TechSpot

[Solved] Browser Hijacked, I need help with HijackThis log

Discussion in 'Virus and Malware Removal' started by 2janealec, Jan 16, 2011.

Thread Status:
Not open for further replies.
  1. 2janealec Newcomer, in training

    OK, just a min.
    I think the wireless dropping is my ISP.
  2. 2janealec Newcomer, in training

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 162):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF8BB5000 \WINDOWS\system32\KDCOM.DLL
    0xF8AC5000 \WINDOWS\system32\BOOTVID.dll
    0xF8666000 ACPI.sys
    0xF8BB7000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF8655000 pci.sys
    0xF86B5000 isapnp.sys
    0xF8AC9000 ACPIEC.sys
    0xF8C7D000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF8ACD000 compbatt.sys
    0xF8AD1000 \WINDOWS\System32\DRIVERS\BATTC.SYS
    0xF8C7E000 pciide.sys
    0xF8935000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF8BB9000 aliide.sys
    0xF8BBB000 intelide.sys
    0xF8BBD000 toside.sys
    0xF8BBF000 viaide.sys
    0xF8BC1000 cmdide.sys
    0xF8637000 pcmcia.sys
    0xF86C5000 MountMgr.sys
    0xF8618000 ftdisk.sys
    0xF893D000 PartMgr.sys
    0xF86D5000 VolSnap.sys
    0xF8AD5000 cpqarray.sys
    0xF8600000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF85E8000 atapi.sys
    0xF8AD9000 aha154x.sys
    0xF8945000 sparrow.sys
    0xF8ADD000 symc810.sys
    0xF86E5000 aic78xx.sys
    0xF8AE1000 dac960nt.sys
    0xF86F5000 ql10wnt.sys
    0xF8AE5000 amsint.sys
    0xF894D000 asc.sys
    0xF8AE9000 asc3550.sys
    0xF8955000 mraid35x.sys
    0xF895D000 i2omp.sys
    0xF8AED000 ini910u.sys
    0xF8705000 ql1240.sys
    0xF8715000 aic78u2.sys
    0xF8965000 symc8xx.sys
    0xF896D000 sym_hi.sys
    0xF8975000 sym_u3.sys
    0xF897D000 ABP480N5.SYS
    0xF8985000 asc3350p.sys
    0xF8BC3000 cd20xrnt.sys
    0xF8725000 ultra.sys
    0xF85CF000 adpu160m.sys
    0xF898D000 dpti2o.sys
    0xF8735000 ql1080.sys
    0xF8745000 ql1280.sys
    0xF8755000 ql12160.sys
    0xF8995000 perc2.sys
    0xF8BC5000 perc2hib.sys
    0xF899D000 hpn.sys
    0xF8AF1000 cbidf2k.sys
    0xF85A3000 dac2w2k.sys
    0xF8765000 disk.sys
    0xF8775000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF8583000 fltmgr.sys
    0xF8571000 sr.sys
    0xF855A000 KSecDD.sys
    0xF84CD000 Ntfs.sys
    0xF84A0000 NDIS.sys
    0xF8785000 sisagp.sys
    0xF8795000 viaagp.sys
    0xF8486000 Mup.sys
    0xF87A5000 agp440.sys
    0xF87B5000 alim1541.sys
    0xF87C5000 amdagp.sys
    0xF87D5000 agpCPQ.sys
    0xF8905000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF8A6D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF7D34000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF8A75000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7D0C000 \SystemRoot\system32\DRIVERS\e1000325.sys
    0xF8915000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF8A7D000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7C26000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF8BE5000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF8A85000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF8A8D000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF8925000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF8B91000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7C12000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF8A95000 \SystemRoot\system32\DRIVERS\nscirda.sys
    0xF8B95000 \SystemRoot\system32\DRIVERS\irenum.sys
    0xF8B9D000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF8A9D000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
    0xF7BDC000 \SystemRoot\system32\drivers\smwdm.sys
    0xF7BB8000 \SystemRoot\system32\drivers\portcls.sys
    0xF841D000 \SystemRoot\system32\drivers\drmk.sys
    0xF7B95000 \SystemRoot\system32\drivers\ks.sys
    0xF7B75000 \SystemRoot\system32\drivers\aeaudio.sys
    0xF7A50000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF8AAD000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF8C92000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF840D000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF8BB1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF79F9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF83FD000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF83ED000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF8AB5000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF79E8000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF83DD000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF89B5000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF89BD000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF83CD000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF8BE9000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6CA2000 \SystemRoot\system32\DRIVERS\update.sys
