacked when using google
Post by: guestolo on April 12, 2009, 08:03:35 PM

Of course you probably want to be able to visit that page, correct?

Any other problems still remaining?

Title: hijacked when using google
Post by: jjccp on April 12, 2009, 09:51:36 PM

I don't really need that page anymore. I solved the problem I was having with Outlook.

I'm not seeing any problems right now.

Title: hijacked when using google
Post by: guestolo on April 12, 2009, 11:07:07 PM

Sounds good, I'll lock this topic as your problems appear resolved
Take care jjccp  /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />