« previous next »
Pages: [1] 2 3

Author Topic: hijacked when using google  (Read 1739 times)

Offline jjccp

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +0/-0
    • View Profile
hijacked when using google
« on: March 27, 2009, 06:00:21 PM »
Hi,

When I do a search on google, I'm redirected to another advertising site. Also experiencing overall slowness.

I have AVG installed and a recent scan showed no problems.

Thanks in advance for your help.

Jim

Here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:00 PM, on 3/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.realliving.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JIM~1.DAL/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 11184 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked when using google
« Reply #1 on: March 27, 2009, 08:16:54 PM »
Welcome jjccp

Download [color=\"#FF0000\"]> ATF Cleaner <[/color] by Atribune and save it to your Desktop.

Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use Firefox browser
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit from the Main menu

download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to [color=\"#006400\"]Update Malwarebytes' Anti-Malware[/color] and [color=\"#006400\"]Launch Malwarebytes' Anti-Malware[/color], then click Finish.
       
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
       
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
       
  • Make sure that everything is checked, and click Remove Selected.
        * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
       
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Also post a fresh Hijackthis log please and let me know how things are running
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline jjccp

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +0/-0
    • View Profile
hijacked when using google
« Reply #2 on: March 28, 2009, 07:34:52 AM »
Thanks, followed instructions. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

3/28/2009 8:23:17 AM
mbam-log-2009-03-28 (08-23-17).txt

Scan type: Quick Scan
Objects scanned: 82001
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is the new Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:04 AM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.realliving.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JIM~1.DAL/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 11192 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked when using google
« Reply #3 on: March 28, 2009, 09:56:17 AM »
Do you recognize this Active Desktop component?
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JIM~1.DAL/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

Are you still being redirected?
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline jjccp

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +0/-0
    • View Profile
hijacked when using google
« Reply #4 on: March 28, 2009, 01:20:00 PM »
Thanks for the quick reply.

I do not recognize the Active Desktop component.

I am still being redirected. I get to my google search results ok, but when I click on one of the results, I get sent to a different site. If I then hit the back button I get to the correct site.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked when using google
« Reply #5 on: March 28, 2009, 01:32:22 PM »
Do a "System scan only" with Hijackthis and put a check next to these entries:

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JIM~1.DAL/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer,
Back in Windows
Download ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#0000FF\"]Link 3[/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

      --------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
[/color]

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please

With the log from ComboFix, can you also include a fresh log from Hijackthis
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline jjccp

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +0/-0
    • View Profile
hijacked when using google
« Reply #6 on: March 28, 2009, 03:34:40 PM »
Now I'm having a problem.

Did the beginning Hijackthis instructions with no problem. After rebooting, downloading Combofix from link 3, double click on combofix.exe icon on desktop, program starts with little combofix window on the desktop. After approx 30 seconds combofix window blinks off and hard drive light stops blinking. No computer activity noted. I rebooted and tried to run combofix again with the same results.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked when using google
« Reply #7 on: March 28, 2009, 09:38:12 PM »
Please try rebooting into safe mode
Sign in with your normal User account and try running ComboFix again
See if that helps
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline jjccp

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +0/-0
    • View Profile
hijacked when using google
« Reply #8 on: March 29, 2009, 10:58:35 AM »
I rebooted into safe mode and have the exact same results with ComboFix as above. Starts to work then blinks off.

FYI, still being redirected and now rebooting is really slow. Also at reboot the icons on my desktop, at first come on with a generic icon then slowly, one by one, change to the correct icon. Hope that helps.

Thanks
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked when using google
« Reply #9 on: March 29, 2009, 11:03:51 AM »
Let's see if we can find the culprit
download >[color=\"#FF0000\"]DaonolFix[/color]<  and save it to your Desktop
  • Double-click DaonolFix.exe to run it.
       
  • Select 1. Find Daonol (no fix) by typing 1 and pressing Enter.
       
  • You will see a lot of files being listed - don't worry, they are just being scanned.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called DaonolFix.txt).
« Last Edit: March 29, 2009, 11:04:55 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline jjccp

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +0/-0
    • View Profile
hijacked when using google
« Reply #10 on: March 29, 2009, 11:11:31 AM »
That worked. Here's the log:

DaonolFix (16.03.09) by jpshortstuff
Log created at 12:07 on 29/03/2009 by jim.dalessandro
Running from C:\Documents and Settings\jim.dalessandro\Desktop\DaonolFix.exe

=====Find Daonol=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"aux2"="C:\WINDOWS\system32\..\ajlrcmg.beq"
"midi"="wdmaud.drv"
"midimapper"="midimap.dll"
"mixer"="wdmaud.drv"
"msacm.iac2"="C:\WINDOWS\system32\iac25_32.ax"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.l3acm"="C:\WINDOWS\system32\l3codeca.acm"
"msacm.lameacm"="LameACM.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msaudio1"="msaud32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msg723"="msg723.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iv50"="ir50_32.dll"
"vidc.iyuv"="iyuv_32.dll"
"vidc.M261"="msh261.drv"
"vidc.M263"="msh263.drv"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.XVID"="xvidvfw.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wave"="wdmaud.drv"
"wavemapper"="msacm32.drv"

-=Daonol Files=-
(none found)

-=End Of File=-
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked when using google
« Reply #11 on: March 29, 2009, 11:17:12 AM »
Great, can you run one more scanner for me please
See if this will run
Download and save to your desktop
[color=\"#FF0000\"]OTScanIt2[/color][/url]
by OldTimer

Double click on it to Run it and then Extract it to a folder on desktop
Open that newly created folder and double click on OTScanIt2.exe
Leave all defaults selected
Except, change Rootkit Search to YES

Then click on [color=\"#0000FF\"]Run Scan [/color]

When done, it will produce a log
Can you post the contents of that log back here please
A copy of it can also be found it the OTScanIt2 folder on desktop
NOTE: If you do get an error posting this log, please Upload it, but Only if you get an error
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline jjccp

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +0/-0
    • View Profile
hijacked when using google
« Reply #12 on: March 29, 2009, 12:18:43 PM »
Here are the results of the OTscanIt2:

[code]OTScanIt2 logfile created on: 3/29/2009 12:49:20 PM - Run 1
OTScanIt2 by OldTimer - Version 1.0.9.1    Folder = C:\Documents and Settings\jim.dalessandro\Desktop\OTScanIt2
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
502.36 Mb Total Physical Memory | 138.29 Mb Available Physical Memory | 27.53% Memory free
1.20 Gb Paging File | 0.88 Gb Available in Paging File | 73.51% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.29 Gb Total Space | 18.57 Gb Free Space | 36.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: JIMDALESANDRO
Current User Name: jim.dalessandro
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days
 
[Processes - Safe List]
acprfmgrsvc.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -> [2007/02/19 19:15:10 | 00,053,248 | ---- | M] ()
acsvc.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\AcSvc.exe -> [2007/02/19 19:15:14 | 00,172,032 | ---- | M] (Lenovo)
avgrsx.exe -> %ProgramFiles%\AVG\AVG8\avgrsx.exe -> [2009/02/05 09:29:00 | 00,484,120 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgwdsvc.exe -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/02/05 09:28:57 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
brss01a.exe -> %SystemRoot%\system32\brss01a.exe -> [2001/12/13 00:01:00 | 00,045,056 | ---- | M] (brother Industries Ltd)
brsvc01a.exe -> %SystemRoot%\system32\brsvc01a.exe -> [2001/11/23 00:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd)
ctsvccda.exe -> %SystemRoot%\system32\CTsvcCDA.exe -> [1999/12/12 13:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd)
evteng.exe -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> [2006/08/02 03:39:20 | 00,434,176 | ---- | M] (Intel Corporation)
explorer.exe -> %SystemRoot%\explorer.exe -> [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation)
ezejmnap.exe -> %ProgramFiles%\ThinkPad\Utilities\EZEJMNAP.EXE -> [2006/02/23 13:22:00 | 00,237,568 | ---- | M] (Lenovo Group Limited)
ibmpmsvc.exe -> %SystemRoot%\system32\ibmpmsvc.exe -> [2007/02/27 22:09:06 | 00,036,400 | ---- | M] (Lenovo)
ipssvc.exe -> %SystemRoot%\system32\IPSSVC.EXE -> [2006/08/16 13:07:00 | 00,073,728 | ---- | M] (Lenovo Group Limited)
iuservice.exe -> %ProgramFiles%\Lenovo\Rescue and Recovery\ADM\IUService.exe -> [2006/07/14 18:52:48 | 00,045,056 | ---- | M] ()
jqs.exe -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/03/17 12:31:58 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
logmon.exe -> %CommonProgramFiles%\Lenovo\Logger\logmon.exe -> [2006/07/14 20:36:00 | 00,022,016 | ---- | M] ()
mdm.exe -> %CommonProgramFiles%\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/20 02:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation)
mstbsvc.exe -> %ProgramFiles%\MSN\Toolbar\3.0.0988.2\mstbsvc.exe -> [2008/12/04 12:29:28 | 00,100,184 | ---- | M] (Microsoft Corp.)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/03/27 10:59:42 | 00,492,544 | ---- | M] (OldTimer Tools)
regsrvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> [2006/08/02 03:24:22 | 00,327,680 | ---- | M] (Intel Corporation)
rrservice.exe -> %ProgramFiles%\Lenovo\Rescue and Recovery\rrservice.exe -> [2006/07/14 21:01:00 | 01,974,272 | ---- | M] (Lenovo Group Limited)
s24evmon.exe -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> [2006/08/02 03:31:22 | 00,937,984 | ---- | M] (Intel Corporation )
smax4pnp.exe -> %ProgramFiles%\Analog Devices\Core\smax4pnp.exe -> [2005/05/19 20:11:06 | 00,925,696 | ---- | M] (Analog Devices, Inc.)
suservice.exe -> %ProgramFiles%\lenovo\system update\suservice.exe -> [2007/02/12 05:35:42 | 00,013,312 | ---- | M] (Lenovo Group Limited)
svcguihlpr.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe -> [2007/02/19 19:15:58 | 00,106,496 | ---- | M] ()
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> [2006/02/14 01:16:28 | 00,512,000 | ---- | M] (Synaptics, Inc.)
syntplpr.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe -> [2006/02/14 01:17:28 | 00,110,592 | ---- | M] (Synaptics, Inc.)
tphdexlg.exe -> %SystemRoot%\System32\TPHDEXLG.EXE -> [2005/06/20 15:15:00 | 00,077,824 | ---- | M] (Lenovo.)
tphkmgr.exe -> %ProgramFiles%\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe -> [2006/07/24 21:19:40 | 00,094,208 | ---- | M] ()
tpkmpsvc.exe -> %SystemRoot%\system32\TpKmpSVC.exe -> [2005/06/07 00:26:22 | 00,032,768 | ---- | M] ()
tponscr.exe -> %ProgramFiles%\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe -> [2005/07/05 01:57:12 | 00,077,824 | ---- | M] ()
tpscrex.exe -> %ProgramFiles%\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe -> [2006/05/30 02:05:42 | 00,086,016 | ---- | M] (Lenovo Group Limited)
tpshocks.exe -> %SystemRoot%\system32\TpShocks.exe -> [2006/03/15 22:04:48 | 00,106,496 | ---- | M] (Lenovo, Ltd. and IBM Corporation.)
tvt_reg_monitor_svc.exe -> %CommonProgramFiles%\Lenovo\tvt_reg_monitor_svc.exe -> [2006/07/14 20:24:52 | 00,629,504 | ---- | M] ()
tvtsched.exe -> %CommonProgramFiles%\Lenovo\Scheduler\tvtsched.exe -> [2006/12/10 22:36:22 | 01,118,208 | ---- | M] (Lenovo Group Limited)
tvttcsd.exe -> %ProgramFiles%\Lenovo\Client Security Solution\tvttcsd.exe -> [2006/07/14 20:42:22 | 00,723,712 | ---- | M] (IBM)
winvnc4.exe -> %ProgramFiles%\RealVNC\VNC4\WinVNC4.exe -> [2006/05/12 18:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.)
wmpnetwk.exe -> %ProgramFiles%\Windows Media Player\WMPNetwk.exe -> [2006/10/18 23:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation)
 
[Win32 Services - Safe List]
(AcPrfMgrSvc) Ac Profile Manager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -> [2007/02/19 19:15:10 | 00,053,248 | ---- | M] ()
(AcSvc) Access Connections Main Service [Win32_Own | Auto | Running] -> %ProgramFiles%\ThinkPad\ConnectUtilities\AcSvc.exe -> [2007/02/19 19:15:14 | 00,172,032 | ---- | M] (Lenovo)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation)
(avg8wd) AVG8 WatchDog [Win32_Own | Auto | Running] -> %ProgramFiles%\AVG\AVG8\avgwdsvc.exe -> [2009/02/05 09:28:57 | 00,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.)
(Brother XP spl Service) BrSplService [Win32_Own | Auto | Running] -> %SystemRoot%\system32\brsvc01a.exe -> [2001/11/23 00:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation)
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %SystemRoot%\system32\CTsvcCDA.exe -> [1999/12/12 13:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd)
(EvtEng) Intel(R) PROSet/Wireless Event Log [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> [2006/08/02 03:39:20 | 00,434,176 | ---- | M] (Intel Corporation)
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2008/02/04 23:40:02 | 00,138,168 | ---- | M] (Google)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation)
(IBMPMSVC) ThinkPad PM Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\ibmpmsvc.exe -> [2007/02/27 22:09:06 | 00,036,400 | ---- | M] (Lenovo)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> [2005/04/04 03:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation)
(IPSSVC) IPS Core Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\IPSSVC.EXE -> [2006/08/16 13:07:00 | 00,073,728 | ---- | M] (Lenovo Group Limited)
(Irmon) Infrared Monitor [Win32_Shared | Auto | Running] -> %SystemRoot%\System32\irmon.dll -> [2008/04/13 20:11:55 | 00,028,160 | ---- | M] (Microsoft Corporation)
(JavaQuickStarterService) Java Quick Starter [Win32_Own | Auto | Running] -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/03/17 12:31:58 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
(MDM) Machine Debug Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/20 02:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation)
(mstbsvc) MSN Toolbar Setup [Win32_Own | Auto | Running] -> %ProgramFiles%\MSN\Toolbar\3.0.0988.2\mstbsvc.exe -> [2008/12/04 12:29:28 | 00,100,184 | ---- | M] (Microsoft Corp.)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Microsoft Shared\Source Engine\OSE.EXE -> [2003/07/28 15:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation)
(PsaSrv) IBM PSA Access Driver Control [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\psasrv.exe -> [2007/05/11 20:56:02 | 00,023,552 | ---- | M] ()
(RegSrvc) Intel(R) PROSet/Wireless Registry Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> [2006/08/02 03:24:22 | 00,327,680 | ---- | M] (Intel Corporation)
(S24EventMonitor) Intel(R) PROSet/Wireless Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> [2006/08/02 03:31:22 | 00,937,984 | ---- | M] (Intel Corporation )
(SUService) System Update [Win32_Own | Auto | Running] -> %ProgramFiles%\lenovo\system update\suservice.exe -> [2007/02/12 05:35:42 | 00,013,312 | ---- | M] (Lenovo Group Limited)
(ThinkVantage Registry Monitor Service) ThinkVantage Registry Monitor Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Lenovo\tvt_reg_monitor_svc.exe -> [2006/07/14 20:24:52 | 00,629,504 | ---- | M] ()
(TPHDEXLGSVC) ThinkPad HDD APS Logging Service [Win32_Own | Auto | Running] -> %SystemRoot%\System32\TPHDEXLG.EXE -> [2005/06/20 15:15:00 | 00,077,824 | ---- | M] (Lenovo.)
(TpKmpSVC) IBM KCU Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\TpKmpSVC.exe -> [2005/06/07 00:26:22 | 00,032,768 | ---- | M] ()
(TSSCoreService) TSS Core Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lenovo\Client Security Solution\tvttcsd.exe -> [2006/07/14 20:42:22 | 00,723,712 | ---- | M] (IBM)
(TVT Backup Service) TVT Backup Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lenovo\Rescue and Recovery\rrservice.exe -> [2006/07/14 21:01:00 | 01,974,272 | ---- | M] (Lenovo Group Limited)
(TVT Scheduler) TVT Scheduler [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Lenovo\Scheduler\tvtsched.exe -> [2006/12/10 22:36:22 | 01,118,208 | ---- | M] (Lenovo Group Limited)
(tvtnetwk) tvtnetwk [Win32_Own | Auto | Running] -> %ProgramFiles%\Lenovo\Rescue and Recovery\ADM\IUService.exe -> [2006/07/14 18:52:48 | 00,045,056 | ---- | M] ()
(WinVNC4) VNC Server Version 4 [Win32_Own | Auto | Running] -> %ProgramFiles%\RealVNC\VNC4\WinVNC4.exe -> [2006/05/12 18:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.)
(WMPNetworkSvc) Windows Media Player Network Sharing Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Windows Media Player\WMPNetwk.exe -> [2006/10/18 23:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation)
 
[Driver Services - Safe List]
(ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ac97intc.sys -> [2001/08/17 08:20:04 | 00,096,256 | ---- | M] (Intel Corporation)
(ADIHdAudAddService) ADI UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ADIHdAud.sys -> [2006/01/30 22:19:34 | 00,176,128 | ---- | M] (Analog Devices, Inc.)
(AEAudioService) AEAudio Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\AEAudio.sys -> [2006/04/26 17:42:40 | 00,093,824 | ---- | M] (Andrea Electronics Corporation)
(AegisP) AEGIS Protocol (IEEE 802.1x) v3.5.3.0 [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\AegisP.sys -> [2007/05/11 20:38:10 | 00,021,419 | ---- | M] (Meetinghouse Data Communications)
(AliIde) AliIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\aliide.sys -> [2001/08/17 16:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.)
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\amdagp.sys -> [2008/04/13 14:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.)
(ANC) ANC [Kernel | System | Running] -> %SystemRoot%\System32\drivers\ANC.SYS -> [2005/11/08 12:27:20 | 00,011,520 | ---- | M] (IBM Corp.)
(asc) asc [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc.sys -> [2001/08/17 16:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.)
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc3550.sys -> [2001/08/17 16:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.)
(ASPI32) ASPI32 [Kernel | System | Running] -> %SystemRoot%\System32\drivers\ASPI32.SYS -> [1999/09/10 13:06:00 | 00,025,244 | ---- | M] (Adaptec)
(atmeltpm) atmeltpm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\atmeltpm.sys -> [2005/05/17 13:20:08 | 00,015,872 | ---- | M] (Atmel, Inc.)
(AvgLdx86) AVG AVI Loader Driver x86 [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgldx86.sys -> [2009/02/05 09:29:00 | 00,325,128 | ---- | M] (AVG Technologies CZ, s.r.o.)
(AvgMfx86) AVG On-access Scanner Minifilter Driver x86 [File_System | System | Running] -> %SystemRoot%\System32\Drivers\avgmfx86.sys -> [2009/02/05 09:29:00 | 00,027,656 | ---- | M] (AVG Technologies CZ, s.r.o.)
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\cmdide.sys -> [2001/08/17 16:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.)
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\dac2w2k.sys -> [2001/08/17 16:52:16 | 00,179,584 | ---- | M] (Mylex Corporation)
(DLABOIOM) DLABOIOM [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLABOIOM.SYS -> [2006/02/02 08:20:00 | 00,025,628 | ---- | M] (Sonic Solutions)
(DLACDBHM) DLACDBHM [File_System | System | Running] -> %SystemRoot%\System32\Drivers\DLACDBHM.SYS -> [2005/11/18 15:02:50 | 00,005,660 | ---- | M] (Sonic Solutions)
(DLADResN) DLADResN [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLADResN.SYS -> [2006/02/02 08:20:00 | 00,002,496 | ---- | M] (Sonic Solutions)
(DLAIFS_M) DLAIFS_M [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLAIFS_M.SYS -> [2006/02/02 08:20:00 | 00,086,652 | ---- | M] (Sonic Solutions)
(DLAOPIOM) DLAOPIOM [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLAOPIOM.SYS -> [2006/02/02 08:20:00 | 00,014,684 | ---- | M] (Sonic Solutions)
(DLAPoolM) DLAPoolM [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLAPoolM.SYS -> [2006/02/02 08:20:00 | 00,006,364 | ---- | M] (Sonic Solutions)
(DLARTL_N) DLARTL_N [File_System | System | Running] -> %SystemRoot%\System32\Drivers\DLARTL_N.SYS -> [2005/11/18 15:02:10 | 00,022,684 | ---- | M] (Sonic Solutions)
(DLAUDFAM) DLAUDFAM [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLAUDFAM.SYS -> [2006/02/02 08:20:00 | 00,094,332 | ---- | M] (Sonic Solutions)
(DLAUDF_M) DLAUDF_M [File_System | Auto | Running] -> %SystemRoot%\System32\DLA\DLAUDF_M.SYS -> [2006/02/02 08:20:00 | 00,087,036 | ---- | M] (Sonic Solutions)
(DRVMCDB) DRVMCDB [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\DRVMCDB.SYS -> [2006/03/01 06:30:00 | 00,089,472 | ---- | M] (Sonic Solutions)
(DRVNDDM) DRVNDDM [File_System | Auto | Running] -> %SystemRoot%\System32\Drivers\DRVNDDM.SYS -> [2005/11/18 08:20:00 | 00,040,544 | ---- | M] (Sonic Solutions)
(E100B) Intel(R) PRO Adapter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\e100b325.sys -> [2001/08/17 08:12:10 | 00,117,760 | ---- | M] (Intel Corporation)
(e1express) Intel(R) PRO/1000 PCI Express Network Connection Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\e1e5132.sys -> [2006/04/20 02:06:50 | 00,181,760 | ---- | M] (Intel Corporation)
(EGATHDRV) IBM eGatherer [Kernel | Auto | Running] -> %SystemRoot%\SYSTEM32\EGATHDRV.SYS -> [2009/03/29 00:00:00 | 00,005,427 | ---- | M] (IBM Corporation)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HDAudBus.sys -> [2008/04/13 12:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HSF_DPV) HSF_DPV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\hsx_dpv.sys -> [2005/12/05 22:21:32 | 00,936,448 | ---- | M] (Conexant Systems, Inc.)
(HSXHWAZL) HSXHWAZL [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\hsxhwazl.sys -> [2005/12/05 22:20:48 | 00,192,512 | ---- | M] (Conexant Systems, Inc.)
(ialm) ialm [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ialmnt5.sys -> [2006/07/25 02:44:04 | 01,170,300 | ---- | M] (Intel Corporation)
(iaStor) Intel AHCI Controller [Kernel | Boot | Running] -> %SystemRoot%\system32\DRIVERS\iaStor.sys -> [2005/10/11 20:07:12 | 00,874,240 | ---- | M] (Intel Corporation)
(IBMPMDRV) IBMPMDRV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ibmpmdrv.sys -> [2007/02/27 22:08:32 | 00,021,040 | ---- | M] (Lenovo.)
(IBMTPCHK) IBMTPCHK [Kernel | System | Running] -> %SystemRoot%\system32\Drivers\IBMBLDID.sys -> [2006/01/13 03:33:22 | 00,006,016 | ---- | M] ()
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\mdmxsdk.sys -> [2005/10/05 02:57:08 | 00,012,544 | ---- | M] (Conexant)
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\mraid35x.sys -> [2001/08/17 16:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.)
(NETw3x32) Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\NETw3x32.sys -> [2006/09/27 05:36:24 | 01,709,696 | ---- | M] (Intel® Corporation)
(NSCIRDA) NSC Infrared Device Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\nscirda.sys -> [2008/04/13 14:54:36 | 00,028,672 | ---- | M] (National Semiconductor Corporation)