    0xF8452000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF83AD000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF839D000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7D60000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF6817000 \SystemRoot\system32\DRIVERS\MpFilter.sys
    0xF89D5000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF8C0B000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF8CF5000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8C0D000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF89E5000 \SystemRoot\System32\drivers\vga.sys
    0xF6803000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0xF8C0F000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF8C11000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF89ED000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF89F5000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF79E0000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF6780000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF6727000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF66FF000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF66DD000 \SystemRoot\System32\drivers\afd.sys
    0xF8825000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF89FD000 \SystemRoot\System32\Drivers\TPHKDRV.SYS
    0xF6692000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF6622000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF8865000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF65FC000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF8875000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF79C8000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xF8A05000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF8A0D000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF79C0000 \SystemRoot\System32\drivers\ANC.SYS
    0xF65BC000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF8C1B000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF684A000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF8A1D000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8D8C000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBFF50000 \SystemRoot\System32\framebuf.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF8A45000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0xF5FC8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xF5DA7000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF5C5F000 \SystemRoot\system32\DRIVERS\srv.sys
    0xF8BF1000 \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
    0xF597A000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF5EAC000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF568B000 \SystemRoot\System32\Drivers\HTTP.sys
    0xF5183000 \SystemRoot\system32\DRIVERS\w70n51.sys
    0xF5158000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 39):
    0 System Idle Process
    4 System
    720 C:\WINDOWS\system32\smss.exe
    792 csrss.exe
    816 C:\WINDOWS\system32\winlogon.exe
    860 C:\WINDOWS\system32\services.exe
    872 C:\WINDOWS\system32\lsass.exe
    1016 C:\WINDOWS\system32\ibmpmsvc.exe
    1072 C:\WINDOWS\system32\svchost.exe
    1156 svchost.exe
    1196 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    1232 C:\WINDOWS\system32\svchost.exe
    1424 svchost.exe
    1468 svchost.exe
    1776 C:\WINDOWS\system32\spoolsv.exe
    1860 svchost.exe
    1888 C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    1948 C:\Program Files\Java\jre6\bin\jqs.exe
    2024 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    128 C:\WINDOWS\system32\svchost.exe
    148 C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    632 alg.exe
    1720 C:\WINDOWS\explorer.exe
    224 C:\WINDOWS\AGRSMMSG.exe
    904 C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    772 C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    1112 C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    1096 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    1284 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    788 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    1368 C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    1376 C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    1396 C:\Program Files\Microsoft Security Client\msseces.exe
    1640 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2572 C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    2996 C:\Program Files\Mozilla Firefox\firefox.exe
    944 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2176 C:\WINDOWS\system32\rundll32.exe
    4040 C:\Documents and Settings\Alec\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: FUJITSUMHT2040AH, Rev: 006C

