XP - New Topic "Windows cannot access the specified..." log
MaineJane
2009-09-03, 18:38
Here's the Hijackthis.log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:00 AM, on 9/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Secure\AV\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\WinUtil\Vista Drv icon\VistaDriveIcon\DrvIcon.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\Secure\IObit\IObit Security 360\IS360tray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240275574546
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\Secure\a2 Free\a2service.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IS360service - IObit - C:\Program Files\Secure\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Secure\Online Armor\OAcat.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Secure\Online Armor\oasrv.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
--
End of file - 5780 bytes
http://forums.spybot.info/showthread.php?p=333479#post333479
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
Please download the Win32kDiag.exe tool from the following location and save it to your desktop:
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe
Once downloaded, double-click on the program and let it finish. When it states Finished! Press any key to exit..., you can press any key on your keyboard to close the program. On your desktop should now be a file called Win32kDiag.txt.
Double-click on this file and post the contents as a reply to this topic.
Download and Run RSIT
Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
( They can also be found in the C:\RSIT folder )
MaineJane
2009-09-04, 03:06
Log file is located at: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Finished!
MaineJane
2009-09-04, 03:07
info.txt logfile of random's system information tool 1.06 2009-09-03 19:47:49
======Uninstall list======
-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\SETUP.exe -l0x0009 -removeonly
-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\SETUP.exe -l0x0009 -removeonly
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACDSee 9 Photo Manager-->MsiExec.exe /X{B2D41883-3BFC-4BA0-A2F6-5A2C9836C238}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Alky for Applications (Windows XP)-->MsiExec.exe /X{BB05D173-9681-4812-A7FA-BD4042A3DA00}
Anti Trojan Elite 4.4.8-->"C:\Program Files\Secure\Anti Trojan Elite\unins000.exe"
a-squared Free 4.5-->"C:\Program Files\Secure\a2 Free\unins000.exe"
Audio Record Wizard v2.7-->"C:\Program Files\Audio\ARWizard\unins000.exe"
BootSkin-->C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\UNWISE.EXE C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\INSTALL.LOG
Client Security Solution-->MsiExec.exe /I{F055E1B2-8A05-4D87-8039-1BE979BA4193}
Conexant HD Audio-->C:\Program Files\CONEXANT\CNXT_HDAUDIO\UIU32a.exe -U -ILvVen5a.inf
CubeDesktop 1.3.1-->C:\Program Files\Desktop\CubeDesktop\uninst.exe
CursorFX Plus-->"C:\Documents and Settings\All Users\Application Data\{86309521-B982-4930-BEE5-E248EAAA84A7}\CursorFX_setup.exe" REMOVE=TRUE MODIFY=FALSE
CursorFX-->C:\Documents and Settings\All Users\Application Data\{86309521-B982-4930-BEE5-E248EAAA84A7}\CursorFX_setup.exe
DesktopX-->C:\PROGRA~1\OBJECT~1\DesktopX\UNWISE.EXE C:\PROGRA~1\OBJECT~1\DesktopX\INSTALL.LOG
DVDFab 6.0.1.0 by CATER / AHCU-->"C:\Program Files\DVD\DVDFab 6\unins000.exe"
FairStars Audio Converter 1.82-->"C:\Program Files\Audio\FairStars Audio Converter\unins000.exe"
FinalBurner PRO v2.7.0.182-->"C:\Program Files\Multimedia\Final Burner\Uninstall.exe" "C:\Program Files\Multimedia\Final Burner\install.log" -u
Gadget Extractor-->MsiExec.exe /X{C8838D06-D7DB-4CB0-BF13-7191D2D84C42}
GIMP 2.6.7-->"C:\Program Files\GIMP-2.0\setup\unins000.exe"
GOM Player-->"C:\Program Files\Multimedia\GomPlayer\Uninstall.exe"
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_5045&SUBSYS_17AA20DA\UIU32m.exe -U -ILVVEN5Km.inf
HijackThis 2.0.2-->"E:\1 sbot forum\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel(R) PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
IObit Security 360 RC-->"C:\Program Files\Secure\IObit\IObit Security 360\unins000.exe"
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
jv16 PowerTools 2009-->"C:\Program Files\WinUtil\jv16 PowerTools 2009\unins000.exe"
Kantaris Media Player 0.5.4-->"C:\Program Files\Kantaris\unins000.exe"
Lenovo Registration-->C:\Program Files\Lenovo Registration\uninstall.exe
Loaris Trojan Remover 1.1-->"C:\Program Files\Secure\ltr\unins000.exe"
LogonStudio-->C:\PROGRA~1\WINCUS~1\LOGONS~1\UNWISE.EXE C:\PROGRA~1\WINCUS~1\LOGONS~1\INSTALL.LOG
Maintenance Manager-->Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\AWAYTASK.INF
Malwarebytes' Anti-Malware-->"C:\Program Files\Secure\MWB\unins000.exe"
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver-->MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
MediaMonkey 3.1-->"C:\Program Files\Audio\MediaMonkey\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office XP Small Business-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
Microsoft Speech SDK 5.1-->MsiExec.exe /I{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (3.5.2)-->C:\Program Files\Communications\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.23)-->C:\Program Files\Communications\Mail\Thunderbird\uninstall\helper.exe
MPEG2 Codec(libmpeg2/mad)-->"C:\Program Files\GNU\MPEG2\Uninstall.exe"
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
Nitro PDF Professional-->MsiExec.exe /I{8EBE1DB0-8687-43A7-8781-6445E62CAFA5}
On Screen Display-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall.XP 132 C:\Program Files\Lenovo\HOTKEY\tphk_tp.inf
Online Armor 3.5-->"C:\Program Files\Secure\Online Armor\unins000.exe"
OpenOffice.org 3.0-->MsiExec.exe /I{F44DA61E-720D-4E79-871F-F6E628B33242}
PC Pitstop Exterminate2 2.0-->"C:\Program Files\PCPitstop\Exterminate2\unins000.exe"
PC-Doctor 5 for Windows-->C:\Program Files\PCDR5\uninst.exe
PopTray 3.20-->C:\Program Files\Communications\Mail\\PopTray\Uninstall.exe
PopTray Microsoft Speech Plugin 1.0-->C:\Program Files\Communications\Mail\\PopTray\Plugins\UninstallMicrosoftSpeech.exe
PowerISO-->"C:\Program Files\DVD\PowerISO\uninstall.exe"
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Remove Multimedia Center-->C:\swtools\apps\MMCfTO\customiz\sequencer.exe -fc:\swtools\apps\MMCfTO\customiz\uninst.seq
Rescue and Recovery-->MsiExec.exe /I{F151F2B3-0C32-44D3-90E2-E639B8024622}
RocketDock 1.3.5-->"C:\Program Files\Desktop\RocketDock\unins000.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Smarty Uninstaller Pro-->"C:\Program Files\WinUtil\Smarty Uninstaller Pro\unins000.exe"
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic Icons for Lenovo-->MsiExec.exe /I{B334D9AE-1393-423E-97C0-3BDC3360E692}
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Startup Delayer v2.5 (build 138)-->C:\Program Files\Winutil\Startup Delayer\Uninstall.exe
Tag&Rename 3.5.2-->"C:\Program Files\Audio\TagRename\unins000.exe"
TeamViewer 4-->C:\Program Files\Communications\TeamViewer\Version4\uninstall.exe
ThinkPad EasyEject Utility -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad FullScreen Magnifier-->RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\Zoom\TpScrex.inf
ThinkPad PC Card Power Policy-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUnInstall 132 C:\SWTOOLS\OSFIXES\PCMCIAPW\pcmciapw.inf
ThinkPad Power Management Driver-->RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Power Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad TrackPoint Driver-->C:\WINDOWS\system32\tp4unins.exe
ThinkVantage Technologies Welcome Message-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1007F41F-7D69-468E-8017-3849A5A973C2}\Setup.exe" -l0x9 anything
TrueCrypt-->"C:\Program Files\WinUtil\TrueCrypt\TrueCrypt Setup.exe" /u
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
UltraCompare v6.40-->MsiExec.exe /I{E962A4F0-295A-4760-805E-162AED3EE8DE}
UltraEdit 15.10-->MsiExec.exe /I{DDF17E28-E4C4-41CF-9DB9-8FA5F19B918C}
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Wallpapers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}\Setup.exe" -l0x9 UNINSTALL
WindowBlinds-->C:\PROGRA~1\Desktop\Stardock\OBJECT~1\WINDOW~1\UNWISE.EXE C:\PROGRA~1\Desktop\Stardock\OBJECT~1\WINDOW~1\INSTALL.LOG
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /us C:\PROGRA~1\DIFX\UninstallScripts\F13EE0B22AD5D087DFA50E3D4D6F13FC1AAAFB32
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Sidebar-->C:\Program Files\Windows Sidebar\uninst.exe
WinRAR archiver-->C:\Program Files\WinUtil\Archivers\WinRAR\uninstall.exe
WinSnap-->C:\Program Files\Graphics\WinSnap\uninst.exe
WinXP Manager-->MsiExec.exe /I{1043E281-B080-4947-9BD7-3F1D233BF6D2}
WirelessMon V3.1-->"C:\Program Files\WirelessMon\unins000.exe"
XnView 1.96-->"C:\Program Files\Graphics\XnView\unins000.exe"
XP Themes-->MsiExec.exe /I{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}
======Security center information======
FW: Online Armor Firewall (disabled)
======System event log======
Computer Name: LAPTOP-048AB0BF
Event Code: 7000
Message: The Remote Procedure Call (RPC) Net service failed to start due to the following error:
Access is denied.
Record Number: 2782
Source Name: Service Control Manager
Time Written: 20090730070437.000000-240
Event Type: error
User:
Computer Name: LAPTOP-048AB0BF
Event Code: 7000
Message: The pmem service failed to start due to the following error:
Access is denied.
Record Number: 2781
Source Name: Service Control Manager
Time Written: 20090730070437.000000-240
Event Type: error
User:
Computer Name: LAPTOP-048AB0BF
Event Code: 7023
Message: The HID Input Service service terminated with the following error:
The system cannot find the file specified.
Record Number: 2780
Source Name: Service Control Manager
Time Written: 20090730070437.000000-240
Event Type: error
User:
Computer Name: LAPTOP-048AB0BF
Event Code: 4
Message: Broadcom NetLink (TM) Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.
Record Number: 2775
Source Name: b57w2k
Time Written: 20090730070333.000000-240
Event Type: warning
User:
Computer Name: LAPTOP-048AB0BF
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001CBF8AFCF9. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Record Number: 2772
Source Name: Dhcp
Time Written: 20090730070325.000000-240
Event Type: warning
User:
=====Application event log=====
Computer Name: LAPTOP-048AB0BF
Event Code: 1000
Message: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Record Number: 286
Source Name: Application Error
Time Written: 20090421080111.000000-240
Event Type: error
User:
Computer Name: LAPTOP-048AB0BF
Event Code: 1001
Message: Fault bucket 1239580114.
Record Number: 285
Source Name: Application Error
Time Written: 20090421080054.000000-240
Event Type: error
User:
Computer Name: LAPTOP-048AB0BF
Event Code: 1000
Message: Faulting application explorer.exe, version 6.0.2900.5512, faulting module dlacresw.dll, version 5.20.19.0, fault address 0x00021e7e.
Record Number: 284
Source Name: Application Error
Time Written: 20090421080021.000000-240
Event Type: error
User:
Computer Name: LAPTOP-048AB0BF
Event Code: 1517
Message: Windows saved user LAPTOP-048AB0BF\Bill registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
Record Number: 278
Source Name: Userenv
Time Written: 20090421074827.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: LAPTOP-048AB0BF
Event Code: 1000
Message: Faulting application sidebar.exe, version 6.0.6001.16510, faulting module vcomctl32.dll, version 0.0.0.0, fault address 0x00001213.
Record Number: 275
Source Name: Application Error
Time Written: 20090421062222.000000-240
Event Type: error
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Intel\Wireless\Bin;C:\Program Files\Common Files\Lenovo;C:\Program Files\Lenovo\Client Security Solution;C:\Program Files\Desktop\Alky for Applications\Libraries;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
"TVT"=C:\Program Files\Lenovo
"TVTCOMMON"=C:\Program Files\Common Files\Lenovo
"SWSHARE"=C:\SWSHARE
"RR"=C:\Program Files\Lenovo\Rescue and Recovery
"TVTPYDIR"=C:\Program Files\Common Files\Lenovo\Python24
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"SAFEBOOT_OPTION"=NETWORK
-----------------EOF-----------------
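Added triage script for the logs posted above (example code written for this page; it is not part of the thread and not from the HijackThis or RSIT authors). It parses the O2/O10/O16/O23 lines of the HijackThis log and the Service Control Manager records in the RSIT "System event log" block, then lists what an analyst reads first: a BHO whose file is gone, a Winsock LSP HijackThis does not recognise, an ActiveX (DPF) download from a host outside an allow-list, a service with no vendor string, and a service the SCM could not start, tied back to its O23 entry. The regexes are my reading of the HijackThis 2.0.2 format as it appears in the thread, the Microsoft-only O16 allow-list is an assumption, and the sample lines are copied from the posted logs.

```python
"""Triage helper for HijackThis + RSIT logs (added example, not the thread's own tooling).

Regexes follow the HJT 2.0.2 lines seen in the thread; TRUSTED_DPF_HOSTS is an assumed allow-list.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: lines copied from the logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Secure\AV\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240275574546
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
"""

# Constructed sample: two SCM records copied from the RSIT info.txt above.
EVENTS_SAMPLE = """
Computer Name: LAPTOP-048AB0BF
Event Code: 7000
Message: The Remote Procedure Call (RPC) Net service failed to start due to the following error:
Access is denied.
Record Number: 2782
Source Name: Service Control Manager
Computer Name: LAPTOP-048AB0BF
Event Code: 7023
Message: The HID Input Service service terminated with the following error:
The system cannot find the file specified.
Record Number: 2780
Source Name: Service Control Manager
"""

TRUSTED_DPF_HOSTS = {"update.microsoft.com", "download.microsoft.com"}  # assumption

CLSID = r"\{[0-9A-Fa-f-]+\}"
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.+?) - (?P<clsid>{CLSID}) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O16_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# Display name, optional (short name), vendor string, binary path.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^()\s]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
# One RSIT event record: code plus the (possibly multi-line) message.
EVENT_RE = re.compile(r"Event Code: (?P<code>\d+)\nMessage: (?P<msg>.*?)\nRecord Number:", re.S)
SCM_FAIL_RE = re.compile(r"^The (?P<svc>.+?) service (?:failed to start|terminated)")


@dataclass
class Finding:
    section: str  # HJT section code, or "SCM" for an event-log correlation
    detail: str


def parse_hjt(text):
    """Group recognised HJT lines by section code; anything else is skipped."""
    entries = {"O2": [], "O10": [], "O16": [], "O23": []}
    for line in text.splitlines():
        for key, rx in (("O2", O2_RE), ("O10", O10_RE), ("O16", O16_RE), ("O23", O23_RE)):
            m = rx.match(line)
            if m:
                entries[key].append(m.groupdict())
                break
    return entries


def scm_failures(event_text):
    """(event code, service display name, last message line) per SCM start/stop failure."""
    out = []
    for ev in EVENT_RE.finditer(event_text):
        m = SCM_FAIL_RE.match(ev.group("msg"))
        if m:
            reason = ev.group("msg").strip().splitlines()[-1].strip()
            out.append((int(ev.group("code")), m.group("svc"), reason))
    return out


def triage(hjt_text, event_text, trusted_hosts=TRUSTED_DPF_HOSTS):
    hjt = parse_hjt(hjt_text)
    findings = []
    for e in hjt["O2"]:
        if e["missing"]:  # registration left behind, DLL gone
            findings.append(Finding("O2", f"BHO '{e['name']}' points at a missing file: {e['path']}"))
    for e in hjt["O10"]:
        findings.append(Finding("O10", f"Winsock LSP not in HJT's known list: {e['path']}"))
    for e in hjt["O16"]:
        host = urlsplit(e["url"]).hostname or ""
        if host not in trusted_hosts:
            findings.append(Finding("O16", f"ActiveX control '{e['name']}' was fetched from {host}"))
    by_name = {}
    for e in hjt["O23"]:
        by_name[e["name"]] = e
        if e["owner"] == "Unknown owner":
            findings.append(Finding("O23", f"service '{e['name']}' has no vendor string: {e['path']}"))
    # Tie each SCM failure back to the O23 entry (vendor and binary) with the same display name.
    for code, svc, reason in scm_failures(event_text):
        e = by_name.get(svc)
        if e:
            findings.append(Finding("SCM", f"service '{svc}' ({e['short']}, {e['owner']}) logged event {code}: {reason}"))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, EVENTS_SAMPLE):
        print(f"[{f.section}] {f.detail}")
```

HijackThis lists only non-Microsoft services under O23, so a failure like the pmem one in the same event log has no O23 entry to correlate with and is simply not reported; the script points at where to look and does not guess at a cause.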
MaineJane
2009-09-04, 03:09
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-09-03 19:47:43
Microsoft Windows XP Professional Service Pack 3
System drive C: has 26 GB (54%) free of 48 GB
Total RAM: 2038 MB (81% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:47 PM, on 9/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Communications\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Secure\AV\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\WinUtil\Vista Drv icon\VistaDriveIcon\DrvIcon.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\Secure\IObit\IObit Security 360\IS360tray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240275574546
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\Secure\a2 Free\a2service.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IS360service - IObit - C:\Program Files\Secure\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Secure\Online Armor\OAcat.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Secure\Online Armor\oasrv.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
--
End of file - 5989 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\PMTask.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\Secure\AV\AVG\AVG8\avgssie.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2006-02-02 110652]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F040E541-A427-4CF7-85D8-75E3E0F476C5}]
CPwmIEBrowserHelper Object - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll [2007-01-30 796224]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"=C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [2007-03-09 66176]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-02-25 131072]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-02-25 155648]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-02-25 131072]
"DrvIcon"=C:\Program Files\WinUtil\Vista Drv icon\VistaDriveIcon\DrvIcon.exe [2007-07-04 45056]
"BLOG"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog []
"BootSkin Startup Jobs"=C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe [2004-04-26 270336]
"Nitro PDF Printer Monitor"=C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe [2009-03-04 209216]
"IObit Security 360"=C:\Program Files\Secure\IObit\IObit Security 360\IS360tray.exe [2009-08-20 943888]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\@OnlineArmor GUI]
C:\Program Files\Secure\Online Armor\oaui.exe [2009-04-16 2044104]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Winutil\TrueImageHome\TimounterMonitor.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti Trojan Elite]
C:\Program Files\Secure\Anti Trojan Elite\TJEnder.exe :NO []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
DevDetect.exe -autorun []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2006-02-02 122940]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe [2005-09-06 987187]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Winutil\TrueImageHome\TrueImageMonitor.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^ImpulseNow.lnk]
[]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TVT Scheduler"=2
"TVT Backup Service"=2
"TVT Backup Protection Service"=2
"tvtnetwk"=2
"SvcOnlineArmor"=2
"AcrSch2Svc"=2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-02-25 204800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll [2005-01-31 49152]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll [2006-09-06 34344]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll [2006-12-13 28672]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
C:\Program Files\Desktop\Stardock\Object Desktop\WindowBlinds\wbsrv.dll [2008-07-22 210168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\PROGRA~1\COMMON~1\Stardock\MCPCore.dll [2005-05-10 86016]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"=C:\PROGRA~1\Secure\ONLINE~1\oaevent.dll [2009-04-16 335048]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Communications\TeamViewer\Version4\TeamViewer.exe"="C:\Program Files\Communications\TeamViewer\Version4\TeamViewer.exe:*:Enabled:TeamViewer Remote Control Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\ctmweb.exe"="C:\WINDOWS\system32\ctmweb.exe:*:Enabled:ctmweb.exe"
"C:\Program Files\Communications\Mail\Thunderbird\thunderbird.exe"="C:\Program Files\Communications\Mail\Thunderbird\thunderbird.exe:*:Enabled:Mozilla Thunderbird"
"C:\Program Files\Audio\LimeWire\LimeWire.exe"="C:\Program Files\Audio\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\SYSTEM32\ctmweb.exe"="C:\WINDOWS\SYSTEM32\ctmweb.exe:*:Enabled:ctmweb Computrace Installation/Management Application"
======List of files/folders created in the last 1 months======
2009-09-03 19:47:43 ----D---- C:\rsit
2009-09-03 19:46:26 ----D---- C:\Documents and Settings\Administrator\Application Data\Sun
2009-09-03 19:14:19 ----D---- C:\WINDOWS\Sun
2009-09-03 19:12:07 ----D---- C:\WINDOWS\LastGood
2009-09-03 10:18:43 ----D---- C:\Program Files\Trend Micro
2009-09-03 08:07:46 ----SHD---- C:\Config.Msi
2009-09-02 16:46:32 ----A---- C:\WINDOWS\system32\rpcnetp.exe
2009-09-02 14:27:58 ----D---- C:\!KillBox
2009-09-02 14:17:48 ----A---- C:\WINDOWS\system32\locate.com
2009-09-02 14:15:35 ----D---- C:\ISeeYouXP
2009-09-02 12:55:02 ----D---- C:\Program Files\PCPitstop
2009-09-01 23:00:01 ----D---- C:\Program Files\WirelessMon
2009-09-01 22:29:42 ----D---- C:\Documents and Settings\All Users\Application Data\IObit
2009-09-01 22:28:43 ----SHD---- C:\RECYCLER
2009-09-01 22:24:11 ----D---- C:\WINDOWS\temp
2009-09-01 22:24:10 ----A---- C:\ComboFix.txt
2009-09-01 22:16:46 ----A---- C:\WINDOWS\PEV.exe
2009-09-01 19:17:24 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-09-01 19:12:31 ----D---- C:\Documents and Settings\Administrator\Application Data\Macromedia
2009-09-01 19:12:31 ----D---- C:\Documents and Settings\Administrator\Application Data\Adobe
2009-09-01 19:11:33 ----D---- C:\Documents and Settings\Administrator\Application Data\Mozilla
2009-09-01 15:56:11 ----A---- C:\WINDOWS\resetlog.txt
2009-09-01 15:55:54 ----D---- C:\ERDNT
2009-09-01 14:10:09 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-09-01 11:19:23 ----D---- C:\VundoFix Backups
2009-09-01 11:19:23 ----A---- C:\VundoFix.txt
2009-09-01 10:36:12 ----A---- C:\avenger.txt
2009-09-01 10:12:11 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-09-01 10:12:06 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-09-01 07:31:00 ----A---- C:\WINDOWS\zip.exe
2009-09-01 07:31:00 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-09-01 07:31:00 ----A---- C:\WINDOWS\SWSC.exe
2009-09-01 07:31:00 ----A---- C:\WINDOWS\SWREG.exe
2009-09-01 07:31:00 ----A---- C:\WINDOWS\sed.exe
2009-09-01 07:31:00 ----A---- C:\WINDOWS\NIRCMD.exe
2009-09-01 07:31:00 ----A---- C:\WINDOWS\grep.exe
2009-09-01 07:30:58 ----D---- C:\WINDOWS\ERDNT
2009-09-01 07:30:57 ----SD---- C:\ComboFix
2009-09-01 07:27:56 ----D---- C:\Qoobox
2009-09-01 07:27:08 ----D---- C:\Documents and Settings\Administrator\Application Data\WinRAR
2009-09-01 07:24:48 ----SHD---- C:\WINDOWS\CSC
2009-08-28 08:18:17 ----D---- C:\Program Files\Editors
2009-08-27 13:34:00 ----D---- C:\Program Files\GIMP-2.0
2009-08-27 08:56:30 ----D---- C:\Documents and Settings\All Users\Application Data\SuperMP3Download
2009-08-26 17:15:10 ----HDC---- C:\WINDOWS\$NtUninstallKB970653-v3$
2009-08-26 04:19:22 ----D---- C:\Program Files\QuickTime
2009-08-26 04:19:20 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-08-24 04:04:00 ----D---- C:\Program Files\ffdshow
2009-08-12 17:05:01 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-12 17:04:57 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-12 17:04:52 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-12 17:04:45 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-12 17:04:39 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-12 17:04:34 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-12 17:04:28 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-12 17:04:20 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-12 17:01:36 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
======List of files/folders modified in the last 1 months======
2009-09-03 19:44:17 ----A---- C:\WINDOWS\ntbtlog.txt
2009-09-03 19:43:20 ----A---- C:\TPHKLOCK.TXT
2009-09-03 19:43:19 ----AD---- C:\WINDOWS\system32
2009-09-03 19:41:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-03 19:27:49 ----D---- C:\WINDOWS\Prefetch
2009-09-03 19:14:19 ----AD---- C:\WINDOWS
2009-09-03 19:12:08 ----HD---- C:\WINDOWS\inf
2009-09-03 19:12:07 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-03 19:06:57 ----A---- C:\WINDOWS\system32\rpcnet.dll
2009-09-03 10:18:43 ----RD---- C:\Program Files
2009-09-03 08:15:00 ----D---- C:\WINDOWS\system32\drivers
2009-09-03 08:08:37 ----SHD---- C:\WINDOWS\Installer
2009-09-03 08:08:17 ----D---- C:\WINDOWS\WinSxS
2009-09-03 08:07:53 ----D---- C:\Program Files\Common Files\Acronis
2009-09-03 08:07:50 ----D---- C:\Program Files\WinUtil
2009-09-02 14:09:54 ----D---- C:\Program Files\Windows Sidebar
2009-09-02 13:02:32 ----D---- C:\Program Files\Secure
2009-09-01 22:23:25 ----SD---- C:\WINDOWS\Tasks
2009-09-01 22:22:08 ----A---- C:\WINDOWS\system.ini
2009-09-01 22:21:08 ----D---- C:\WINDOWS\AppPatch
2009-09-01 22:20:57 ----D---- C:\Program Files\Common Files
2009-09-01 22:14:38 ----D---- C:\Program Files\Audio
2009-09-01 20:50:13 ----D---- C:\WINDOWS\Minidump
2009-09-01 20:44:50 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-09-01 19:36:52 ----D---- C:\WINDOWS\security
2009-09-01 15:38:00 ----D---- C:\WINDOWS\system32\config
2009-09-01 09:49:43 ----A---- C:\WINDOWS\system32\PerfStringBackupbad.INI
2009-09-01 07:45:12 ----RASH---- C:\boot.ini
2009-09-01 07:45:12 ----A---- C:\WINDOWS\win.ini
2009-08-31 11:09:58 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-27 13:13:28 ----D---- C:\Program Files\Graphics
2009-08-23 22:20:16 ----ASHD---- C:\WINDOWS\system32\dllcache
2009-08-21 09:00:51 ----D---- C:\Program Files\DVD
2009-08-12 17:05:05 ----A---- C:\WINDOWS\imsins.BAK
2009-08-12 17:04:30 ----D---- C:\Program Files\Outlook Express
2009-08-08 08:11:11 ----A---- C:\WINDOWS\system32\PROCDB.INI
2009-08-08 08:10:50 ----A---- C:\WINDOWS\system32\IPSCtrl.INI
2009-08-05 05:01:48 ----A---- C:\WINDOWS\system32\mswebdvd.dll
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-11-18 5660]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-11-18 22684]
R1 OAmon;OAmon; \??\C:\WINDOWS\system32\drivers\OAmon.sys []
R1 OAnet;OAnet; \??\C:\WINDOWS\system32\drivers\OAnet.sys []
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2007-05-01 161792]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-02-27 21040]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NETw4x32;Intel(R) Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw4x32.sys [2007-03-28 2204672]
R3 Tp4Track;PS/2 TrackPoint Driver; C:\WINDOWS\system32\DRIVERS\tp4track.sys [2005-07-12 13840]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]
R3 TVTPktFilter;TVT Packet Filter Service; C:\WINDOWS\system32\DRIVERS\tvtpktfilter.sys [2007-02-08 17664]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
S1 OADevice;OADriver; \??\C:\WINDOWS\system32\drivers\OADriver.sys []
S1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2009-03-15 56268]
S1 TPHKDRV;TPHKDRV; C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys [2006-10-22 17778]
S1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwrif.sys [2006-12-19 4442]
S1 truecrypt;truecrypt; C:\WINDOWS\System32\drivers\truecrypt.sys [2009-04-21 215872]
S2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.6.0.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-04-20 21425]
S2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-02-02 25628]
S2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2006-02-02 2496]
S2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-02-02 86652]
S2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-02-02 14684]
S2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-02-02 6364]
S2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-02-02 87036]
S2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-02-02 94332]
S2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-11-18 40544]
S2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
S2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
S2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
S2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
S2 pmem;pmem; \??\C:\WINDOWS\System32\drivers\pmemnt.sys []
S2 PROCDD;IPS Helper Driver; C:\WINDOWS\system32\DRIVERS\PROCDD.SYS [2006-11-06 12080]
S2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2007-02-21 12416]
S2 tvtfilter;tvtfilter; C:\WINDOWS\system32\DRIVERS\tvtfilter.sys [2009-04-20 33536]
S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 ATE_PROCMON;ATE_PROCMON; \??\C:\Program Files\Secure\Anti Trojan Elite\ATEPMon.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\CHDAudN.sys [2007-04-27 666112]
S3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2007-03-25 988032]
S3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2007-03-25 210688]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-02-25 5700096]
S3 NuidFltr;NUID filter driver; C:\WINDOWS\system32\DRIVERS\NuidFltr.sys [2009-05-09 14736]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2009-04-21 47360]
S3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2006-09-13 28224]
S3 TVTI2C;Lenovo SM bus driver; C:\WINDOWS\system32\DRIVERS\Tvti2c.sys [2006-09-13 35264]
S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS []
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2007-03-25 731136]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 iaStor;Intel AHCI Controller; C:\WINDOWS\system32\DRIVERS\iaStor.sys [2007-02-12 277784]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
S2 a2free;a-squared Free Service; C:\Program Files\Secure\a2 Free\a2service.exe [2009-07-26 1864824]
S2 EvtEng;Intel(R) PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2007-03-06 643072]
S2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-02-27 36400]
S2 IPSSVC;IPS Core Service; C:\WINDOWS\system32\IPSSVC.EXE [2007-01-29 108080]
S2 IS360service;IS360service; C:\Program Files\Secure\IObit\IObit Security 360\IS360srv.exe [2009-08-20 305936]
S2 OAcat;Online Armor Helper Service; C:\Program Files\Secure\Online Armor\OAcat.exe [2009-04-16 361160]
S2 RegSrvc;Intel(R) PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2007-03-06 327680]
S2 rpcnet;Remote Procedure Call (RPC) Net; C:\WINDOWS\system32\rpcnet.exe [2009-08-03 51200]
S2 S24EventMonitor;Intel(R) PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2007-03-06 983040]
S2 SvcOnlineArmor;Online Armor; C:\Program Files\Secure\Online Armor\oasrv.exe [2009-04-16 3049160]
S2 ThinkVantage Registry Monitor Service;ThinkVantage Registry Monitor Service; C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe [2007-01-30 644672]
S2 TVT Backup Protection Service;TVT Backup Protection Service; C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 569344]
S2 TVT Backup Service;TVT Backup Service; C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe [2007-02-08 950272]
S2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMConnectCDS;Windows Media Connect Service; C:\Program Files\Windows Media Connect 2\wmccds.exe [2005-10-06 855552]
S4 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe []
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 TVT Scheduler;TVT Scheduler; c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [2007-02-08 1118208]
S4 tvtnetwk;tvtnetwk; C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe [2007-02-08 45056]
-----------------EOF-----------------
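As an added example, not part of RSIT or of any tool used in this thread, the following Python pass reads the driver and service sections of a log like the one above, using the legend in the section headers, and lists the entries whose image has no recorded date or size (RSIT leaves the bracket empty when it recorded nothing for the file, typically because it could not find or read it) or whose image path sits in a user-writable location. The sample lines are copied from the log above; the list of path hints is an assumption to tune per environment. A flag is a review item, not a verdict: catchme.sys, for instance, is the rootkit detector that ComboFix (which the created-files list above shows was run on 2009-09-01) loads from Temp.

```python
r"""Triage the driver and service sections of an RSIT log.

Each entry reads '<State><StartType> <name>;<display name>; <image path> [<date> <size>]'.
State R/S and start type 0-4 follow the legend in the section header. The
image path may carry the NT '\??\' prefix, and the bracket is empty ('[]')
when RSIT recorded no date or size for the image.
"""
import re

SECTION_RE = re.compile(r"^======List of (?P<section>drivers|services)\b")
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.+?)\s*\[(?P<info>[^\]]*)\]\s*$")
STATE = {"R": "Running", "S": "Stopped"}
START = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# Assumption: locations from which a kernel driver or service image deserves
# a second look. Tune per environment.
WRITABLE_HINTS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")

# Lines copied from the RSIT log pasted in this thread (sample input).
SAMPLE_RSIT = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-11-18 5660]
R1 OAmon;OAmon; \??\C:\WINDOWS\system32\drivers\OAmon.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
S2 rpcnet;Remote Procedure Call (RPC) Net; C:\WINDOWS\system32\rpcnet.exe [2009-08-03 51200]
S4 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe []
"""


def parse_entry(line):
    """Parse one driver/service line into a dict, or return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    if path.startswith("\\??\\"):          # strip the NT object-manager prefix
        path = path[4:]
    info = m.group("info").split()         # [] -> no date, no size
    return {
        "name": m.group("name"),
        "display": m.group("display"),
        "state": STATE[m.group("state")],
        "start": START[m.group("start")],
        "path": path,
        "date": info[0] if info else None,
        "size": int(info[1]) if len(info) > 1 else None,
    }


def parse_sections(text):
    """Walk the log, tagging each entry with the section it was found in."""
    section, entries = "unknown", []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        entry = parse_entry(line)
        if entry:
            entry["section"] = section
            entries.append(entry)
    return entries


def triage(entries):
    """Return the entries worth a manual look, each with the reasons it was flagged."""
    flagged = []
    for e in entries:
        reasons = []
        if e["date"] is None:
            reasons.append("no date/size recorded for image")
        if any(h in e["path"].lower() for h in WRITABLE_HINTS):
            reasons.append("image under a user-writable path")
        if reasons:
            flagged.append({"name": e["name"], "section": e["section"], "state": e["state"],
                            "start": e["start"], "path": e["path"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in triage(parse_sections(SAMPLE_RSIT)):
        print(f"{f['section']:8} {f['state']:7} {f['start']:8} {f['name']:12} {f['path']}")
        for r in f["reasons"]:
            print(f"{'':38} - {r}")
```

Run against the real log by pasting the two sections into SAMPLE_RSIT or reading the file; the output lists, per flagged entry, its section, state, start type and path, followed by the reasons.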
----------------------------------------------------------------------------------------
Step 1
OTMoveIt
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop
Double-click OTM.exe to run it.
Copy the lines in the codebox below (make sure you include :Processes).
:Processes
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^ImpulseNow.lnk]
:Commands
[Purity]
[EmptyTemp]
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Close ALL open windows (especially Internet Explorer!)
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
----------------------------------------------------------------------------------------
Step 2
We need to scan the system with this special tool.
Please download Junction.zip (http://download.sysinternals.com/Files/Junction.zip) and save it.
Unzip it and put junction.exe in the main directory (usually C:).
Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text (the quoted block) into Notepad.
Save it with the file type "All Files" and name it look.bat. Please save it on your desktop.
@Echo Off
REM Start from a clean log so no stale results are shown
If exist "%Temp%\Klog.txt" del /q "%Temp%\Klog.txt"
REM Use junction.exe from the drive root; fall back to a copy on the desktop
If exist "%SYSTEMDRIVE%\junction.exe" goto Cont
If exist "%UserProfile%\Desktop\junction.exe" (copy "%UserProfile%\Desktop\junction.exe" "%SYSTEMDRIVE%\junction.exe"&& Goto Cont )
Echo Junction Not Found !! >>"%Temp%\Klog.txt"
Goto End
:Cont
REM -s recurses the whole drive; every reparse point found goes into the log
%SYSTEMDRIVE%\junction.exe -s c:\ >"%Temp%\Klog.txt"
:End
REM Open the log in its associated viewer (Notepad), then remove the log and this script
"%Temp%\Klog.txt"
del /q "%Temp%\Klog.txt"
del /q %0
Double click on look.bat
Please be patient, as this will search the entire disk.
Notepad will open, please copy/paste the results here.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
OTMoveIt Log
Klog.txt
MaineJane
2009-09-04, 13:54
I couldn't highlight what was under the green bar to cut & paste, because a little window asking me to reboot popped up; it wouldn't allow me to click anywhere else. I tried to just close the window instead of clicking "OK", but the machine rebooted anyway. FWIW, I didn't see any warnings or error messages.
It did not create a file called "OTMoveIt.log" either in the OTM folder or on the Desktop; instead it created 09042009_062737.log, whose contents are as follows:
All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^ImpulseNow.lnk\ deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 55250 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 5045 bytes
->FireFox cache emptied: 24788068 bytes
User: All Users
User: Ann
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 14798995 bytes
User: Bill
->Temp folder emptied: 79856699 bytes
->Temporary Internet Files folder emptied: 111548 bytes
->Java cache emptied: 261369 bytes
->FireFox cache emptied: 39812301 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 152.39 mb
OTM by OldTimer - Version 3.0.0.6 log created on 09042009_062737
Files moved on Reboot...
Registry entries deleted on Reboot...
MaineJane
2009-09-04, 13:56
Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
.\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
.
...
...
...
...
...
...
...
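The Junction output above is easy to eyeball for two entries but not for a whole drive, so here is an added example, written for this thread and not part of Junction or of the forum's tools, that parses Klog.txt into its reparse points and unreadable directories and separates the ones that are normal on XP (the .NET Framework implements its GAC_32 and GAC_MSIL directories as junctions into WinSxS, which is exactly what the two entries above are) from anything else, which a responder should review by hand. The sample input is constructed to mirror the shape of the paste (progress dots precede each path); its last entry is invented to show what a flagged item looks like and is not from the poster's machine.

```python
r"""Triage the Klog.txt that look.bat produces (junction.exe -s c:\).

Junction prints a progress dot per directory, then for each reparse point a
header line '<path>: JUNCTION' (the path carries the \\?\ prefix and the drive
as c:\\) followed by 'Print Name' and 'Substitute Name'. Directories it
cannot open appear as 'Failed to open <path>: <reason>'.
"""
import re

HEADER_RE = re.compile(
    r"^\.*\s*\\\\\?\\(?P<path>.+?):\s+(?P<kind>JUNCTION|MOUNT POINT|SYMBOLIC LINK)\s*$")
FAILED_RE = re.compile(r"^Failed to open \\\\\?\\(?P<path>.+?):\s+(?P<reason>\S.*)$")
NAME_RE = re.compile(r"^\s*(?P<field>Print Name|Substitute Name)\s*:\s*(?P<value>.+?)\s*$")

# (source prefix, target prefix) pairs that are normal on this platform: the
# .NET GAC directories are junctions into WinSxS. Assumption: extend per build.
EXPECTED_LINKS = (
    ("c:\\windows\\assembly\\", "c:\\windows\\winsxs\\"),
)

# Constructed sample in the shape of the thread's paste. The final entry is
# invented to show a flagged item; it is not from the poster's machine.
SAMPLE_KLOG = r"""
Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
...
.\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
   Print Name     : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
   Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
...
.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
   Print Name     : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
   Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
...
.\\?\c:\\Program Files\Common Files\Example\plugins: JUNCTION
   Print Name     : C:\Documents and Settings\SomeUser\Local Settings\Temp\plugins
   Substitute Name: C:\Documents and Settings\SomeUser\Local Settings\Temp\plugins
"""


def normalize(path):
    # Junction prints the drive as c:\\ ; collapse backslash runs and lowercase for prefix tests.
    return re.sub(r"\\{2,}", r"\\", path).lower()


def parse_klog(text):
    """Return (reparse_points, failures) parsed from Junction -s output."""
    points, failures, current = [], [], None
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append({"path": normalize(m.group("path")), "reason": m.group("reason")})
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"source": normalize(m.group("path")), "kind": m.group("kind"),
                       "print_name": "", "substitute_name": ""}
            points.append(current)
            continue
        m = NAME_RE.match(line)
        if m and current is not None:
            current[m.group("field").lower().replace(" ", "_")] = normalize(m.group("value"))
    return points, failures


def triage(points):
    """Split reparse points into expected ones and ones that need a manual look."""
    expected, review = [], []
    for p in points:
        ok = any(p["source"].startswith(src) and p["substitute_name"].startswith(dst)
                 for src, dst in EXPECTED_LINKS)
        (expected if ok else review).append(p)
    return expected, review


def summarize(text):
    """One-shot summary: counts, sources to review, and directories Junction could not open."""
    points, failures = parse_klog(text)
    expected, review = triage(points)
    return {"reparse_points": len(points), "expected": len(expected),
            "review": [p["source"] for p in review],
            "unreadable": [f["path"] for f in failures]}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_KLOG), indent=2))
```

The two "Failed to open" lines in the real output (pagefile.sys and System Volume Information) are what every XP run reports, since the pagefile is locked and the restore-point folder is SYSTEM-only; they are listed so the reviewer can confirm nothing else was unreadable. A junction from Program Files into a user's Temp directory, as in the constructed entry, is the kind of item that warrants a look at what the target contains and what created it.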
There is no sign of any infection, please can you describe your problem in a bit more detail.
MaineJane
2009-09-04, 14:47
I ran those utilities in Safe Mode, because what has been happening in Normal Mode is that just about any program that I try to launch gives me a pop up window that says "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access this item."
If I right-click on the executable, and pick "Run As..." and choose Administrator and enter the pw, I get the same thing.
There doesn't seem to be any rhyme or reason to it: some programs will run, while something as innocuous as a PDF editor will instead return that error.
Programs that use the Windows Installer always fail in Normal Mode, I get a message that says "System Administrator has set policies to prevent this installation."
My ability to connect to the Internet via the wireless router is worse than sporadic, 9 out of 10 attempts fail.
This is a dual boot machine, I'm on Linux now, and I connect to the wireless router easily. I have full access to the other partition from Linux, if that's worth anything.
I'll reboot now into Normal Mode and see if anything has changed, and if I can connect, I'll post to you from there.
MaineJane
2009-09-04, 15:05
I couldn't connect. I open the Network Connections window, see the available wireless connections, choose mine, and get the "Wireless Network Connection" window, which spends about 30 seconds telling me "Waiting for Network to be ready...", and then it times out; no error message, it just closes the window and I am not connected.
I can run Notepad, but if I try to run the Calculator, I get "Windows cannot access the specified device, path, or file..." etc.
Pretty Darn Freaky.
Please try running this in normal mode.
Dial-A-Fix
We need to repair some of Windows' internal registration settings.
Please download Dial-A-Fix from one of the following mirrors:
Primary Mirror (http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip)
Secondary Mirror (http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip)
Extract the zip file to your desktop.
Double click Dial-a-Fix.exe to start the program.
Press the green double checkmark box (Looks like this: http://billy-oneal.com/BleepingComputer/ScreenShots/DialAFix/checkmark.png)
UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:
http://billy-oneal.com/BleepingComputer/ScreenShots/DialAFix/toUncheck.png
When the window looks like this, press the GO button in the bottom of the window.
http://billy-oneal.com/BleepingComputer/ScreenShots/DialAFix/mainWindow.png
Exit/Close Dial-A-Fix
If that doesn't solve the problem, please try the following.
Please download FixPolicies.exe (http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe) by Bill Castner and save it to your desktop.
Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
MaineJane
2009-09-04, 16:15
During that last boot into Normal Mode, I got the WinXP splash screen, and then the system just hung for two minutes with no disk activity. I shut the computer off with the power button.
Upon powering up, I was presented with my boot menu (Linux or Windows), chose Windows, and then I got the message that Windows was shut down improperly, and chose the option to boot from the last known good configuration.
It, by all appearances, booted normally, I logged into my account. Still no connecting to wireless router.
Neither of those two programs you referred me to would run. I get the "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access this item." message.
Would it be worth trying these in Safe Mode, or would that not be applicable?
MaineJane
2009-09-04, 17:50
I have to step out for a couple of hours.
I'm suspecting that just about any new program that I try to run in Normal Mode is going to run into that error, while there have been occasions where I have been able to run newly downloaded programs in Safe Mode instead.
I'll check in when I get back.
MaineJane
2009-09-04, 21:37
So that's the end of it? Throw me a bone here.
Are you gone for the Holiday Weekend? I can dig that.
>So that's the end of it? Throw me a bone here.
No, but I do have my own life to live as well.
>Neither of those two programs you referred me to would run. I get the "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access this item." message.
Right click on the files and select Properties
Is there an UnBlock button near the bottom ?
MaineJane
2009-09-05, 09:57
>No, but I do have my own life to live as well.
I appreciate that.
I don't mean to sound like an ingrate.
there is no "unblock" option..
Thanks
I notice in the Combofix log you posted
c:\windows\system32\GroupPolicy
Did you try to alter the group policies, or is this something the infection did ?
MaineJane
2009-09-05, 18:42
Yes, I attempted to change the group policies...per a suggestion to another user with a near identical problem (in a thread in a Major Geeks forum), before I joined this forum.
I didn't see anything in the editor that was worth changing.
MaineJane
2009-09-05, 19:59
Attempt to run those programs in Safe Mode?
MaineJane
2009-09-05, 22:25
>Attempt to run those programs in Safe Mode?
I haven't yet...shall I?
>shall I?
Please.
How many accounts are on the machine ?
Have you tried using a different profile ?
MaineJane
2009-09-06, 02:23
two accounts, three if you count Administrator...
I'm going to boot to Administrator and try running those now.
MaineJane
2009-09-06, 03:40
In Safe Mode, I was able to run Dial-a-Fix, I didn't receive any error messages...
I ran OTM...
Here is the log:
All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^ImpulseNow.lnk\ not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2799180 bytes
User: All Users
User: Ann
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
User: Bill
->Temp folder emptied: 16252 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 696320 bytes
Windows Temp folder emptied: 483 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 3.41 mb
OTM by OldTimer - Version 3.0.0.6 log created on 09052009_193615
------------------------------
I created another "look.bat" file on the Administrator desktop...double clicking on it, it won't run, an error window pops up informing me that it is "not a valid win32 application".
I copied the file to root, dropped down to dos via Start>Run>CMD and ran it, here are the contents of KLOG.TXT:
Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
...
.\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
.
...
_____________________
The most recent file in root is TPHKLOCK.TXT
it's a hundred and twenty seven lines, all of them "1 00FFFFF7"
MaineJane
2009-09-06, 04:30
nothing has changed.
still can't run Calculator, Wordpad...still get the "Windows cannot access the specified device, path, or file..."
I gather that TPHKLOCK.TXT is kosher, it is related to the ThinkPad utilities.
Did you try FixPolicies ?
MaineJane
2009-09-06, 14:03
Yes, I tried FixPolicies, but it doesn't appear that it made any difference.
Still can't run things as simple as Calculator, Wordpad, or Solitaire in Normal Mode
but I CAN run them under a user account in Safe Mode.
I do have Avast anti-virus on the Linux side, I suppose I could have it do a scan of the NTFS partition...shall I give that a shot?
>I do have Avast anti-virus on the Linux side, I suppose I could have it do a scan of the NTFS partition...shall I give that a shot?
Not a lot of point really, there is no active infection showing in your logs.
It sounds like there has been some serious corruption of file/profile permissions.
Unfortunately you are now outside my area of knowledge, so I'm going to have to recommend that you visit one of the tech forums for assistance.
http://www.techsupportforum.com/
http://www.bleepingcomputer.com/forums/
http://forums.whatthetech.com/forums.html
----------------------------------------------------------------------------------------
Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
OTCleanup
Please download OTCleanup from HERE (http://oldtimer.geekstogo.com/OTC.exe)
Click the OTC.exe icon and then click the CleanUp button.
If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OTCleanup.
You can also delete any logs we have produced and any other tools we have downloaded.
----------------------------------------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must-have program. It includes host protection and registry protection. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some!! Notifies you if programs are added to startup. Allows delayed startup. A must-have addition.
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol.
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other hosts file protections.
Internet Browsers
Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy, this is a very popular choice. The NoScript and AdBlockPlus addons are essential.
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative. Also has addons available.
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
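Added example, not code from this thread or any of its participants. Two things in the thread are worth being able to check from a registry export rather than by trial and error: the question about c:\windows\system32\GroupPolicy (Software Restriction Policy, Windows Installer and Explorer "DisallowRun" policies can all produce launch refusals such as "Windows cannot access the specified device, path, or file" and "System Administrator has set policies to prevent this installation"), and the Internet Explorer Custom Level settings listed above, which are stored as numbered URL-action values under the Internet zone key. The Python below parses a registry export in the format regedit's Export (or `reg export`) writes, reports any of those blocking policies, and flags Internet-zone actions that are more permissive than the values recommended in the post. The key paths, value names and action IDs are real; the export text is constructed for the example, and nothing here claims that any of these values was actually set on the machine in the thread.

```python
"""Audit a Windows registry export (.reg text) for policy values that block program
launches or Windows Installer, and for Internet Explorer Internet-zone settings weaker
than the Custom Level values recommended in the thread. Added example; the export
below is constructed, not taken from the machine discussed in the thread."""
import re

# Real key paths; whether any of them was set on the thread's machine is not known
# (treating them as the cause there is an assumption made for the example).
SAFER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
INSTALLER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer"
EXPLORER_POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
IE_ZONE3 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# IE URL-action IDs (value names under the zone key) for the six settings in the
# thread's hardening steps; data is 0 = Enable, 1 = Prompt, 3 = Disable.
IE_RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
ACTION_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample in the format regedit's Export and `reg export` write.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"DisableMSI"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="calc.exe"
"2"="wordpad.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000000
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)+)"|@)=(.*)$')

def parse_reg(text):
    """.reg text -> {key_path: {value_name: data}}; dword -> int, "str" -> str."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            keys[current][name] = data   # hex(...) / expand strings etc. kept raw
    return keys

def blocking_policies(keys):
    """Policy settings that make Windows refuse to start programs or installers."""
    findings = []
    level = keys.get(SAFER, {}).get("DefaultLevel")
    if level == 0:
        findings.append("SRP DefaultLevel=Disallowed: anything without an allow rule is blocked")
    elif level == 0x20000:
        findings.append("SRP DefaultLevel=Basic User: programs run without administrator rights")
    msi = keys.get(INSTALLER, {}).get("DisableMSI")
    if msi in (1, 2):
        findings.append(f"DisableMSI={msi}: Windows Installer is {'disabled' if msi == 2 else 'limited to managed installs'}")
    if keys.get(EXPLORER_POL, {}).get("DisallowRun") == 1:
        names = keys.get(EXPLORER_POL + r"\DisallowRun", {}).values()
        findings.append("DisallowRun blocks: " + ", ".join(names))
    return findings

def weak_ie_settings(keys):
    """(action_id, description, current, recommended) for each Internet-zone action
    set more permissively than recommended; actions absent from the export are skipped."""
    zone = keys.get(IE_ZONE3, {})
    weak = []
    for action, (desc, want) in IE_RECOMMENDED.items():
        have = zone.get(action)
        if have is not None and have < want:   # lower number = more permissive
            weak.append((action, desc, ACTION_NAMES.get(have, str(have)), ACTION_NAMES[want]))
    return weak

def audit(text):
    keys = parse_reg(text)
    return {"blocking": blocking_policies(keys), "weak_ie": weak_ie_settings(keys)}
```

Regedit's Export writes a UTF-16 (Unicode) file, so read it with `open(path, encoding="utf-16")` before handing the text to `audit()`. On the sample export above `audit()` reports the Disallowed SRP level, DisableMSI=2 and the two DisallowRun entries, and flags actions 1001, 1804 and 1607 as still set to Enable.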
MaineJane
2009-09-06, 17:53
Thanks for all your effort.
It's been a frustrating few days, I'm going to take a break from this for the next 24 hours and resume trying to get some help in one of those other forums.
Thanks again.
-J