(nv) nv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\nv4_mini.sys -> [2004/08/03 18:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation)
(PalmUSBD) PalmUSBD [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\PalmUSBD.sys -> [2007/06/08 03:01:01 | 00,016,694 | ---- | M] (PalmSource, Inc.)
(pmem) pmem [Kernel | Auto | Running] -> %SystemRoot%\System32\drivers\pmemnt.sys -> [2007/05/11 20:55:09 | 00,007,012 | ---- | M] (Microsoft Corporation)
(PrivateDisk) PrivateDisk [Kernel | Auto | Running] -> %ProgramFiles%\Lenovo\SafeGuard PrivateDisk\PrivateDiskM.sys -> [2006/03/13 19:05:54 | 00,058,368 | R--- | M] (Utimaco Safeware AG)
(PROCDD) IPS Helper Driver [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\PROCDD.SYS -> [2006/08/16 13:07:00 | 00,005,120 | ---- | M] (Lenovo Group Limited)
(psadd) Lenovo Parties Service Access Device Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\psadd.sys -> [2006/09/13 01:42:18 | 00,028,224 | ---- | M] (Lenovo (United States) Inc.)
(PTDCBus) PANTECH PC Card Composite Device Driver (UDP) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\PTDCBus.sys -> [2007/04/01 06:45:22 | 00,027,520 | ---- | M] (DEVGURU Co,LTD.)
(PTDCMdm) PANTECH PC Card Drivers (UDP) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\PTDCMdm.sys -> [2007/04/01 06:45:26 | 00,041,728 | ---- | M] (DEVGURU Co,LTD.)
(PTDCVsp) PANTECH PC Card Diagnostic Serial Port (UDP) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\PTDCVsp.sys -> [2007/04/01 06:45:30 | 00,039,808 | ---- | M] (DEVGURU Co,LTD.)
(PTDCWWAN) PANTECH PC Card WWAN Controller device driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\PTDCWWAN.sys -> [2007/04/30 20:30:14 | 00,058,240 | ---- | M] (DEVGURU Co,LTD.)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> [2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\PxHelp20.sys -> [2006/10/18 04:00:00 | 00,036,624 | ---- | M] (Sonic Solutions)
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1080.sys -> [2001/08/17 16:52:20 | 00,040,320 | ---- | M] (QLogic Corporation)
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql12160.sys -> [2001/08/17 16:52:20 | 00,045,312 | ---- | M] (QLogic Corporation)
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1280.sys -> [2001/08/17 16:52:18 | 00,049,024 | ---- | M] (QLogic Corporation)
(s24trans) WLAN Transport [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\s24trans.sys -> [2006/08/02 04:27:48 | 00,012,544 | ---- | M] (Intel Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(ShockMgr) ShockMgr [Kernel | System | Running] -> %SystemRoot%\System32\drivers\ShockMgr.sys -> [2005/06/20 15:18:00 | 00,004,736 | ---- | M] (Lenovo.)
(Shockprf) Shockprf [Kernel | Boot | Running] -> %SystemRoot%\System32\drivers\shockprf.sys -> [2006/03/15 20:08:00 | 00,088,576 | ---- | M] (Lenovo)
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sisagp.sys -> [2008/04/13 14:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation)
(Smapint) Smapint [Kernel | System | Running] -> %SystemRoot%\System32\drivers\Smapint.sys -> [2006/08/02 12:54:00 | 00,014,848 | ---- | M] (Microsoft Corporation)
(smi2) smi2 [Kernel | Auto | Running] -> %ProgramFiles%\SMI2\smi2.sys -> [2006/07/14 18:55:12 | 00,003,968 | ---- | M] (IBM Corp.)
(smihlp) SMI helper driver [Kernel | Auto | Running] -> %ProgramFiles%\ThinkVantage Fingerprint Software\smihlp.sys -> [2006/04/25 22:00:00 | 00,003,456 | ---- | M] (UPEK Inc.)
(SMNDIS5) SMNDIS5 NDIS Protocol Driver [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Verizon Wireless\VZAccess Manager\SMNDIS5.sys -> [2002/11/26 14:54:58 | 00,016,936 | ---- | M] (Smith Micro Software, Inc.)
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sparrow.sys -> [2001/08/17 17:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.)
(symc810) symc810 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc810.sys -> [2001/08/17 17:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.)
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc8xx.sys -> [2001/08/17 17:07:36 | 00,032,640 | ---- | M] (LSI Logic)
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_hi.sys -> [2001/08/17 17:07:40 | 00,028,384 | ---- | M] (LSI Logic)
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_u3.sys -> [2001/08/17 17:07:42 | 00,030,688 | ---- | M] (LSI Logic)
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\SynTP.sys -> [2006/02/14 01:04:58 | 00,177,664 | ---- | M] (Synaptics, Inc.)
(TcUsb) TC USB Kernel Driver [Kernel | On_Demand | Running] -> %SystemRoot%\System32\Drivers\tcusb.sys -> [2006/04/25 22:13:20 | 00,028,800 | ---- | M] (UPEK Inc.)
(TDSMAPI) TDSMAPI [Kernel | System | Running] -> %SystemRoot%\System32\drivers\TDSMAPI.SYS -> [2006/08/02 12:54:00 | 00,009,343 | ---- | M] ()
(tpflhlp) tpflhlp [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Lenovo\System Update\session\79uj20us\tpflhlp.sys -> [2007/04/23 20:10:44 | 00,013,616 | ---- | M] (Lenovo Group Limited)
(TPHKDRV) TPHKDRV [Kernel | System | Running] -> %SystemRoot%\System32\drivers\TPHKDRV.sys -> [2005/07/05 01:57:06 | 00,017,699 | ---- | M] (IBM Corporation)
(TPPWRIF) TPPWRIF [Kernel | System | Running] -> %SystemRoot%\System32\drivers\Tppwrif.sys -> [2006/05/25 12:13:00 | 00,004,442 | ---- | M] ()
(TSMAPIP) TSMAPIP [Kernel | System | Running] -> %SystemRoot%\System32\drivers\TSMAPIP.SYS -> [2006/07/20 13:54:00 | 00,007,168 | ---- | M] ()
(tvtfilter) tvtfilter [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\tvtfilter.sys -> [2006/07/14 20:27:22 | 00,012,544 | ---- | M] (Lenovo)
(TVTPktFilter) TVT Packet Filter Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\tvtpktfilter.sys -> [2006/07/14 20:03:04 | 00,017,664 | ---- | M] (Lenovo Group Limited)
(ultra) ultra [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ultra.sys -> [2001/08/17 16:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.)
(winachsf) winachsf [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\hsx_cnxt.sys -> [2005/12/05 22:20:42 | 00,670,208 | ---- | M] (Conexant Systems, Inc.)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> Reg Error: Invalid data type. ->
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> about:blank ->