    Size Device Name MBR Status
    --------------------------------------------
    33 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: 31D100779DE502702C374F7C15687B56FCFD5528


    Done!
  3. Broni Malware Annihilator

    Good :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed, and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  4. 2janealec Newcomer, in training

    OTL logfile created on: 1/17/2011 1:12:16 PM - Run 1
    OTL by OldTimer - Version 3.2.20.2 Folder = C:\Documents and Settings\Alec\My Documents\Downloads
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    511.00 Mb Total Physical Memory | 287.00 Mb Available Physical Memory | 56.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 33.91 Gb Total Space | 26.41 Gb Free Space | 77.90% Space Free | Partition Type: NTFS

    Computer Name: YOUR-929C560D3A | User Name: Alec | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/01/17 13:09:59 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alec\My Documents\Downloads\OTL.exe
    PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    PRC - [2009/07/29 10:43:34 | 000,163,840 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    PRC - [2009/07/29 10:42:32 | 000,221,184 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    PRC - [2009/07/29 10:42:28 | 000,098,304 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    PRC - [2009/07/29 10:40:40 | 000,425,984 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    PRC - [2009/07/29 10:35:18 | 000,172,032 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/10/02 10:19:48 | 000,094,208 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
    PRC - [2006/05/30 15:05:42 | 000,086,016 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
    PRC - [2005/07/05 14:57:12 | 000,077,824 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
    PRC - [2004/10/14 09:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    PRC - [2003/07/03 01:25:00 | 000,057,344 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe
    PRC - [2003/06/24 14:34:38 | 000,126,976 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/01/17 13:09:59 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Alec\My Documents\Downloads\OTL.exe
    MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    MOD - [2003/06/24 14:33:54 | 000,065,536 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (Irmon)
    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
    SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV - [2009/12/17 16:36:24 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
    SRV - [2009/07/29 10:42:32 | 000,221,184 | ---- | M] (Lenovo ) [Auto | Running] -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe -- (AcSvc)
    SRV - [2009/07/29 10:42:28 | 000,098,304 | ---- | M] (Lenovo ) [Auto | Running] -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -- (AcPrfMgrSvc)
    SRV - [2005/11/22 16:20:28 | 000,036,864 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\acs.exe -- (ACS)
    SRV - [2003/07/03 01:25:00 | 000,057,344 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
    SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


    ========== Driver Services (SafeList) ==========

    DRV - [2009/07/21 21:45:30 | 000,011,520 | ---- | M] (IBM Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ANC.sys -- (ANC)
    DRV - [2009/07/21 21:45:30 | 000,004,224 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\IBMBLDID.sys -- (IBMTPCHK)
    DRV - [2008/04/13 13:54:36 | 000,028,672 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nscirda.sys -- (NSCIRDA)
    DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
    DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
    DRV - [2006/07/13 12:33:08 | 000,674,560 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w70n51.sys -- (w70n51) Intel(R)
    DRV - [2006/02/28 07:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
    DRV - [2006/02/28 07:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
    DRV - [2006/02/28 07:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
    DRV - [2006/02/28 07:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
    DRV - [2006/02/28 07:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
    DRV - [2006/02/28 07:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
    DRV - [2006/02/28 07:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
    DRV - [2006/02/28 07:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
    DRV - [2006/02/28 07:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
    DRV - [2005/07/05 14:57:06 | 000,017,699 | ---- | M] (IBM Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\TPHKDRV.sys -- (TPHKDRV)
    DRV - [2004/08/04 14:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
    DRV - [2004/08/04 14:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
    DRV - [2004/08/04 14:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
    DRV - [2004/08/04 14:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
    DRV - [2004/08/04 14:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
    DRV - [2004/08/04 14:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
    DRV - [2004/08/03 17:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2003/07/03 01:25:00 | 000,011,344 | ---- | M] (IBM Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
    DRV - [2003/06/27 08:53:44 | 001,196,352 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2003/06/24 14:16:30 | 000,265,744 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-1807688380-2972523714-2664652375-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    IE - HKU\S-1-5-21-1807688380-2972523714-2664652375-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
    FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="
    FF - prefs.js..network.proxy.type: 0

    FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/16 20:01:53 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/16 16:25:17 | 000,000,000 | ---D | M]

    [2009/12/21 14:04:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Alec\Application Data\Mozilla\Extensions
    [2011/01/10 22:37:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Alec\Application Data\Mozilla\Firefox\Profiles\eetd05ha.default\extensions
    [2011/01/10 22:37:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Alec\Application Data\Mozilla\Firefox\Profiles\eetd05ha.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}-trash
    [2010/01/11 19:13:25 | 000,001,720 | ---- | M] () -- C:\Documents and Settings\Alec\Application Data\Mozilla\Firefox\Profiles\eetd05ha.default\searchplugins\youtube-video-search.xml
    [2011/01/17 11:20:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/01/16 16:25:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    [2011/01/16 16:24:50 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/01/16 16:24:48 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2011/01/16 23:30:52 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O3 - HKU\S-1-5-21-1807688380-2972523714-2664652375-1006\..\Toolbar\ShellBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKLM..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (Lenovo )
    O4 - HKLM..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (Lenovo )
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
    O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
    O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1807688380-2972523714-2664652375-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1807688380-2972523714-2664652375-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1807688380-2972523714-2664652375-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1807688380-2972523714-2664652375-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.com/pc/support/acpir.cab (IASRunner Class)
    O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab (Windows Live Safety Center Base Module)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1292689346124 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O16 - DPF: vzTCPConfig http://www.verizon.net/checkmypc/includes/vzTCPConfig.CAB (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINDOWS\System32\notifyf2.dll ()
    O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
    O24 - Desktop WallPaper: C:\Documents and Settings\Alec\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Alec\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/26 13:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: AppMgmt - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (54901231209938944)

