Hijacked Google search provider


Hello,

Our PC was infected with the Windows Security Suite and appears to have been removed with the free version of your utility. Like others, the Google search is still being redirected to gala. I've included the 2 logs below. The MBAM log is from a subsequent run after the Windows Security Suite was removed (the post was too large with the log from the cleansing run of MBAM). I also wanted to note that during the run of HijackThis, I received a message that the program could not write to the hosts file and that I should edit the file via Notepad. I also received a message that the hosts file was unusually large and that I should just delete it versus trying to clean it up. Along with the disclaimer that you should know what you are doing when editing a hosts file, I did nothing because not knowing what I'm doing is pretty common with today's PCs and software. I appreciate any and all help.

MBAM log

Malwarebytes' Anti-Malware 1.41

Database version: 3099

Windows 5.1.2600 Service Pack 3

11/4/2009 3:27:06 PM

mbam-log-2009-11-04 (15-27-06).txt

Scan type: Quick Scan

Objects scanned: 135871

Time elapsed: 8 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:05:11 PM, on 11/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lenovo\FanSpeedControl\LenovoFSC.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe

C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\DPMTray.exe

C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe

C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\a la mode\Sched\eSched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Lenovo\Client Security Solution\password_manager.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

c:\PROGRA~1\mcafee\msc\mcupdui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

O1 - Hosts: 88.198.198.204 google.ae

O1 - Hosts: 88.198.198.204 google.as

O1 - Hosts: 88.198.198.204 google.at

O1 - Hosts: 88.198.198.204 google.az

O1 - Hosts: 88.198.198.204 google.ba

O1 - Hosts: 88.198.198.204 google.be

O1 - Hosts: 88.198.198.204 google.bg

O1 - Hosts: 88.198.198.204 google.bs

O1 - Hosts: 88.198.198.204 google.ca

O1 - Hosts: 88.198.198.204 google.cd

O1 - Hosts: 88.198.198.204 google.com.gh

O1 - Hosts: 88.198.198.204 google.com.hk

O1 - Hosts: 88.198.198.204 google.com.jm

O1 - Hosts: 88.198.198.204 google.com.mx

O1 - Hosts: 88.198.198.204 google.com.my

O1 - Hosts: 88.198.198.204 google.com.na

O1 - Hosts: 88.198.198.204 google.com.nf

O1 - Hosts: 88.198.198.204 google.com.ng

O1 - Hosts: 88.198.198.204 google.ch

O1 - Hosts: 88.198.198.204 google.com.np

O1 - Hosts: 88.198.198.204 google.com.pr

O1 - Hosts: 88.198.198.204 google.com.qa

O1 - Hosts: 88.198.198.204 google.com.sg

O1 - Hosts: 88.198.198.204 google.com.tj

O1 - Hosts: 88.198.198.204 google.com.tw

O1 - Hosts: 88.198.198.204 google.dj

O1 - Hosts: 88.198.198.204 google.de

O1 - Hosts: 88.198.198.204 google.dk

O1 - Hosts: 88.198.198.204 google.dm

O1 - Hosts: 88.198.198.204 google.ee

O1 - Hosts: 88.198.198.204 google.fi

O1 - Hosts: 88.198.198.204 google.fm

O1 - Hosts: 88.198.198.204 google.fr

O1 - Hosts: 88.198.198.204 google.ge

O1 - Hosts: 88.198.198.204 google.gg

O1 - Hosts: 88.198.198.204 google.gm

O1 - Hosts: 88.198.198.204 google.gr

O1 - Hosts: 88.198.198.204 google.ht

O1 - Hosts: 88.198.198.204 google.ie

O1 - Hosts: 88.198.198.204 google.im

O1 - Hosts: 88.198.198.204 google.in

O1 - Hosts: 88.198.198.204 google.it

O1 - Hosts: 88.198.198.204 google.ki

O1 - Hosts: 88.198.198.204 google.la

O1 - Hosts: 88.198.198.204 google.li

O1 - Hosts: 88.198.198.204 google.lv

O1 - Hosts: 88.198.198.204 google.ma

O1 - Hosts: 88.198.198.204 google.ms

O1 - Hosts: 88.198.198.204 google.mu

O1 - Hosts: 88.198.198.204 google.mw

O1 - Hosts: 88.198.198.204 google.nl

O1 - Hosts: 88.198.198.204 google.no

O1 - Hosts: 88.198.198.204 google.nr

O1 - Hosts: 88.198.198.204 google.nu

O1 - Hosts: 88.198.198.204 google.pl

O1 - Hosts: 88.198.198.204 google.pn

O1 - Hosts: 88.198.198.204 google.pt

O1 - Hosts: 88.198.198.204 google.ro

O1 - Hosts: 88.198.198.204 google.ru

O1 - Hosts: 88.198.198.204 google.rw

O1 - Hosts: 88.198.198.204 google.sc

O1 - Hosts: 88.198.198.204 google.se

O1 - Hosts: 88.198.198.204 google.sh

O1 - Hosts: 88.198.198.204 google.si

O1 - Hosts: 88.198.198.204 google.sm

O1 - Hosts: 88.198.198.204 google.sn

O1 - Hosts: 88.198.198.204 google.st

O1 - Hosts: 88.198.198.204 google.tl

O1 - Hosts: 88.198.198.204 google.tm

O1 - Hosts: 88.198.198.204 google.tt

O1 - Hosts: 88.198.198.204 google.us

O1 - Hosts: 88.198.198.204 google.vu

O1 - Hosts: 88.198.198.204 google.ws

O1 - Hosts: 88.198.198.204 google.co.ck

O1 - Hosts: 88.198.198.204 google.co.id

O1 - Hosts: 88.198.198.204 google.co.il

O1 - Hosts: 88.198.198.204 google.co.in

O1 - Hosts: 88.198.198.204 google.co.jp

O1 - Hosts: 88.198.198.204 google.co.kr

O1 - Hosts: 88.198.198.204 google.co.ls

O1 - Hosts: 88.198.198.204 google.co.ma

O1 - Hosts: 88.198.198.204 google.co.nz

O1 - Hosts: 88.198.198.204 google.co.tz

O1 - Hosts: 88.198.198.204 google.co.ug

O1 - Hosts: 88.198.198.204 google.co.uk

O1 - Hosts: 88.198.198.204 google.co.za

O1 - Hosts: 88.198.198.204 google.co.zm

O1 - Hosts: 88.198.198.204 google.com

O1 - Hosts: 88.198.198.204 google.com.af

O1 - Hosts: 88.198.198.204 google.com.ag

O1 - Hosts: 88.198.198.204 google.com.ar

O1 - Hosts: 88.198.198.204 google.com.au

O1 - Hosts: 88.198.198.204 google.com.bn

O1 - Hosts: 88.198.198.204 google.com.br

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [LenovoFSC] C:\Program Files\Lenovo\FanSpeedControl\LenovoFSC.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [PWRAGD] C:\PROGRA~1\ThinkPad\UTILIT~1\DPMHost.exe

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe

O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start

O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent

O4 - HKLM\..\Run: [XeroxRegistation] "C:\DOCUME~1\Di\LOCALS~1\Temp\Xerox\EReg\EReg.exe" /Startup

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: Web-Based Email Tools - http://email03.secureserver.net/Download.CAB

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O23 - Service: McAfee Application Installer Cleanup (0050171257357099) (0050171257357099mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Di\LOCALS~1\Temp\005017~1.EXE

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QuickBooksDB19 - Intuit, Inc. - C:\Intuit\QUICKB~1\QBDBMgrN.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--

End of file - 16652 bytes

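The O1 - Hosts lines in the HijackThis log above are the redirect itself: every google.* name is pinned to 88.198.198.204 and the rogue payment domains to 74.125.45.100. As an added example (not part of the original post, nor code from HijackThis or Malwarebytes), the Python below parses such lines, or a raw hosts file, groups names by the address they are pinned to, and flags both patterns; the watched-name pattern and the five-host threshold are my own choices, and the sample lines are constructed from the log.

```python
"""Flag hosts-file hijacks of the kind shown in the HijackThis log.

Added example, not from the thread or from HijackThis. It accepts either raw
hosts-file lines or HijackThis 'O1 - Hosts:' lines (any other log line is
ignored), groups hostnames by the address they are pinned to, and reports:

  * a single routable address that absorbs many hostnames (a catch-all
    redirect sink), and
  * search-engine hostnames pinned to any address at all, which a legitimate
    hosts file never needs.

Ad-blocking hosts files map thousands of names to 127.0.0.1 or 0.0.0.0, so
loopback and unspecified addresses are deliberately never treated as sinks.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed pattern: hostnames a legitimate hosts file has no reason to pin.
WATCHED = re.compile(r"(^|\.)(google|bing|yahoo)\.", re.IGNORECASE)
# Assumed threshold: distinct hostnames on one routable address before it is a sink.
SINK_THRESHOLD = 5

_O1_PREFIX = re.compile(r"^O1 - Hosts:\s*", re.IGNORECASE)


def parse_hosts_lines(lines):
    """Yield (ip, hostname) pairs from hosts-file or HijackThis O1 lines."""
    for raw in lines:
        line = _O1_PREFIX.sub("", raw.strip())
        line = line.split("#", 1)[0].strip()  # drop hosts-file comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: not a hosts entry, skip
        for host in parts[1:]:
            yield str(ip), host.lower().rstrip(".")


def analyse_hosts(lines):
    """Return a report with sink addresses and watched-name redirects."""
    by_ip = defaultdict(set)
    watched_hits = []
    for ip, host in parse_hosts_lines(lines):
        by_ip[ip].add(host)
        if WATCHED.search(host):
            watched_hits.append((host, ip))
    sinks = {}
    for ip, hosts in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # blocklist-style entries, not a redirect
        if len(hosts) >= SINK_THRESHOLD:
            sinks[ip] = sorted(hosts)
    return {
        "sink_addresses": sinks,
        "watched_redirects": sorted(watched_hits),
        "is_suspicious": bool(sinks or watched_hits),
    }


# Constructed sample: one normal entry plus O1 lines taken from the log above.
SAMPLE_O1_LINES = [
    "127.0.0.1 localhost",
    "O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com",
    "O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com",
    "O1 - Hosts: 74.125.45.100 secure-plus-payments.com",
    "O1 - Hosts: 88.198.198.204 google.com",
    "O1 - Hosts: 88.198.198.204 google.co.uk",
    "O1 - Hosts: 88.198.198.204 google.de",
    "O1 - Hosts: 88.198.198.204 google.fr",
    "O1 - Hosts: 88.198.198.204 google.ca",
]

# Constructed sample of a benign ad-blocking hosts file, which must not alert.
SAMPLE_BLOCKLIST = ["127.0.0.1 localhost"] + [
    f"0.0.0.0 ads{i}.example.invalid" for i in range(8)
]

if __name__ == "__main__":
    report = analyse_hosts(SAMPLE_O1_LINES)
    for ip, hosts in report["sink_addresses"].items():
        print(f"sink {ip}: {len(hosts)} hostnames, e.g. {hosts[:3]}")
    for host, ip in report["watched_redirects"]:
        print(f"watched name pinned: {host} -> {ip}")
```

Feeding the whole saved HijackThis log to analyse_hosts works as-is, because lines that do not start with an address are skipped.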

Hello and welcome to Malwarebytes!

My name is Perplexus and I will be helping you fix your computer problem.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate, so stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Before we proceed to clean your computer from malware there are some points you should consider that will make the process go smoother:

  • Before beginning the fix, read this post completely. If there's anything that you do not understand, please ask your questions before proceeding as you may temporarily be disconnected from the internet. No question is considered dumb here. It's better to be safe than sorry!
  • Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
  • It is IMPORTANT that you do not miss a step & perform everything in the correct order/sequence.
  • Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested, as it can be very dangerous and cause harm to your system.
  • When posting logs, please ensure Wordwrap is turned off in Notepad (to check, open Notepad, in the menubar click on Format and make sure that Word Wrap is unchecked).

---------------------------------------------------------------------------------------------

------------------

Step 1:

------------------

Download the HostsXpert 4.2 - Hosts File Manager.

  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

------------------

Step 2:

------------------

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    [screenshot: RC1.png]
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [screenshot: cfRC_screen_2.png]
    Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Hello Perplexus, I appreciate your time and assistance.

Following your instructions, I unzipped HostsXpert to the hard drive and proceeded to run the application.

Didn't need to click on File Handling, that was where the program opened

Received a warning - Your hosts file is marked as a "system file" and can not be manipulated. Press OK to remove system file attributes, CANCEL to quit. HostsXpert will not reset the attributes.

Clicked on OK

Received a warning - Your hosts file is marked as a "hidden file" and can not be manipulated. Press OK to remove the hidden file attributes, CANCEL to quit. HostsXpert will not reset the attributes.

Clicked OK

The contents of the hosts file was displayed.

Clicked on Restore MS Hosts File

Received Confirmation

Clicked on OK

Received Error - Cannot create file C:\windows\system32\driver\ETC\hosts

Clicked on OK

HostsXpert program closed

I believe I followed your instructions, so far, to a T. Did I miss something?

Also, how can I tell if I used a custom hosts file? Obviously, I haven't customized anything.


Moved on to the ComboFix ...

After installing ComboFix to the desktop, disabling McAfee and running the program, I received the following warning:

ComboFix has detected the following real time scanner(s) to be active: Antivirus: Windows Enterprise Suite

Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage. Please disable these scanners before clicking OK.

Windows Enterprise Suite is the malware I'm trying to remove .... correct?

So, I clicked on OK without the means of disabling this process and received the following warning:

Antivirus: Windows Enterprise Suite

The above real time scanner(s) are still active but ComboFix shall continue to run. Kindly note that this is at your own risk.

Clicked OK (didn't really think I had a choice)

The ComboFix log follows

ComboFix 09-11-05.05 - Di 11/06/2009 9:04.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2324 [GMT -5:00]

Running from: c:\documents and settings\Di\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Windows Enterprise Suite *On-access scanning enabled* (Updated) {B34FCF14-68EF-4AE0-BFF4-9287CCA76CD9}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FW: Windows Enterprise Suite *enabled* {AA47C571-755B-4924-AC5B-07F016289E93}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-720729663-3674832510-483646340-500

c:\windows\system32\AutoRun.inf

.

((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))

.

2009-11-06 13:40 . 2009-11-06 13:40 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore

2009-11-06 13:36 . 2009-11-06 13:36 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll

2009-11-06 13:36 . 2009-11-06 13:36 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll

2009-11-06 13:36 . 2009-11-06 13:36 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll

2009-11-06 13:36 . 2009-11-06 13:36 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll

2009-11-06 13:36 . 2009-11-06 13:36 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe

2009-11-06 13:36 . 2009-11-06 13:36 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll

2009-11-06 13:36 . 2009-11-06 13:36 205576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe

2009-11-06 13:36 . 2009-11-06 13:36 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll

2009-11-06 13:36 . 2009-11-06 13:36 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll

2009-11-06 13:36 . 2009-11-06 13:36 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll

2009-11-06 13:36 . 2009-11-06 13:36 1085704 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe

2009-11-05 18:48 . 2009-11-05 18:49 -------- d-----w- C:\HostsXpert 4.2 - Hosts File Manager

2009-11-05 18:26 . 2009-11-05 18:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-11-04 18:41 . 2009-11-04 18:41 -------- d-----w- c:\program files\Trend Micro

2009-11-04 17:58 . 2009-11-04 17:58 -------- d-----w- c:\documents and settings\QBDataServiceUser19\Application Data\SACore

2009-11-04 17:54 . 2009-11-04 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-11-04 17:51 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-11-04 17:51 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-11-04 17:51 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-11-04 17:51 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2009-11-04 17:51 . 2009-11-04 17:51 -------- d-----w- c:\program files\Common Files\McAfee

2009-11-04 17:51 . 2009-11-04 17:51 -------- d-----w- c:\program files\McAfee.com

2009-11-04 17:50 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-11-04 17:39 . 2009-11-04 17:39 -------- d-----w- c:\documents and settings\Di\Application Data\Malwarebytes

2009-11-04 17:39 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-04 17:39 . 2009-11-04 17:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-04 17:39 . 2009-11-04 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-04 17:39 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-04 16:41 . 2009-11-06 13:32 -------- d-----w- c:\program files\McAfee

2009-11-04 15:41 . 2009-11-04 15:41 -------- d-sh--w- c:\documents and settings\All Users\Application Data\914fd87

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-04 17:55 . 2009-08-27 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-10-12 18:10 . 2009-08-30 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\alamode

2009-10-08 16:56 . 2009-09-12 14:26 2322 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2009-10-01 19:09 . 2009-10-01 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd

2009-10-01 19:01 . 2009-10-01 19:00 -------- d-----w- c:\program files\Common Files\Logishrd

2009-10-01 19:01 . 2009-08-28 22:24 -------- d-----w- c:\program files\Common Files\Logitech

2009-10-01 19:00 . 2009-10-01 19:00 10134 ----a-r- c:\documents and settings\Di\Application Data\Microsoft\Installer\{3101CB58-3482-4D21-AF1A-7057FC935355}\ARPPRODUCTICON.exe

2009-10-01 19:00 . 2009-08-13 14:48 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-22 22:39 . 2009-08-13 14:53 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-16 15:22 . 2009-01-09 17:03 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-09-14 19:44 . 2009-09-14 19:38 -------- d-----w- c:\documents and settings\Di\Application Data\Apple Computer

2009-09-14 19:38 . 2009-09-14 19:37 -------- d-----w- c:\program files\iTunes

2009-09-14 19:38 . 2009-09-14 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-09-14 19:37 . 2009-09-14 19:37 -------- d-----w- c:\program files\iPod

2009-09-14 19:37 . 2009-09-14 19:35 -------- d-----w- c:\program files\Common Files\Apple

2009-09-14 19:37 . 2009-09-14 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-09-14 19:37 . 2009-09-14 19:37 -------- d-----w- c:\program files\Bonjour

2009-09-14 19:36 . 2009-09-14 19:36 -------- d-----w- c:\program files\QuickTime

2009-09-14 19:35 . 2009-09-14 19:35 -------- d-----w- c:\program files\Apple Software Update

2009-09-14 19:35 . 2009-09-14 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-09-14 17:45 . 2009-09-14 17:45 34056 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll

2009-09-14 17:45 . 2009-09-14 17:45 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll

2009-09-14 17:45 . 2009-09-14 17:45 850736 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll

2009-09-14 17:45 . 2009-09-14 17:45 2151728 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll

2009-09-14 17:39 . 2009-09-14 17:39 869640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe

2009-09-14 17:39 . 2009-09-14 17:39 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcp71.dll

2009-09-14 17:39 . 2009-09-14 17:39 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcr71.dll

2009-09-12 14:17 . 2009-09-12 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 10

2009-09-12 14:07 . 2009-09-12 14:07 -------- d-----w- c:\program files\Common Files\supportsoft

2009-09-12 14:07 . 2009-08-13 15:09 91896 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-12 14:04 . 2009-09-12 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit

2009-09-12 14:02 . 2009-09-12 13:59 -------- d-----w- c:\program files\Common Files\Intuit

2009-09-12 13:52 . 2009-09-12 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES

2009-09-10 21:49 . 2009-08-13 15:12 -------- d-----w- c:\program files\Microsoft Small Business

2009-09-10 21:48 . 2009-08-13 15:07 -------- d-----w- c:\program files\Microsoft.NET

2009-09-10 21:47 . 2009-08-13 15:10 -------- d-----w- c:\program files\Microsoft SQL Server

2009-09-10 21:07 . 2009-08-13 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-10 21:06 . 2009-09-10 21:06 -------- d-----w- c:\program files\Microsoft Works

2009-09-10 20:01 . 2009-08-13 14:57 -------- d-----w- c:\program files\Java

2009-09-10 20:00 . 2009-09-10 20:00 152576 ----a-w- c:\documents and settings\Di\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-09-10 18:54 . 2009-08-29 00:03 -------- d-----w- c:\program files\a la mode

2009-09-09 21:34 . 2009-09-09 21:34 -------- d-----w- c:\documents and settings\Di\Application Data\Windows Search

2009-09-09 19:52 . 2009-09-09 19:52 -------- d-----w- c:\documents and settings\Di\Application Data\Windows Desktop Search

2009-09-09 19:52 . 2009-09-09 19:52 -------- d-----w- c:\program files\Windows Desktop Search

2009-09-09 01:43 . 2009-09-09 01:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe

2009-08-31 18:25 . 2009-08-31 18:25 1886320 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\ALAMODE.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM120.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM112.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM105.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM100.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM09B.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM090.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM080.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\ADATA095.fot

2009-08-27 02:12 . 2009-08-27 02:12 125 ----a-w- c:\documents and settings\Di\Local Settings\Application Data\fusioncache.dat

2009-08-13 15:09 . 2009-09-12 14:11 83904 ----a-w- c:\documents and settings\QBDataServiceUser19\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-13 15:09 . 2009-08-26 22:21 83904 ----a-w- c:\documents and settings\Di\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-13 15:01 . 2009-08-13 15:01 33536 ----a-w- c:\windows\system32\drivers\tvtfilter.sys

2009-08-13 15:01 . 2009-08-13 15:01 7012 ----a-w- c:\windows\system32\drivers\pmemnt.sys

2009-08-13 14:55 . 2009-09-12 14:11 10134 ----a-r- c:\documents and settings\QBDataServiceUser19\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe

2009-08-13 14:55 . 2009-08-26 22:21 10134 ----a-r- c:\documents and settings\Di\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe

2009-08-13 14:55 . 2009-08-26 22:20 10134 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe

2009-08-13 14:55 . 2009-08-13 14:55 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe

2009-08-13 14:48 . 2009-08-13 14:48 319488 ----a-w- c:\windows\HideWin.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LenovoFSC"="c:\program files\Lenovo\FanSpeedControl\LenovoFSC.exe" [2008-09-26 40960]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-04-23 393216]

"PWRAGD"="c:\progra~1\ThinkPad\UTILIT~1\DPMHost.exe" [2009-04-24 72256]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-11-24 487424]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-08 165208]

"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-08 124248]

"RoxioDragToDisc"="c:\program files\Lenovo\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 1116920]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-14 3073336]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-12 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-12 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-12 141336]

"The Assistant"="c:\program files\a la mode\Sched\eSched.exe" [2007-04-16 99840]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-09 16851968]

"Alcmtr"="ALCMTR.EXE" - c:\windows\ALCMTR.EXE [2008-06-19 57344]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-1 805392]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-7-16 984352]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]

"Debugger"=svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\brastk.exe]

"Debugger"=svchost.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft SQL Server\\MSSQL$ALAMODE\\Binn\\sqlservr.exe"=

"c:\\Program Files\\a la mode\\Sched\\eSched.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 7:50 PM 46144]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/4/2009 11:43 AM 210216]

R2 MSSQL$ALAMODE;MSSQL$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe [5/3/2005 11:04 PM 9150464]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/13/2009 9:51 AM 64064]

R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [11/24/2008 5:34 PM 520192]

R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 7:50 PM 360448]

R3 QuickBooksDB19;QuickBooksDB19;c:\intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

R3 SuperIO;Lenovo ASD HWM Driver;c:\windows\system32\drivers\spio.sys [3/6/2008 4:33 PM 5760]

R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [11/19/2008 8:46 PM 37184]

S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 10:15 AM 1120752]

S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE [5/3/2005 8:42 PM 323584]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*NewlyCreated* - MCODS

*NewlyCreated* - PROCEXP113

*Deregistered* - mbr

*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2009-11-04 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-04 17:22]

2009-11-04 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-04 17:22]

2009-08-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]

2009-08-13 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-08-13 09:28]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn

mDefault_Page_URL = hxxp://lenovo.live.com

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

DPF: Web-Based Email Tools - hxxp://email03.secureserver.net/Download.CAB

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-XeroxRegistation - c:\docume~1\Di\LOCALS~1\Temp\Xerox\EReg\EReg.exe

HKLM-Run-<NO NAME> - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-06 09:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

.

Completion time: 2009-11-06 9:10

ComboFix-quarantined-files.txt 2009-11-06 14:10

Pre-Run: 222,690,254,848 bytes free

Post-Run: 222,925,139,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5389CC2607AF13F535FC89790759E428

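The "Reg Loading Points" section of the ComboFix log above carries the entries a responder keys on: two Image File Execution Options "Debugger" values pointing at svchost.exe (one on the brastk.exe subkey, one on the IFEO root key), Security Center monitoring switched off, and the standard-profile firewall set to 0. What follows is an added Python example, not ComboFix code and not from any post in this thread, that parses that REGEDIT4-style section and flags such entries. The sample input is constructed from the log lines shown above; the severity labels and the `scan_log` helper are this example's own.

```python
"""Flag suspicious entries in the 'Reg Loading Points' section of a ComboFix log.

Assumed input format: the REGEDIT4-style dump ComboFix prints, i.e. '[key]'
header lines followed by '"name"=value' lines (trailing '[date size]' kept).
"""
import re
from dataclasses import dataclass


@dataclass
class RegEntry:
    key: str
    name: str
    value: str


HEADER_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')


def parse_reg_loading_points(text):
    """Return a RegEntry for every '"name"=value' line under a [key] header."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append(RegEntry(key, m.group('name'), m.group('value').strip()))
    return entries


def find_suspicious(entries):
    """Return (severity, reason, entry) tuples for entries worth a responder's review."""
    findings = []
    for e in entries:
        k, n, v = e.key.lower(), e.name.lower(), e.value.lower()
        last = e.key.rstrip('\\').rsplit('\\', 1)[-1]
        if 'image file execution options' in k and n == 'debugger':
            # IFEO\<image>\Debugger makes Windows start the named debugger in place
            # of the image. Legitimate values name a real debugger (ntsd, windbg);
            # svchost.exe here means the target simply never runs.
            if last.lower().endswith('.exe'):
                reason = f'IFEO Debugger set for {last}: Windows runs {e.value} instead of it'
            else:
                reason = f'IFEO Debugger value on the IFEO root key ({e.value}); not something legitimate software sets'
            findings.append(('high', reason, e))
        elif 'security center' in k and n == 'disablemonitoring' and v == 'dword:00000001':
            # Normal when a third-party suite registers its own monitoring with
            # Security Center (McAfee is installed on this machine); confirm otherwise.
            findings.append(('review', f'Security Center monitoring disabled for {last}', e))
        elif 'firewallpolicy' in k and n == 'enablefirewall' and v.startswith('0'):
            findings.append(('high', f'Windows Firewall disabled for {last}', e))
        elif k.endswith('\\run') and '\\temp\\' in v:
            # Autoruns launched from a Temp folder are rarely legitimate.
            findings.append(('review', f'Run entry launches from a Temp folder: {e.name}', e))
    return findings


def scan_log(text):
    """Convenience wrapper: parse a log section and return its findings."""
    return find_suspicious(parse_reg_loading_points(text))


# Constructed sample, copied from the registry lines in the ComboFix log above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]
"Debugger"=svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\brastk.exe]
"Debugger"=svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == '__main__':
    for severity, reason, entry in scan_log(SAMPLE_LOG):
        print(f'[{severity}] {reason}\n    {entry.key}')
```

Run against the full REGEDIT4 block of a log, the script reports the three hijack-style entries as high and the McAfee monitoring entry as review; removing the IFEO values is what lets the blocked executable (and the Security Center notifications MBAM already restored in the first post) behave normally again.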

Let's take a closer look. Are you still being redirected?

------------------

Step 1:

------------------

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Note: It is a good idea to run TFC to clear out all your temp files every now and again. This helps to keep your computer running more efficiently. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

------------------

Step 2:

------------------

Download RootRepeal from one of the following locations:

Unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running.

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post

------------------

Step 3:

------------------

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

------------------

Step 4:

------------------

Please post back with the following:

  • How your machine is running
  • RootRepeal.txt
  • OTL.txt
  • Extras.txt

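The OTL custom-scan lines in Step 3 (`eventlog.dll /s /md5`, `atapi.sys /s /md5` and so on) ask OTL to find every copy of those system files on the drive and hash each one, so that a patched copy in its live location can be told apart from the clean copy in the dllcache. The Python below is an added example written for this thread, not OTL's code and not from any post here; it implements that check generically and runs against a constructed stand-in directory tree (`build_demo_tree`) rather than a real system drive.

```python
"""Hash every copy of a set of system file names under a root and report the
names whose copies disagree, the comparison the OTL '<name> /s /md5' lines ask for.
"""
import hashlib
import os
import tempfile


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large drivers do not load into memory at once."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def hash_named_files(root, names):
    """Walk root recursively; return {name: [(path, md5), ...]} for matching file names."""
    wanted = {n.lower() for n in names}
    found = {n: [] for n in wanted}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                found[fn.lower()].append((p, md5_of(p)))
    return found


def copies_that_disagree(found):
    """Names whose copies do not all share one hash. A driver that was patched
    in place in the drivers folder, next to an untouched dllcache copy, lands here."""
    return {name: copies for name, copies in found.items()
            if len({h for _, h in copies}) > 1}


def build_demo_tree():
    """Constructed stand-in for a system drive: two identical copies of
    eventlog.dll and an atapi.sys whose live copy differs from its cache copy."""
    root = tempfile.mkdtemp(prefix='fakedrive_')
    layout = {
        r'WINDOWS\system32\eventlog.dll': b'EVENTLOG-ORIGINAL',
        r'WINDOWS\system32\dllcache\eventlog.dll': b'EVENTLOG-ORIGINAL',
        r'WINDOWS\system32\drivers\atapi.sys': b'ATAPI-ORIGINAL-PLUS-INJECTED-BYTES',
        r'WINDOWS\system32\dllcache\atapi.sys': b'ATAPI-ORIGINAL',
    }
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split('\\'))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'wb') as f:
            f.write(data)
    return root


def demo():
    """Run the check over the constructed tree; returns the disagreeing names."""
    root = build_demo_tree()
    found = hash_named_files(root, ['eventlog.dll', 'atapi.sys', 'scecli.dll'])
    return copies_that_disagree(found)


if __name__ == '__main__':
    for name, copies in demo().items():
        print(name)
        for path, digest in copies:
            print(f'    {digest}  {path}')
```

On a real machine the root would be the system drive and the names the list from Step 3; a name with two copies and two different hashes is the lead worth chasing, while a name with a single copy and no reference hash tells you nothing on its own, which is why the helper asks for the full OTL output rather than one hash.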

The system appears to have ended any redirects of Google searches to the GALA search engine. Also, I noticed (prior to your help on this matter) that IE was running very slow. Now, it appears to run normally.

However, I am now a little concerned over the hosts file and the fact that ComboFix reported seeing the Windows Enterprise Suite as a viable anti-virus program running on this pc.

I have attached the RootRepeal report file; the OTL.txt and Extras.txt files are as follows:

OTL logfile created on: 11/6/2009 5:15:24 PM - Run 1

OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\Di\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 229.48 Gb Total Space | 207.64 Gb Free Space | 90.48% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DIANE

Current User Name: Di

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Di\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)

PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

PRC - C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe ()

PRC - C:\Program Files\ThinkPad\Utilities\SCHTASK.EXE ()

PRC - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe ()

PRC - C:\Program Files\ThinkPad\Utilities\DPMTray.EXE ()

PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()

PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

PRC - C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)

PRC - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe ()

PRC - C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

PRC - c:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\FanSpeedControl\LenovoFSC.exe ()

PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)

PRC - C:\Intuit\QuickBooks 2009\QBDBMgrN.exe (Intuit, Inc.)

PRC - C:\Program Files\Lenovo\Client Security Solution\password_manager.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)

PRC - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited)

PRC - C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)

PRC - C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE (Lenovo Group Limited)

PRC - C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

PRC - C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

PRC - C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc.)

PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\a la mode\Sched\eSched.exe (a la mode, inc.)

PRC - C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe (Roxio)

PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)

PRC - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Di\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Program Files\McAfee\SiteAdvisor\sahook.dll ()

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll (Microsoft Corporation)

MOD - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll (Lenovo Group Limited)

MOD - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_interface.dll (Lenovo Group Limited)

MOD - C:\Program Files\Logitech\SetPoint\lgscroll.dll (Logitech, Inc.)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\winsta.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\wtsapi32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (SessionLauncher) -- File not found

SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

SRV - (Power Manager DBC Service) -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe ()

SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()

SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

SRV - (TVT Scheduler) -- c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (Lenovo Group Limited)

SRV - (TVT Backup Service) -- C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe (Lenovo Group Limited)

SRV - (TVT Backup Protection Service) -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe ()

SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)

SRV - (SUService) -- c:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited)

SRV - (TVT_UpdateMonitor) -- C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe (Lenovo Group Limited)

SRV - (FontCache3.0.0.0) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)

SRV - (idsvc) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)

SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)

SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)

SRV - (QuickBooksDB19) -- C:\Intuit\QuickBooks 2009\QBDBMgrN.exe (Intuit, Inc.)

SRV - (ThinkVantage Registry Monitor Service) -- c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited)

SRV - (LBTServ) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe (Logitech, Inc.)

SRV - (RoxMediaDB10) -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe (Sonic Solutions)

SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

SRV - (stllssvr) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (MicroVision Development, Inc.)

SRV - (HPSLPSVC) -- C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL (Hewlett-Packard Co.)

SRV - (hpqcxs08) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll (Hewlett-Packard Co.)

SRV - (SQLWriter) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)

SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZIPM12.DLL (Hewlett-Packard)

SRV - (Net Driver HPZ12) -- C:\WINDOWS\system32\HPZINW12.DLL (Hewlett-Packard)

SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)

SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

SRV - (MSSQL$MSSMLBIZ) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)

SRV - (SQLBrowser) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)

SRV - (MSSQLServerADHelper) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)

SRV - (WMConnectCDS) -- C:\Program Files\Windows Media Connect 2\wmccds.exe (Microsoft Corporation)

SRV - (MSSQL$ALAMODE) -- c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe (Microsoft Corporation)

SRV - (SQLAgent$ALAMODE) -- c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE (Microsoft Corporation)

SRV - (UMWdf) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)

DRV - (tvtfilter) -- C:\WINDOWS\system32\drivers\tvtfilter.sys (Lenovo)

DRV - (pmem) -- C:\WINDOWS\system32\drivers\pmemnt.sys (Microsoft Corporation)

DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)

DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (TVTI2C) -- C:\WINDOWS\system32\drivers\tvti2c.sys (Lenovo (United States) Inc.)

DRV - (tvtumon) -- C:\WINDOWS\system32\drivers\tvtumon.sys (Lenovo)

DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)

DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)

DRV - (psadd) -- C:\WINDOWS\system32\drivers\psadd.sys (Lenovo (United States) Inc.)

DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)

DRV - (SuperIO) -- C:\WINDOWS\system32\drivers\spio.sys ()

DRV - (LMouKE) -- C:\WINDOWS\system32\drivers\LMouKE.Sys (Logitech, Inc.)

DRV - (L8042mou) -- C:\WINDOWS\system32\drivers\L8042mou.Sys (Logitech, Inc.)

DRV - (L8042Kbd) -- C:\WINDOWS\system32\drivers\L8042Kbd.sys (Logitech, Inc.)

DRV - (DLADResM) -- C:\WINDOWS\system32\DLA\DLADResM.SYS (Roxio)

DRV - (DLABMFSM) -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS (Roxio)

DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Roxio)

DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Roxio)

DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Roxio)

DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Roxio)

DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Roxio)

DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Roxio)

DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)

DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Roxio)

DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)

DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Roxio)

DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)

DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)

DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)

DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)

DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)

DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)

DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)

DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)

DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)

DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)

DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)

DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)

DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)

DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)

DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)

DRV - (StillCam) -- C:\WINDOWS\system32\drivers\serscan.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/28 08:47:37 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/08/13 09:57:39 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/11/06 08:31:44 | 00,000,000 | ---D | M]

O1 HOSTS File: (6575 bytes) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

O1 - Hosts: 88.198.198.204 google.ae

O1 - Hosts: 88.198.198.204 google.as

O1 - Hosts: 88.198.198.204 google.at

O1 - Hosts: 88.198.198.204 google.az

O1 - Hosts: 88.198.198.204 google.ba

O1 - Hosts: 88.198.198.204 google.be

O1 - Hosts: 88.198.198.204 google.bg

O1 - Hosts: 88.198.198.204 google.bs

O1 - Hosts: 88.198.198.204 google.ca

O1 - Hosts: 88.198.198.204 google.cd

O1 - Hosts: 88.198.198.204 google.com.gh

O1 - Hosts: 88.198.198.204 google.com.hk

O1 - Hosts: 88.198.198.204 google.com.jm

O1 - Hosts: 88.198.198.204 google.com.mx

O1 - Hosts: 88.198.198.204 google.com.my

O1 - Hosts: 88.198.198.204 google.com.na

O1 - Hosts: 88.198.198.204 google.com.nf

O1 - Hosts: 88.198.198.204 google.com.ng

O1 - Hosts: 193 more lines...

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O2 - BHO: (IePasswordManagerHelper Class) - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [cssauth] C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)

O4 - HKLM..\Run: [LenovoFSC] C:\Program Files\Lenovo\FanSpeedControl\LenovoFSC.exe ()

O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)

O4 - HKLM..\Run: [LPMailChecker] C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE (Lenovo Group Limited)

O4 - HKLM..\Run: [LPManager] C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe ()

O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [PWRAGD] C:\Program Files\ThinkPad\Utilities\DPMHost.EXE ()

O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe (Roxio)

O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe (a la mode, inc.)

O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)

O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: Web-Based Email Tools http://email03.secureserver.net/Download.CAB (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.10.1

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll (Logitech, Inc.)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/07/21 17:02:34 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

O35 - comfile [open] -- "%1" %* File not found

O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/07/21 17:02:06 | 00,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: helpsvc - C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2009/11/06 16:21:28 | 00,528,896 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\OTL.exe

[2009/11/06 16:20:36 | 00,000,000 | ---D | C] -- C:\RootRepeal

[2009/11/06 16:18:33 | 00,271,872 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\TFC.exe

[2009/11/06 09:04:03 | 00,000,000 | RHSD | C] -- C:\cmdcons

[2009/11/06 09:03:28 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2009/11/06 09:03:28 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2009/11/06 09:03:28 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2009/11/06 09:03:28 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2009/11/06 09:03:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2009/11/06 09:03:21 | 00,000,000 | ---D | C] -- C:\ComboFix

[2009/11/06 08:57:54 | 00,000,000 | ---D | C] -- C:\Qoobox

[2009/11/05 13:48:04 | 00,000,000 | ---D | C] -- C:\HostsXpert 4.2 - Hosts File Manager

[2009/11/04 13:41:03 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2009/11/04 12:54:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor

[2009/11/04 12:51:54 | 00,040,552 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys

[2009/11/04 12:51:53 | 00,079,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys

[2009/11/04 12:51:53 | 00,035,272 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys

[2009/11/04 12:51:48 | 00,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys

[2009/11/04 12:51:11 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee

[2009/11/04 12:51:09 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com

[2009/11/04 12:50:28 | 00,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys

[2009/11/04 12:39:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Di\Application Data\Malwarebytes

[2009/11/04 12:39:06 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009/11/04 12:39:05 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2009/11/04 12:39:05 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2009/11/04 12:39:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2009/11/04 11:41:29 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee

[2009/11/04 10:41:10 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\914fd87

[2009/08/28 19:02:54 | 00,098,304 | ---- | C] ( ) -- C:\WINDOWS\System32\AutoLicense.dll

[2009/08/28 19:02:54 | 00,045,056 | ---- | C] ( ) -- C:\WINDOWS\System32\AutoPAX.dll

========== Files - Modified Within 30 Days ==========

[2009/11/06 16:25:39 | 00,007,005 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF

[2009/11/06 16:25:32 | 00,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2009/11/06 16:24:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2009/11/06 16:24:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2009/11/06 16:24:44 | 31,847,75168 | -HS- | M] () -- C:\hiberfil.sys

[2009/11/06 16:24:12 | 03,670,016 | -H-- | M] () -- C:\Documents and Settings\Di\NTUSER.DAT

[2009/11/06 16:23:50 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Di\ntuser.ini

[2009/11/06 16:22:00 | 00,000,248 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

[2009/11/06 16:21:32 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\OTL.exe

[2009/11/06 16:20:00 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Di\settings.dat

[2009/11/06 16:18:37 | 00,271,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\TFC.exe

[2009/11/06 15:26:10 | 00,041,538 | ---- | M] () -- C:\WINDOWS\alaredun.ini

[2009/11/06 15:26:10 | 00,002,157 | ---- | M] () -- C:\WINDOWS\alamode.ini

[2009/11/06 10:53:52 | 00,267,264 | ---- | M] () -- C:\WINDOWS\PEV.exe

[2009/11/06 09:08:59 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2009/11/06 09:04:07 | 00,000,281 | RHS- | M] () -- C:\boot.ini

[2009/11/06 08:51:34 | 03,562,655 | R--- | M] () -- C:\Documents and Settings\Di\Desktop\ComboFix.exe

[2009/11/04 13:41:03 | 00,001,741 | ---- | M] () -- C:\Documents and Settings\Di\Desktop\HijackThis.lnk

[2009/11/04 12:54:10 | 00,000,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk

[2009/11/04 12:51:28 | 00,000,334 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job

[2009/11/04 12:51:26 | 00,000,326 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job

[2009/11/04 12:39:08 | 00,000,703 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/11/04 12:20:46 | 00,006,575 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2009/11/04 11:38:20 | 07,475,184 | -H-- | M] () -- C:\Documents and Settings\Di\Local Settings\Application Data\IconCache.db

[2009/11/02 11:34:04 | 00,011,903 | ---- | M] () -- C:\Documents and Settings\Di\My Documents\Appraisal Order procedures.docx

[2009/11/01 08:42:31 | 00,529,940 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2009/11/01 08:42:31 | 00,104,164 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2009/11/01 08:42:30 | 00,646,734 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2009/10/25 06:11:34 | 00,077,312 | ---- | M] () -- C:\WINDOWS\MBR.exe

========== Files Created - No Company Name ==========

[2009/11/06 16:20:00 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Di\settings.dat

[2009/11/06 15:26:09 | 00,041,538 | ---- | C] () -- C:\WINDOWS\alaredun.ini

[2009/11/06 09:04:07 | 00,000,211 | ---- | C] () -- C:\Boot.bak

[2009/11/06 09:04:05 | 00,260,272 | ---- | C] () -- C:\cmldr

[2009/11/06 09:03:28 | 00,267,264 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2009/11/06 09:03:28 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2009/11/06 09:03:28 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2009/11/06 09:03:28 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2009/11/06 09:03:28 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2009/11/06 08:51:31 | 03,562,655 | R--- | C] () -- C:\Documents and Settings\Di\Desktop\ComboFix.exe

[2009/11/04 13:41:03 | 00,001,741 | ---- | C] () -- C:\Documents and Settings\Di\Desktop\HijackThis.lnk

[2009/11/04 12:54:22 | 00,007,005 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF

[2009/11/04 12:54:10 | 00,000,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk

[2009/11/04 12:51:27 | 00,000,334 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job

[2009/11/04 12:51:26 | 00,000,326 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job

[2009/11/04 12:39:08 | 00,000,703 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/11/02 11:34:04 | 00,011,903 | ---- | C] () -- C:\Documents and Settings\Di\My Documents\Appraisal Order procedures.docx

[2009/09/12 08:52:01 | 00,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini

[2009/08/30 11:59:34 | 00,001,397 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2009/08/28 22:13:46 | 00,000,121 | ---- | C] () -- C:\WINDOWS\MercuryWT.ini

[2009/08/28 22:13:46 | 00,000,099 | ---- | C] () -- C:\WINDOWS\Mercury.ini

[2009/08/28 19:03:00 | 00,495,616 | ---- | C] () -- C:\WINDOWS\System32\TX32.dll

[2009/08/28 19:03:00 | 00,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini

[2009/08/28 19:02:59 | 00,327,680 | ---- | C] () -- C:\WINDOWS\System32\SmaRTEng.dll

[2009/08/28 19:02:58 | 00,577,536 | ---- | C] () -- C:\WINDOWS\System32\PAXMeta.dll

[2009/08/28 19:02:58 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\P2kDesk.dll

[2009/08/28 19:02:56 | 00,338,944 | ---- | C] () -- C:\WINDOWS\System32\LFfpx7.dll

[2009/08/28 19:02:56 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\LFKodak.dll

[2009/08/28 19:02:56 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\fmt_jb2.dll

[2009/08/28 19:02:56 | 00,018,944 | ---- | C] () -- C:\WINDOWS\System32\fmt_xcx.dll

[2009/08/28 19:02:56 | 00,011,264 | ---- | C] () -- C:\WINDOWS\System32\fmt_xmf.dll

[2009/08/28 19:02:56 | 00,000,313 | ---- | C] () -- C:\WINDOWS\System32\ic32.ini

[2009/08/28 19:02:55 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\DeskSkt.dll

[2009/08/28 19:02:55 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\DP2kFrms.dll

[2009/08/28 19:02:54 | 00,401,408 | ---- | C] () -- C:\WINDOWS\System32\AXF_AXS.dll

[2009/08/28 19:02:54 | 00,220,160 | ---- | C] () -- C:\WINDOWS\System32\Carcla30.dll

[2009/08/28 19:02:54 | 00,204,864 | ---- | C] () -- C:\WINDOWS\System32\AtxWrap.dll

[2009/08/28 19:02:54 | 00,018,432 | ---- | C] () -- C:\WINDOWS\System32\alavistautils.dll

[2009/08/28 19:02:53 | 01,159,168 | ---- | C] () -- C:\WINDOWS\System32\alaMFC2.dll

[2009/08/28 19:02:53 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\alaMapi.dll

[2009/08/28 19:02:53 | 00,122,880 | ---- | C] () -- C:\WINDOWS\System32\ala32.dll

[2009/08/28 19:02:53 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\alaLaunch2.dll

[2009/08/28 19:02:53 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\alaLaunch.dll

[2009/08/28 19:01:36 | 00,002,157 | ---- | C] () -- C:\WINDOWS\alamode.ini

[2009/08/26 21:12:40 | 00,000,125 | ---- | C] () -- C:\Documents and Settings\Di\Local Settings\Application Data\fusioncache.dat

[2009/08/26 17:21:18 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Di\Application Data\desktop.ini

[2009/08/26 17:21:17 | 07,475,184 | -H-- | C] () -- C:\Documents and Settings\Di\Local Settings\Application Data\IconCache.db

[2009/08/26 17:21:17 | 00,083,904 | ---- | C] () -- C:\Documents and Settings\Di\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2009/08/13 10:13:33 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2009/08/13 09:57:23 | 00,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL

[2009/08/13 09:57:23 | 00,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2009/08/13 09:54:56 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2009/08/13 09:54:56 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2009/08/13 09:54:56 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2009/08/13 09:54:56 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2009/08/13 09:54:56 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2009/08/13 09:54:56 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2008/07/22 10:22:09 | 00,004,670 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2008/07/21 17:50:07 | 00,000,583 | ---- | C] () -- C:\WINDOWS\win.ini

[2008/07/21 17:50:05 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

[2008/07/21 09:55:32 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini

[2008/03/06 16:33:50 | 00,005,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\spio.sys

[2007/09/27 09:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 09:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 09:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont

[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont

[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont

========== LOP Check ==========

[2009/11/04 10:41:29 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\914fd87

[2009/10/12 13:10:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\alamode

[2009/09/12 08:52:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES

[2009/08/26 20:54:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo

[2009/08/13 10:05:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor

[2009/08/13 10:00:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr

[2009/09/12 09:17:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10

[2009/08/13 09:51:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SuperIO

[2009/08/13 09:57:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall

[2009/09/14 14:38:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/08/13 09:59:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\DesktopPwrMgr

[2009/08/13 09:57:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Downloaded Installations

[2009/08/26 20:54:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Lenovo

[2009/09/09 14:52:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Windows Desktop Search

[2009/09/09 16:34:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Windows Search

[2009/11/06 16:22:00 | 00,000,248 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job

[2008/04/14 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini

[2009/11/04 12:51:28 | 00,000,334 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job

[2009/11/04 12:51:26 | 00,000,326 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

[2009/08/13 10:00:41 | 00,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

[2009/08/13 09:51:54 | 00,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

[2009/11/06 16:24:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >

[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll

[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< %SYSTEMDRIVE%\scecli.dll /s /md5 >

[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll

[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >

[2008/04/14 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll

[2008/04/14 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >

[2008/04/14 02:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys

[2008/04/14 02:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >

[2008/04/14 02:06:40 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\AGP440.SYS

[2008/04/14 02:06:40 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\AGP440.SYS

< End of report >

OTL Extras logfile created on: 11/6/2009 5:15:24 PM - Run 1

OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\Di\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 229.48 Gb Total Space | 207.64 Gb Free Space | 90.48% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DIANE

Current User Name: Di

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %* File not found

chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found

cmdfile [open] -- "%1" %* File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

piffile [open] -- "%1" %* File not found

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" = C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe:*:Enabled:Aurora MSDE Database -- (Microsoft Corporation)

"C:\Program Files\a la mode\Sched\eSched.exe" = C:\Program Files\a la mode\Sched\eSched.exe:*:Enabled:a la mode Assistant -- (a la mode, inc.)

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Intuit\QuickBooks 2009\QBDBMgrN.exe" = C:\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager -- (Intuit, Inc.)

"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data

"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService

"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support

"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer

"{1007F41F-7D69-468E-8017-3849A5A973C2}" = ThinkVantage Technologies Welcome Message

"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 15

"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)

"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Drag-to-Disc

"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper

"{324CEC09-007A-48eb-90E0-9D42D4D5EB0A}" = NetDeviceManager

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime

"{44B2E182-DD85-45FC-9F51-326B81D7C7F1}" = Fax

"{44E9D4C2-946C-4378-9354-558803C47A68}" = Client Security - Password Manager

"{4C018129-1793-48D2-B82C-6FA71C96B476}" = Online Data Backup

"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies

"{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Creator Business Edition

"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)

"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service

"{5A847475-157F-45AD-9919-CD40D344B8B1}" = QBFC3.0

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3

"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio

"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com

"{8675339C-128C-44DD-83BF-0A5D6ABD8297}" = System Update

"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components

"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007

"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD

"{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center

"{9A2F0810-3622-4E86-9072-973FBE1679C5}" = QuickBooks Pro 2009

"{9A2F0810-369F-4E86-9072-973FBE1679C5}" = QuickBooks

"{9E3BC634-769E-4847-9530-E22433D13E45}" = FanSpeedControl

"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = ThinkVantage Power Manager

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime

"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser

"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable

"{A5B5DED6-E58F-43FA-BBBC-D64170B32C29}" = XSite Order Manager

"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3

"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan

"{B05B22B8-72AE-4DC3-8D6F-FBC2233CAF41}" = Roxio Creator Business Edition

"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007

"{B334D9AE-1393-423E-97C0-3BDC3360E692}" = Sonic Icons for Lenovo

"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy

"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}" = XP Themes

"{C6876FE6-A314-4628-B0D7-F3EE5E35C4B4}" = Windows Live Toolbar

"{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}" = ThinkVantage Productivity Center

"{D728E945-256D-4477-B377-6BBA693714AC}" = Productivity Center Supplement for ThinkCentre

"{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}" = Wallpapers

"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (ALAMODE)

"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant

"{E5F38322-4271-4855-8619-39C311E3518D}" = XSites Desktop

"{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}" = Message Center

"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox

"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer

"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes

"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module

"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin

"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core

"{EF0D2E55-6FE2-4e35-BE22-A742E85D84E3}" = PS_AIO_02_Software_min

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F151F2B3-0C32-44D3-90E2-E639B8024622}" = Rescue and Recovery

"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager

"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer

"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint

"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client

"{FD331A3B-F7A5-4C31-B8D4-DF413C85AF7A}" = Message Center Plus

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Business Contact Manager for Outlook 2007" = Business Contact Manager for Outlook 2007

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"HDMI" = Intel® Graphics Media Accelerator Driver

"HijackThis" = HijackThis 2.0.2

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"InstallShield_{9E3BC634-769E-4847-9530-E22433D13E45}" = FanSpeedControl

"InstallShield_{A5B5DED6-E58F-43FA-BBBC-D64170B32C29}" = XSite Order Manager

"InstallShield_{E5F38322-4271-4855-8619-39C311E3518D}" = XSites Desktop

"Lenovo Registration" = Lenovo Registration

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Marvell Miniport Driver" = Marvell Miniport Driver

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft SQL Server 2005" = Microsoft SQL Server 2005

"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime

"MSC" = McAfee SecurityCenter

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"PC-Doctor for Windows" = Lenovo System Toolbox

"PDF-XChange 3_is1" = PDF-XChange 3

"PROHYBRIDR" = 2007 Microsoft Office system

"Windows Live Toolbar" = Windows Live Toolbar

"Windows Media Format Runtime" = Windows Media Format Runtime

"Windows Media Player" = Windows Media Player 10

"WMCSetup" = Windows Media Connect

"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 9/16/2009 6:25:55 PM | Computer Name = DIANE | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance

Hand

Error - 9/16/2009 6:25:55 PM | Computer Name = DIANE | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance

Hand

Error - 9/16/2009 6:26:14 PM | Computer Name = DIANE | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks Pro 2009": An attempt

to LogOff without a logo

Error - 9/22/2009 10:37:06 AM | Computer Name = DIANE | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance

Hand

Error - 9/22/2009 10:37:06 AM | Computer Name = DIANE | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance

Hand

Error - 9/22/2009 10:37:06 AM | Computer Name = DIANE | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance

Hand

Error - 9/22/2009 10:37:06 AM | Computer Name = DIANE | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance

Hand

Error - 9/22/2009 10:37:26 AM | Computer Name = DIANE | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks Pro 2009": An attempt

to LogOff without a logo

Error - 9/22/2009 10:55:17 AM | Computer Name = DIANE | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks Pro 2009": Trying to

process a record 35 : Accounts Payable for List Review edlist without actually

being in a write transacti

Error - 9/24/2009 4:47:55 PM | Computer Name = DIANE | Source = Application Hang | ID = 1002

Description = Hanging application Winform.exe, version 1.1.0.307, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

[ System Events ]

Error - 10/15/2009 9:56:22 AM | Computer Name = DIANE | Source = Service Control Manager | ID = 7000

Description = The SessionLauncher service failed to start due to the following error:

%%3

Error - 10/17/2009 2:11:05 PM | Computer Name = DIANE | Source = Service Control Manager | ID = 7000

Description = The SessionLauncher service failed to start due to the following error:

%%3

Error - 10/17/2009 2:12:09 PM | Computer Name = DIANE | Source = Windows Update Agent | ID = 16

Description = Unable to Connect: Windows is unable to connect to the automatic updates

service and therefore cannot download and install updates according to the set

schedule. Windows will continue to try to establish a connection.

Error - 11/1/2009 9:40:40 AM | Computer Name = DIANE | Source = Service Control Manager | ID = 7000

Description = The SessionLauncher service failed to start due to the following error:

%%3

Error - 11/1/2009 9:41:45 AM | Computer Name = DIANE | Source = Windows Update Agent | ID = 16

Description = Unable to Connect: Windows is unable to connect to the automatic updates

service and therefore cannot download and install updates according to the set

schedule. Windows will continue to try to establish a connection.

Error - 11/1/2009 9:52:28 AM | Computer Name = DIANE | Source = Service Control Manager | ID = 7000

Description = The SessionLauncher service failed to start due to the following error:

%%3

Error - 11/1/2009 12:17:42 PM | Computer Name = DIANE | Source = BROWSER | ID = 8032

Description = The browser service has failed to retrieve the backup list too many

times on transport \Device\NetBT_Tcpip_{26AE27C0-55F9-4D41-9D0A-C17D815B9703}. The

backup browser is stopping.

Error - 11/3/2009 11:23:21 AM | Computer Name = DIANE | Source = Service Control Manager | ID = 7000

Description = The SessionLauncher service failed to start due to the following error:

%%3

Error - 11/3/2009 11:24:25 AM | Computer Name = DIANE | Source = Windows Update Agent | ID = 16

Description = Unable to Connect: Windows is unable to connect to the automatic updates

service and therefore cannot download and install updates according to the set

schedule. Windows will continue to try to establish a connection.

Error - 11/4/2009 11:32:24 AM | Computer Name = DIANE | Source = Service Control Manager | ID = 7000

Description = The SessionLauncher service failed to start due to the following error:

%%3

< End of report >

RootRepeal.txt


Ok, everything is looking a lot better. Let's try and take care of the hosts file and clean up some stuff to get rid of Windows Enterprise Suite.

As a side note, I will be out of pocket for the weekend but I will try and check when I can :)

------------------

Step 1:

------------------

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

------------------

Step 2:

------------------

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Enter Safe Mode and do the following:

  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Now reboot the machine as normal.

------------------

Step 3:

------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

SecCenter::
AV: Windows Enterprise Suite *On-access scanning enabled* (Updated) {B34FCF14-68EF-4AE0-BFF4-9287CCA76CD9}
FW: Windows Enterprise Suite *enabled* {AA47C571-755B-4924-AC5B-07F016289E93}

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

------------------

Step 4:

------------------

Rerun OTL and post a fresh OTL.txt log.

------------------

Step 5:

------------------

Please post back with the following:

  • How your machine is running
  • log.txt
  • How HostsXpert did
  • ComboFix.txt
  • OTL.txt

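As an added example (not part of the thread and not code from HostsXpert, OTL or ComboFix), this Python script audits a saved copy of a Windows hosts file for the tampering that Step 2 above is meant to undo: search-engine hostnames pinned to a non-loopback address, security or update sites pinned to loopback, and a file that has grown far beyond the one-line Microsoft default. The sample hosts content and the 192.0.2.10 address are constructed for the example.

```python
"""Audit a Windows hosts file for search-redirect and update-blocking tampering.

Pure text parsing, so it runs on any OS against a copy of the file, and it only
reports; restoring the file is left to the tools the helper recommended.
"""
import ipaddress
import sys

# The stock Windows XP hosts file has exactly one active mapping.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Search/portal domains: a redirect hijack points these at an attacker-run server.
SEARCH_DOMAINS = ("google.com", "bing.com", "yahoo.com", "live.com", "msn.com")

# Vendor/update domains: rogue AV often pins these to loopback so help and updates fail.
PROTECTED_DOMAINS = ("microsoft.com", "windowsupdate.com", "malwarebytes.org",
                     "mcafee.com", "symantec.com", "trendmicro.com")

# Addresses that block a name rather than redirect it (ad-block lists use these too).
SINKHOLE_ADDRESSES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}


def _under(name, domains):
    """True if name is one of the domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in domains)


def parse_hosts(text):
    """Return (ip, hostname) pairs for every active mapping.

    Comments and malformed lines are skipped, as the resolver skips them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def audit_hosts(text, large_threshold=100):
    """Summarise a hosts file into the findings a helper would act on."""
    entries = parse_hosts(text)
    redirects, blocked = [], []
    for ip, name in entries:
        sinkhole = ipaddress.ip_address(ip) in SINKHOLE_ADDRESSES
        if _under(name, SEARCH_DOMAINS) and not sinkhole:
            redirects.append((ip, name))          # search traffic sent elsewhere
        elif _under(name, PROTECTED_DOMAINS) and sinkhole:
            blocked.append((ip, name))            # vendor/update site made unreachable
    return {
        "entry_count": len(entries),
        "is_default": set(entries) == DEFAULT_ENTRIES,
        "unusually_large": len(entries) > large_threshold,
        "redirects": redirects,
        "blocked_security_sites": blocked,
    }


# Constructed sample for this example; not the machine's real hosts file.
SAMPLE_HOSTS = """\
# Constructed sample for this example; not the machine's real hosts file.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # ad-blocking style entry, benign
192.0.2.10      www.google.com          # search domains pinned to a rogue server
192.0.2.10      google.com
192.0.2.10      search.yahoo.com
127.0.0.1       www.malwarebytes.org    # help/update sites pinned to loopback
127.0.0.1       download.microsoft.com
not-an-ip       broken.example          # malformed line, skipped by the resolver
"""

if __name__ == "__main__":
    # Pass a path to audit a saved copy of the hosts file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for key, value in audit_hosts(text).items():
        print(f"{key}: {value}")
```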

The machine appears to be running just fine. No real problems to note. I know the hosts file is a system/hidden file, but can't I set the options for something like windows explorer to see this file? I'm just curious as to whether this file can just be deleted, but I haven't been able to actually see it listed in the folder.

BTW, I hope you had a good weekend!

exeHelper logfile follows ..

exeHelper by Raktor

Build 20091021

Run at 08:50:42 on 11/07/09

Now searching...

Checking for numerical processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

HostsXpert ran the exact same way as before ..

Received a warning - Your hosts file is marked as a "system file" and can not be manipulated. Press OK to remove system file attributes, CANCEL to quit. HostsXpert will not reset the attributes.

Clicked on OK

Received a warning - Your hosts file is marked as a "hidden file" and can not be manipulated. Press OK to remove the hidden file attributes, CANCEL to quit. HostsXpert will not reset the attributes.

Clicked OK

The contents of the hosts file were displayed.

Clicked on Restore MS Hosts File

Received Confirmation

Clicked on OK

Received Error - Cannot create file C:\windows\system32\driver\ETC\hosts

Clicked on OK

HostsXpert program closed

The ComboFix log file follows ..

ComboFix 09-11-07.02 - Di 11/07/2009 22:48.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2297 [GMT -5:00]

Running from: c:\documents and settings\Di\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Di\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))

.

2009-11-06 21:20 . 2009-11-06 21:45 -------- d-----w- C:\RootRepeal

2009-11-06 21:20 . 2009-11-06 21:20 0 ----a-w- c:\documents and settings\Di\settings.dat

2009-11-06 13:40 . 2009-11-06 13:40 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore

2009-11-06 13:36 . 2009-11-06 13:36 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll

2009-11-06 13:36 . 2009-11-06 13:36 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll

2009-11-06 13:36 . 2009-11-06 13:36 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll

2009-11-06 13:36 . 2009-11-06 13:36 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll

2009-11-06 13:36 . 2009-11-06 13:36 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe

2009-11-06 13:36 . 2009-11-06 13:36 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll

2009-11-06 13:36 . 2009-11-06 13:36 205576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe

2009-11-06 13:36 . 2009-11-06 13:36 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll

2009-11-06 13:36 . 2009-11-06 13:36 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll

2009-11-06 13:36 . 2009-11-06 13:36 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll

2009-11-06 13:36 . 2009-11-06 13:36 1085704 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe

2009-11-05 18:48 . 2009-11-05 18:49 -------- d-----w- C:\HostsXpert 4.2 - Hosts File Manager

2009-11-05 18:26 . 2009-11-05 18:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-11-04 18:41 . 2009-11-04 18:41 -------- d-----w- c:\program files\Trend Micro

2009-11-04 17:58 . 2009-11-04 17:58 -------- d-----w- c:\documents and settings\QBDataServiceUser19\Application Data\SACore

2009-11-04 17:54 . 2009-11-04 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-11-04 17:51 . 2009-09-16 15:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-11-04 17:51 . 2009-09-16 15:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-11-04 17:51 . 2009-09-16 15:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-11-04 17:51 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2009-11-04 17:51 . 2009-11-04 17:51 -------- d-----w- c:\program files\Common Files\McAfee

2009-11-04 17:51 . 2009-11-04 17:51 -------- d-----w- c:\program files\McAfee.com

2009-11-04 17:50 . 2009-09-16 15:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-11-04 17:39 . 2009-11-04 17:39 -------- d-----w- c:\documents and settings\Di\Application Data\Malwarebytes

2009-11-04 17:39 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-04 17:39 . 2009-11-04 17:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-04 17:39 . 2009-11-04 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-04 17:39 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-04 16:41 . 2009-11-06 13:32 -------- d-----w- c:\program files\McAfee

2009-11-04 15:41 . 2009-11-04 15:41 -------- d-sh--w- c:\documents and settings\All Users\Application Data\914fd87

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-04 17:55 . 2009-08-27 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-10-12 18:10 . 2009-08-30 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\alamode

2009-10-08 16:56 . 2009-09-12 14:26 2322 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys

2009-10-01 19:09 . 2009-10-01 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd

2009-10-01 19:01 . 2009-10-01 19:00 -------- d-----w- c:\program files\Common Files\Logishrd

2009-10-01 19:01 . 2009-08-28 22:24 -------- d-----w- c:\program files\Common Files\Logitech

2009-10-01 19:00 . 2009-10-01 19:00 10134 ----a-r- c:\documents and settings\Di\Application Data\Microsoft\Installer\{3101CB58-3482-4D21-AF1A-7057FC935355}\ARPPRODUCTICON.exe

2009-10-01 19:00 . 2009-08-13 14:48 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-22 22:39 . 2009-08-13 14:53 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-16 15:22 . 2009-01-09 17:03 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-09-14 19:44 . 2009-09-14 19:38 -------- d-----w- c:\documents and settings\Di\Application Data\Apple Computer

2009-09-14 19:38 . 2009-09-14 19:37 -------- d-----w- c:\program files\iTunes

2009-09-14 19:38 . 2009-09-14 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-09-14 19:37 . 2009-09-14 19:37 -------- d-----w- c:\program files\iPod

2009-09-14 19:37 . 2009-09-14 19:35 -------- d-----w- c:\program files\Common Files\Apple

2009-09-14 19:37 . 2009-09-14 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-09-14 19:37 . 2009-09-14 19:37 -------- d-----w- c:\program files\Bonjour

2009-09-14 19:36 . 2009-09-14 19:36 -------- d-----w- c:\program files\QuickTime

2009-09-14 19:35 . 2009-09-14 19:35 -------- d-----w- c:\program files\Apple Software Update

2009-09-14 19:35 . 2009-09-14 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-09-14 17:45 . 2009-09-14 17:45 34056 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll

2009-09-14 17:45 . 2009-09-14 17:45 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll

2009-09-14 17:45 . 2009-09-14 17:45 850736 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll

2009-09-14 17:45 . 2009-09-14 17:45 2151728 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll

2009-09-14 17:39 . 2009-09-14 17:39 869640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe

2009-09-14 17:39 . 2009-09-14 17:39 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcp71.dll

2009-09-14 17:39 . 2009-09-14 17:39 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\msvcr71.dll

2009-09-12 14:17 . 2009-09-12 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 10

2009-09-12 14:07 . 2009-09-12 14:07 -------- d-----w- c:\program files\Common Files\supportsoft

2009-09-12 14:07 . 2009-08-13 15:09 91896 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-12 14:04 . 2009-09-12 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit

2009-09-12 14:02 . 2009-09-12 13:59 -------- d-----w- c:\program files\Common Files\Intuit

2009-09-12 13:52 . 2009-09-12 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES

2009-09-10 21:49 . 2009-08-13 15:12 -------- d-----w- c:\program files\Microsoft Small Business

2009-09-10 21:48 . 2009-08-13 15:07 -------- d-----w- c:\program files\Microsoft.NET

2009-09-10 21:47 . 2009-08-13 15:10 -------- d-----w- c:\program files\Microsoft SQL Server

2009-09-10 21:07 . 2009-08-13 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-10 21:06 . 2009-09-10 21:06 -------- d-----w- c:\program files\Microsoft Works

2009-09-10 20:01 . 2009-08-13 14:57 -------- d-----w- c:\program files\Java

2009-09-10 20:00 . 2009-09-10 20:00 152576 ----a-w- c:\documents and settings\Di\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-09-10 18:54 . 2009-08-29 00:03 -------- d-----w- c:\program files\a la mode

2009-09-09 21:34 . 2009-09-09 21:34 -------- d-----w- c:\documents and settings\Di\Application Data\Windows Search

2009-09-09 19:52 . 2009-09-09 19:52 -------- d-----w- c:\documents and settings\Di\Application Data\Windows Desktop Search

2009-09-09 19:52 . 2009-09-09 19:52 -------- d-----w- c:\program files\Windows Desktop Search

2009-09-09 01:43 . 2009-09-09 01:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe

2009-08-31 18:25 . 2009-08-31 18:25 1886320 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\ALAMODE.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM120.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM112.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM105.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM100.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM09B.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM090.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\AFORM080.fot

2009-08-29 00:03 . 2009-08-29 00:03 1409 ----a-w- c:\windows\Fonts\ADATA095.fot

2009-08-27 02:12 . 2009-08-27 02:12 125 ----a-w- c:\documents and settings\Di\Local Settings\Application Data\fusioncache.dat

2009-08-13 15:09 . 2009-09-12 14:11 83904 ----a-w- c:\documents and settings\QBDataServiceUser19\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-13 15:09 . 2009-08-26 22:21 83904 ----a-w- c:\documents and settings\Di\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-13 15:01 . 2009-08-13 15:01 33536 ----a-w- c:\windows\system32\drivers\tvtfilter.sys

2009-08-13 15:01 . 2009-08-13 15:01 7012 ----a-w- c:\windows\system32\drivers\pmemnt.sys

2009-08-13 14:55 . 2009-09-12 14:11 10134 ----a-r- c:\documents and settings\QBDataServiceUser19\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe

2009-08-13 14:55 . 2009-08-26 22:21 10134 ----a-r- c:\documents and settings\Di\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe

2009-08-13 14:55 . 2009-08-26 22:20 10134 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe

2009-08-13 14:55 . 2009-08-13 14:55 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{098122AB-C605-4853-B441-C0A4EB359B75}\ARPPRODUCTICON.exe

2009-08-13 14:48 . 2009-08-13 14:48 319488 ----a-w- c:\windows\HideWin.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_14.08.59 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-11-07 14:10 . 2009-11-07 14:10 16384 c:\windows\Temp\Perflib_Perfdata_b98.dat

+ 2009-11-07 14:10 . 2009-11-07 14:10 16384 c:\windows\Temp\Perflib_Perfdata_80c.dat

+ 2009-08-26 20:53 . 2009-11-08 03:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-08-26 20:53 . 2009-11-06 13:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-11-06 17:47 . 2009-11-08 03:37 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-08-26 20:53 . 2009-11-06 13:37 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LenovoFSC"="c:\program files\Lenovo\FanSpeedControl\LenovoFSC.exe" [2008-09-26 40960]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-04-23 393216]

"PWRAGD"="c:\progra~1\ThinkPad\UTILIT~1\DPMHost.exe" [2009-04-24 72256]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-11-24 487424]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-08 165208]

"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-08 124248]

"RoxioDragToDisc"="c:\program files\Lenovo\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 1116920]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-14 3073336]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-12 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-12 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-12 141336]

"The Assistant"="c:\program files\a la mode\Sched\eSched.exe" [2007-04-16 99840]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-09 16851968]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-1 805392]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-7-16 984352]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft SQL Server\\MSSQL$ALAMODE\\Binn\\sqlservr.exe"=

"c:\\Program Files\\a la mode\\Sched\\eSched.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 7:50 PM 46144]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/4/2009 11:43 AM 210216]

R2 MSSQL$ALAMODE;MSSQL$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe [5/3/2005 11:04 PM 9150464]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/13/2009 9:51 AM 64064]

R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [11/24/2008 5:34 PM 520192]

R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 7:50 PM 360448]

R3 QuickBooksDB19;QuickBooksDB19;c:\intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

R3 SuperIO;Lenovo ASD HWM Driver;c:\windows\system32\drivers\spio.sys [3/6/2008 4:33 PM 5760]

R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [11/19/2008 8:46 PM 37184]

S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 10:15 AM 1120752]

S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE [5/3/2005 8:42 PM 323584]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2009-11-04 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-04 17:22]

2009-11-04 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-04 17:22]

2009-08-13 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]

2009-08-13 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-08-13 09:28]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

DPF: Web-Based Email Tools - hxxp://email03.secureserver.net/Download.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-07 22:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(5680)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2009-11-08 22:53

ComboFix-quarantined-files.txt 2009-11-08 03:53

ComboFix2.txt 2009-11-06 14:10

Pre-Run: 222,932,140,032 bytes free

Post-Run: 222,901,211,136 bytes free

- - End Of File - - 3879AE236D2C7B720D6604C56317AF74

The OTL logfile follows:

OTL logfile created on: 11/7/2009 10:57:21 PM - Run 2

OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\Di\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 229.48 Gb Total Space | 207.61 Gb Free Space | 90.47% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DIANE

Current User Name: Di

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Di\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)

PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

PRC - C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe ()

PRC - C:\Program Files\ThinkPad\Utilities\SCHTASK.EXE ()

PRC - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe ()

PRC - C:\Program Files\ThinkPad\Utilities\DPMTray.EXE ()

PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()

PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

PRC - C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)

PRC - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe ()

PRC - C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

PRC - c:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe (Lenovo Group Limited)

PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)

PRC - C:\Intuit\QuickBooks 2009\QBDBMgrN.exe (Intuit, Inc.)

PRC - C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)

PRC - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited)

PRC - C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)

PRC - C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE (Lenovo Group Limited)

PRC - C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

PRC - C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

PRC - C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\a la mode\Sched\eSched.exe (a la mode, inc.)

PRC - C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe (Roxio)

PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)

PRC - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Di\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Program Files\McAfee\SiteAdvisor\sahook.dll ()

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll (Microsoft Corporation)

MOD - C:\Program Files\Logitech\SetPoint\lgscroll.dll (Logitech, Inc.)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (SessionLauncher) -- File not found

SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

SRV - (Power Manager DBC Service) -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe ()

SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()

SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

SRV - (TVT Scheduler) -- c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (Lenovo Group Limited)

SRV - (TVT Backup Service) -- C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe (Lenovo Group Limited)

SRV - (TVT Backup Protection Service) -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe ()

SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)

SRV - (SUService) -- c:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited)

SRV - (TVT_UpdateMonitor) -- C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe (Lenovo Group Limited)

SRV - (FontCache3.0.0.0) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)

SRV - (idsvc) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)

SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)

SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)

SRV - (QuickBooksDB19) -- C:\Intuit\QuickBooks 2009\QBDBMgrN.exe (Intuit, Inc.)

SRV - (ThinkVantage Registry Monitor Service) -- c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited)

SRV - (LBTServ) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe (Logitech, Inc.)

SRV - (RoxMediaDB10) -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe (Sonic Solutions)

SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

SRV - (stllssvr) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (MicroVision Development, Inc.)

SRV - (HPSLPSVC) -- C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL (Hewlett-Packard Co.)

SRV - (hpqcxs08) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll (Hewlett-Packard Co.)

SRV - (SQLWriter) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)

SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZIPM12.DLL (Hewlett-Packard)

SRV - (Net Driver HPZ12) -- C:\WINDOWS\system32\HPZINW12.DLL (Hewlett-Packard)

SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)

SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

SRV - (MSSQL$MSSMLBIZ) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)

SRV - (SQLBrowser) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)

SRV - (MSSQLServerADHelper) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)

SRV - (WMConnectCDS) -- C:\Program Files\Windows Media Connect 2\wmccds.exe (Microsoft Corporation)

SRV - (MSSQL$ALAMODE) -- c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe (Microsoft Corporation)

SRV - (SQLAgent$ALAMODE) -- c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE (Microsoft Corporation)

SRV - (UMWdf) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (catchme) -- File not found

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)

DRV - (tvtfilter) -- C:\WINDOWS\system32\drivers\tvtfilter.sys (Lenovo)

DRV - (pmem) -- C:\WINDOWS\system32\drivers\pmemnt.sys (Microsoft Corporation)

DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)

DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (TVTI2C) -- C:\WINDOWS\system32\drivers\tvti2c.sys (Lenovo (United States) Inc.)

DRV - (tvtumon) -- C:\WINDOWS\system32\drivers\tvtumon.sys (Lenovo)

DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)

DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)

DRV - (psadd) -- C:\WINDOWS\system32\drivers\psadd.sys (Lenovo (United States) Inc.)

DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)

DRV - (SuperIO) -- C:\WINDOWS\system32\drivers\spio.sys ()

DRV - (LMouKE) -- C:\WINDOWS\system32\drivers\LMouKE.Sys (Logitech, Inc.)

DRV - (L8042mou) -- C:\WINDOWS\system32\drivers\L8042mou.Sys (Logitech, Inc.)

DRV - (L8042Kbd) -- C:\WINDOWS\system32\drivers\L8042Kbd.sys (Logitech, Inc.)

DRV - (DLADResM) -- C:\WINDOWS\system32\DLA\DLADResM.SYS (Roxio)

DRV - (DLABMFSM) -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS (Roxio)

DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Roxio)

DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Roxio)

DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Roxio)

DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Roxio)

DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Roxio)

DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Roxio)

DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)

DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Roxio)

DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)

DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Roxio)

DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)

DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)

DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)

DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)

DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)

DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)

DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)

DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)

DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)

DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)

DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)

DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)

DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)

DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)

DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)

DRV - (StillCam) -- C:\WINDOWS\system32\drivers\serscan.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/28 08:47:37 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/08/13 09:57:39 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/11/06 08:31:44 | 00,000,000 | ---D | M]

O1 HOSTS File: (6575 bytes) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

O1 - Hosts: 88.198.198.204 google.ae

O1 - Hosts: 88.198.198.204 google.as

O1 - Hosts: 88.198.198.204 google.at

O1 - Hosts: 88.198.198.204 google.az

O1 - Hosts: 88.198.198.204 google.ba

O1 - Hosts: 88.198.198.204 google.be

O1 - Hosts: 88.198.198.204 google.bg

O1 - Hosts: 88.198.198.204 google.bs

O1 - Hosts: 88.198.198.204 google.ca

O1 - Hosts: 88.198.198.204 google.cd

O1 - Hosts: 88.198.198.204 google.com.gh

O1 - Hosts: 88.198.198.204 google.com.hk

O1 - Hosts: 88.198.198.204 google.com.jm

O1 - Hosts: 88.198.198.204 google.com.mx

O1 - Hosts: 88.198.198.204 google.com.my

O1 - Hosts: 88.198.198.204 google.com.na

O1 - Hosts: 88.198.198.204 google.com.nf

O1 - Hosts: 88.198.198.204 google.com.ng

O1 - Hosts: 193 more lines...

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O2 - BHO: (IePasswordManagerHelper Class) - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [cssauth] C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)

O4 - HKLM..\Run: [LenovoFSC] C:\Program Files\Lenovo\FanSpeedControl\LenovoFSC.exe ()

O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)

O4 - HKLM..\Run: [LPMailChecker] C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE (Lenovo Group Limited)

O4 - HKLM..\Run: [LPManager] C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe ()

O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [PWRAGD] C:\Program Files\ThinkPad\Utilities\DPMHost.EXE ()

O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe (Roxio)

O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe (a la mode, inc.)

O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)

O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: Web-Based Email Tools http://email03.secureserver.net/Download.CAB (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.10.1

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll (Logitech, Inc.)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/07/21 17:02:34 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

O35 - comfile [open] -- "%1" %* File not found

O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/06 16:21:28 | 00,528,896 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\OTL.exe

[2009/11/06 16:20:36 | 00,000,000 | ---D | C] -- C:\RootRepeal

[2009/11/06 16:18:33 | 00,271,872 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\TFC.exe

[2009/11/06 09:04:03 | 00,000,000 | RHSD | C] -- C:\cmdcons

[2009/11/06 09:03:28 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2009/11/06 09:03:28 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2009/11/06 09:03:28 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2009/11/06 09:03:28 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2009/11/06 09:03:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2009/11/06 08:57:54 | 00,000,000 | ---D | C] -- C:\Qoobox

[2009/11/05 13:48:04 | 00,000,000 | ---D | C] -- C:\HostsXpert 4.2 - Hosts File Manager

[2009/11/04 13:41:03 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2009/11/04 12:54:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor

[2009/11/04 12:51:54 | 00,040,552 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys

[2009/11/04 12:51:53 | 00,079,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys

[2009/11/04 12:51:53 | 00,035,272 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys

[2009/11/04 12:51:48 | 00,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys

[2009/11/04 12:51:11 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee

[2009/11/04 12:51:09 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com

[2009/11/04 12:50:28 | 00,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys

[2009/11/04 12:39:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Di\Application Data\Malwarebytes

[2009/11/04 12:39:06 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009/11/04 12:39:05 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2009/11/04 12:39:05 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2009/11/04 12:39:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2009/11/04 11:41:29 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee

[2009/11/04 10:41:10 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\914fd87

[2009/08/28 19:02:54 | 00,098,304 | ---- | C] ( ) -- C:\WINDOWS\System32\AutoLicense.dll

[2009/08/28 19:02:54 | 00,045,056 | ---- | C] ( ) -- C:\WINDOWS\System32\AutoPAX.dll

========== Files - Modified Within 30 Days ==========

[2009/11/07 22:54:36 | 00,007,005 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF

[2009/11/07 22:53:21 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2009/11/07 22:52:07 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2009/11/07 22:38:58 | 03,562,645 | R--- | M] () -- C:\Documents and Settings\Di\Desktop\ComboFix.exe

[2009/11/07 14:22:00 | 00,000,248 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

[2009/11/07 09:10:54 | 00,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2009/11/07 09:10:13 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2009/11/07 09:10:12 | 31,847,75168 | -HS- | M] () -- C:\hiberfil.sys

[2009/11/07 08:57:15 | 03,670,016 | -H-- | M] () -- C:\Documents and Settings\Di\NTUSER.DAT

[2009/11/07 08:56:52 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Di\ntuser.ini

[2009/11/06 23:38:11 | 00,288,256 | ---- | M] () -- C:\Documents and Settings\Di\Desktop\exeHelper.com

[2009/11/06 17:25:08 | 00,041,538 | ---- | M] () -- C:\WINDOWS\alaredun.ini

[2009/11/06 17:25:08 | 00,002,157 | ---- | M] () -- C:\WINDOWS\alamode.ini

[2009/11/06 16:21:32 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\OTL.exe

[2009/11/06 16:20:00 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Di\settings.dat

[2009/11/06 16:18:37 | 00,271,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\TFC.exe

[2009/11/06 10:53:52 | 00,267,264 | ---- | M] () -- C:\WINDOWS\PEV.exe

[2009/11/06 09:04:07 | 00,000,281 | RHS- | M] () -- C:\boot.ini

[2009/11/04 13:41:03 | 00,001,741 | ---- | M] () -- C:\Documents and Settings\Di\Desktop\HijackThis.lnk

[2009/11/04 12:54:10 | 00,000,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk

[2009/11/04 12:51:28 | 00,000,334 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job

[2009/11/04 12:51:26 | 00,000,326 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job

[2009/11/04 12:39:08 | 00,000,703 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/11/04 12:20:46 | 00,006,575 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2009/11/04 11:38:20 | 07,475,184 | -H-- | M] () -- C:\Documents and Settings\Di\Local Settings\Application Data\IconCache.db

[2009/11/02 11:34:04 | 00,011,903 | ---- | M] () -- C:\Documents and Settings\Di\My Documents\Appraisal Order procedures.docx

[2009/11/01 08:42:31 | 00,529,940 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2009/11/01 08:42:31 | 00,104,164 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2009/11/01 08:42:30 | 00,646,734 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2009/10/25 06:11:34 | 00,077,312 | ---- | M] () -- C:\WINDOWS\MBR.exe

========== Files Created - No Company Name ==========

[2009/11/07 09:10:12 | 31,847,75168 | -HS- | C] () -- C:\hiberfil.sys

[2009/11/06 23:38:10 | 00,288,256 | ---- | C] () -- C:\Documents and Settings\Di\Desktop\exeHelper.com

[2009/11/06 17:25:07 | 00,041,538 | ---- | C] () -- C:\WINDOWS\alaredun.ini

[2009/11/06 16:20:00 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Di\settings.dat

[2009/11/06 09:04:07 | 00,000,211 | ---- | C] () -- C:\Boot.bak

[2009/11/06 09:04:05 | 00,260,272 | ---- | C] () -- C:\cmldr

[2009/11/06 09:03:28 | 00,267,264 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2009/11/06 09:03:28 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2009/11/06 09:03:28 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2009/11/06 09:03:28 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2009/11/06 09:03:28 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2009/11/06 08:51:31 | 03,562,645 | R--- | C] () -- C:\Documents and Settings\Di\Desktop\ComboFix.exe

[2009/11/04 13:41:03 | 00,001,741 | ---- | C] () -- C:\Documents and Settings\Di\Desktop\HijackThis.lnk

[2009/11/04 12:54:22 | 00,007,005 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF

[2009/11/04 12:54:10 | 00,000,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk

[2009/11/04 12:51:27 | 00,000,334 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job

[2009/11/04 12:51:26 | 00,000,326 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job

[2009/11/04 12:39:08 | 00,000,703 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/11/02 11:34:04 | 00,011,903 | ---- | C] () -- C:\Documents and Settings\Di\My Documents\Appraisal Order procedures.docx

[2009/09/12 08:52:01 | 00,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini

[2009/08/30 11:59:34 | 00,001,397 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2009/08/28 22:13:46 | 00,000,121 | ---- | C] () -- C:\WINDOWS\MercuryWT.ini

[2009/08/28 22:13:46 | 00,000,099 | ---- | C] () -- C:\WINDOWS\Mercury.ini

[2009/08/28 19:03:00 | 00,495,616 | ---- | C] () -- C:\WINDOWS\System32\TX32.dll

[2009/08/28 19:03:00 | 00,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini

[2009/08/28 19:02:59 | 00,327,680 | ---- | C] () -- C:\WINDOWS\System32\SmaRTEng.dll

[2009/08/28 19:02:58 | 00,577,536 | ---- | C] () -- C:\WINDOWS\System32\PAXMeta.dll

[2009/08/28 19:02:58 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\P2kDesk.dll

[2009/08/28 19:02:56 | 00,338,944 | ---- | C] () -- C:\WINDOWS\System32\LFfpx7.dll

[2009/08/28 19:02:56 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\LFKodak.dll

[2009/08/28 19:02:56 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\fmt_jb2.dll

[2009/08/28 19:02:56 | 00,018,944 | ---- | C] () -- C:\WINDOWS\System32\fmt_xcx.dll

[2009/08/28 19:02:56 | 00,011,264 | ---- | C] () -- C:\WINDOWS\System32\fmt_xmf.dll

[2009/08/28 19:02:56 | 00,000,313 | ---- | C] () -- C:\WINDOWS\System32\ic32.ini

[2009/08/28 19:02:55 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\DeskSkt.dll

[2009/08/28 19:02:55 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\DP2kFrms.dll

[2009/08/28 19:02:54 | 00,401,408 | ---- | C] () -- C:\WINDOWS\System32\AXF_AXS.dll

[2009/08/28 19:02:54 | 00,220,160 | ---- | C] () -- C:\WINDOWS\System32\Carcla30.dll

[2009/08/28 19:02:54 | 00,204,864 | ---- | C] () -- C:\WINDOWS\System32\AtxWrap.dll

[2009/08/28 19:02:54 | 00,018,432 | ---- | C] () -- C:\WINDOWS\System32\alavistautils.dll

[2009/08/28 19:02:53 | 01,159,168 | ---- | C] () -- C:\WINDOWS\System32\alaMFC2.dll

[2009/08/28 19:02:53 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\alaMapi.dll

[2009/08/28 19:02:53 | 00,122,880 | ---- | C] () -- C:\WINDOWS\System32\ala32.dll

[2009/08/28 19:02:53 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\alaLaunch2.dll

[2009/08/28 19:02:53 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\alaLaunch.dll

[2009/08/28 19:01:36 | 00,002,157 | ---- | C] () -- C:\WINDOWS\alamode.ini

[2009/08/26 21:12:40 | 00,000,125 | ---- | C] () -- C:\Documents and Settings\Di\Local Settings\Application Data\fusioncache.dat

[2009/08/26 17:21:18 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Di\Application Data\desktop.ini

[2009/08/26 17:21:17 | 07,475,184 | -H-- | C] () -- C:\Documents and Settings\Di\Local Settings\Application Data\IconCache.db

[2009/08/26 17:21:17 | 00,083,904 | ---- | C] () -- C:\Documents and Settings\Di\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2009/08/13 10:13:33 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2009/08/13 09:57:23 | 00,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL

[2009/08/13 09:57:23 | 00,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2009/08/13 09:54:56 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2009/08/13 09:54:56 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2009/08/13 09:54:56 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2009/08/13 09:54:56 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2009/08/13 09:54:56 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2009/08/13 09:54:56 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2008/07/22 10:22:09 | 00,004,670 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2008/07/21 17:50:07 | 00,000,583 | ---- | C] () -- C:\WINDOWS\win.ini

[2008/07/21 17:50:05 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

[2008/07/21 09:55:32 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini

[2008/03/06 16:33:50 | 00,005,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\spio.sys

[2007/09/27 09:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 09:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 09:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont

[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont

[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont

========== LOP Check ==========

[2009/11/04 10:41:29 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\914fd87

[2009/10/12 13:10:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\alamode

[2009/09/12 08:52:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES

[2009/08/26 20:54:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo

[2009/08/13 10:05:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor

[2009/08/13 10:00:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr

[2009/09/12 09:17:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10

[2009/08/13 09:51:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SuperIO

[2009/08/13 09:57:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall

[2009/09/14 14:38:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/08/13 09:59:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\DesktopPwrMgr

[2009/08/13 09:57:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Downloaded Installations

[2009/08/26 20:54:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Lenovo

[2009/09/09 14:52:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Windows Desktop Search

[2009/09/09 16:34:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Windows Search

[2009/11/07 14:22:00 | 00,000,248 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job

[2008/04/14 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini

[2009/11/04 12:51:28 | 00,000,334 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job

[2009/11/04 12:51:26 | 00,000,326 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

[2009/08/13 10:00:41 | 00,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

[2009/08/13 09:51:54 | 00,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

[2009/11/07 22:53:21 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========

< End of report >


I had a great weekend, thanks for asking ;) Hope yours went well too :(

We don't want to delete the file, but let's try to manually fix it.

Show System Files

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

Using notepad, bring up C:\windows\system32\driver\ETC\hosts

Delete all entries in that file except for:

127.0.0.1 localhost

Save it.

Post a fresh OTL log.


I had a great weekend also ;)

Unfortunately, I had little success editing the hosts file. After changing the folder view as you instructed and unsuccessfully saving the hosts file, I checked the properties of the file and also removed the check for the read-only attribute. I was still not able to save the file after editing it. The message I received each time was:

Cannot create C:\WINDOWS\system32\drivers\etc\hosts file

Make sure that the path and filename are correct.

Also, now that I can see the file (thanks, I thought there was a way to see system/hidden files), it has a creation date of 11/04/2009 and time of around 5 pm. Approximately the same day and time things weren't looking good on this end.

Please don't get discouraged, you're my only hope in fixing this thing.


I promise I won't get discouraged ;) We'll get this done! I have several ways to go about this but I don't want to do heart surgery if I can do it with a bandage!

Let's try this next:

Reboot and hit the F8 key early and often. Choose Safe Mode.

Open Windows explorer to the folder: \Windows\System32\Drivers\etc

Right click on HOSTS (it should have no file extension)

Sharing and Security

Security tab

Make sure you as a user and/or "Administrator" have full permissions on the file. If not, change the permissions to Full.

Using notepad, bring up C:\windows\system32\driver\ETC\hosts

Delete all entries in that file except for:

127.0.0.1 localhost

Save it.

Post a fresh OTL log.

IF that doesn't work, please run this and post back the log:

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

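Both sets of instructions above come down to the same check: anything in the hosts file other than the localhost line is suspect, and the O1 entries in the log show why (many Google country domains and several payment/antivirus-lookalike names all pointed at one or two routable addresses, plus Google's safe-browsing cache host pinned away from Google). The script below is an added example, not code from this thread or from OTL. It parses a hosts file, groups every non-baseline name by the address it is sent to, separates true redirects from harmless loopback "sinkhole" pins, and produces the one-line file the helper asked for. The sample hosts content is constructed, modelled on the O1 lines in the log; the function names (`parse_hosts`, `audit_hosts`, `is_hijacked`, `clean_hosts`) are my own.

```python
"""Audit a Windows hosts file for the redirect pattern seen in the OTL log.

Added example. SAMPLE_HOSTS is constructed from the O1 entries in the log above
(the real file was 6575 bytes with ~200 entries); the rest is a stock XP hosts file.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
74.125.45.100   safebrowsing-cache.google.com
74.125.45.100   www.getantivirusplusnow.com
88.198.198.204  google.ae
88.198.198.204  google.com.mx
0.0.0.0         ads.example.invalid      # blocklist-style pin, not a redirect
"""

# The only entries a stock Windows hosts file needs to carry.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# "<ip> <hostname>" after comments are stripped; further aliases on the line are ignored.
ENTRY = re.compile(r"^(\S+)\s+(\S+)")


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every well-formed, non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()      # drop whole-line and trailing comments
        match = ENTRY.match(body)
        if not match:
            continue
        ip, host = match.group(1), match.group(2).lower()
        try:
            ipaddress.ip_address(ip)             # skip lines whose first field is not an IP
        except ValueError:
            continue
        entries.append((line_no, ip, host))
    return entries


def audit_hosts(text):
    """Classify every entry outside the baseline.

    redirects: {ip: [hostnames]} for names sent to a routable address. This is the
               hijack shape in the log: many domains fanning in to one attacker IP.
    sinkholes: [(ip, hostname)] pinned to loopback/unspecified. That is a blocklist,
               harmless unless it silences an update or security service.
    """
    redirects = defaultdict(list)
    sinkholes = []
    for _, ip, host in parse_hosts(text):
        if (ip, host) in BASELINE:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            sinkholes.append((ip, host))
        else:
            redirects[ip].append(host)
    return {"redirects": dict(redirects), "sinkholes": sinkholes}


def is_hijacked(text):
    """True when any hostname is redirected to a routable address."""
    return bool(audit_hosts(text)["redirects"])


def clean_hosts():
    """The minimal content the helper asked for: only the localhost line."""
    return "127.0.0.1 localhost\n"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for ip, hosts in report["redirects"].items():
        print(f"{ip} receives {len(hosts)} name(s): {', '.join(hosts)}")
    for ip, host in report["sinkholes"]:
        print(f"sinkholed: {host} -> {ip}")
    print("hijacked:", is_hijacked(SAMPLE_HOSTS))
```

To check a real machine, read a copy of C:\WINDOWS\system32\drivers\etc\hosts and pass its text to `audit_hosts`. One detail worth noting from the log itself: the hosts file is listed with the `RHS-` attributes (read-only, hidden, system), which is why Notepad could not save over it; those attributes, and any restrictive ACL, have to be cleared before the cleaned content can be written back.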

Hey brudi,

In the interest of time and getting you back up and clean, I've added a Plan B here in case the above did not work.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

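As an added illustration (not code from this thread, from OTL or from HostsXpert) of what the manual hosts-file steps above and the OTL [resethosts] directive in Plan B actually accomplish, the script below parses a hosts file, lists every active entry that is not the plain localhost mapping, clears the read-only attribute that blocked saving, and rewrites the file so only "127.0.0.1 localhost" remains. The sample hosts content, the 10.0.0.5 address and the hostnames in it are constructed for the example; the default path is the standard Windows location.

```python
"""Audit and reset a Windows hosts file (added example, not OTL or HostsXpert code)."""
import os
import stat
import tempfile
from typing import List, Tuple

# Standard location on Windows; the functions take an explicit path so they can be tested elsewhere.
DEFAULT_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# What the helper asked the user to leave behind: exactly 19 bytes, no trailing newline.
CLEAN_HOSTS = "127.0.0.1 localhost"

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for each active line; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: an address with no names
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, List[str]]]:
    """Entries other than the standard localhost mapping.

    Two kinds come back: a name mapped to a non-loopback address (the site is
    redirected elsewhere) and a non-local name pinned to loopback (the site is
    blocked, the classic trick against antivirus update servers).
    """
    flagged = []
    for ip, names in parse_hosts(text):
        if ip in LOOPBACK and all(n.lower() in LOCAL_NAMES for n in names):
            continue
        flagged.append((ip, names))
    return flagged


def reset_hosts(path: str = DEFAULT_HOSTS) -> int:
    """Overwrite the hosts file with only the localhost line; return the number of entries removed.

    The read-only attribute is cleared first, the step the user in this thread
    had to do by hand: on Windows, os.chmod with S_IWRITE toggles that attribute.
    """
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        removed = len(suspicious_entries(fh.read()))
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(CLEAN_HOSTS)
    return removed


# Constructed sample of a tampered hosts file (addresses and names are placeholders).
SAMPLE_HOSTS = """# sample header comment
127.0.0.1       localhost
10.0.0.5        www.google.com          # search site redirected to another host (constructed)
127.0.0.1       update.example-av.test  # an updater pinned to loopback, i.e. blocked (constructed)
::1             localhost
"""


def demo_reset() -> Tuple[int, str]:
    """Write the sample to a temp file, mark it read-only, reset it; return (removed, new content)."""
    fd, path = tempfile.mkstemp(prefix="hosts-demo-")
    os.close(fd)
    try:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_HOSTS)
        os.chmod(path, stat.S_IREAD)  # simulate the read-only attribute that blocked the save
        removed = reset_hosts(path)
        with open(path, "r", encoding="utf-8") as fh:
            return removed, fh.read()
    finally:
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
        os.remove(path)


if __name__ == "__main__":
    for ip, names in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:16} {' '.join(names)}")
    print(demo_reset())
```

Run it as an administrator against the real path only after the audit output has been read; the audit alone is safe to run at any time. The 19-byte result is the same size OTL later reports for this machine's hosts file in the log below (O1 HOSTS File: (19 bytes)), which is a quick way to confirm an edit actually stuck.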

I understand completely, I'd rather not have you do heart surgery either ;)

I'm sorry this is going slower than you probably expect, I'm making every attempt to return to this matter as soon as I possibly can.

The hosts file editing went well; I also had to uncheck the read-only attribute (I may have missed this before) on the General tab when looking at the properties of the hosts file.

The OTL log follows ...

OTL logfile created on: 11/9/2009 11:43:28 AM - Run 3

OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\Di\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 229.48 Gb Total Space | 207.55 Gb Free Space | 90.45% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DIANE

Current User Name: Di

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Di\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)

PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

PRC - C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe ()

PRC - C:\Program Files\ThinkPad\Utilities\SCHTASK.EXE ()

PRC - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe ()

PRC - C:\Program Files\ThinkPad\Utilities\DPMTray.EXE ()

PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()

PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)

PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

PRC - C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)

PRC - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe ()

PRC - C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

PRC - c:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\FanSpeedControl\LenovoFSC.exe ()

PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)

PRC - C:\Intuit\QuickBooks 2009\QBDBMgrN.exe (Intuit, Inc.)

PRC - C:\Program Files\Lenovo\Client Security Solution\password_manager.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)

PRC - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited)

PRC - C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)

PRC - C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE (Lenovo Group Limited)

PRC - C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

PRC - C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

PRC - C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc.)

PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\a la mode\Sched\eSched.exe (a la mode, inc.)

PRC - C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe (Roxio)

PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)

PRC - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Di\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Program Files\McAfee\SiteAdvisor\sahook.dll ()

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll (Microsoft Corporation)

MOD - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll (Lenovo Group Limited)

MOD - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_interface.dll (Lenovo Group Limited)

MOD - C:\Program Files\Logitech\SetPoint\lgscroll.dll (Logitech, Inc.)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\winsta.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\wtsapi32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (SessionLauncher) -- File not found

SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

SRV - (Power Manager DBC Service) -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe ()

SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()

SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

SRV - (TVT Scheduler) -- c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (Lenovo Group Limited)

SRV - (TVT Backup Service) -- C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe (Lenovo Group Limited)

SRV - (TVT Backup Protection Service) -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe ()

SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)

SRV - (SUService) -- c:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited)

SRV - (TVT_UpdateMonitor) -- C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe (Lenovo Group Limited)

SRV - (FontCache3.0.0.0) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)

SRV - (idsvc) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)

SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)

SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)

SRV - (QuickBooksDB19) -- C:\Intuit\QuickBooks 2009\QBDBMgrN.exe (Intuit, Inc.)

SRV - (ThinkVantage Registry Monitor Service) -- c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited)

SRV - (LBTServ) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe (Logitech, Inc.)

SRV - (RoxMediaDB10) -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe (Sonic Solutions)

SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

SRV - (stllssvr) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (MicroVision Development, Inc.)

SRV - (HPSLPSVC) -- C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL (Hewlett-Packard Co.)

SRV - (hpqcxs08) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll (Hewlett-Packard Co.)

SRV - (SQLWriter) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)

SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZIPM12.DLL (Hewlett-Packard)

SRV - (Net Driver HPZ12) -- C:\WINDOWS\system32\HPZINW12.DLL (Hewlett-Packard)

SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)

SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

SRV - (MSSQL$MSSMLBIZ) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)

SRV - (SQLBrowser) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)

SRV - (MSSQLServerADHelper) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)

SRV - (WMConnectCDS) -- C:\Program Files\Windows Media Connect 2\wmccds.exe (Microsoft Corporation)

SRV - (MSSQL$ALAMODE) -- c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe (Microsoft Corporation)

SRV - (SQLAgent$ALAMODE) -- c:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE (Microsoft Corporation)

SRV - (UMWdf) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)

DRV - (tvtfilter) -- C:\WINDOWS\system32\drivers\tvtfilter.sys (Lenovo)

DRV - (pmem) -- C:\WINDOWS\system32\drivers\pmemnt.sys (Microsoft Corporation)

DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)

DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (TVTI2C) -- C:\WINDOWS\system32\drivers\tvti2c.sys (Lenovo (United States) Inc.)

DRV - (tvtumon) -- C:\WINDOWS\system32\drivers\tvtumon.sys (Lenovo)

DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)

DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)

DRV - (psadd) -- C:\WINDOWS\system32\drivers\psadd.sys (Lenovo (United States) Inc.)

DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)

DRV - (SuperIO) -- C:\WINDOWS\system32\drivers\spio.sys ()

DRV - (LMouKE) -- C:\WINDOWS\system32\drivers\LMouKE.Sys (Logitech, Inc.)

DRV - (L8042mou) -- C:\WINDOWS\system32\drivers\L8042mou.Sys (Logitech, Inc.)

DRV - (L8042Kbd) -- C:\WINDOWS\system32\drivers\L8042Kbd.sys (Logitech, Inc.)

DRV - (DLADResM) -- C:\WINDOWS\system32\DLA\DLADResM.SYS (Roxio)

DRV - (DLABMFSM) -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS (Roxio)

DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Roxio)

DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Roxio)

DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Roxio)

DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Roxio)

DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Roxio)

DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Roxio)

DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)

DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Roxio)

DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)

DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Roxio)

DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)

DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)

DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)

DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)

DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)

DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)

DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)

DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)

DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)

DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)

DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)

DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)

DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)

DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)

DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)

DRV - (StillCam) -- C:\WINDOWS\system32\drivers\serscan.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&tab=wn

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/28 08:47:37 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/08/13 09:57:39 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/11/06 08:31:44 | 00,000,000 | ---D | M]

O1 HOSTS File: (19 bytes) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O2 - BHO: (IePasswordManagerHelper Class) - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [cssauth] C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)

O4 - HKLM..\Run: [LenovoFSC] C:\Program Files\Lenovo\FanSpeedControl\LenovoFSC.exe ()

O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)

O4 - HKLM..\Run: [LPMailChecker] C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE (Lenovo Group Limited)

O4 - HKLM..\Run: [LPManager] C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe ()

O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [PWRAGD] C:\Program Files\ThinkPad\Utilities\DPMHost.EXE ()

O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe (Roxio)

O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe (a la mode, inc.)

O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)

O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: Web-Based Email Tools http://email03.secureserver.net/Download.CAB (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.10.1

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll (Logitech, Inc.)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/07/21 17:02:34 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

O35 - comfile [open] -- "%1" %* File not found

O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/06 16:21:28 | 00,528,896 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\OTL.exe

[2009/11/06 16:20:36 | 00,000,000 | ---D | C] -- C:\RootRepeal

[2009/11/06 16:18:33 | 00,271,872 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\TFC.exe

[2009/11/06 09:04:03 | 00,000,000 | RHSD | C] -- C:\cmdcons

[2009/11/06 09:03:28 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2009/11/06 09:03:28 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2009/11/06 09:03:28 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2009/11/06 09:03:28 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2009/11/06 09:03:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2009/11/06 08:57:54 | 00,000,000 | ---D | C] -- C:\Qoobox

[2009/11/05 13:48:04 | 00,000,000 | ---D | C] -- C:\HostsXpert 4.2 - Hosts File Manager

[2009/11/04 13:41:03 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2009/11/04 12:54:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor

[2009/11/04 12:51:54 | 00,040,552 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys

[2009/11/04 12:51:53 | 00,079,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys

[2009/11/04 12:51:53 | 00,035,272 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys

[2009/11/04 12:51:48 | 00,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys

[2009/11/04 12:51:11 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee

[2009/11/04 12:51:09 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com

[2009/11/04 12:50:28 | 00,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys

[2009/11/04 12:39:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Di\Application Data\Malwarebytes

[2009/11/04 12:39:06 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009/11/04 12:39:05 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2009/11/04 12:39:05 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2009/11/04 12:39:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2009/11/04 11:41:29 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee

[2009/11/04 10:41:10 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\914fd87

[2009/08/28 19:02:54 | 00,098,304 | ---- | C] ( ) -- C:\WINDOWS\System32\AutoLicense.dll

[2009/08/28 19:02:54 | 00,045,056 | ---- | C] ( ) -- C:\WINDOWS\System32\AutoPAX.dll

========== Files - Modified Within 30 Days ==========

[2009/11/09 11:40:43 | 00,007,331 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF

[2009/11/09 11:40:28 | 00,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2009/11/09 11:39:58 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2009/11/09 11:39:56 | 31,847,75168 | -HS- | M] () -- C:\hiberfil.sys

[2009/11/09 11:39:56 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2009/11/09 11:39:24 | 03,670,016 | -H-- | M] () -- C:\Documents and Settings\Di\NTUSER.DAT

[2009/11/09 11:39:24 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Di\ntuser.ini

[2009/11/09 11:39:22 | 03,712,656 | -H-- | M] () -- C:\Documents and Settings\Di\Local Settings\Application Data\IconCache.db

[2009/11/09 11:38:16 | 00,000,019 | -HS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2009/11/09 11:22:00 | 00,000,248 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

[2009/11/09 11:19:00 | 00,002,157 | ---- | M] () -- C:\WINDOWS\alamode.ini

[2009/11/09 11:18:59 | 00,041,541 | ---- | M] () -- C:\WINDOWS\alaredun.ini

[2009/11/07 22:52:07 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2009/11/07 22:38:58 | 03,562,645 | R--- | M] () -- C:\Documents and Settings\Di\Desktop\ComboFix.exe

[2009/11/06 23:38:11 | 00,288,256 | ---- | M] () -- C:\Documents and Settings\Di\Desktop\exeHelper.com

[2009/11/06 16:21:32 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\OTL.exe

[2009/11/06 16:20:00 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Di\settings.dat

[2009/11/06 16:18:37 | 00,271,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Di\Desktop\TFC.exe

[2009/11/06 10:53:52 | 00,267,264 | ---- | M] () -- C:\WINDOWS\PEV.exe

[2009/11/06 09:04:07 | 00,000,281 | RHS- | M] () -- C:\boot.ini

[2009/11/04 13:41:03 | 00,001,741 | ---- | M] () -- C:\Documents and Settings\Di\Desktop\HijackThis.lnk

[2009/11/04 12:54:10 | 00,000,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk

[2009/11/04 12:51:28 | 00,000,334 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job

[2009/11/04 12:51:26 | 00,000,326 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job

[2009/11/04 12:39:08 | 00,000,703 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/11/02 11:34:04 | 00,011,903 | ---- | M] () -- C:\Documents and Settings\Di\My Documents\Appraisal Order procedures.docx

[2009/11/01 08:42:31 | 00,529,940 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2009/11/01 08:42:31 | 00,104,164 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2009/11/01 08:42:30 | 00,646,734 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2009/10/25 06:11:34 | 00,077,312 | ---- | M] () -- C:\WINDOWS\MBR.exe

========== Files Created - No Company Name ==========

[2009/11/09 11:39:56 | 31,847,75168 | -HS- | C] () -- C:\hiberfil.sys

[2009/11/09 11:18:59 | 00,041,541 | ---- | C] () -- C:\WINDOWS\alaredun.ini

[2009/11/06 23:38:10 | 00,288,256 | ---- | C] () -- C:\Documents and Settings\Di\Desktop\exeHelper.com

[2009/11/06 16:20:00 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Di\settings.dat

[2009/11/06 09:04:07 | 00,000,211 | ---- | C] () -- C:\Boot.bak

[2009/11/06 09:04:05 | 00,260,272 | ---- | C] () -- C:\cmldr

[2009/11/06 09:03:28 | 00,267,264 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2009/11/06 09:03:28 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2009/11/06 09:03:28 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2009/11/06 09:03:28 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2009/11/06 09:03:28 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2009/11/06 08:51:31 | 03,562,645 | R--- | C] () -- C:\Documents and Settings\Di\Desktop\ComboFix.exe

[2009/11/04 13:41:03 | 00,001,741 | ---- | C] () -- C:\Documents and Settings\Di\Desktop\HijackThis.lnk

[2009/11/04 12:54:22 | 00,007,331 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF

[2009/11/04 12:54:10 | 00,000,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk

[2009/11/04 12:51:27 | 00,000,334 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job

[2009/11/04 12:51:26 | 00,000,326 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job

[2009/11/04 12:39:08 | 00,000,703 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/11/02 11:34:04 | 00,011,903 | ---- | C] () -- C:\Documents and Settings\Di\My Documents\Appraisal Order procedures.docx

[2009/09/12 08:52:01 | 00,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini

[2009/08/30 11:59:34 | 00,001,397 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2009/08/28 22:13:46 | 00,000,121 | ---- | C] () -- C:\WINDOWS\MercuryWT.ini

[2009/08/28 22:13:46 | 00,000,099 | ---- | C] () -- C:\WINDOWS\Mercury.ini

[2009/08/28 19:03:00 | 00,495,616 | ---- | C] () -- C:\WINDOWS\System32\TX32.dll

[2009/08/28 19:03:00 | 00,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini

[2009/08/28 19:02:59 | 00,327,680 | ---- | C] () -- C:\WINDOWS\System32\SmaRTEng.dll

[2009/08/28 19:02:58 | 00,577,536 | ---- | C] () -- C:\WINDOWS\System32\PAXMeta.dll

[2009/08/28 19:02:58 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\P2kDesk.dll

[2009/08/28 19:02:56 | 00,338,944 | ---- | C] () -- C:\WINDOWS\System32\LFfpx7.dll

[2009/08/28 19:02:56 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\LFKodak.dll

[2009/08/28 19:02:56 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\fmt_jb2.dll

[2009/08/28 19:02:56 | 00,018,944 | ---- | C] () -- C:\WINDOWS\System32\fmt_xcx.dll

[2009/08/28 19:02:56 | 00,011,264 | ---- | C] () -- C:\WINDOWS\System32\fmt_xmf.dll

[2009/08/28 19:02:56 | 00,000,313 | ---- | C] () -- C:\WINDOWS\System32\ic32.ini

[2009/08/28 19:02:55 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\DeskSkt.dll

[2009/08/28 19:02:55 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\DP2kFrms.dll

[2009/08/28 19:02:54 | 00,401,408 | ---- | C] () -- C:\WINDOWS\System32\AXF_AXS.dll

[2009/08/28 19:02:54 | 00,220,160 | ---- | C] () -- C:\WINDOWS\System32\Carcla30.dll

[2009/08/28 19:02:54 | 00,204,864 | ---- | C] () -- C:\WINDOWS\System32\AtxWrap.dll

[2009/08/28 19:02:54 | 00,018,432 | ---- | C] () -- C:\WINDOWS\System32\alavistautils.dll

[2009/08/28 19:02:53 | 01,159,168 | ---- | C] () -- C:\WINDOWS\System32\alaMFC2.dll

[2009/08/28 19:02:53 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\alaMapi.dll

[2009/08/28 19:02:53 | 00,122,880 | ---- | C] () -- C:\WINDOWS\System32\ala32.dll

[2009/08/28 19:02:53 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\alaLaunch2.dll

[2009/08/28 19:02:53 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\alaLaunch.dll

[2009/08/28 19:01:36 | 00,002,157 | ---- | C] () -- C:\WINDOWS\alamode.ini

[2009/08/26 21:12:40 | 00,000,125 | ---- | C] () -- C:\Documents and Settings\Di\Local Settings\Application Data\fusioncache.dat

[2009/08/26 17:21:18 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Di\Application Data\desktop.ini

[2009/08/26 17:21:17 | 03,712,656 | -H-- | C] () -- C:\Documents and Settings\Di\Local Settings\Application Data\IconCache.db

[2009/08/26 17:21:17 | 00,083,904 | ---- | C] () -- C:\Documents and Settings\Di\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2009/08/13 10:13:33 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2009/08/13 09:57:23 | 00,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL

[2009/08/13 09:57:23 | 00,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2009/08/13 09:54:56 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2009/08/13 09:54:56 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2009/08/13 09:54:56 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2009/08/13 09:54:56 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2009/08/13 09:54:56 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2009/08/13 09:54:56 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2008/07/22 10:22:09 | 00,004,670 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2008/07/21 17:50:07 | 00,000,583 | ---- | C] () -- C:\WINDOWS\win.ini

[2008/07/21 17:50:05 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

[2008/07/21 09:55:32 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini

[2008/03/06 16:33:50 | 00,005,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\spio.sys

[2007/09/27 09:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 09:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 09:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont

[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont

[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont

========== LOP Check ==========

[2009/11/04 10:41:29 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\914fd87

[2009/10/12 13:10:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\alamode

[2009/09/12 08:52:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES

[2009/08/26 20:54:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo

[2009/08/13 10:05:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor

[2009/08/13 10:00:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr

[2009/09/12 09:17:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10

[2009/08/13 09:51:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SuperIO

[2009/08/13 09:57:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall

[2009/09/14 14:38:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/08/13 09:59:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\DesktopPwrMgr

[2009/08/13 09:57:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Downloaded Installations

[2009/08/26 20:54:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Lenovo

[2009/09/09 14:52:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Windows Desktop Search

[2009/09/09 16:34:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Di\Application Data\Windows Search

[2009/11/09 11:22:00 | 00,000,248 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job

[2008/04/14 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini

[2009/11/04 12:51:28 | 00,000,334 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job

[2009/11/04 12:51:26 | 00,000,326 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

[2009/08/13 10:00:41 | 00,000,436 | ---- | M] () -- C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

[2009/08/13 09:51:54 | 00,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

[2009/11/09 11:39:58 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========

< End of report >

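The report above is long enough that the helper's "check for orphans" is really a triage exercise: scan the Files Created / Files Modified sections for the handful of entries that matter. The following Python script is an added example (not part of the original post and not OTL's own code) that parses those `[date | size | attrs | C/M] (Company) -- path` lines and flags three things a helper looks for by eye: hidden+system folders with random-looking hex names under Application Data (like the `914fd87` entry), binaries dropped into System32 with no company name, and any create/modify of `drivers\etc\hosts`, the usual vector for a search-redirect. The sample lines are copied from the report above; the heuristics themselves and the 4 KiB "unusually large hosts file" threshold are assumptions of this example, not rules from the thread.

```python
"""Triage helper for OTL 'Files Created' / 'Files Modified' lines.

Added example, not part of the original forum post and not OTL's own code.
Flags entries worth a second look; every hit still needs a human verdict.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# One OTL file line: [stamp | size | attrs | C|M] (Company) -- path
# Directory lines omit the "(Company)" part; unsigned files show "()" or "( )".
OTL_LINE = re.compile(
    r"\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| "
    r"(?P<op>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

HEX_NAME = re.compile(r"[0-9a-f]{6,}", re.IGNORECASE)   # assumption: 6+ hex chars looks random
BINARY_EXT = (".exe", ".dll", ".sys", ".com")
HOSTS_LARGE_BYTES = 4096                                  # assumption: default hosts is far smaller


@dataclass(frozen=True)
class Entry:
    stamp: datetime
    size: int
    attrs: str      # R/H/S/D flags or '-' in OTL's four columns
    op: str         # 'C' = created, 'M' = modified
    company: str    # '' when OTL prints () or ( )
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_otl_lines(lines: Iterable[str]) -> list[Entry]:
    """Parse every line that matches the OTL file format; skip headers and blanks."""
    entries = []
    for line in lines:
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            stamp=datetime.strptime(m["stamp"], "%Y/%m/%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            op=m["op"],
            company=(m["company"] or "").strip(),
            path=m["path"],
        ))
    return entries


def triage(entries: Iterable[Entry]) -> list[tuple[str, Entry]]:
    """Return (reason, entry) pairs for entries that deserve a manual look."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.is_dir and "H" in e.attrs and "S" in e.attrs and HEX_NAME.fullmatch(e.name):
            findings.append(("hidden+system folder with random-looking hex name", e))
        if (not e.is_dir and low.startswith("c:\\windows\\system32\\")
                and low.endswith(BINARY_EXT) and not e.company):
            findings.append(("binary in System32 with no company/version info", e))
        if low.endswith("\\drivers\\etc\\hosts"):
            size_note = "unusually large, inspect for redirect entries" \
                if e.size > HOSTS_LARGE_BYTES else f"{e.size} bytes, verify it is only the localhost line"
            findings.append((f"hosts file {'created' if e.op == 'C' else 'modified'}: {size_note}", e))
    return findings


# Sample input copied from the OTL report above (a handful of representative lines).
SAMPLE_REPORT = r"""
========== Files Created - No Company Name ==========
[2009/11/06 09:03:28 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/11/06 09:03:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/04 10:41:10 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\914fd87
[2009/08/28 19:02:54 | 00,098,304 | ---- | C] ( ) -- C:\WINDOWS\System32\AutoLicense.dll
[2009/11/04 12:39:05 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/09 11:38:16 | 00,000,019 | -HS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
< End of report >
"""

if __name__ == "__main__":
    for reason, e in triage(parse_otl_lines(SAMPLE_REPORT.splitlines())):
        print(f"{e.stamp:%Y-%m-%d %H:%M} {e.op} {e.attrs} {e.path}\n    -> {reason}")
```

Run it against a saved OTL.txt by replacing `SAMPLE_REPORT.splitlines()` with the file's lines. The "no company name" rule is deliberately noisy (many legitimate installers ship unsigned DLLs, as the August 28 entries show); its purpose is to produce a short list of hashes to look up, not a verdict.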

Ok, that looks good now! Let's get a couple more scans to check for orphans ;)

The online scan can take a while so you may want to do it overnight. Just make sure that you have disabled all real-time protection such as your antivirus before beginning. It will speed things up.

------------------

Step 1:

------------------

Run Malwarebytes' Anti-Malware

  • Select the Update tab and then click Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select the Scanner tab and "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

------------------

Step 2:

------------------

Please download JavaRa to your desktop and unzip it to its own folder

  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

------------------

Step 3:

------------------

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

------------------

Step 4:

------------------

Please post back with the following:

  • How your machine is running
  • MBAM log
  • KasReport.txt


Machine still appears to be running fine!

MBAM log follows ...

Malwarebytes' Anti-Malware 1.41

Database version: 3135

Windows 5.1.2600 Service Pack 3

11/9/2009 4:12:51 PM

mbam-log-2009-11-09 (16-12-51).txt

Scan type: Quick Scan

Objects scanned: 126442

Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

KasReport.txt follows ...

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, November 9, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, November 09, 2009 22:48:02

Records in database: 3184328

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 91416

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Scan duration: 01:09:16

No threats found. Scanned area is clean.

Selected area has been scanned.


Well done! Your log appears clean! ;)

------------------

Step 1:

------------------

We're almost done. We need to do some clean up and get you on your way.

Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

(This will remove all restore points to rid your machine of saved infected files and create a new restore point)

------------------

Step 2:

------------------

We need to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions.

  • Run OTL.exe
  • Click the Clean Up button in top right corner.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Now delete any logs that you have left over on your desktop.

------------------

Step 3:

------------------

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help keep your computer from becoming vulnerable.

Please go to Microsoft's Windows Update and download all the critical updates to help prevent possible re-infection.

It is best if you have these set to download automatically.

Automatic Updates for Windows

  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.

---------------------------------------------------------------------------------------------

This is a good time to set up protection against further attacks. Read our How Did I Get Infected In The First Place? You need an antivirus that is continually updated, a good firewall, a spyware blocker, and a real time spyware program to prevent malware intrusions. Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

---------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------

Anti Spyware

Anti Spyware helps to eliminate certain types of infections. I would recommend getting these and running the scans at least twice a month. Also a real-time protector is beneficial to stop infections before they start. SpywareGuard is an excellent choice here.

  • SUPERAntiSpyware is a powerful tool that can eliminate nasties that make it onto your machine.
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

---------------------------------------------------------------------------------------------

Safer Web Browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are some good free alternatives:

All are faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these.

If you choose FireFox, here are a couple of addons that I recommend:

  • NoScript - for blocking ads and other potential website attacks
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must have if you do a lot of Google searches.

---------------------------------------------------------------------------------------------

Other Recommendations

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

Take Care and Happy Surfing! :(


Perplexus

Sorry for the delay in getting back to you ... a very busy day at the office.

Please let me start by trying to communicate my appreciation for all of your hard work. This pc was just put into service a little over a month ago and to have this happen gives one very little hope for happy surfing in the Microsoft world. Anyway, with people working very hard on both sides of this fence, I sure am happy you're on the safe side. Your patience with the clueless (me), the detailed instructions and your can-do attitude really helped at every turn. Thank you very much!

I appreciate the rest of your post. Your recommendations will be heeded and I'll feel better about our pc security.

One question. Is McAfee lacking the capability to protect this pc? Or is malware not really a part of any anti-virus software? I guess what I'm asking is, is it worth the while to keep McAfee and just add to it? Or replace it with a combo of what you are recommending?

Again, thanks a million for all your help.


Hey brudi,

Thank you so much for the kind words. It really keeps us going over here!

As far as McAfee goes, if you already have a subscription then you might as well keep it. No sense in throwing away money. No antivirus is capable of detecting every infection. There is a website, called AV-Comparatives that does independent tests on antivirus applications and publishes the data. You can find detection rates for each of the packages.

Personally, I quit using the big commercial apps like McAfee and Norton because you can get just as good if not better protection from the right combination of free products. I use Antivir for my antivirus along with Outpost for my firewall. Outpost is nice because if you are doing something new, you can put it into training mode and it will quit asking your permission to run the new apps. It will silently create rules for you. My recommendations always just entail free software, thus the SpywareGuard app is good to use. I actually use the paid version of Malwarebytes as additional real time protection in lieu of SpywareGuard. Even if you don't purchase Malwarebytes, I strongly urge you to keep the free version and do scans a couple times a month just to make sure you are clean.

One caveat I should tell you is that with the free antivirus and firewall applications, you will encounter "nag" screens. These are screens that pop up every day after an update to see if you're ready to buy.

While I can't make the decision for you, I hope that you find the above information helpful. Let me know if I can be of any further help. :)


McAfee is provided free of charge with our Comcast account, so getting rid of it is no problem. :)

Thanks for the AV-Comparatives link ... very nice. I plan on having a replacement for McAfee by the end of the weekend. And I'm going to license my copy of MBAM, already has paid for itself a couple of times over.

My wife and I are really liking the Safari browser. We've got it on the laptop, I'm going to install Chrome on my desktop and she's going to install Firefox. Do a little Browser-Comparables of our own. I can honestly say that I never knew these were alternatives to IE ... and they're better!

Surprisingly enough we're actually happy this happened, really opened our eyes. Anyway, thank you again for all of your help and direction in running a safer environment.