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\extensions ->  ->
HKLM\software\mozilla\Firefox\extensions\\[email protected] -> %ProgramFiles%\JAVA\JRE6\LIB\DEPLOY\JQS\FF [C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF] -> [2009/03/17 12:31:59 | 00,000,000 | ---D | M]
< FireFox Extensions [User Folders] > ->
< HOSTS File > (734 bytes and 19 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
Reset Hosts
127.0.0.1      localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/01/12 23:38:22 | 00,063,128 | ---- | M] (Adobe Systems Incorporated)
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> %ProgramFiles%\AVG\AVG8\avgssie.dll [AVG Safe Search] -> [2009/02/05 09:28:58 | 01,078,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
{5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> %SystemRoot%\System32\DLA\DLASHX_W.DLL [DriveLetterAccess] -> [2006/02/02 08:20:00 | 00,110,652 | ---- | M] (Sonic Solutions)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre6\bin\ssv.dll [Java(tm) Plug-In SSV Helper] -> [2009/03/17 12:31:59 | 00,320,920 | ---- | M] (Sun Microsystems, Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> %ProgramFiles%\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2009/03/17 12:31:58 | 00,034,816 | ---- | M] (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} [HKLM] -> %ProgramFiles%\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [JQSIEStartDetectorImpl Class] -> [2009/03/17 12:31:59 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.)
{F040E541-A427-4CF7-85D8-75E3E0F476C5} [HKLM] -> %ProgramFiles%\Lenovo\Client Security Solution\tvtpwm_ie_com.dll [CPwmIEBrowserHelper Object] -> [2006/07/14 21:20:42 | 00,719,616 | ---- | M] (Lenovo Group Limited)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"ACTray" -> %ProgramFiles%\ThinkPad\ConnectUtilities\ACTray.exe [C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe] -> [2007/02/19 19:10:46 | 00,409,600 | ---- | M] ()
"ACWLIcon" -> %ProgramFiles%\ThinkPad\ConnectUtilities\ACWLIcon.exe [C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe] -> [2007/02/19 19:02:32 | 00,110,592 | ---- | M] ()
"AVG8_TRAY" -> %ProgramFiles%\AVG\AVG8\avgtray.exe [C:\PROGRA~1\AVG\AVG8\avgtray.exe] -> [2009/02/05 09:28:55 | 01,601,304 | ---- | M] (AVG Technologies CZ, s.r.o.)
"AwaySch" -> %ProgramFiles%\Lenovo\AwayTask\AwaySch.EXE [C:\Program Files\Lenovo\AwayTask\AwaySch.EXE] -> [2006/08/16 13:07:00 | 00,069,632 | ---- | M] (Lenovo Group Limited)
"BLOG" -> %ProgramFiles%\ThinkPad\Utilities\BATLOGEX.DLL [rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog] -> [2006/05/25 12:13:00 | 00,208,896 | ---- | M] ()
"cssauth" -> %ProgramFiles%\Lenovo\Client Security Solution\cssauth.exe ["C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent] -> [2006/07/14 21:13:14 | 02,341,632 | ---- | M] (Lenovo Group Limited)
"DLA" -> %SystemRoot%\System32\DLA\DLACTRLW.EXE [C:\WINDOWS\System32\DLA\DLACTRLW.EXE] -> [2006/02/02 08:20:00 | 00,122,940 | ---- | M] (Sonic Solutions)
"EZEJMNAP" -> %ProgramFiles%\ThinkPad\Utilities\EZEJMNAP.EXE [C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe] -> [2006/02/23 13:22:00 | 00,237,568 | ---- | M] (Lenovo Group Limited)
"HP Component Manager" -> %ProgramFiles%\HP\hpcoretech\hpcmpmgr.exe ["C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"] -> [2003/10/23 22:51:18 | 00,233,472 | ---- | M] (Hewlett-Packard Company)
"HP Software Update" -> %ProgramFiles%\Hewlett-Packard\HP Software Update\HPWuSchd.exe ["C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"] -> [2003/06/25 14:24:48 | 00,049,152 | ---- | M] (Hewlett-Packard)
"HPDJ Taskbar Utility" -> %SystemRoot%\system32\spool\drivers\w32x86\3\hpztsb09.exe [C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe] -> [2005/07/22 22:40:43 | 00,176,128 | ---- | M] (HP)
"igfxhkcmd" -> %SystemRoot%\system32\hkcmd.exe [C:\WINDOWS\system32\hkcmd.exe] -> [2006/07/25 02:17:54 | 00,077,824 | ---- | M] (Intel Corporation)
"igfxpers" -> %SystemRoot%\system32\igfxpers.exe [C:\WINDOWS\system32\igfxpers.exe] -> [2006/07/25 02:21:50 | 00,118,784 | ---- | M] (Intel Corporation)
"igfxtray" -> %SystemRoot%\system32\igfxtray.exe [C:\WINDOWS\system32\igfxtray.exe] -> [2006/07/25 02:21:08 | 00,094,208 | ---- | M] (Intel Corporation)
"ISUSPM Startup" -> %SystemDrive%\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup] -> File not found
"ISUSScheduler" -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start] -> File not found
"LPManager" -> %ProgramFiles%\ThinkVantage\PrdCtr\LPMGR.EXE [C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe] -> [2006/07/04 12:11:00 | 00,110,592 | ---- | M] (Lenovo Group Limited)
"PDService.exe" -> %ProgramFiles%\Lenovo\SafeGuard PrivateDisk\pdservice.exe ["C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"] -> [2006/03/13 19:38:56 | 00,041,472 | R--- | M] (Utimaco Safeware AG)
"PWRMGRTR" -> %ProgramFiles%\ThinkPad\Utilities\PWRMGRTR.DLL [rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor] -> [2006/05/25 12:13:00 | 00,151,552 | ---- | M] (Lenovo Group Limited)
"SoundMAX" -> %ProgramFiles%\Analog Devices\SoundMAX\Smax4.exe [C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray] -> [2005/05/06 18:06:12 | 00,716,800 | ---- | M] (Analog Devices, Inc.)
"SoundMAXPnP" -> %ProgramFiles%\Analog Devices\Core\smax4pnp.exe [C:\Program Files\Analog Devices\Core\smax4pnp.exe] -> [2005/05/19 20:11:06 | 00,925,696 | ---- | M] (Analog Devices, Inc.)
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre6\bin\jusched.exe ["C:\Program Files\Java\jre6\bin\jusched.exe"] -> [2009/03/17 12:31:58 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.)
"SynTPEnh" -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [C:\Program Files\Synaptics\SynTP\SynTPEnh.exe] -> [2006/02/14 01:16:28 | 00,512,000 | ---- | M] (Synaptics, Inc.)
"SynTPLpr" -> %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe [C:\Program Files\Synaptics\SynTP\SynTPLpr.exe] -> [2006/02/14 01:17:28 | 00,110,592 | ---- | M] (Synaptics, Inc.)
"TP4EX" -> %SystemRoot%\system32\tp4ex.exe [tp4ex.exe] -> [2005/10/17 04:11:00 | 00,065,536 | ---- | M] (Lenovo Group Limited)