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/01/17 11:30:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
    [2011/01/17 08:31:16 | 000,083,968 | ---- | C] (eSage Lab) -- C:\Documents and Settings\Alec\remover.exe
    [2011/01/17 08:22:04 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2011/01/17 07:37:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip
    [2011/01/17 07:37:52 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
    [2011/01/16 23:20:34 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/01/16 23:19:03 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/01/16 23:19:03 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/01/16 23:19:03 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/01/16 23:19:03 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/01/16 23:18:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/01/16 21:07:24 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/01/16 20:34:51 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
    [2011/01/16 18:04:22 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Alec\Recent
    [2011/01/16 16:25:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2011/01/16 16:25:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2011/01/16 16:24:30 | 000,000,000 | ---D | C] -- C:\Program Files\Java
    [2011/01/16 16:22:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alec\Application Data\Sun
    [2011/01/16 16:14:49 | 000,000,000 | ---D | C] -- C:\Program Files\temp file cleaner
    [2011/01/16 13:49:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alec\Start Menu\Programs\HiJackThis
    [2011/01/14 22:19:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
    [2011/01/11 22:06:01 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2011/01/10 18:33:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
    [2011/01/10 18:33:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2011/01/09 22:03:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2011/01/06 23:32:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(2)
    [2011/01/06 21:21:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2011/01/06 18:56:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2010/12/23 08:11:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
    [2010/12/19 15:29:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Alec\Application Data\StreamTorrent
    [2010/12/18 16:45:37 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    [6 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [22 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/01/17 11:34:13 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/01/17 08:39:19 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2011/01/17 08:33:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/01/17 08:33:34 | 535,810,048 | -HS- | M] () -- C:\hiberfil.sys
    [2011/01/16 23:30:52 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/01/16 23:20:43 | 000,000,316 | RHS- | M] () -- C:\boot.ini
    [2011/01/16 20:33:09 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/01/16 18:13:08 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/01/16 14:31:33 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\Alec\Desktop\HiJackThis.lnk
    [2011/01/15 08:07:24 | 000,001,486 | ---- | M] () -- C:\Documents and Settings\Alec\Desktop\Calculator.lnk
    [2011/01/10 18:57:32 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Alec\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2011/01/10 18:57:32 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2011/01/06 23:24:03 | 000,011,261 | ---- | M] () -- C:\WINDOWS\System32\saad.js
    [2010/12/25 16:36:22 | 000,043,008 | ---- | M] () -- C:\Documents and Settings\Alec\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [6 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [22 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/01/17 08:31:55 | 000,037,237 | ---- | C] () -- C:\Documents and Settings\Alec\bootkit_remover_debug_log.txt
    [2011/01/16 23:20:43 | 000,000,201 | ---- | C] () -- C:\Boot.bak
    [2011/01/16 23:20:39 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/01/16 23:19:03 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/01/16 23:19:03 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/01/16 23:19:03 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/01/16 23:19:03 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/01/16 23:19:03 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/01/16 13:49:02 | 000,002,445 | ---- | C] () -- C:\Documents and Settings\Alec\Desktop\HiJackThis.lnk
    [2011/01/06 18:24:05 | 000,011,261 | ---- | C] () -- C:\WINDOWS\System32\saad.js
    [2010/08/18 17:13:48 | 000,043,008 | ---- | C] () -- C:\Documents and Settings\Alec\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/12/07 21:37:41 | 000,004,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.sys
    [2009/11/05 19:03:42 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
    [2009/11/05 19:03:41 | 000,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2009/11/05 14:56:35 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
    [2009/11/05 14:56:35 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
    [2005/11/30 20:16:02 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
    [2005/07/05 23:45:08 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\notifyf2.dll
    [2004/08/27 05:50:59 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2004/08/26 11:12:43 | 000,000,465 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
    [2004/08/26 11:12:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2004/08/26 05:54:56 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2003/07/03 01:25:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
    [2003/06/24 14:43:48 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
    [1997/07/11 00:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\XLREC.DLL
    [1997/07/11 00:00:00 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\RECNCL.DLL
    [1997/07/11 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
    [1997/07/11 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
    [1997/07/11 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

