Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Redirected Google web searches + Random Pop Ups


Re: Redirected Google web searches + Random Pop Ups

Post by tenmeg » September 7th, 2009, 12:11 am

Hi - here is the log file generated by Win32kDiag

==============================================================

Log file is located at: C:\Documents and Settings\TENMEG\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\temppf.sys
[1] 2009-09-05 23:30:12 268435456 C:\WINDOWS\system32\temppf.sys ()

Finished!

===============================================================

I checked windows/system32 for the temppf.sys. That file is there, but the warning in the log above says it "could not get backup privileges".

I did not realize that the folder I386 on my computer holds all of the Windows XP operating system. I don't want to reinstall over my existing system files, but is there a program within that 'I386 folder' whereby I can repair, modify, update or rebuild the parts of my Windows XP system that are corrupted?
tenmeg
Regular Member
 
Posts: 63
Joined: July 27th, 2009, 7:49 pm

Re: Redirected Google web searches + Random Pop Ups

Post by Bio-Hazard » September 8th, 2009, 8:42 am

Hello!


=======================================================

  • Click Start
  • Click Run
  • In the box type:
  • cmd
  • Then press enter.
  • Copy this command:

    Code:
    cacls \ > perms.txt && start notepad perms.txt

  • Then right click in the command window and click paste.
  • Press enter.


=======================================================

Download this onto your computer, do not install it.

http://www.microsoft.com/DownLoads/deta ... laylang=en

  • Universal Extractor will add entries to your context menus.
  • Find the Windows installer file update you downloaded from MS and right click on it.
  • Click this entry on the context menu:
    • UniExtract to SubDir
  • This will extract all the files into a subdirectory named the same as the Windows installer update file.
  • Open this folder which Universal Extractor created (you'll find it in the same directory as the Windows installer update file) and then copy the exe and DLLs inside to system32.


  • Click Start
  • Click Run
  • In the box type:
  • cmd
  • Then press enter.
  • Copy this command:

    Code:
    Msiexec.exe /regserver

  • Then right click in the command window and click paste.
  • Press enter.

Is Windows Installer working now?

=======================================================

  • Click Start
  • Click Run
  • In the box copy this:

    Code:
    %windir%\security\logs\scesrv.log

  • Press enter.
  • Copy and paste the contents into your next reply.

Do the same for these two logs.

%windir%\security\logs\permsanalyze.log
%windir%\security\logs\permsrepair.log


=======================================================

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • perms.txt
  • scesrv.log
  • permsanalyze.log
  • permsrepair.log
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Redirected Google web searches + Random Pop Ups

Post by tenmeg » September 8th, 2009, 11:04 pm

Hi - well I thought it just might work this time but no luck?? Below are the results requested.

===============================================

Result of "perms.txt" code

C:\ 2WIRE200\Administrator:(OI)(CI)F
2WIRE200\TENMEG:(OI)(CI)F
<Account Domain not found>(OI)(CI)F

===============================================

Q - Is Windows Installer working now?

A - No. All the .dll and .exe files were loaded into /windows/system32 except "msi.dll". I kept getting an error message that someone or another program was using this file? Nothing was opened or running at the time except the Windows folder. I renamed the existing "msi.dll" in /system32 to msi.dllOLD. When I tried to reinstall "msi.dll" it loaded without any errors?? I tried to start Windows Installer again but it would not start. Rc'd the following error: "Could not start the Windows Installer service on Local Computer - error 5 Access is denied". The executable path in Windows Installer is: "C:\WINDOWS\system32\Msiexec.exe /V". I checked the path in the Registry to see if it matched the one in Services - both were the same, except I noticed that in your command to register "Msiexec.exe" the M was capitalized. The file I uploaded to System32 was "msiexec.exe". I changed the capital M to a lower case m in the registry, thinking that was preventing Windows Installer from working, but on retrying it still would not work??

================================================


%windir%\security\logs\scesrv.log - Error: Could Not Find File C:\windows\security\logs\scesrv.log
%windir%\security\logs\permsanalyze.log - A blank .txt file page opened
%windir%\security\logs\permsrepair.log - A blank .txt file page opened
tenmeg
Regular Member
 
Posts: 63
Joined: July 27th, 2009, 7:49 pm

Re: Redirected Google web searches + Random Pop Ups

Post by Bio-Hazard » September 11th, 2009, 7:24 am

  • Right click on my computer.
  • Click Properties on the context menu.
  • When the next page comes up, click the Advanced Tab.
  • When the next page comes up, in the section labeled Performance
  • Click the settings button.
  • When the next page appears
  • Click the Advanced button.
  • When the next page comes up, look near the bottom at the section labeled Paging.
  • Click the Change button. This will bring up another change. We are going to look but not touch! Do not make any changes or press the Set button on this page!

I want you to look at the following:
If you have more than one drive listed be sure to highlight the C: drive.

Then tell me which option is enabled there.
The choices are:
Custom size
System Managed Size
No paging file


If custom size is selected, what does it list as Initial Size and Maximum size?

That page will also list Space Available. How much?

At the bottom of the page you'll see another section labeled

Total Paging file size for all drives.

Please report the categories listed there and the numbers listed for each.

===============================================

We also need to know how much Ram you have.

Right click on My Computer and then click on Properties. Be sure the General tab is selected. Look for the amount of RAM as listed on that page and post that information.

===============================================


Do you have Microsoft Office installed? If so, which version is it and is Access installed with it? I saw an inf file listed in one of your logs indicating Office 97 had been installed at some point.

===============================================

Please go to your system32 folder and right click on esent.dll, then click properties on the context menu, click the version tab and then tell us what that says regarding the version of the file.

===============================================

Let's see if there are any policies on Windows Update. Copy the contents of the code box to Notepad. Save the file as Query policy.bat

Code:
Echo Looking for Windows Updates policies > policy.txt
Reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s >>policy.txt
Reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s >>policy.txt

Cacls %windir%\security\Database\secedit.sdb >>policy.txt

Start notepad policy.txt



Double click on Query policy.bat to run it.

When policy.txt opens paste its content into your next reply.
===============================================

Download fixdb.bat from this link:
http://www.andrew.cmu.edu/org/hc-tools/ ... /fixdb.bat
Save the file. We'll use it later, after we see policy.txt.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Redirected Google web searches + Random Pop Ups

Post by tenmeg » September 11th, 2009, 1:38 pm

Hello - below is the info requested

==============================================================

Q - Then tell me which option is enabled there.
A - The option selected is: Custom Size Initial Size: 765 Maximum Size: 1536

Q - That page will also list Space Available. How much?
A- Space Available: 8819 mb

Q - Please report the categories listed there and the numbers listed for each.
A - Minimum allowed: 2 mb Recommended: 765 mb Currently allocated: 256 mb

Q - We also need to know how much Ram you have.
A - Ram: 512 mb

Q - Do you have Microsoft Office installed? If so, which version is it and is Access installed with it? I saw an inf file listed in one of your logs indicating Office 97 had been installed at some point.
A - The reference to Microsoft Office was Microsoft Office PowerPoint Viewer
I copied the following from that program. The Microsoft Office PowerPoint Viewer allows you to view full-featured presentations created in Microsoft Office PowerPoint 2003. The PowerPoint Viewer supports viewing presentations created in PowerPoint 97, PowerPoint 2000, and PowerPoint 2002. The PowerPoint Viewer also supports opening password-protected PowerPoint presentations.

I searched for Microsoft 97 and Access and could not find any reference to that program.

=====================================================

System32/esent.dll - Properties Version 5.1.2600.2780

=====================================================

Looking for Windows Updates policies

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate REG_DWORD 0x0
AUOptions REG_DWORD 0x3
tenmeg
Regular Member
 
Posts: 63
Joined: July 27th, 2009, 7:49 pm

Re: Redirected Google web searches + Random Pop Ups

Post by Bio-Hazard » September 12th, 2009, 10:47 am

Did you have a bad shutdown right before all this started?
Were there power cuts or power failures right before this started?
Do you have a flash drive available?

=========================================================
Run fixdb.bat

It will tell you to try installing SP2 again. Ignore that. This is an automated way to try and fix the Cryptsvc problem you have.

Instead of trying to install SP2, see if you can install a Windows Update. One that gave you the error Cannot verify update.inf.

Let us know your results please.

=========================================================


Boot into Safe mode.

Here are the instructions on how to boot into safe mode in Windows XP:

  • If the computer is running shut down Windows and then turn off the power
  • Wait 30 seconds and then turn the computer on.
  • Start tapping the F8 key (if this doesn't work try the F5 key). The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon some computers display a keyboard error message. To resolve this, restart the computer and try again.
  • Ensure that the Safe mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • You can see Safe mode in every corner of your screen
  • When you are finished with all troubleshooting close all programs and restart the computer as you normally would.


Let's try cacls one more time to see if that last reading was a glitch. (We may eventually grant full access to the Users group and see if that allows you to successfully use secedit to apply the correct permissions for the drive, but that's for a bit later.) I also need more information from the registry to see if we can fix the Windows Installer. It appears you have a permissions problem with the Windows Installer. It may be a launch permissions issue or a problem with the Security value. This batch will give us a look at your registry values there.

Copy the contents of the code box to notepad.
Code:
C:
cd \
cacls C: >p.txt
Move p.txt "%userprofile%"
cd /d "%userprofile%"
regedit /e /a "%userprofile%\appidmsi.txt" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{000C101C-0000-0000-C000-000000000046}
regedit /e /a "%userprofile%\server.txt" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer
Type "%userprofile%\appidmsi.txt" >>p.txt
Type "%userprofile%\server.txt" >>p.txt
del "%userprofile%\appidmsi.txt"
del "%userprofile%\server.txt"
Start Notepad p.txt


It doesn't matter where you save this batch. When it has finished, it will open a file named p.txt. Please post the contents of p.txt into your next reply here.

p.txt, if you need to find it later, will be in the %userprofile% folder. Just go to start >Run and type %userprofile% then press enter. This will open your %userprofile% folder.


=========================================================


The lack of space on the system drive is not good and is having a very negative effect on the system.

Let's let the system manage the paging file. Here are the directions:
Right click on my computer. Click Properties on the context menu. When the next page comes up, click the Advanced Tab.
When the next page comes up, in the section labeled Performance , click the settings button.
When the next page appears, click the Advanced button. When the next page comes up, look near the bottom at the section labeled Paging. Click the Change button. This will bring up another change. We are going to look but not touch! Do not make any changes or press the Set button on this page!


If you have more than one drive listed be sure to highlight the C: drive.

You want to set it to:
System Managed Size

Then press the Set button.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Redirected Google web searches + Random Pop Ups

Post by tenmeg » September 13th, 2009, 12:30 am

Hello - below is the info requested. . . . . .
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
HISTORY RECAP
About 2 years ago I had a virus infection and worked with a website like yours. I don't remember which site it was but they helped me clear that problem up. It was about 2 weeks after that when the screen just went blank. The User Account that I used to log on was wiped out. Lost all of my email. I worked with what was left and was able to get it running again by creating a new User Account. Reinstalled my email. I was still able to update my computer at that time. Since then I have had various virus infections and fixes and lost the ability to run the Windows Update. The paging file error appeared in just the last 6 months. When I receive an Update notice the line you click to load an Update is "greyed out". The User Account that was wiped out was named "USER". I have noticed that my version of Windows is 5.1 with Service Pack 2 but the End User License Agreement is Licensed to: "USER". That is the log on account that was wiped out. Recently I searched for the word USER and found a lot of files that probably belong to that User Account. The problem is the word USER is used in a lot of files, so you don't know which USER files relate to that User Account and which files are just generic files where the word USER is used.
==============================================================================
1 - Ran fixdb.bat
2 - Yes I remember receiving the "Can not Verify update.inf". I just can't remember the circumstances. That error does not appear now but I keep receiving the following error.
3 - When I click on the Windows Update button I receive the following error.
ERROR - "The website has encountered a problem and cannot display the page you are trying to view."
Error number: 0x80248011
==============================================================================
You gave me instruction on how to start my computer in Safe Mode and then the closing line in those instructions said the following:
"When you are finished with all troubleshooting close all programs and restart the computer as you normally would" There were no troubleshooting instructions for using Safe Mode?? Did that part get left out??
==============================================================================
UserProfile.bat log
==============================================================================
C:\ 2WIRE200\Administrator:(OI)(CI)F
2WIRE200\TENMEG:(OI)(CI)F

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{000C101C-0000-0000-C000-000000000046}]
"ServiceParameters"=""
"LocalService"="MSIServer"

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"Type"=dword:00000120
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,\
6d,73,69,65,78,65,63,2e,65,78,65,20,2f,56,00
"DisplayName"="Windows Installer"
"DependOnService"=hex(7):52,70,63,53,73,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Enum]
"0"="Root\\LEGACY_MSISERVER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
=======================================================================
tenmeg
Regular Member
 
Posts: 63
Joined: July 27th, 2009, 7:49 pm
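The REGEDIT4 export above stores the MSIServer service's security descriptor as a raw hex blob under the Security subkey, which is what Bio-Hazard asked to see but which nobody can read by eye. The following Python script is an added example, not code from the thread or from MalwareRemoval.com: it joins the backslash-continued hex lines, decodes the self-relative SECURITY_DESCRIPTOR (owner, group, SACL and DACL), renders each ACE's access mask with the SDDL two-letter names for service rights, and flags any ACE that hands write-class rights (change config, delete, write DAC or owner) to Everyone, Authenticated Users or Users. The sample input is the blob from the post; the principal names are the standard well-known SIDs. Decoded, the DACL grants SYSTEM and Power Users CCLCSWRPWPDTLOCRRC, Administrators full control and Authenticated Users read-only rights, which matches the default service DACL on Windows XP, so this key is not where the "access is denied" error comes from.

```python
import struct

# Constructed sample: the MSIServer\Security key as regedit /e /a exported it in
# the post above (REGEDIT4 "hex:" syntax with backslash continuation lines).
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
"""


def reg_hex_value(export_text, name):
    """Return the bytes of a REGEDIT4 'hex:' value, joining backslash continuation lines."""
    lines = export_text.splitlines()
    prefix = '"%s"=hex:' % name
    for i, line in enumerate(lines):
        if not line.startswith(prefix):
            continue
        data = line[len(prefix):].strip()
        while data.endswith("\\"):          # trailing backslash: value continues on next line
            i += 1
            data = data[:-1] + lines[i].strip()
        return bytes(int(h, 16) for h in data.split(",") if h)
    raise KeyError(name)


def parse_sid(buf, off):
    """Decode a binary SID at off into 'S-1-...' form; also return its size in bytes."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit big-endian authority
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)    # sub-authorities, little-endian
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


ACE_TYPES = {0x00: "ALLOW", 0x01: "DENY", 0x02: "AUDIT"}


def parse_acl(buf, off):
    """Decode an ACL into a list of (ace_type, ace_flags, access_mask, sid)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        (mask,) = struct.unpack_from("<I", buf, pos + 4)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append((ACE_TYPES.get(ace_type, "TYPE_0x%02x" % ace_type), ace_flags, mask, sid))
        pos += ace_size                      # ACE sizes vary with SID length
    return aces


def parse_security_descriptor(buf):
    """Decode a self-relative SECURITY_DESCRIPTOR as stored in a service's Security subkey."""
    _rev, _sbz, control, owner_off, group_off, sacl_off, dacl_off = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & 0x8000:                 # SE_SELF_RELATIVE: fields are offsets, not pointers
        raise ValueError("not a self-relative security descriptor")
    return {
        "owner": parse_sid(buf, owner_off)[0] if owner_off else None,
        "group": parse_sid(buf, group_off)[0] if group_off else None,
        # SE_SACL_PRESENT (0x10) / SE_DACL_PRESENT (0x04) say whether the offsets are meaningful
        "sacl": parse_acl(buf, sacl_off) if control & 0x0010 and sacl_off else [],
        "dacl": parse_acl(buf, dacl_off) if control & 0x0004 and dacl_off else [],
    }


# Service-specific access bits with their SDDL two-letter names.
SERVICE_RIGHTS = [
    (0x0001, "CC"), (0x0002, "DC"), (0x0004, "LC"), (0x0008, "SW"), (0x0010, "RP"),
    (0x0020, "WP"), (0x0040, "DT"), (0x0080, "LO"), (0x0100, "CR"),
    (0x10000, "SD"), (0x20000, "RC"), (0x40000, "WD"), (0x80000, "WO"),
]
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-18": "SYSTEM",
              "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users", "S-1-5-32-547": "Power Users"}
# Rights that let a principal alter the service or its ACL; only admins/SYSTEM should hold them.
WRITE_RIGHTS = 0x0002 | 0x10000 | 0x40000 | 0x80000   # DC, SD, WD, WO
NON_ADMIN = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}


def service_rights(mask):
    return "".join(tag for bit, tag in SERVICE_RIGHTS if mask & bit)


def weak_service_aces(sd):
    """ALLOW ACEs that grant write-class service rights to broad, non-admin principals."""
    return [ace for ace in sd["dacl"]
            if ace[0] == "ALLOW" and ace[3] in NON_ADMIN and ace[2] & WRITE_RIGHTS]


def describe(sd):
    lines = ["owner=%s group=%s" % (WELL_KNOWN.get(sd["owner"], sd["owner"]),
                                    WELL_KNOWN.get(sd["group"], sd["group"]))]
    for kind, _flags, mask, sid in sd["dacl"]:
        lines.append("%-5s %-20s %s" % (kind, WELL_KNOWN.get(sid, sid), service_rights(mask)))
    return lines


if __name__ == "__main__":
    sd = parse_security_descriptor(reg_hex_value(REG_EXPORT, "Security"))
    print("\n".join(describe(sd)))
    print("weak ACEs:", weak_service_aces(sd))
```

Paste any other service's exported Security value into REG_EXPORT to compare it against this known-good layout; a DC, WD or WO grant to Everyone or Users in the output is the thing worth investigating.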

Re: Redirected Google web searches + Random Pop Ups

Post by Bio-Hazard » September 13th, 2009, 2:30 pm

Hello!

Is the paging file error still happening?

Did you make the change so the system manages the paging file?



Let's see if we can reset perms using a batch before we try anything else.
First, disable your AV and anti-malware so they won't prevent the reset.
Copy the contents of the code box to Notepad. Save it on the desktop and run it. Look for any errors like you did before. There are a few pauses written into the code so you can take a second to read the screen output; it will say "press any key to continue". Press a key when ready and the batch will continue. When finished, a file named permfix.txt will open. Please paste in the contents of that file, and also let us know if you had any errors.

This is going to give the Users group control over and access to all files and folders. It will take a bit of time to reset everything if the command runs properly. This is temporary; we're hoping the secedit command will run and set it back to default.


Code:
@echo off
Echo %CD% >permfix.txt
Echo Before >>permfix.txt
cacls C:\ >>permfix.txt

cacls C:\ /E /P Users:F
cacls C:\ /E /P System:F
cacls C:\ /E /G Everyone:R
Pause
secedit.exe /analyze /db %Userprofile%\new.sdb /cfg %Windir%\inf\defltwk.inf /log %Windir%\security\logs\permsanalyze.log
Pause
secedit.exe /configure /areas FILESTORE USER_RIGHTS REGKEYS /db %Userprofile%\new.sdb /cfg %Windir%\inf\defltwk.inf /log %Windir%\security\logs\permsrepair.log
Pause
Echo after >>permfix.txt
cacls C:\ >>permfix.txt
net localgroup >>permfix.txt
net User >>permfix.txt
Start notepad permfix.txt





Once we see if that worked, we can have you run the Windows Installer 3.1 update you downloaded a while back and not just extract the files like we did.


This is the file:
WindowsInstaller-KB893803-v2-x86.exe

If you no longer have it, download it here:


http://www.microsoft.com/downloads/deta ... laylang=en
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Redirected Google web searches + Random Pop Ups

Post by tenmeg » September 13th, 2009, 7:13 pm

Hello - here is the info requested.

Q - Is the paging file error still happening? A - Yes

Q - Did you make the change so the system manages the paging file? A - Yes

When I ran the permfix.bat file I rec'd the following msg: "can not open the file secedit.chm"

I was able to run the WindowsInstaller-KB893803-v2-x86.exe.. No errors

I could not resist so I ran the Windows Update program and it worked!!!!!!! I did not update any files, I just wanted to see if the updater worked.

=========================================================================
1 - permfix.txt message
=========================================================================

C:\Documents and Settings\TENMEG\Desktop
Before
C:\Documents and Settings\TENMEG\Desktop 2WIRE200\TENMEG:F
2WIRE200\TENMEG:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F

after
C:\ 2WIRE200\Administrator:(OI)(CI)F
2WIRE200\TENMEG:(OI)(CI)F
BUILTIN\Users:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
Everyone:(OI)(CI)R


Aliases for \\2WIRE200

-------------------------------------------------------------------------------
*Administrators
*Guests
*HelpServicesGroup
*Users
The command completed successfully.


User accounts for \\2WIRE200

-------------------------------------------------------------------------------
Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0 TENMEG
The command completed successfully.

=============================================================================
2 - permfix log
=============================================================================

-------------------------------------------
Sunday, September 13, 2009 3:20:35 PM
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...
Event audit settings are turned off.


----Configure User Rights...
Configure S-1-5-21-986089347-3572095111-2355310880-1002.
remove SeBatchLogonRight.
remove SeDenyNetworkLogonRight.
remove SeDenyInteractiveLogonRight.
Configure S-1-5-21-986089347-3572095111-2355310880-1004.
remove SeNetworkLogonRight.
remove SeBatchLogonRight.
remove SeServiceLogonRight.
remove SeDenyInteractiveLogonRight.
remove SeDenyRemoteInteractiveLogonRight.
remove SeImpersonatePrivilege.
Configure S-1-5-21-986089347-3572095111-2355310880-1006.
remove SeBatchLogonRight.
Configure S-1-5-32.
remove SeServiceLogonRight.
Configure S-1-5-19.
Configure S-1-5-20.
remove SeServiceLogonRight.
Configure S-1-5-32-544.
Configure S-1-5-32-545.
Configure S-1-1-0.
Configure S-1-5-4.
Configure S-1-5-6.
Configure S-1-5-21-986089347-3572095111-2355310880-501.

User Rights configuration was completed successfully.


----Configure Registry Keys...
Configure users\.default.
Configure users\.default\software\microsoft\netdde.
Configure machine\software.
Configure machine\software\classes.
Configure machine\software\microsoft\cryptography\calais.
Configure machine\software\microsoft\netdde.
Configure machine\software\microsoft\windows\currentversion\telephony.
Configure machine\software\microsoft\windows nt\currentversion\perflib.
Configure machine\system.
Configure machine\system\currentcontrolset\control\class.
Configure machine\system\currentcontrolset\control\keyboard layout.
Configure machine\system\currentcontrolset\control\keyboard layouts.
Configure machine\system\currentcontrolset\control\securepipeservers\winreg.
Configure machine\system\currentcontrolset\control\wmi\security.
Configure machine\system\currentcontrolset\services\appmgmt\security.
Configure machine\system\currentcontrolset\services\clipsrv\security.
Configure machine\system\currentcontrolset\services\cryptsvc\security.
Configure machine\system\currentcontrolset\services\ersvc\security.
Error 234: More data is available.
Error enumerating info for machine\system\currentcontrolset\services\eventlog.

Configuration of Registry Keys was completed with one or more errors.


----Configure File Security...
Configure c:\autoexec.bat.
Warning 2: The system cannot find the file specified.
Error setting security on c:\autoexec.bat.
Configure c:\boot.ini.
Configure c:\config.sys.
Warning 2: The system cannot find the file specified.
Error setting security on c:\config.sys.
Configure c:\ntbootdd.sys.
Warning 2: The system cannot find the file specified.
Error setting security on c:\ntbootdd.sys.
Configure c:\ntdetect.com.
Configure c:\ntldr.
Configure c:\program files.
Configure c:\windows.
Configure c:\windows\debug\usermode.
Configure c:\windows\repair.
Configure c:\windows\system32.
Warning 32: The process cannot access the file because it is being used by another process.
Error building security descriptor for c:\windows\system32\temppf.sys.
Configure c:\windows\system32\config.
Configure c:\windows\system32\dllcache.
Configure c:\windows\system32\ias.
Configure c:\windows\system32\setup.
Configure c:\windows\system32\spool\drivers.
Configure c:\windows\temp.

File Security configuration was completed successfully.
Event audit settings are restored.


----Un-initialize configuration engine...

==================================================================================
END
tenmeg
Regular Member
 
Posts: 63
Joined: July 27th, 2009, 7:49 pm
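cacls prints one ACE per line, with inheritance flags in parentheses and a single rights letter, and the thread has already had trouble reading that output once. The Python below is an added example, not a tool from the helper or from MalwareRemoval.com: it parses a cacls listing into (path, account, flags, rights) tuples, sets "(special access:)" detail lines aside, and reports every ACE that gives Everyone, Users or Authenticated Users write, change or full control. On the "after" block from the post above (re-indented the way cacls prints it, used here as the constructed sample) it flags BUILTIN\Users:(OI)(CI)F on C:\, which is exactly the temporary state the permfix batch created and the condition a defender would want to catch on a machine where nobody intended it.

```python
import re

# Constructed sample: the "after" block of permfix.txt from the post above, with
# the indentation cacls prints on continuation lines.
CACLS_OUTPUT = r"""C:\ 2WIRE200\Administrator:(OI)(CI)F
                2WIRE200\TENMEG:(OI)(CI)F
                BUILTIN\Users:(OI)(CI)F
                NT AUTHORITY\SYSTEM:(OI)(CI)F
                Everyone:(OI)(CI)R
"""

# One cacls ACE: account, optional inheritance flags such as (OI)(CI)(IO), and a
# rights letter: N none, R read, W write, C change, F full control.
ACE_RE = re.compile(
    r"(?P<account>(?:NT AUTHORITY|BUILTIN|CREATOR OWNER|NT SERVICE)\\[^:()]+"
    r"|<[^>]+>"                      # e.g. <Account Domain not found>, printed without a colon
    r"|[^\s:()]+)"                   # DOMAIN\user or a bare group name such as Everyone
    r":?(?P<flags>(?:\([A-Z]{2}\))*)(?P<rights>[NRWCF])\s*$"
)
# Detail lines that follow "(special access:)" are bare ALL_CAPS right names.
DETAIL_RE = re.compile(r"\s*[A-Z_]+\s*")


def parse_cacls(text):
    """Parse cacls output into (path, account, flags, rights) tuples.

    The first line of each block starts with the path; indented continuation
    lines are further ACEs for the same path. Lines that are not ACEs (the
    "(special access:)" header and its right-name lines) are returned separately.
    """
    aces, unparsed, path = [], [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if "(special access:)" in line or DETAIL_RE.fullmatch(line):
            unparsed.append(line)
            continue
        m = ACE_RE.search(line)
        if m is None:
            unparsed.append(line)
            continue
        if line[:m.start()].strip():             # text before the ACE is the path
            path = line[:m.start()].strip()
        flags = tuple(re.findall(r"\(([A-Z]{2})\)", m.group("flags")))
        aces.append((path, m.group("account"), flags, m.group("rights")))
    return aces, unparsed


# Principals that effectively mean "any logged-on user".
BROAD_PRINCIPALS = {"Everyone", "BUILTIN\\Users",
                    "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE"}
WRITE_CLASS = {"W", "C", "F"}


def broad_write_access(aces):
    """ACEs that give a broad principal write, change or full control."""
    return [(path, account, rights) for path, account, _flags, rights in aces
            if account in BROAD_PRINCIPALS and rights in WRITE_CLASS]


if __name__ == "__main__":
    aces, leftovers = parse_cacls(CACLS_OUTPUT)
    for path, account, rights in broad_write_access(aces):
        print("broad write access on %s: %s has %s" % (path, account, rights))
```

Run it over the whole of perms.txt rather than one block and it will report each directory where a broad group holds more than read; an Everyone or Users entry with R, as in the sample, is not reported.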

Re: Redirected Google web searches + Random Pop Ups

Post by Bio-Hazard » September 14th, 2009, 6:23 pm

You should have at least 15% free disk space. In order for us to proceed further we need to clear some space on your hard drive; otherwise we are not able to help you.

Slow Computer

Read here What to do if your Computer is running slowly



If you are now able to start the Installer service please do this:
Let's use a utility written by MS to return everything to defaults.
Its name is MicrosoftFixit50198.msi


And it is a Windows Installer file.
Here's the link to it.
http://go.microsoft.com/?linkid=9646979

Save the file and run it after first disabling your AntiVirus and Malware scanner so they don't interfere. They will.
This is going to prevent the Tenmeg profile from signing in because it will remove you from the Administrators group. We'll fix that.

As soon as the MicrosoftFixit50198.msi has finished, open a command prompt, paste in this command and then press enter.

Code:
net localgroup Administrators TENMEG /add



Watch for any errors and let us know how it goes.

This will return the TENMEG identity to the administrators group so you can sign in after a reboot. If the fixit runs and you get an error running that command, then do not reboot until we fix the problem. OR you can create another profile in the administrators group and use that one to sign in until we get the problem fixed. This is insurance.

If you did run the fixit successfully, then we need to see the permissions for the drive. In the past, the reporting of the perms has been iffy.
Run this command please

Code:
cacls C:\ >perms.txt & start notepad perms.txt



When perms.txt opens, copy and paste its contents into your next reply.

Now, if you had previously made any changes in how services run, such as changing Messenger's startup to Disabled, those changes are no longer in effect. So if you have changed the startup types, go into services.msc and redo those. Be careful!


***If you are unable to start the installer service, let us know.


--------------------------------------

We also need to see if your WMI problems have been fixed.
-----------------------------------
Is the System Restore service able to start? Don't create a restore point yet. You have so little room on that drive we don't want to waste it. But if System Restore does that automatically, you'll have to allow it to do so.
Or it is possible that lack of space will prevent a Restore point from being created.

Let's be sure that System Restore is only monitoring the C: drive.

Go to start >Run and type msconfig
Press enter
Click the Launch System Restore button. On the new page this will bring up, click the Link named System Restore Settings.


When the new Page comes up, look to see if there is an available drives list and which drives are set to Monitoring.

Anything other than the C: drive can and should be turned off. You only monitor the System Drive.

Click on the drive you want to stop monitoring to highlight it and then press the settings button. When the next page comes up, click the box labelled Turn off System Restore on this drive and Click the OK button. Do this for all drives other than C:.


--------------


At some point did you move Pagefile.sys to another drive? Please let us know. Either way, with so little room on the drive, the temporary page file Windows is using needs more free space.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Redirected Google web searches + Random Pop Ups

Post by tenmeg » September 15th, 2009, 4:42 am

Hello - I think we have made a lot of progress since the computer runs a lot faster, shuts down faster and many things that were disable are working again but . . .then we run into another problem. See below
==================================================================
1 - downloaded MicrosoftFixit50198.msi
2 - attempted to start MicrosoftFixit50198.msi file. Rc'd error msg: "Files does not have a program association for performing this action. Create an association in Folders Option Control Panel." OK I opened Folder Options & found that the .msi file extension was already associated with the Windows Installer Package.
3 - Checked Services and Windows Installer was "Started"
4 - Everything looks like it should run the MS FixIt file. But it won't run. I tried it again. Windows Installer was Started. Every time I attempted to run the FixIt file it kept telling me that it does not have a program association, but when you go to Folder Options it shows it is associated to the Windows Installer??
===================================================================
5 - Ran the Perm code anyway.
6 - C:\ 2WIRE200\Administrator:(OI)(CI)F
2WIRE200\TENMEG:(OI)(CI)F
Everyone:(OI)(CI)R
BUILTIN\Users:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
====================================================================
7 - The Restore System was previously disabled. Checked the Restore System and now able to open the Restore window. System Restore Disk Space is at the Max It says it's 12% or 9133mb
8 - There is only 1 HD. C:\ drive is set to be Monitored.
9 - Pagefile.sys is still located on C drive and its size is 783,360 KB
tenmeg
Regular Member
 
Posts: 63
Joined: July 27th, 2009, 7:49 pm

Re: Redirected Google web searches + Random Pop Ups

Post by Bio-Hazard » September 18th, 2009, 7:11 am

The msi package you tried to use was the fix from MS to reset all security back to defaults.
So the drive permissions etc. were not reset. cacls is not capable of doing the reset the way it should be. But secedit can do it too if I use a different command. However, I would prefer to see if the Fixit will do it for future reference.

====================

Step 1:


Assuming you saved the fixit on your desktop and your desktop folder is named Desktop, and you never moved it to another location.....
This command will run the fixit. Copy and paste it into a command prompt:
Code:
msiexec.exe /i "%userprofile%\desktop\MicrosoftFixit50198.msi"


Bear in mind, once you have actually run the fixit successfully, you'll need to run the command to put your identity back into the Administrators group! Otherwise you will not be able to sign into Windows as Tenmeg! Tenmeg will be an orphan. But your files will be present.

That's this one.

Code:
net localgroup Administrators TENMEG /add



After that, be sure the command ran successfully. The command prompt window will have the results.

If the net command you just ran didn't work, then create another user profile and be sure it is created as an Administrator as insurance to be sure you can get back in to Windows.

Then do the perms.txt command again so we can see the current state of the permissions on the drive. But only if you were able to run the msi.

If this all is not going to work, then I am going to do it using a batch.

-------------------------------
Step 2:
We need to get your file association fixed so any msi will run in the future.

Let's track down where the glitch in the .msi file association is.

Copy the contents of the code box to notepad. Name the file msiassoc.bat

Run msiassoc.bat
When it has finished it will open a file named results.txt
Please copy and paste in the contents of results.txt into your next reply.

Code:
REM Dump the two registry locations that control the .msi file association
REM to results.txt, then open the file in Notepad.
Echo Querying HKCR\Msi.Package\shell >results.txt
reg query "HKCR\Msi.Package\shell" /s >>results.txt

Echo Querying HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi >>results.txt
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi" /s >>results.txt

Start Notepad results.txt



Did you clean out your drive. And if so, do you still have the paging file error?
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Redirected Google web searches + Random Pop Ups

Unread postby tenmeg » September 18th, 2009, 12:22 pm

Hello - It looks like many of the initial computer problems have cleared up and the computer is running faster, closing faster, and I was able to download all of the current Windows Update files and Security fixes. Just to be able to install new programs quickly is really nice, thanks. I’m a happy user again. Below are the files requested.
======================================================
Ran msiexec.exe /i "%userprofile%\desktop\MicrosoftFixit50198.msi"
It ran without any problems. Checked User Groups and the above fix did not delete my 'tenmeg' account.
Thinking I was going to lose the 'tenmeg' account I ran the following bat file right after the fixit program but before I checked the User Group in my Control Panel. See results below. . .
======================================================
Ran the following: net localgroup Administrators TENMEG /add
Received Error = System error 1378 has occurred. The specified account name is already a member of the local group.
To be safe I created a new backup User Account anyway, in case I lost the TENMEG account on restart.
======================================================
Perms.txt log:
C:\Documents and Settings\TENMEG\Desktop 2WIRE200\TENMEG:F
2WIRE200\TENMEG:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
======================================================
I ran the msiassoc.bat - log file attached below. . .

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Msi.Package\shell
<NO NAME> REG_SZ Repair

HKEY_CLASSES_ROOT\Msi.Package\shell\Repair
<NO NAME> REG_SZ Re&pair
MUIVerb REG_EXPAND_SZ @%SystemRoot%\System32\msi.dll,-37

HKEY_CLASSES_ROOT\Msi.Package\shell\Repair\command

HKEY_CLASSES_ROOT\Msi.Package\shell\uniextract
<NO NAME> REG_SZ UniExtract &Files...

HKEY_CLASSES_ROOT\Msi.Package\shell\uniextract\command
<NO NAME> REG_SZ "C:\Program Files\Universal Extractor\uniextract.exe" "%1"

HKEY_CLASSES_ROOT\Msi.Package\shell\uniextract_here
<NO NAME> REG_SZ UniExtract &Here

HKEY_CLASSES_ROOT\Msi.Package\shell\uniextract_here\command
<NO NAME> REG_SZ "C:\Program Files\Universal Extractor\uniextract.exe" "%1" .

HKEY_CLASSES_ROOT\Msi.Package\shell\uniextract_sub
<NO NAME> REG_SZ UniExtract to &Subdir

HKEY_CLASSES_ROOT\Msi.Package\shell\uniextract_sub\command
<NO NAME> REG_SZ "C:\Program Files\Universal Extractor\uniextract.exe" "%1" /sub

HKEY_CLASSES_ROOT\Msi.Package\shell\Uninstall
<NO NAME> REG_SZ &Uninstall
MUIVerb REG_EXPAND_SZ @%SystemRoot%\System32\msi.dll,-38

HKEY_CLASSES_ROOT\Msi.Package\shell\Uninstall\command
querying HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi /s

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi\OpenWithList
a REG_SZ iTunes.exe
MRUList REG_SZ ba
b REG_SZ IEXPLORE.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi\OpenWithProgids
Msi.Package REG_NONE

================================================

Q - Did you clean out your drive. A - By clean out do you mean have I deleted files to increase free disk space? I have a camera collector web site and have a lot of antique camera pics. I bought a remote hard drive 6 months ago so I could download those pics but because of the various computer problems I could not load the software that came with the hard drive. When I return to Arizona at the end of Oct I will now be able to add the remote drive and download all of those pics. I guess I could burn them to a CD but, never having done that, I don’t know if my computer has that capacity & the required software?

Q - Do you still have the paging file error? A - It’s funny I have received that paging file error for so long that when I started my computer I didn’t even notice that it had disappeared. So that is fixed! The automatic MS Update screen appeared yesterday and I was able to download all of the new windows security and current updated files without any problems. Great!

Q - You gave me 3 Virus Software program web site links several weeks back and I notice that the one virus program I was able to download & install is no longer on my computer. If you could give them to me again I will install the necessary virus protection I need to prevent future infections. Thanks!
tenmeg
Regular Member
 
Posts: 63
Joined: July 27th, 2009, 7:49 pm
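The results.txt above already shows the problem if you know how to read it. As an added example (not from the thread or any Microsoft tool), here is a small Python parser for REG.EXE 3.0 output that flags it automatically: the Msi.Package shell key's default verb is Repair, the Repair and Uninstall \command keys have no default value, and there is no Open verb at all, so Explorer has no command to run when a .msi is double-clicked.

```python
"""Audit the .msi file-association dump produced by the msiassoc.bat
'reg query' commands in the thread.  Added example, not part of the thread
or of any Microsoft tool.

REG.EXE 3.0 prints a bare key path on one line, then one line per value
("<NO NAME> REG_SZ data" is the key's default value), with a blank line
between keys.  Value data may itself contain spaces.
"""
import re

# Sample input: the HKCR\Msi.Package\shell portion of the results.txt that
# tenmeg posted, trimmed (the real output separates columns with tabs;
# the regex below accepts any whitespace).
SAMPLE = r"""! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Msi.Package\shell
<NO NAME> REG_SZ Repair

HKEY_CLASSES_ROOT\Msi.Package\shell\Repair
<NO NAME> REG_SZ Re&pair
MUIVerb REG_EXPAND_SZ @%SystemRoot%\System32\msi.dll,-37

HKEY_CLASSES_ROOT\Msi.Package\shell\Repair\command

HKEY_CLASSES_ROOT\Msi.Package\shell\uniextract
<NO NAME> REG_SZ UniExtract &Files...

HKEY_CLASSES_ROOT\Msi.Package\shell\uniextract\command
<NO NAME> REG_SZ "C:\Program Files\Universal Extractor\uniextract.exe" "%1"

HKEY_CLASSES_ROOT\Msi.Package\shell\Uninstall
<NO NAME> REG_SZ &Uninstall
MUIVerb REG_EXPAND_SZ @%SystemRoot%\System32\msi.dll,-38

HKEY_CLASSES_ROOT\Msi.Package\shell\Uninstall\command
"""

SHELL_KEY = r"HKEY_CLASSES_ROOT\Msi.Package\shell"
VALUE_LINE = re.compile(r"^(<NO NAME>|\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from 'reg query /s' output.

    The default value is stored under the name "@", as a .reg file writes it.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue                      # blank separators and the REG.EXE banner
        if line.startswith("HKEY_"):
            current = line
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "<NO NAME>" else m.group(1)
        keys[current][name] = (m.group(2), m.group(3))
    return keys


def audit_msi_shell(keys):
    """Check every Msi.Package shell verb for a usable command.

    Explorer runs the default value of <verb>\\command when a .msi is opened,
    so a verb whose command key is absent or empty produces exactly the
    "does not have a program association" error seen in the thread.
    Returns (default_verb, verbs_without_command, missing_standard_verbs).
    """
    prefix = SHELL_KEY + "\\"
    verbs = {k[len(prefix):] for k in keys
             if k.startswith(prefix) and "\\" not in k[len(prefix):]}
    broken = []
    for verb in verbs:
        command = keys.get(prefix + verb + "\\command", {}).get("@")
        if command is None or not command[1]:
            broken.append(verb)
    default_verb = keys.get(SHELL_KEY, {}).get("@", ("", ""))[1]
    missing = [v for v in ("Open", "Repair", "Uninstall") if v not in verbs]
    return default_verb, sorted(broken), missing


if __name__ == "__main__":
    default, broken, missing = audit_msi_shell(parse_reg_query(SAMPLE))
    print("default verb:", default or "(none)")
    print("verbs with no command:", ", ".join(broken) or "none")
    print("standard verbs missing:", ", ".join(missing) or "none")
```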

Re: Redirected Google web searches + Random Pop Ups

Unread postby Bio-Hazard » September 20th, 2009, 1:54 am

This Registry file should fix the broken .msi file association.

Copy the contents of the code box to notepad. Save as fixmsi.reg
Double click on fixmsi.reg and say yes to the prompt to enter into the registry.

Code:
REGEDIT4

[HKEY_CLASSES_ROOT\Msi.Package\shell]
@="Open,Repair,Uninstall"

[HKEY_CLASSES_ROOT\Msi.Package\shell\Open]
@="&Install"
"MUIVerb"=hex(2):40,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,6d,73,69,2e,64,6c,6c,2c,2d,33,36,00

[HKEY_CLASSES_ROOT\Msi.Package\shell\Open\command]
@=hex(2):22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,\
  6d,73,69,65,78,65,63,2e,65,78,65,22,20,2f,69,20,22,25,31,22,20,25,2a,00

[HKEY_CLASSES_ROOT\Msi.Package\shell\Repair]
@="Re&pair"
"MUIVerb"=hex(2):40,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,6d,73,69,2e,64,6c,6c,2c,2d,33,37,00

[HKEY_CLASSES_ROOT\Msi.Package\shell\Repair\command]
@=hex(2):22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,\
  6d,73,69,65,78,65,63,2e,65,78,65,22,20,2f,66,20,22,25,31,22,20,25,2a,00


[HKEY_CLASSES_ROOT\Msi.Package\shell\Uninstall]
@="&Uninstall"
"MUIVerb"=hex(2):40,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,6d,73,69,2e,64,6c,6c,2c,2d,33,38,00

[HKEY_CLASSES_ROOT\Msi.Package\shell\Uninstall\command]
@=hex(2):22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,\
  6d,73,69,65,78,65,63,2e,65,78,65,22,20,2f,78,20,22,25,31,22,20,25,2a,00

I don't see the Users group listed any longer, so the fixit did run. But the Users group should have some rights, and none are listed.

I personally had an extremely irritating time with cacls not showing the rights correctly. They were in place, but not listed. So let's do this to view them:

That new Identity you created can be changed from Administrators group to Limited. You can do that in Control panel. Change account type. If you're not able to do that, post back with the name of the user profile you created, and we'll give you a batch to run to reassign that new user to the limited group.

Once that's been completed successfully, copy the contents of the code box to notepad and name it perms.bat. Save it to the desktop of that new user.
Code:
cacls C: >c.txt

Sign into that limited account and then run perms.bat from that user's desktop. Here's why:

The reason: cacls shows the rights of the person who is currently signed in. If that person is a limited account, then we'll see the rights currently assigned to the USERS group.


Sign back into Tenmeg, find the c.txt file in the desktop folder of that other user and post that.


I also want to check to see how your WMI is faring now.
Run this tool again please (while signed in as Tenmeg, not the limited user).

The WMI Diagnosis Utility -- Version 2.0

I think it was extracted to this folder: C:\wmi?

Right click on wmidiag.vbs
Click on Open with command prompt.
This may take a while to run.
When it has finished a text file will open, save the text file to the C:\wmi folder.
The report is long but I only need to see the summary.
Go to the toolbar
Click edit and then scroll down to Find and click on that.


Find what?
Copy and paste next line into it.
WMI REPORT: BEGIN
Copy from that point to the end of the file.
Paste that into your next reply.


Could you also post a new HijackThis log so I can check your antivirus status.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
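A .reg file written with hex(2) values cannot be read at a glance, and the sound habit is to decode a registry fix before importing it. As an added example (not from the thread), this Python script decodes the REGEDIT4 fixmsi.reg above and checks that every Msi.Package verb does nothing more than run %SystemRoot%\System32\msiexec.exe with the switch that verb should use.

```python
"""Decode the fixmsi.reg posted above so that what it will write can be read
before it is imported.  Added example, not part of the thread.

In a REGEDIT4 file, "hex(2):" is a REG_EXPAND_SZ given as comma-separated
bytes of an ANSI string with a terminating NUL, and a trailing backslash
continues the value on the next line.  The Msi.Package verbs are expected
to run msiexec.exe from %SystemRoot%\System32 with /i (install),
/f (repair) or /x (uninstall), and nothing else.
"""
import re

# The fixmsi.reg from the thread, trimmed to the shell key, the Open verb
# and the three command keys (the other MUIVerb lines decode the same way).
FIXMSI_REG = r"""REGEDIT4

[HKEY_CLASSES_ROOT\Msi.Package\shell]
@="Open,Repair,Uninstall"

[HKEY_CLASSES_ROOT\Msi.Package\shell\Open]
@="&Install"
"MUIVerb"=hex(2):40,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,6d,73,69,2e,64,6c,6c,2c,2d,33,36,00

[HKEY_CLASSES_ROOT\Msi.Package\shell\Open\command]
@=hex(2):22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,\
  6d,73,69,65,78,65,63,2e,65,78,65,22,20,2f,69,20,22,25,31,22,20,25,2a,00

[HKEY_CLASSES_ROOT\Msi.Package\shell\Repair\command]
@=hex(2):22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,\
  6d,73,69,65,78,65,63,2e,65,78,65,22,20,2f,66,20,22,25,31,22,20,25,2a,00

[HKEY_CLASSES_ROOT\Msi.Package\shell\Uninstall\command]
@=hex(2):22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,\
  6d,73,69,65,78,65,63,2e,65,78,65,22,20,2f,78,20,22,25,31,22,20,25,2a,00
"""

SHELL_KEY = r"HKEY_CLASSES_ROOT\Msi.Package\shell"
MSIEXEC = r"%SystemRoot%\System32\msiexec.exe"
EXPECTED_SWITCH = {"Open": "/i", "Repair": "/f", "Uninstall": "/x"}


def decode_value(raw):
    """Decode one .reg value: a quoted string or a hex(2) REG_EXPAND_SZ."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.split(b"\x00", 1)[0].decode("cp1252")   # REGEDIT4 = ANSI text
    return raw                                               # other types left as written


def parse_reg_file(text):
    """Return {key: {value_name: decoded_value}}; "@" is the key's default value."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join backslash-continued lines
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
            continue
        name, sep, raw = line.partition("=")
        if not sep or key is None:
            continue
        result[key][name.strip('"')] = decode_value(raw)
    return result


def check_msiexec_verbs(parsed):
    """Map each verb listed in the shell key's default value to its msiexec switch.

    Raises ValueError if a verb's command is not exactly
    "<msiexec path>" /<switch> "%1" %* with the switch that verb should use.
    """
    verbs = {}
    for verb in parsed[SHELL_KEY]["@"].split(","):
        cmd = parsed.get(SHELL_KEY + "\\" + verb + "\\command", {}).get("@", "")
        m = re.match(r'"([^"]+)"\s+(/\w)\s+"%1"\s+%\*$', cmd)
        if not m or m.group(1).lower() != MSIEXEC.lower():
            raise ValueError(f"{verb}: unexpected command {cmd!r}")
        if m.group(2) != EXPECTED_SWITCH.get(verb):
            raise ValueError(f"{verb}: unexpected switch {m.group(2)}")
        verbs[verb] = m.group(2)
    return verbs


if __name__ == "__main__":
    reg = parse_reg_file(FIXMSI_REG)
    for key, values in reg.items():
        for name, value in values.items():
            print(f"[{key}] {name} = {value}")
    print("verb switches:", check_msiexec_verbs(reg))
```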

Re: Redirected Google web searches + Random Pop Ups

Unread postby tenmeg » September 22nd, 2009, 2:19 am

Hello - see reports as requested

==============================================
fixmsi.reg has been successfully entered into the registry.
==============================================
Ran the perms.bat file on the desktop of the new User account. I could not use the Windows 'switch user' button that switches from tenmeg to the new User account. I had to close tenmeg, restart the computer and then log on to the new User account to run the perms.bat file from that new User account desktop. Then I realized you just hit the log out button and reopen either User account. See report below.

==================================================================

C:\Documents and Settings\GemNet\Desktop 2WIRE200\GemNet:F
2WIRE200\GemNet:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
============================================================

Ran the wmidiag.vbs program.
Rc’d the following error and I believed it stopped at that point (no on-screen visual of the program running).

ERROR: WMIDiag detected issues that could prevent WMI to work properly!. Check 'C:\DOCUMENTS AND SETTINGS\TENMEG\LOCAL SETTINGS\TEMP\WMIDIAG-V2.0_XP___.CLI.RTM.32_2WIRE200_2009.09.21_22.46.15.LOG' for details.

============================================================

17281 23:10:09 (0) ** ----------------------------------------------------- WMI REPORT: BEGIN ----------------------------------------------------------
17282 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17283 23:10:09 (0) **
17284 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17285 23:10:09 (0) ** Windows XP - No service pack - 32-bit (2600) - User '2WIRE200\TENMEG' on computer '2WIRE200'.
17286 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17287 23:10:09 (0) ** INFO: Environment: .......... 1 ITEM(S)!
17288 23:10:09 (0) ** INFO: => 2 incorrect shutdown(s) detected on:
17289 23:10:09 (0) ** - Shutdown on 05 September 2009 23:30:19 (GMT+7).
17290 23:10:09 (0) ** - Shutdown on 06 September 2009 22:54:34 (GMT+7).
17291 23:10:09 (0) **
17292 23:10:09 (0) ** System drive: .......... C: (Disk #0 Partition #0).
17293 23:10:09 (0) ** Drive type: .......... IDE (TOSHIBA MK8032GAX).
17294 23:10:09 (0) ** There are no missing WMI system files: .......... OK.
17295 23:10:09 (0) ** There are no missing WMI repository files: .......... OK.
17296 23:10:09 (0) ** WMI repository state: .......... N/A.
17297 23:10:09 (0) ** BEFORE running WMIDiag:
17298 23:10:09 (0) ** The WMI repository has a size of: .......... 7 MB.
17299 23:10:09 (0) ** - Disk free space on 'C:': .......... 54755 MB.
17300 23:10:09 (0) ** - INDEX.BTR, 1302528 bytes, 9/21/2009 10:22:34 PM
17301 23:10:09 (0) ** - INDEX.MAP, 668 bytes, 9/21/2009 10:22:34 PM
17302 23:10:09 (0) ** - OBJECTS.DATA, 5971968 bytes, 9/21/2009 10:22:33 PM
17303 23:10:09 (0) ** - OBJECTS.MAP, 2964 bytes, 9/21/2009 10:22:34 PM
17304 23:10:09 (0) ** AFTER running WMIDiag:
17305 23:10:09 (0) ** The WMI repository has a size of: .......... 7 MB.
17306 23:10:09 (0) ** - Disk free space on 'C:': .......... 54757 MB.
17307 23:10:09 (0) ** - INDEX.BTR, 1302528 bytes, 9/21/2009 10:22:34 PM
17308 23:10:09 (0) ** - INDEX.MAP, 668 bytes, 9/21/2009 10:22:34 PM
17309 23:10:09 (0) ** - OBJECTS.DATA, 5971968 bytes, 9/21/2009 10:22:33 PM
17310 23:10:09 (0) ** - OBJECTS.MAP, 2964 bytes, 9/21/2009 10:22:34 PM
17311 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17312 23:10:09 (0) ** Windows Firewall: .......... NOT INSTALLED.
17313 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17314 23:10:09 (0) ** DCOM Status: .......... OK.
17315 23:10:09 (0) ** WMI registry setup: .......... OK.
17316 23:10:09 (0) ** WMI Service has no dependents: .......... OK.
17317 23:10:09 (0) ** RPCSS service: .......... OK (Already started).
17318 23:10:09 (0) ** WINMGMT service: .......... OK (Already started).
17319 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17320 23:10:09 (0) ** WMI service DCOM setup: .......... OK.
17321 23:10:09 (2) !! WARNING: WMI DCOM components registration is missing for the following EXE/DLLs: .......... 6 WARNING(S)!
17322 23:10:09 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\FASTPROX.DLL (\CLSID\{7A0227F6-7108-11D1-AD90-00C04FD8FDFF}\InProcServer32)
17323 23:10:09 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\FASTPROX.DLL (\CLSID\{D71EE747-F455-4804-9DF6-2ED81025F2C1}\InProcServer32)
17324 23:10:09 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\FASTPROX.DLL (\CLSID\{ED51D12E-511F-4999-8DCD-C2BAC91BE86E}\InProcServer32)
17325 23:10:09 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLL (\CLSID\{4C6055D8-84B9-4111-A7D3-6623894EEDB3}\InProcServer32)
17326 23:10:09 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLL (\CLSID\{A1044801-8F7E-11D1-9E7C-00C04FC324A8}\InProcServer32)
17327 23:10:09 (0) ** - C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLL (\CLSID\{F7CE2E13-8C90-11D1-9E7B-00C04FC324A8}\InProcServer32)
17328 23:10:09 (0) ** => WMI System components are not properly registered as COM objects, which could make WMI to
17329 23:10:09 (0) ** fail depending on the operation requested.
17330 23:10:09 (0) ** => For a .DLL, you can correct the DCOM configuration by executing the 'REGSVR32.EXE <Filename.DLL>' command.
17331 23:10:09 (0) **
17332 23:10:09 (0) ** WMI ProgID registrations: .......... OK.
17333 23:10:09 (0) ** WMI provider DCOM registrations: .......... OK.
17334 23:10:09 (0) ** WMI provider CIM registrations: .......... OK.
17335 23:10:09 (0) ** WMI provider CLSIDs: .......... OK.
17336 23:10:09 (0) ** WMI providers EXE/DLL availability: .......... OK.
17337 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17338 23:10:09 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): .......... MODIFIED.
17339 23:10:09 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has been REMOVED!
17340 23:10:09 (0) ** - REMOVED ACE:
17341 23:10:09 (0) ** ACEType: &h0
17342 23:10:09 (0) ** ACCESS_ALLOWED_ACE_TYPE
17343 23:10:09 (0) ** ACEFlags: &h0
17344 23:10:09 (0) ** ACEMask: &h1
17345 23:10:09 (0) ** DCOM_RIGHT_EXECUTE
17346 23:10:09 (0) **
17347 23:10:09 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
17348 23:10:09 (0) ** Removing default security will cause some operations to fail!
17349 23:10:09 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
17350 23:10:09 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
17351 23:10:09 (0) **
17352 23:10:09 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): .......... MODIFIED.
17353 23:10:09 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE' has been REMOVED!
17354 23:10:09 (0) ** - REMOVED ACE:
17355 23:10:09 (0) ** ACEType: &h0
17356 23:10:09 (0) ** ACCESS_ALLOWED_ACE_TYPE
17357 23:10:09 (0) ** ACEFlags: &h0
17358 23:10:09 (0) ** ACEMask: &h1
17359 23:10:09 (0) ** DCOM_RIGHT_EXECUTE
17360 23:10:09 (0) **
17361 23:10:09 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
17362 23:10:09 (0) ** Removing default security will cause some operations to fail!
17363 23:10:09 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
17364 23:10:09 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
17365 23:10:09 (0) **
17366 23:10:09 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): .......... MODIFIED.
17367 23:10:09 (1) !! ERROR: Default trustee 'NT AUTHORITY\SYSTEM' has been REMOVED!
17368 23:10:09 (0) ** - REMOVED ACE:
17369 23:10:09 (0) ** ACEType: &h0
17370 23:10:09 (0) ** ACCESS_ALLOWED_ACE_TYPE
17371 23:10:09 (0) ** ACEFlags: &h0
17372 23:10:09 (0) ** ACEMask: &h1
17373 23:10:09 (0) ** DCOM_RIGHT_EXECUTE
17374 23:10:09 (0) **
17375 23:10:09 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
17376 23:10:09 (0) ** Removing default security will cause some operations to fail!
17377 23:10:09 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
17378 23:10:09 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
17379 23:10:09 (0) **
17380 23:10:09 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': .......... MODIFIED.
17381 23:10:09 (1) !! ERROR: Actual trustee 'NT AUTHORITY\NETWORK SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)
17382 23:10:09 (0) ** - ACTUAL ACE:
17383 23:10:09 (0) ** ACEType: &h0
17384 23:10:09 (0) ** ACCESS_ALLOWED_ACE_TYPE
17385 23:10:09 (0) ** ACEFlags: &h2
17386 23:10:09 (0) ** CONTAINER_INHERIT_ACE
17387 23:10:09 (0) ** ACEMask: &h1
17388 23:10:09 (0) ** WBEM_ENABLE
17389 23:10:09 (0) ** - EXPECTED ACE:
17390 23:10:09 (0) ** ACEType: &h0
17391 23:10:09 (0) ** ACCESS_ALLOWED_ACE_TYPE
17392 23:10:09 (0) ** ACEFlags: &h12
17393 23:10:09 (0) ** CONTAINER_INHERIT_ACE
17394 23:10:09 (0) ** INHERITED_ACE
17395 23:10:09 (0) ** ACEMask: &h13
17396 23:10:09 (0) ** WBEM_ENABLE
17397 23:10:09 (0) ** WBEM_METHOD_EXECUTE
17398 23:10:09 (0) ** WBEM_WRITE_PROVIDER
17399 23:10:09 (0) **
17400 23:10:09 (0) ** => The actual ACE has the right(s) '&h12 WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
17401 23:10:09 (0) ** This will cause some operations to fail!
17402 23:10:09 (0) ** It is possible to fix this issue by editing the security descriptor and adding the removed right.
17403 23:10:09 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
17404 23:10:09 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
17405 23:10:09 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
17406 23:10:09 (0) ** A specific WMI application can always require a security setup different
17407 23:10:09 (0) ** than the WMI security defaults.
17408 23:10:09 (0) **
17409 23:10:09 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': .......... MODIFIED.
17410 23:10:09 (1) !! ERROR: Actual trustee 'NT AUTHORITY\LOCAL SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)
17411 23:10:09 (0) ** - ACTUAL ACE:
17412 23:10:09 (0) ** ACEType: &h0
17413 23:10:09 (0) ** ACCESS_ALLOWED_ACE_TYPE
17414 23:10:09 (0) ** ACEFlags: &h2
17415 23:10:09 (0) ** CONTAINER_INHERIT_ACE
17416 23:10:09 (0) ** ACEMask: &h1
17417 23:10:09 (0) ** WBEM_ENABLE
17418 23:10:09 (0) ** - EXPECTED ACE:
17419 23:10:09 (0) ** ACEType: &h0
17420 23:10:09 (0) ** ACCESS_ALLOWED_ACE_TYPE
17421 23:10:09 (0) ** ACEFlags: &h12
17422 23:10:09 (0) ** CONTAINER_INHERIT_ACE
17423 23:10:09 (0) ** INHERITED_ACE
17424 23:10:09 (0) ** ACEMask: &h13
17425 23:10:09 (0) ** WBEM_ENABLE
17426 23:10:09 (0) ** WBEM_METHOD_EXECUTE
17427 23:10:09 (0) ** WBEM_WRITE_PROVIDER
17428 23:10:09 (0) **
17429 23:10:09 (0) ** => The actual ACE has the right(s) '&h12 WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
17430 23:10:09 (0) ** This will cause some operations to fail!
17431 23:10:09 (0) ** It is possible to fix this issue by editing the security descriptor and adding the removed right.
17432 23:10:09 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
17433 23:10:09 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
17434 23:10:09 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
17435 23:10:09 (0) ** A specific WMI application can always require a security setup different
17436 23:10:09 (0) ** than the WMI security defaults.
17437 23:10:09 (0) **
17438 23:10:09 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': .......... MODIFIED.
17439 23:10:09 (1) !! ERROR: Default trustee 'EVERYONE' has been REMOVED!
17440 23:10:09 (0) ** - REMOVED ACE:
17441 23:10:09 (0) ** ACEType: &h0
17442 23:10:09 (0) ** ACCESS_ALLOWED_ACE_TYPE
17443 23:10:09 (0) ** ACEFlags: &h12
17444 23:10:09 (0) ** CONTAINER_INHERIT_ACE
17445 23:10:09 (0) ** INHERITED_ACE
17446 23:10:09 (0) ** ACEMask: &h13
17447 23:10:09 (0) ** WBEM_ENABLE
17448 23:10:09 (0) ** WBEM_METHOD_EXECUTE
17449 23:10:09 (0) ** WBEM_WRITE_PROVIDER
17450 23:10:09 (0) **
17451 23:10:09 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
17452 23:10:09 (0) ** Removing default security will cause some operations to fail!
17453 23:10:09 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
17454 23:10:09 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
17455 23:10:09 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
17456 23:10:09 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
17457 23:10:09 (0) ** A specific WMI application can always require a security setup different
17458 23:10:09 (0) ** than the WMI security defaults.
17459 23:10:09 (0) **
17460 23:10:09 (0) **
17461 23:10:09 (0) ** DCOM security warning(s) detected: .......... 0.
17462 23:10:09 (0) ** DCOM security error(s) detected: .......... 3.
17463 23:10:09 (0) ** WMI security warning(s) detected: .......... 0.
17464 23:10:09 (0) ** WMI security error(s) detected: .......... 3.
17465 23:10:09 (0) **
17466 23:10:09 (1) !! ERROR: Overall DCOM security status: .......... ERROR!
17467 23:10:09 (1) !! ERROR: Overall WMI security status: .......... ERROR!
17468 23:10:09 (0) ** - Started at 'Root' ------------------------------------------------------------------------------------------------------------------
17469 23:10:09 (0) ** INFO: WMI permanent SUBSCRIPTION(S): .......... 3.
17470 23:10:09 (0) ** - ROOT/DEFAULT, MSFT_UCScenarioControl.Name="Microsoft WMI Updating Consumer Scenario Control".
17471 23:10:09 (0) ** 'SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'MSFT_UCScenario''
17472 23:10:09 (0) ** - ROOT/SUBSCRIPTION, MSFT_UCScenarioControl.Name="Microsoft WMI Updating Consumer Scenario Control".
17473 23:10:09 (0) ** 'SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'MSFT_UCScenario''
17474 23:10:09 (0) ** - ROOT/SUBSCRIPTION, NTEventLogEventConsumer.Name="SCM Event Log Consumer".
17475 23:10:09 (0) ** 'select * from MSFT_SCMEventLogEvent'
17476 23:10:09 (0) **
17477 23:10:09 (0) ** WMI TIMER instruction(s): .......... NONE.
17478 23:10:09 (0) ** INFO: WMI ADAP status: .......... 2.
17479 23:10:09 (0) ** => The WMI ADAP process is processing a performance library (2).
17480 23:10:09 (0) ** Some WMI performance classes could be missing at the time WMIDiag was executed.
17481 23:10:09 (0) ** INFO: WMI namespace(s) requiring PACKET PRIVACY: .......... 1 NAMESPACE(S)!
17482 23:10:09 (0) ** - ROOT/SERVICEMODEL.
17483 23:10:09 (0) ** => When remotely connecting, the namespace(s) listed require(s) the WMI client to
17484 23:10:09 (0) ** use an encrypted connection by specifying the PACKET PRIVACY authentication level.
17485 23:10:09 (0) ** (RPC_C_AUTHN_LEVEL_PKT_PRIVACY or PktPrivacy flags)
17486 23:10:09 (0) ** i.e. 'WMIC.EXE /NODE:"2WIRE200" /AUTHLEVEL:Pktprivacy /NAMESPACE:\\ROOT\SERVICEMODEL Class __SystemSecurity'
17487 23:10:09 (0) **
17488 23:10:09 (0) ** WMI MONIKER CONNECTIONS: .......... OK.
17489 23:10:09 (0) ** WMI CONNECTIONS: .......... OK.
17490 23:10:09 (0) ** WMI GET operations: .......... OK.
17491 23:10:09 (0) ** WMI MOF representations: .......... OK.
17492 23:10:09 (0) ** WMI QUALIFIER access operations: .......... OK.
17493 23:10:09 (2) !! WARNING: WMI ENUMERATION operation errors reported: .......... 1 WARNING(S)!
17494 23:10:09 (0) ** - Root/Default, InstancesOf, 'SystemRestore' did not return any instance while AT LEAST 1 instance is expected.
17495 23:10:09 (0) ** MOF Registration: 'C:\WINDOWS\SYSTEM32\WBEM\SR.MOF'
17496 23:10:09 (0) **
17497 23:10:09 (2) !! WARNING: WMI EXECQUERY operation errors reported: .......... 1 WARNING(S)!
17498 23:10:09 (0) ** - Root/Default, 'Select * From SystemRestore' did not return any instance while AT LEAST 1 instance is expected.
17499 23:10:09 (0) **
17500 23:10:09 (0) ** WMI GET VALUE operations: .......... OK.
17501 23:10:09 (0) ** WMI WRITE operations: .......... NOT TESTED.
17502 23:10:09 (0) ** WMI PUT operations: .......... NOT TESTED.
17503 23:10:09 (0) ** WMI DELETE operations: .......... NOT TESTED.
17504 23:10:09 (0) ** WMI static instances retrieved: .......... 648.
17505 23:10:09 (0) ** WMI dynamic instances retrieved: .......... 0.
17506 23:10:09 (0) ** WMI instance request cancellations (to limit performance impact): .......... 0.
17507 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17508 23:10:09 (0) ** # of Event Log events BEFORE WMIDiag execution since the last 20 day(s):
17509 23:10:09 (0) ** DCOM: .......... 137.
17510 23:10:09 (0) ** WINMGMT: .......... 1.
17511 23:10:09 (0) ** WMIADAPTER: .......... 0.
17512 23:10:09 (0) ** => Verify the WMIDiag LOG at line #16104 for more details.
17513 23:10:09 (0) **
17514 23:10:09 (0) ** # of additional Event Log events AFTER WMIDiag execution:
17515 23:10:09 (0) ** DCOM: .......... 0.
17516 23:10:09 (0) ** WINMGMT: .......... 0.
17517 23:10:09 (0) ** WMIADAPTER: .......... 0.
17518 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17519 23:10:09 (0) ** WMI Registry key setup: .......... OK.
17520 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17521 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17522 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17523 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17524 23:10:09 (0) **
17525 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17526 23:10:09 (0) ** ------------------------------------------------------ WMI REPORT: END -----------------------------------------------------------
17527 23:10:09 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
17528 23:10:09 (0) **
17529 23:10:09 (0) ** ERROR: WMIDiag detected issues that could prevent WMI to work

properly!. Check 'C:\DOCUMENTS AND SETTINGS\TENMEG\LOCAL

SETTINGS\TEMP\WMIDIAG-

V2.0_XP___.CLI.RTM.32_2WIRE200_2009.09.21_23.07.37.LOG' for details.
17530 23:10:09 (0) **
17531 23:10:09 (0) ** WMIDiag v2.0 ended on Monday, September 21, 2009 at 23:10 (W:80

E:22 S:1).
(W:80 E:22 S:1).

=================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:33 PM, on 9/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp-desktop.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.personalfirewall.comodo.com/ ... CF6FF3F27F
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\TENMEG\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://forums.cnet.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9970259671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9971399281
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 8415 bytes
tenmeg
Regular Member
 
Posts: 63
Joined: July 27th, 2009, 7:49 pm