"TPHOTKEY" -> %ProgramFiles%\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe [C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe] -> [2006/07/24 21:19:40 | 00,094,208 | ---- | M] ()
"TPKMAPHELPER" -> %ProgramFiles%\ThinkPad\Utilities\TpKmapAp.exe [C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper] -> [2006/06/03 01:00:18 | 00,856,064 | ---- | M] (Lenovo)
"TpShocks" -> %SystemRoot%\system32\TpShocks.exe [TpShocks.exe] -> [2006/03/15 22:04:48 | 00,106,496 | ---- | M] (Lenovo, Ltd. and IBM Corporation.)
"TVT Scheduler Proxy" -> %CommonProgramFiles%\Lenovo\Scheduler\scheduler_proxy.exe [C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe] -> [2006/12/10 22:36:32 | 00,536,576 | ---- | M] (Lenovo Group Limited)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk -> %ProgramFiles%\Palm\Hotsync.exe -> [2004/06/09 17:27:34 | 00,471,040 | ---- | M] (PalmSource, Inc)
< jim.dalessandro Startup Folder > -> C:\Documents and Settings\jim.dalessandro\Start Menu\Programs\Startup ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"NoCDBurning" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" ->  [0] -> File not found
\\"legalnoticecaption" ->  [] -> File not found
\\"legalnoticetext" ->  [] -> File not found
\\"shutdownwithoutlogon" ->  [1] -> File not found
\\"undockwithoutlogon" ->  [1] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"disableregistrytools" ->  [0] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2007/04/06 16:12:52 | 10,289,496 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{0045D4BC-5189-4b67-969C-83BB1906C421}:{0FE81B52-73FA-425F-8F06-3F32451AC73F} [HKLM] -> %ProgramFiles%\Lenovo\Client Security Solution\tvtpwm_ie_com.dll [Menu: ThinkVantage Password Manager...] -> [2006/07/14 21:20:42 | 00,719,616 | ---- | M] (Lenovo Group Limited)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Button: Research] -> [2003/07/15 01:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5}:Exec [HKLM] -> %ProgramFiles%\Lenovo\PkgMgr\PkgMgr.exe [Button: Software Installer] -> [2006/11/13 18:18:56 | 01,668,720 | ---- | M] (Lenovo Group Limited)
{DA320635-F48C-4613-8325-D75A933C549E}:Exec [HKLM] -> %ProgramFiles%\Lenovo\System Update\sulauncher.exe [Button: System Update] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} [HKLM] -> http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab [Office Genuine Advantage Validation Tool] ->
{17492023-C23A-453E-A040-C7C580BBF700} [HKLM] -> http://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab [Windows Genuine Advantage Validation Tool] ->
{74FFE28D-2378-11D5-990C-006094235084} [HKLM] -> http://www-307.ibm.com/pc/support/IbmEgath.cab [IBM Access Support] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab [Reg Error: Key error.] ->
{AB86CE53-AC9F-449F-9399-D8ABCA09EC09} [HKLM] -> https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx [Get_ActiveX Control] ->
{C7DB51B4-BCF7-4923-8874-7F1A0DC92277} [HKLM] -> http://office.microsoft.com/officeupdate/content/opuc4.cab [Office Update Installation Engine] ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Java Plug-in 1.5.0_06] ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab [Java Plug-in 1.6.0_01] ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab [Java Plug-in 1.6.0_03] ->
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Java Plug-in 1.6.0_05] ->
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Java Plug-in 1.6.0_07] ->
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab [Java Plug-in 1.6.0_11] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{1EDEE81F-F354-433F-BCE1-25B8B9934CAA} ->   (Intel(R) PRO/Wireless 3945ABG Network Connection) ->
{54512FA9-3FF7-4E91-A388-25E83A1A31C8} ->   (Intel(R) PRO/1000 PL Network Connection) ->
{E359824B-5D88-4958-8D69-48ED5D7A6E75} ->   () ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\Explorer.exe -> [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
*GinaDLL* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\GinaDLL ->
vrlogon.dll -> %SystemRoot%\system32\vrlogon.dll -> [2006/04/25 22:21:28 | 00,513,536 | ---- | M] (UPEK Inc.)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
ACNotify -> %ProgramFiles%\ThinkPad\ConnectUtilities\ACNotify.dll -> [2007/02/19 19:03:20 | 00,032,768 | ---- | M] ()
avgrsstarter -> %SystemRoot%\system32\avgrsstx.dll -> [2009/02/05 09:29:00 | 00,010,520 | ---- | M] (AVG Technologies CZ, s.r.o.)
AwayNotify -> %ProgramFiles%\Lenovo\AwayTask\AwayNotify.dll -> [2006/08/16 13:07:00 | 00,049,152 | ---- | M] (Lenovo Group Limited)
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> [2006/07/25 02:16:58 | 00,139,264 | ---- | M] (Intel Corporation)
NavLogon ->  -> File not found
psfus -> %SystemRoot%\system32\psqlpwd.dll -> [2006/04/25 22:20:38 | 00,040,448 | ---- | M] (UPEK Inc.)
tpfnf2 -> %SystemRoot%\system32\notifyf2.dll -> [2005/07/05 10:45:08 | 00,028,672 | ---- | M] ()
tphotkey -> %SystemRoot%\system32\tphklock.dll -> [2005/11/30 07:16:02 | 00,024,576 | ---- | M] ()
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\AVG\AVG8\avgupd.exe" -> C:\Program Files\AVG\AVG8\avgupd.exe [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe] -> [2009/02/03 10:34:56 | 01,032,984 | ---- | M] (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe" -> C:\Program Files\Grisoft\AVG7\avgamsvr.exe [C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe] -> File not found
"C:\Program Files\Grisoft\AVG7\avgcc.exe" -> C:\Program Files\Grisoft\AVG7\avgcc.exe [C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe] -> File not found
"C:\Program Files\Grisoft\AVG7\avginet.exe" -> C:\Program Files\Grisoft\AVG7\avginet.exe [C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe] -> File not found
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" -> C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe [C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox] -> File not found
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
"AlternateShell" -> cmd.exe ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2008/04/13 14:40:46 | 00,062,976 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > ->  ->
C:\AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [2006/04/30 03:13:35 | 00,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
 