    ========== LOP Check ==========

    [2009/12/07 22:12:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alec\Application Data\Avaya
    [2010/10/17 17:14:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alec\Application Data\AVG10
    [2010/11/25 08:57:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alec\Application Data\Canon
    [2010/12/19 15:29:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alec\Application Data\StreamTorrent
    [2010/09/06 12:57:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alec\Application Data\Systweak
    [2010/01/21 21:40:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alec\Application Data\Uniblue
    [2011/01/16 23:06:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    [2010/10/17 17:03:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2010/08/22 09:28:15 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
    [2010/10/17 17:12:24 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2011/01/16 22:36:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011/01/17 08:39:19 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/10/29 23:12:02 | 004,842,152 | ---- | M] (Lenovo Group Limited ) -- C:\77wc39ww.exe
    [2004/08/26 13:04:39 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2009/11/04 01:44:21 | 000,000,201 | ---- | M] () -- C:\Boot.bak
    [2011/01/16 23:20:43 | 000,000,316 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/01/16 23:33:38 | 000,011,627 | ---- | M] () -- C:\ComboFix.txt
    [2004/08/26 13:04:39 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2011/01/17 08:33:34 | 535,810,048 | -HS- | M] () -- C:\hiberfil.sys
    [2004/08/26 13:04:39 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2004/08/26 13:04:39 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2004/08/04 14:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2010/01/22 21:49:40 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/01/17 08:33:32 | 805,306,368 | -HS- | M] () -- C:\PAGEFILE.SYS
    [2009/11/04 01:49:58 | 000,000,002 | ---- | M] () -- C:\REQUEST_OEMRESET_ENDUSER
    [2011/01/16 20:29:37 | 000,045,726 | ---- | M] () -- C:\TDSSKiller.2.4.13.0_16.01.2011_20.28.06_log.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2004/08/04 14:00:00 | 000,000,067 | ---- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/09/13 04:00:00 | 000,027,136 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD7I.DLL
    [2006/09/13 04:00:00 | 000,069,632 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP7I.DLL
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >
    [2009/12/31 14:32:52 | 000,001,618 | -H-- | M] () -- C:\Documents and Settings\Alec\Application Data\Microsoft\LastFlashConfig.WFC

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2004/08/26 05:53:19 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2004/08/26 05:53:18 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2004/08/26 05:53:18 | 000,864,256 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2010/01/22 22:05:48 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010/01/22 22:18:24 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Alec\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2004/08/26 13:09:49 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Alec\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2009/04/21 23:02:24 | 001,079,296 | ---- | M] (ADDPCs) -- C:\Documents and Settings\Alec\Desktop\tempCleaner.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >
    [2010/09/01 15:33:49 | 000,083,968 | ---- | M] (eSage Lab) -- C:\Documents and Settings\Alec\remover.exe

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/01/22 22:18:25 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Alec\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/01/17 11:10:31 | 000,131,072 | ---- | M] () -- C:\Documents and Settings\Alec\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 19:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 10:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 10:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 09:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 12:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 19:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004/08/04 10:06:36 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/08/04 10:06:36 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/08/04 10:06:36 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 10:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 10:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >
  5. 2janealec Newcomer, in training

    OTL Extras logfile created on: 1/17/2011 1:12:16 PM - Run 1
    OTL by OldTimer - Version 3.2.20.2 Folder = C:\Documents and Settings\Alec\My Documents\Downloads
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    511.00 Mb Total Physical Memory | 287.00 Mb Available Physical Memory | 56.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 33.91 Gb Total Space | 26.41 Gb Free Space | 77.90% Space Free | Partition Type: NTFS

    Computer Name: YOUR-929C560D3A | User Name: Alec | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_USERS\S-1-5-21-1807688380-2972523714-2664652375-1006\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
    "1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
    "500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
    "1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
    "1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
    "500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0323CB96-221A-4042-84A3-93EDE47099FC}" = AVG 2011
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{25EF00BE-F17B-11D6-88EA-000476CD2443}" = Verizon Online
    "{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 23
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
    "{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
    "{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
    "{7EB114D8-207F-45AE-BABD-1669715F2630}" = ThinkVantage Access Connections
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9FAC9E5C-0D20-4DBF-AFE5-2E09C52A95A2}" = ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC76BA86-7AD7-1033-7B44-000000000001}" = Adobe Reader 6.0
    "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF23AFD7-3078-4134-8823-EBF6D1FE6FAD}" = Canon MP450
    "{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F4C68898-EBA5-46A9-82B3-2D30426086BF}" = AVG 2011
    "7-Zip" = 7-Zip 9.20
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Agere Systems Soft Modem" = Agere Systems AC'97 Modem
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft Security Client" = Microsoft Security Essentials
    "Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
    "MP Navigator 2.0" = Canon MP Navigator 2.0
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "Office8.0" = Microsoft Office 97, Professional Edition
    "Power Management Driver" = IBM ThinkPad Power Management Driver
    "PROSet" = Intel(R) PRO Network Connections Drivers
    "SynTPDeinstKey" = IBM ThinkPad UltraNav Driver
    "ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
    "WIC" = Windows Imaging Component
    "Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 1/7/2011 9:30:25 PM | Computer Name = YOUR-929C560D3A | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 1/7/2011 10:27:05 PM | Computer Name = YOUR-929C560D3A | Source = Application Error | ID = 1000
    Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
    module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

    Error - 1/7/2011 11:31:02 PM | Computer Name = YOUR-929C560D3A | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 1/7/2011 11:31:02 PM | Computer Name = YOUR-929C560D3A | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 1/7/2011 11:31:07 PM | Computer Name = YOUR-929C560D3A | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The connection with the server was terminated abnormally

    Error - 1/7/2011 11:31:07 PM | Computer Name = YOUR-929C560D3A | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 1/7/2011 11:31:07 PM | Computer Name = YOUR-929C560D3A | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 1/8/2011 4:21:51 PM | Computer Name = YOUR-929C560D3A | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8107.0,
    P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
    P8 NIL, P9 NIL, P10 NIL.

    Error - 1/8/2011 10:25:45 PM | Computer Name = YOUR-929C560D3A | Source = Application Error | ID = 1000
    Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
    module wzcsvc.dll, version 5.1.2600.5512, fault address 0x0002d3ae.

    Error - 1/9/2011 8:51:18 AM | Computer Name = MAIN | Source = Application Error | ID = 1000
    Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
    module wzcsvc.dll, version 5.1.2600.5512, fault address 0x0002d3ae.

    [ System Events ]
    Error - 1/17/2011 10:24:49 AM | Computer Name = YOUR-929C560D3A | Source = Service Control Manager | ID = 7023
    Description = The Remote Access Connection Manager service terminated with the following
    error: %%126

    Error - 1/17/2011 10:24:50 AM | Computer Name = YOUR-929C560D3A | Source = Rasman | ID = 20063
    Description = Remote Access Connection Manager failed to start because the Point
    to Point Protocol failed to initialize. The specified module could not be found.


    Error - 1/17/2011 10:24:50 AM | Computer Name = YOUR-929C560D3A | Source = Service Control Manager | ID = 7023
    Description = The Remote Access Connection Manager service terminated with the following
    error: %%126

    Error - 1/17/2011 10:24:58 AM | Computer Name = YOUR-929C560D3A | Source = Rasman | ID = 20063
    Description = Remote Access Connection Manager failed to start because the Point
    to Point Protocol failed to initialize. The specified module could not be found.