 
[Files/Folders - Created Within 30 Days]
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/03/29 12:48:08 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2009/03/29 12:45:12 | 00,663,992 | ---- | C] ()
DaonolFix.exe -> %UserProfile%\Desktop\DaonolFix.exe -> [2009/03/29 12:07:06 | 00,091,136 | ---- | C] ()
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/03/29 11:51:56 | 52,683,1616 | -HS- | C] ()
32788R22FWJFW -> %SystemDrive%\32788R22FWJFW -> [2009/03/29 11:49:01 | 00,000,000 | ---D | C]
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/03/28 16:16:31 | 02,936,496 | ---- | C] ()
Malwarebytes -> %AppData%\Malwarebytes -> [2009/03/28 08:11:16 | 00,000,000 | ---D | C]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/03/28 08:11:10 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Mal
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked when using google
« Reply #13 on: March 29, 2009, 12:37:16 PM »
Can you do me a favor
Look for the following file on your computer

Let me know what folder it's found in, if you find it
ajlrcmg.beq

You may have to Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

It may be in one of the following folders
C:\WINDOWS\system32 folder
or C:\WINDOWS\system32\drivers folder

Do a Search for it and let me know if it shows up
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline jjccp

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +0/-0
    • View Profile
hijacked when using google
« Reply #14 on: March 29, 2009, 06:07:15 PM »
ajlrcmg.beq was found in C:\WINDOWS
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked when using google
« Reply #15 on: March 29, 2009, 06:17:57 PM »
Can you do the following for me please
go to this link
http://www.virustotal.com/flash/index_en.html
Browse to the file

c:\windows\ajlrcmg.beq
Then use the SEND FILE button
Let it finish scanning
Could you post back the results this scan back here please
Or better yet, just link to the results page
« Last Edit: March 29, 2009, 06:18:34 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline jjccp

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +0/-0
    • View Profile
hijacked when using google
« Reply #16 on: March 29, 2009, 07:19:50 PM »
Here you go:

http://www.virustotal.com/analisis/e8a3728...63ce2f6dcd353a4

or

File ajlrcmg.beq received on 03.30.2009 02:15:43 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/39 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
 Compact Print results  
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
 Email:  
 

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.30 -
AhnLab-V3 5.0.0.2 2009.03.29 -
AntiVir 7.9.0.129 2009.03.29 -
Antiy-AVL 2.0.3.1 2009.03.29 -
Authentium 5.1.2.4 2009.03.29 -
Avast 4.8.1335.0 2009.03.29 -
AVG 8.5.0.285 2009.03.29 -
BitDefender 7.2 2009.03.30 -
CAT-QuickHeal 10.00 2009.03.28 -
ClamAV 0.94.1 2009.03.29 -
Comodo 1089 2009.03.29 -
DrWeb 4.44.0.09170 2009.03.30 -
eSafe 7.0.17.0 2009.03.27 -
eTrust-Vet 31.6.6421 2009.03.27 -
F-Prot 4.4.4.56 2009.03.29 -
F-Secure 8.0.14470.0 2009.03.29 -
Fortinet 3.117.0.0 2009.03.29 -
GData 19 2009.03.30 -
Ikarus T3.1.1.48.0 2009.03.30 -
K7AntiVirus 7.10.684 2009.03.28 -
Kaspersky 7.0.0.125 2009.03.30 -
McAfee 5568 2009.03.29 -
McAfee+Artemis 5568 2009.03.29 -
McAfee-GW-Edition 6.7.6 2009.03.29 -
Microsoft 1.4502 2009.03.29 -
NOD32 3972 2009.03.28 -
Norman 6.00.06 2009.03.27 -
nProtect 2009.1.8.0 2009.03.29 -
Panda 10.0.0.10 2009.03.29 -
PCTools 4.4.2.0 2009.03.29 -
Prevx1 V2 2009.03.30 -
Rising 21.22.62.00 2009.03.29 -
Sophos 4.40.0 2009.03.30 -
Sunbelt 3.2.1858.2 2009.03.29 -
Symantec 1.4.4.12 2009.03.30 -
TheHacker 6.3.3.9.296 2009.03.30 -
TrendMicro 8.700.0.1004 2009.03.28 -
VBA32 3.12.10.1 2009.03.29 -
ViRobot 2009.3.27.1666 2009.03.27 -
Additional information
File size: 406 bytes
MD5...: 82e8f338b3c9d8ab1787d7f2abca5ccd
SHA1..: 5f197c9ea29f86307a2b3cf7683729cc0885b244
SHA256: bd92ef621c4975b87975b564d30432a73485937c0100de12c7e23504e3be4242
SHA512: 57da44624fd7793942561171755ed61ad378a188bce62ae8e1bd7db9c8b3118b
7f79a4ee03c40c8c7bfac7906cbccbb9d7993ea448dbca1f02060936c35f275f
ssdeep: 12:9+o+GJ8ieAkqCu3xml75v1DYM0x3SMoPJ1y:kGJ8ieAkqClv1DiPYM
 
PEiD..: -
TrID..: File type identification
PrintFox (C64) bitmap (100.0%)
PEInfo: -
RDS...: NSRL Reference Data Set
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked when using google
« Reply #17 on: March 29, 2009, 07:34:46 PM »
Well, let's just move the file to a safe place for now
Can you do the following
Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
Code: [Select]
[Kill Explorer]
[Custom Items]
:files
c:\windows\ajlrcmg.beq
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux2"="wdmaud.drv"
:end
[Empty Temp Folders]
[Start Explorer]
[Reboot]
The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time

I'll need to see that log in a bit, a copy of it can also be found in the OTScanit2 folder on desktop

Can you next do the following:
Ensure your AntiVirus software is disable
Delete your Copy of ComboFix

Redownload a fresh copy from one of the links
[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#0000FF\"]Link 3[/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

Don't try and run it yet
Instead, go to START>>RUN>>copy/paste the next command below in RED to the open field
Then click OK

[color=\"#FF0000\"]“%userprofile%\desktop\ComboFix.exe” /KillAll[/color]

Let's see if ComboFix will now run, if it will, follow the instructions earlier to run it properly
Post back all the following

1. Post the log from OTScanit2
2. Post the log from Combofix >>C:\ComboFix.txt
« Last Edit: March 29, 2009, 07:35:40 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline jjccp

  • Jr. Member
  • **
  • Posts: 72
  • Karma: +0/-0
    • View Profile
hijacked when using google
« Reply #18 on: March 30, 2009, 10:29:52 AM »
Pasting the code into OTScanIt2 went ok and that log is posted below

Deleted and redownloaded a fresh copy of ComboFix. When I pasted the command in RED into Start>>Run, I received the followint error message:

“C:\Documents

Windows Cannot find “C:\Documents’. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

I've typed the error message exactly. I'm seeing the odd quotation marks and wondering if that's a problem.

Here's the OTScanIt2 log:

Process Explorer.EXE killed successfully!
[Custom Items]
========== FILES ==========
c:\windows\ajlrcmg.beq moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\\"aux2"|"wdmaud.drv" /E : value set successfully!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3a4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.9.1 fix logfile created on 03302009_111004

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_3a4.dat not found!

Registry entries deleted on Reboot...
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
hijacked when using google
« Reply #19 on: March 30, 2009, 09:14:48 PM »
Can you ensure me that you are saving ComboFix DIRECTLY on your desktop
It cannot be saved anywhere else but ONLY your desktop
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1] 2 3
« previous next »