    Error - 1/17/2011 10:24:59 AM | Computer Name = YOUR-929C560D3A | Source = Service Control Manager | ID = 7023
    Description = The Remote Access Connection Manager service terminated with the following
    error: %%126

    Error - 1/17/2011 11:08:53 AM | Computer Name = YOUR-929C560D3A | Source = PSched | ID = 14103
    Description = QoS [Adapter {9E3634ED-96E0-493D-8EA5-3FBA4DC72102}]: The netcard driver
    failed the query for OID_GEN_LINK_SPEED.

    Error - 1/17/2011 12:31:05 PM | Computer Name = YOUR-929C560D3A | Source = PSched | ID = 14103
    Description = QoS [Adapter {9E3634ED-96E0-493D-8EA5-3FBA4DC72102}]: The netcard driver
    failed the query for OID_GEN_LINK_SPEED.

    Error - 1/17/2011 12:31:09 PM | Computer Name = YOUR-929C560D3A | Source = PSched | ID = 14103
    Description = QoS [Adapter {9E3634ED-96E0-493D-8EA5-3FBA4DC72102}]: The netcard driver
    failed the query for OID_GEN_LINK_SPEED.

    Error - 1/17/2011 1:37:01 PM | Computer Name = YOUR-929C560D3A | Source = Rasman | ID = 20063
    Description = Remote Access Connection Manager failed to start because the Point
    to Point Protocol failed to initialize. The specified module could not be found.


    Error - 1/17/2011 1:37:02 PM | Computer Name = YOUR-929C560D3A | Source = Service Control Manager | ID = 7023
    Description = The Remote Access Connection Manager service terminated with the following
    error: %%126


    < End of report >
  6. Broni Malware Annihilator

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
      IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
      FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="
      FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared
      O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
      O3 - HKU\S-1-5-21-1807688380-2972523714-2664652375-1006\..\Toolbar\ShellBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
      O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...8f/wvc1dmo.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
      O16 - DPF: vzTCPConfig http://www.verizon.net/checkmypc/inc...zTCPConfig.CAB (Reg Error: Key error.)
      O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - File not found
      [6 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
      [22 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [2011/01/06 18:24:05 | 000,011,261 | ---- | C] () -- C:\WINDOWS\System32\saad.js
      [2010/08/18 17:13:48 | 000,043,008 | ---- | C] () -- C:\Documents and Settings\Alec\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
      [2010/10/17 17:14:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alec\Application Data\AVG10
      [2010/01/21 21:40:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Alec\Application Data\Uniblue
      [2011/01/16 23:06:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
      [2010/10/17 17:03:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ========================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
  7. 2janealec Newcomer, in training

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 6 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG 2011
    Microsoft Security Essentials
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 23
    Out of date Java installed!
    Adobe Flash Player 10.1.102.64
    Adobe Reader 6.0
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.13)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Microsoft Security Client Antimalware MsMpEng.exe
    ``````````End of Log````````````
  8. Broni Malware Annihilator

    I can see some AVG leftovers.
    Please run this tool to remove them: http://www.avg.com/us-en/download-tools

    ==========================================================================

    Update Internet Explorer to version 8.

    =========================================================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

    I still need the ESET log.
  9. 2janealec Newcomer, in training

    there was no ESET log

    were you expecting one?
  10. Broni Malware Annihilator

    You didn't tell me :)

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
  11. Broni Malware Annihilator

    The issue appears to be resolved.
  12. 2janealec Newcomer, in training

    oh yes thank you
    thank you
    thank you
  13. Broni Malware Annihilator

    You're very welcome :)
  14. 2janealec Newcomer, in training

    Hello
    I hate to bother you again
    but it appears that there is wireless network card bug
    I thought it was my internet service provider
    they sent a new wireless modem
    but I am still having an internet connection drop
    and the speed is not up to the advertised, in fact it's barely half
    I tried to restore to the fixed restore point but then I could not get the new modem to work
    You ran me through a series of fixes and scans for the browser hijack
    I hope you would not mind helping me on this issue
    thanks
    Mike
  15. Broni Malware Annihilator

    This would be out of scope of this forum.
    I suggest you start a new topic in the "Storage and Networking" forum.