Computer assistance request from LisaM


Unread postby LisaM » April 1st, 2009, 10:36 pm

Hello,
My name is Lisa and I am having trouble with the computer. I am not sure how all this works, so please be patient with me. I am not even sure if I am going to be able to post the log. I am not sure if I am supposed to copy and paste the log file here, or where? I will try to copy and paste the log file here. I am having a number of problems with the computer, and I am most grateful for the assistance that you can give. I do not know how to remove some of the problems that my AVG has found, and I am not having any luck contacting them. I try running the AVG in safe mode, but my system shuts itself down after only minutes of running the program. Recently I have taken almost all programs off the computer in a desperate attempt to try and correct the problems myself, not happening. Too computer illiterate. Problems started during playback of some music and were causing the media player (RealPlayer) to stop responding on a constant basis. Since then I have had more and more strange things coming up. I also have a safely remove icon appear in my bottom taskbar, when I haven't requested any hardware to be removed. Also, I have all these programs running and I cannot shut them down. Please let me know.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:32 PM, on 4/1/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4204 bytes
LisaM
Active Member
 
Posts: 13
Joined: April 1st, 2009, 9:45 pm
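The HijackThis log above is the kind of thing the helpers on this forum read by hand. As an added example (not code from the forum or from Trend Micro), here is a small triage script that scans lines in HijackThis 2.0.2 format and flags the entries a helper looks at first: start/search pages pointing at hosts outside an assumed allowlist, BHOs whose DLL is gone, AppInit_DLLs, and services with a missing binary or no recognised publisher. The sample lines are constructed after the ones in this thread, plus one made-up start page entry so the host check has something to flag.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Constructed sample in HijackThis 2.0.2 format, shaped after the log posted in
# this thread. The "search.example.invalid" line is invented to exercise the
# start-page check; everything else mirrors entries from the posted log.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?pf=cnnb",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/?q=",
    r"O1 - Hosts: ::1 localhost",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O20 - AppInit_DLLs: avgrsstx.dll",
    r"O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
    r"O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe",
    r"O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)",
]

# Hosts an IE start/search page may point at on an OEM Vista install.
# Assumed allowlist for this example; adjust it for the machine being looked at.
EXPECTED_HOSTS = ("microsoft.com", "hp.com")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    detail: str   # the entry the finding is about
    reason: str   # why a helper would want to look at it


_RE_R = re.compile(r"^(R[01]) - (.+?),(.+?) = ?(.*)$")
_RE_O2 = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
_RE_O20 = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
_RE_O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")


def _host_is_expected(url: str) -> bool:
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_HOSTS)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return the entries worth a closer look, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = _RE_R.match(line)
        if m:  # R0/R1: IE start page, search page, default URLs
            sect, key, name, url = m.groups()
            if url and not _host_is_expected(url):
                findings.append(Finding(sect, f"{key},{name}",
                                        f"start/search page points at unexpected host: {url}"))
            continue
        m = _RE_O2.match(line)
        if m:  # O2: Browser Helper Objects loaded into IE
            _name, clsid, path = m.groups()
            if path == "(no file)":
                findings.append(Finding("O2", clsid,
                                        "BHO registered but its DLL is gone (orphaned entry, safe to remove)"))
            continue
        m = _RE_O20.match(line)
        if m:  # O20: AppInit_DLLs is loaded into every user-mode process
            findings.append(Finding("O20", m.group(1),
                                    "AppInit_DLLs injects into every process; confirm the DLL's publisher"))
            continue
        m = _RE_O23.match(line)
        if m:  # O23: Windows services
            name, owner, path = m.groups()
            if path.endswith("(file missing)"):
                findings.append(Finding("O23", name, "service points at a missing binary"))
            elif owner == "Unknown owner":
                findings.append(Finding("O23", name,
                                        "service binary has no recognised publisher; verify its signature"))
            continue
    return findings


def count_by_section(findings: Iterable[Finding]) -> Dict[str, int]:
    """How many flagged entries fall in each HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.detail}\n      {f.reason}")
    print(count_by_section(triage(SAMPLE_LOG)))
```

Entries the script does not flag are not thereby clean (the AVG entries here are legitimate, the Java BHO is merely outdated); it only orders what a reviewer should verify first.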

Re: Computer assistance request from LisaM

Unread postby Carolyn » April 7th, 2009, 1:17 pm

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.


Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  1. Right click on mbam-setup.exe and select Run as administrator
  2. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  3. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  4. Select the Scanner tab. Click on Perform full scan, then click on Scan.
  5. Leave the default options as it is and click on Start Scan.
  6. When done, you will be prompted. Click OK, then click on Show Results.
  7. Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
  8. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

Next,
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Right click on RSIT.exe and select Run as administrator to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please post the following:
  1. The Malwarebytes' Anti-Malware log
  2. The contents of log.txt
  3. The contents of info.txt
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Computer assistance request from LisaM

Unread postby LisaM » April 8th, 2009, 2:14 am

Carolyn,
Thank you very much for responding. I was worried that I had posted something wrong or something. I am pasting the logs as you requested, however, I do not know what your instructions meant by checking all items in the c:\system volume information folder and click on remove selected? I never saw anything like that. I wanted to give you some of the details about what the system was doing though. I had a bunch of programs installed, like RealPlayer, Frostwire, Limewire, and DivX player. RealPlayer starts "not responding" a lot, so I was so frustrated that I just removed it, and a few of the other programs. I think it was about that time that I got the AVG download. I had been on the internet several times without the Webroot program running. I wanted to try to figure out why the computer was running slow so I asked a friend and they told me to go to the prefetch and temp files and clean them out. Well when I went into the prefetch file, and deleted the items, before I could close the window out, several more files appeared there. They just popped up. I thought that might be strange, so I did it again, and the same thing happened. Also, I have a lot of programs running in the background that I do not know what they are, and I cannot turn them off. The system lets me turn some of them off, but not the ones I am curious about (the ones with unknown company name). A friend told me to shut off the system restore and run AVG in safe mode. Tried that but sys. shuts itself down. Tried running Windows Defender in safe mode, but same results. At some point I did a system recovery. Problems still exist. AVG had found some infections but said that some files cannot be healed, and specified file name not found. They were c:\users\lisa\AppData\roaming\microsoft\windows\cookies\low\lisa@atdmt(2).txt and the other one was the same except for the last part (after low) lisa@m.webtrends(2).txt.
I do not recall which, but one of the programs said I had trojanhorsedownloader.generic_cAGS and the path to file was c:users\lisa\documents\frostwire\nora jones_turn me on.mp3. I do not know what to do, so here I am. Please be patient, I am really computer illiterate. I will try and get you the info. that you need. Please let me know if I need to complete the first part of the instructions about the Malwarebytes remove selected part. I am pasting it here for you. Thank you very much. Please let me know. Oh, during the scan from Malwarebytes, about an hour or so into it the abort scan button started flashing, and the scan began running really slow. It did say it finished successfully though. Thanks again. Lisa


Malwarebytes' Anti-Malware 1.36
Database version: 1950
Windows 6.0.6001 Service Pack 1

4/7/2009 11:59:36 PM
mbam-log-2009-04-07 (23-59-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 157056
Time elapsed: 1 hour(s), 51 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Malwarebytes log file:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Lisa at 2009-04-08 00:52:21
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 155 GB (86%) free of 181 GB
Total RAM: 2814 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:51 AM, on 4/8/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\NOTEPAD.EXE
C:\WINDOWS\System32\notepad.exe
C:\Users\Lisa\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Lisa.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4471 bytes

======Scheduled tasks folder======

C:\Windows\tasks\HPCeeScheduleForLisa.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-03-22 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-04-17 1049896]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-03-22 1932568]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-04-06 401040]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-20 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-04-08 00:52:20 ----D---- C:\rsit
2009-04-07 22:06:25 ----D---- C:\Users\Lisa\AppData\Roaming\Malwarebytes
2009-04-07 22:06:18 ----D---- C:\ProgramData\Malwarebytes
2009-04-07 22:06:16 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-01 20:30:11 ----D---- C:\Program Files\Trend Micro
2009-03-26 13:59:21 ----D---- C:\Program Files\NetWaiting
2009-03-26 13:59:12 ----D---- C:\Users\Lisa\AppData\Roaming\InstallShield
2009-03-26 08:18:17 ----SHD---- C:\Config.Msi
2009-03-23 23:14:56 ----D---- C:\Users\Lisa\AppData\Roaming\GTek
2009-03-21 21:14:14 ----HD---- C:\$AVG8.VAULT$
2009-03-17 23:27:26 ----A---- C:\Windows\system32\avgrsstx.dll
2009-03-17 23:27:15 ----D---- C:\Program Files\AVG
2009-03-15 11:03:52 ----A---- C:\Windows\system32\avgrep.txt
2009-03-15 02:08:30 ----A---- C:\Windows\ntbtlog.txt
2009-03-13 14:41:37 ----A---- C:\Windows\system32\wmp.dll
2009-03-13 14:41:30 ----A---- C:\Windows\system32\spwmp.dll
2009-03-13 14:41:24 ----A---- C:\Windows\system32\dxmasf.dll
2009-03-13 14:41:22 ----A---- C:\Windows\system32\wmploc.DLL
2009-03-13 14:41:14 ----A---- C:\Windows\system32\schannel.dll
2009-03-10 21:47:38 ----D---- C:\ProgramData\Apple Computer

======List of files/folders modified in the last 1 months======

2009-04-08 00:52:52 ----D---- C:\Windows\Temp
2009-04-08 00:52:40 ----D---- C:\Windows\Prefetch
2009-04-07 22:06:22 ----D---- C:\Windows\system32\drivers
2009-04-07 22:06:18 ----HD---- C:\ProgramData
2009-04-07 22:06:16 ----D---- C:\Program Files
2009-04-07 21:41:07 ----D---- C:\Windows\System32
2009-04-07 21:41:07 ----D---- C:\Windows\inf
2009-04-07 21:41:07 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-04-07 21:35:55 ----SHD---- C:\System Volume Information
2009-03-28 19:48:24 ----D---- C:\WINDOWS
2009-03-27 21:55:36 ----SD---- C:\Users\Lisa\AppData\Roaming\Microsoft
2009-03-27 21:13:10 ----D---- C:\Program Files\CONEXANT
2009-03-27 21:12:30 ----D---- C:\Windows\system32\catroot
2009-03-26 14:42:51 ----D---- C:\Windows\Microsoft.NET
2009-03-26 14:41:06 ----RSD---- C:\Windows\assembly
2009-03-26 14:12:38 ----SHD---- C:\Windows\Installer
2009-03-26 14:11:25 ----D---- C:\Windows\winsxs
2009-03-26 14:05:51 ----D---- C:\Windows\Minidump
2009-03-26 08:54:07 ----D---- C:\Program Files\Google
2009-03-26 08:44:04 ----HD---- C:\Program Files\InstallShield Installation Information
2009-03-26 08:43:28 ----D---- C:\ProgramData\Kodak
2009-03-26 08:42:05 ----D---- C:\Program Files\HP
2009-03-26 08:39:53 ----D---- C:\Windows\system32\catroot2
2009-03-26 08:37:31 ----D---- C:\Program Files\Common Files\microsoft shared
2009-03-26 08:37:13 ----D---- C:\Program Files\QuickTime
2009-03-26 08:35:31 ----D---- C:\Windows\system
2009-03-26 08:30:27 ----D---- C:\Program Files\Common Files\Real
2009-03-26 08:30:26 ----D---- C:\Users\Lisa\AppData\Roaming\Real
2009-03-26 08:30:24 ----D---- C:\Program Files\Common Files
2009-03-26 08:20:12 ----D---- C:\Program Files\Atheros
2009-03-26 08:19:07 ----D---- C:\Program Files\ArcSoft
2009-03-26 08:18:20 ----D---- C:\Program Files\Apple Software Update
2009-03-22 23:47:31 ----D---- C:\Users\Lisa\AppData\Roaming\FrostWire
2009-03-22 14:25:45 ----D---- C:\Windows\system32\WDI
2009-03-18 21:09:44 ----D---- C:\ProgramData\avg8
2009-03-15 06:56:26 ----D---- C:\Program Files\DivX
2009-03-15 06:43:19 ----D---- C:\Program Files\Common Files\PX Storage Engine
2009-03-15 06:40:30 ----D---- C:\ProgramData\Adobe
2009-03-15 06:40:30 ----D---- C:\Program Files\Adobe
2009-03-14 13:22:54 ----D---- C:\Program Files\Windows Media Player
2009-03-14 13:22:54 ----D---- C:\Program Files\Windows Mail

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-03-22 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-03-18 27656]
R1 AvgTdiX;AVG8 Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2009-03-26 108552]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-18 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-17 8704]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2008-04-27 909824]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDRT32.sys [2008-10-03 222208]
R3 HpqRemHid;HP Remote Control HID Device; C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 7168]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-10-31 985600]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2007-10-31 208896]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2008-01-29 1042464]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver; C:\Windows\system32\drivers\nvhda32v.sys [2008-05-03 42528]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-05-03 7446656]
R3 nvsmu;nvsmu; C:\Windows\system32\DRIVERS\nvsmu.sys [2008-04-24 14848]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-04-17 199344]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-10-31 661504]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HpqKbFiltr;HpqKbFilter Driver; C:\Windows\system32\DRIVERS\HpqKbFiltr.sys [2007-06-18 16768]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-20 200704]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 RTSTOR;Realtek USB 2.0 Card Reader; C:\Windows\system32\drivers\RTSTOR.SYS []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-03-22 908056]
R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-03-22 298264]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2008-04-15 94208]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-05-03 196608]
R2 Recovery Service for Windows;Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [2008-04-25 361808]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-10-17 386560]
S2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe []
S3 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2008-01-25 148832]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]

-----------------EOF-----------------


and the minimized file :


info.txt logfile of random's system information tool 1.06 2009-04-08 00:52:58

======Uninstall list======

Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player-->MsiExec.exe /X{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}
Atheros Driver Installation Program-->C:\Program Files\InstallShield Installation Information\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}\setup.exe -runfromtemp -l0x0009
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Conexant HD Audio-->C:\Program Files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe -U -IWAHerza.INF
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_HERMOSA_HSF\UIU32m.exe -U -IHPQHERzm.inf
Hewlett-Packard Active Check for Health Check-->MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Hewlett-Packard Asset Agent for Health Check-->MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Active Support Library-->C:\Program Files\InstallShield Installation Information\{9E2CCD5E-1990-4EF2-9B61-32F0BBACC29B}\setup.exe -runfromtemp -l0x0409
HP Doc Viewer-->MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}
HP User Guides 0110-->MsiExec.exe /I{B640E7CC-7091-4A24-AE76-2140065D2054}
HP Wireless Assistant-->MsiExec.exe /I{340F521E-3576-4E1A-B75C-EB0ACF751379}
HPNetworkAssistant-->MsiExec.exe /I{228C6B46-64E2-404E-898A-EF0830603EF4}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
netbrdg-->MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
SFR-->MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
USB Wireless Keyboard Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F07096A7-BAD7-4DC0-A430-B273DADF9280}\setup.exe" -l0x9
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}

======Security center information======

AV: AVG Anti-Virus
AS: AVG Anti-Virus (disabled)
AS: Windows Defender

======System event log======

Computer Name: Lisa-PC
Event Code: 15016
Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.
Record Number: 26579
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20090408023344.689380-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 7000
Message: The Parallel port driver service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Record Number: 26620
Source Name: Service Control Manager
Time Written: 20090408023517.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 7000
Message: The Cyberlink RichVideo Service(CRVS) service failed to start due to the following error:
The system cannot find the file specified.
Record Number: 26629
Source Name: Service Control Manager
Time Written: 20090408023517.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 7
Message: The speed of processor 1 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
Record Number: 26678
Source Name: Microsoft-Windows-Kernel-Processor-Power
Time Written: 20090408032847.622084-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Lisa-PC
Event Code: 7
Message: The speed of processor 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
Record Number: 26679
Source Name: Microsoft-Windows-Kernel-Processor-Power
Time Written: 20090408032847.622084-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: Lisa-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 2934
Source Name: Microsoft-Windows-WMI
Time Written: 20090406000238.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 2962
Source Name: Microsoft-Windows-WMI
Time Written: 20090406025315.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 2987
Source Name: Microsoft-Windows-WMI
Time Written: 20090407064548.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 3017
Source Name: Microsoft-Windows-WMI
Time Written: 20090408023516.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {65be1c48-1bbb-4880-b560-f18a2fc5eaa7}
Record Number: 3019
Source Name: VSS
Time Written: 20090408023527.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Lisa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys
Record Number: 5821
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090408055245.140484-000
Event Type: Audit Failure
User:

Computer Name: Lisa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys
Record Number: 5822
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090408055245.265284-000
Event Type: Audit Failure
User:

Computer Name: Lisa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys
Record Number: 5823
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090408055245.452484-000
Event Type: Audit Failure
User:

Computer Name: Lisa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys
Record Number: 5824
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090408055245.561684-000
Event Type: Audit Failure
User:

Computer Name: Lisa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys
Record Number: 5825
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090408055245.655284-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"DFSTRACINGON"=FALSE
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OnlineServices"=Online Services
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\CyberLink\Power2Go
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PCBRAND"=Presario
"Platform"=MCD
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 17 Model 3 Stepping 1, AuthenticAMD
"PROCESSOR_LEVEL"=17
"PROCESSOR_REVISION"=0301
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"USERNAME"=SYSTEM
"windir"=%SystemRoot%

-----------------EOF-----------------
LisaM
Active Member
 
Posts: 13
Joined: April 1st, 2009, 9:45 pm

Re: Computer assistance request from LisaM

Unread postby LisaM » April 8th, 2009, 2:14 am

Carolyn,
Thank you very much for responding. I was worried that I had posted something wrong or something. I am pasting the logs as you requested, however, I do not know what your instructions meant by checking all items in the c:\system volume information folder and click on remove selected? I never saw anything like that. I wanted to give you some of the details about what the system was doing though. I had a bunch of programs installed, like Realplayer, Frostwire, Limewire, and Divx player. Real player starts "not responding" a lot, so I was so frustrated, that I just removed it, and a few of the other programs. I think it was about that time that I got the avg download. I had been on the internet several times without the webroot program running. I wanted to try to figure out why the computer was running slow so I asked a friend and they told me to go to the prefetch and temp files and clean them out. Well, when I went into the prefetch file, and deleted the items, before I could close the window out, several more files appeared there. They just popped up. I thought that might be strange, so I did it again, and the same thing happened. Also, I have a lot of programs running in the background that I do not know what they are, and I cannot turn them off. The system lets me turn some of them off, but not the ones I am curious about (the ones with unknown company name). A friend told me to shut off the system restore and run avg in safe mode. Tried that but sys. shuts itself down. Tried running windows defender in safe mode, but same results. At some point I did a system recovery. Problems still exist. Avg had found some infections but said that some files cannot be healed, and specified file name not found. They were c:\users\lisa\AppData\roaming\microsoft\windows\cookies\low\lisa@atdmt(2).txt and the other one was the same except for the last part (after low) lisa@m.webtrends(2).txt.
I do not recall which, but one of the programs said I had trojanhorsedownloader.generic_cAGS and the path to the file was c:users\lisa\documents\frostwire\nora jones_turn me on.mp3. I do not know what to do, so here I am. Please be patient, I am really computer illiterate. I will try and get you the info that you need. Please let me know if I need to complete the first part of the instructions about the malwarebytes remove selected part. I am pasting it here for you. Thank you very much. Please let me know. Oh, during the scan from malwarebytes, about an hour or so into it the abort scan button started flashing, and the scan began running really slow. It did say it finished successfully though. Thanks again. Lisa


Malwarebytes' Anti-Malware 1.36
Database version: 1950
Windows 6.0.6001 Service Pack 1

4/7/2009 11:59:36 PM
mbam-log-2009-04-07 (23-59-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 157056
Time elapsed: 1 hour(s), 51 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

malware bytes log file:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Lisa at 2009-04-08 00:52:21
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 155 GB (86%) free of 181 GB
Total RAM: 2814 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:51 AM, on 4/8/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\NOTEPAD.EXE
C:\WINDOWS\System32\notepad.exe
C:\Users\Lisa\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Lisa.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4471 bytes

======Scheduled tasks folder======

C:\Windows\tasks\HPCeeScheduleForLisa.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-03-22 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-04-17 1049896]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-03-22 1932568]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-04-06 401040]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-20 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-04-08 00:52:20 ----D---- C:\rsit
2009-04-07 22:06:25 ----D---- C:\Users\Lisa\AppData\Roaming\Malwarebytes
2009-04-07 22:06:18 ----D---- C:\ProgramData\Malwarebytes
2009-04-07 22:06:16 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-01 20:30:11 ----D---- C:\Program Files\Trend Micro
2009-03-26 13:59:21 ----D---- C:\Program Files\NetWaiting
2009-03-26 13:59:12 ----D---- C:\Users\Lisa\AppData\Roaming\InstallShield
2009-03-26 08:18:17 ----SHD---- C:\Config.Msi
2009-03-23 23:14:56 ----D---- C:\Users\Lisa\AppData\Roaming\GTek
2009-03-21 21:14:14 ----HD---- C:\$AVG8.VAULT$
2009-03-17 23:27:26 ----A---- C:\Windows\system32\avgrsstx.dll
2009-03-17 23:27:15 ----D---- C:\Program Files\AVG
2009-03-15 11:03:52 ----A---- C:\Windows\system32\avgrep.txt
2009-03-15 02:08:30 ----A---- C:\Windows\ntbtlog.txt
2009-03-13 14:41:37 ----A---- C:\Windows\system32\wmp.dll
2009-03-13 14:41:30 ----A---- C:\Windows\system32\spwmp.dll
2009-03-13 14:41:24 ----A---- C:\Windows\system32\dxmasf.dll
2009-03-13 14:41:22 ----A---- C:\Windows\system32\wmploc.DLL
2009-03-13 14:41:14 ----A---- C:\Windows\system32\schannel.dll
2009-03-10 21:47:38 ----D---- C:\ProgramData\Apple Computer

======List of files/folders modified in the last 1 months======

2009-04-08 00:52:52 ----D---- C:\Windows\Temp
2009-04-08 00:52:40 ----D---- C:\Windows\Prefetch
2009-04-07 22:06:22 ----D---- C:\Windows\system32\drivers
2009-04-07 22:06:18 ----HD---- C:\ProgramData
2009-04-07 22:06:16 ----D---- C:\Program Files
2009-04-07 21:41:07 ----D---- C:\Windows\System32
2009-04-07 21:41:07 ----D---- C:\Windows\inf
2009-04-07 21:41:07 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-04-07 21:35:55 ----SHD---- C:\System Volume Information
2009-03-28 19:48:24 ----D---- C:\WINDOWS
2009-03-27 21:55:36 ----SD---- C:\Users\Lisa\AppData\Roaming\Microsoft
2009-03-27 21:13:10 ----D---- C:\Program Files\CONEXANT
2009-03-27 21:12:30 ----D---- C:\Windows\system32\catroot
2009-03-26 14:42:51 ----D---- C:\Windows\Microsoft.NET
2009-03-26 14:41:06 ----RSD---- C:\Windows\assembly
2009-03-26 14:12:38 ----SHD---- C:\Windows\Installer
2009-03-26 14:11:25 ----D---- C:\Windows\winsxs
2009-03-26 14:05:51 ----D---- C:\Windows\Minidump
2009-03-26 08:54:07 ----D---- C:\Program Files\Google
2009-03-26 08:44:04 ----HD---- C:\Program Files\InstallShield Installation Information
2009-03-26 08:43:28 ----D---- C:\ProgramData\Kodak
2009-03-26 08:42:05 ----D---- C:\Program Files\HP
2009-03-26 08:39:53 ----D---- C:\Windows\system32\catroot2
2009-03-26 08:37:31 ----D---- C:\Program Files\Common Files\microsoft shared
2009-03-26 08:37:13 ----D---- C:\Program Files\QuickTime
2009-03-26 08:35:31 ----D---- C:\Windows\system
2009-03-26 08:30:27 ----D---- C:\Program Files\Common Files\Real
2009-03-26 08:30:26 ----D---- C:\Users\Lisa\AppData\Roaming\Real
2009-03-26 08:30:24 ----D---- C:\Program Files\Common Files
2009-03-26 08:20:12 ----D---- C:\Program Files\Atheros
2009-03-26 08:19:07 ----D---- C:\Program Files\ArcSoft
2009-03-26 08:18:20 ----D---- C:\Program Files\Apple Software Update
2009-03-22 23:47:31 ----D---- C:\Users\Lisa\AppData\Roaming\FrostWire
2009-03-22 14:25:45 ----D---- C:\Windows\system32\WDI
2009-03-18 21:09:44 ----D---- C:\ProgramData\avg8
2009-03-15 06:56:26 ----D---- C:\Program Files\DivX
2009-03-15 06:43:19 ----D---- C:\Program Files\Common Files\PX Storage Engine
2009-03-15 06:40:30 ----D---- C:\ProgramData\Adobe
2009-03-15 06:40:30 ----D---- C:\Program Files\Adobe
2009-03-14 13:22:54 ----D---- C:\Program Files\Windows Media Player
2009-03-14 13:22:54 ----D---- C:\Program Files\Windows Mail

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-03-22 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-03-18 27656]
R1 AvgTdiX;AVG8 Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2009-03-26 108552]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-18 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-17 8704]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2008-04-27 909824]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDRT32.sys [2008-10-03 222208]
R3 HpqRemHid;HP Remote Control HID Device; C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 7168]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-10-31 985600]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2007-10-31 208896]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2008-01-29 1042464]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver; C:\Windows\system32\drivers\nvhda32v.sys [2008-05-03 42528]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-05-03 7446656]
R3 nvsmu;nvsmu; C:\Windows\system32\DRIVERS\nvsmu.sys [2008-04-24 14848]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-04-17 199344]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-10-31 661504]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HpqKbFiltr;HpqKbFilter Driver; C:\Windows\system32\DRIVERS\HpqKbFiltr.sys [2007-06-18 16768]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-20 200704]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 RTSTOR;Realtek USB 2.0 Card Reader; C:\Windows\system32\drivers\RTSTOR.SYS []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-03-22 908056]
R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-03-22 298264]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2008-04-15 94208]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-05-03 196608]
R2 Recovery Service for Windows;Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [2008-04-25 361808]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-10-17 386560]
S2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe []
S3 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2008-01-25 148832]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]

-----------------EOF-----------------

and the minimized file:

info.txt logfile of random's system information tool 1.06 2009-04-08 00:52:58

======Uninstall list======

Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player-->MsiExec.exe /X{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}
Atheros Driver Installation Program-->C:\Program Files\InstallShield Installation Information\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}\setup.exe -runfromtemp -l0x0009
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Conexant HD Audio-->C:\Program Files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe -U -IWAHerza.INF
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_HERMOSA_HSF\UIU32m.exe -U -IHPQHERzm.inf
Hewlett-Packard Active Check for Health Check-->MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Hewlett-Packard Asset Agent for Health Check-->MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Active Support Library-->C:\Program Files\InstallShield Installation Information\{9E2CCD5E-1990-4EF2-9B61-32F0BBACC29B}\setup.exe -runfromtemp -l0x0409
HP Doc Viewer-->MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}
HP User Guides 0110-->MsiExec.exe /I{B640E7CC-7091-4A24-AE76-2140065D2054}
HP Wireless Assistant-->MsiExec.exe /I{340F521E-3576-4E1A-B75C-EB0ACF751379}
HPNetworkAssistant-->MsiExec.exe /I{228C6B46-64E2-404E-898A-EF0830603EF4}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
netbrdg-->MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
SFR-->MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
USB Wireless Keyboard Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F07096A7-BAD7-4DC0-A430-B273DADF9280}\setup.exe" -l0x9
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}

======Security center information======

AV: AVG Anti-Virus
AS: AVG Anti-Virus (disabled)
AS: Windows Defender

======System event log======

Computer Name: Lisa-PC
Event Code: 15016
Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.
Record Number: 26579
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20090408023344.689380-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 7000
Message: The Parallel port driver service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Record Number: 26620
Source Name: Service Control Manager
Time Written: 20090408023517.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 7000
Message: The Cyberlink RichVideo Service(CRVS) service failed to start due to the following error:
The system cannot find the file specified.
Record Number: 26629
Source Name: Service Control Manager
Time Written: 20090408023517.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 7
Message: The speed of processor 1 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
Record Number: 26678
Source Name: Microsoft-Windows-Kernel-Processor-Power
Time Written: 20090408032847.622084-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Lisa-PC
Event Code: 7
Message: The speed of processor 0 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
Record Number: 26679
Source Name: Microsoft-Windows-Kernel-Processor-Power
Time Written: 20090408032847.622084-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: Lisa-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 2934
Source Name: Microsoft-Windows-WMI
Time Written: 20090406000238.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 2962
Source Name: Microsoft-Windows-WMI
Time Written: 20090406025315.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 2987
Source Name: Microsoft-Windows-WMI
Time Written: 20090407064548.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 3017
Source Name: Microsoft-Windows-WMI
Time Written: 20090408023516.000000-000
Event Type: Error
User:

Computer Name: Lisa-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {65be1c48-1bbb-4880-b560-f18a2fc5eaa7}
Record Number: 3019
Source Name: VSS
Time Written: 20090408023527.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Lisa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys
Record Number: 5821
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090408055245.140484-000
Event Type: Audit Failure
User:

Computer Name: Lisa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys
Record Number: 5822
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090408055245.265284-000
Event Type: Audit Failure
User:

Computer Name: Lisa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys
Record Number: 5823
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090408055245.452484-000
Event Type: Audit Failure
User:

Computer Name: Lisa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys
Record Number: 5824
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090408055245.561684-000
Event Type: Audit Failure
User:

Computer Name: Lisa-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys
Record Number: 5825
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090408055245.655284-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"DFSTRACINGON"=FALSE
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OnlineServices"=Online Services
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\CyberLink\Power2Go
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PCBRAND"=Presario
"Platform"=MCD
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 17 Model 3 Stepping 1, AuthenticAMD
"PROCESSOR_LEVEL"=17
"PROCESSOR_REVISION"=0301
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"USERNAME"=SYSTEM
"windir"=%SystemRoot%

-----------------EOF-----------------
LisaM
Active Member
 
Posts: 13
Joined: April 1st, 2009, 9:45 pm

Re: Computer assistance request from LisaM

Unread postby Carolyn » April 8th, 2009, 1:09 pm

Hi Lisa,

You are doing just fine. No worries. If you find any of my instructions to be unclear or confusing, let me know. I encourage you to ask questions. I want to make this process very easy for you.

=======================

I am glad that you have uninstalled LimeWire and FrostWire. The use of peer to peer (p2p) programs is dangerous. Here is the information I usually post when I see p2p programs on someone's computer:


We have noticed that most people seeking help from us are coming with infections contracted from the use of P2P programs.

Unless you uninstall all P2P software, I am sorry, but my only advice to you will be to reformat the computer.

I must also warn you that continued use of P2P and other questionable programs will likely result in your computer being in the same state again. P2P programs form a direct conduit on to your computer. They have always been a target of malware writers and increasingly so of late. P2P security measures are easily circumvented. Further to that, if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. In addition to infections of the nature found on this computer, use of P2P programs can result in Identity Theft.

If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, we will refuse our help.

Please go to Start > Control Panel > Add/Remove Programs
If present, remove the following programs:

BitTorrent
Limewire
Morpheus
etc


** Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Close the Control Panel.

=======================

I asked a friend and they told me to go to the prefetch and temp files and clean them out. Well when I went into the prefetch file, and deleted the items, before I could close the window out, several more files appeared there.
They just popped up. I thought that might be strange, so I did it again, and same thing happened. Also, I have alot of programs running in the background that I do not know what they are, and I cannot turn them off. The system lets
me turn some of them off, but not the ones I am curious about. ( the ones with unknown company name )


Prefetch and Temp files are created by the operating system all of the time, so what you are describing is not unusual. Those types of files will continue to "just pop up".

There will be many programs running in the background that are unfamiliar to you. Some will belong to Windows, some will belong to the programs you have installed. Can you tell me which programs you are concerned about?

=======================

Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 13.
  • Click the Download button to the right.
  • Select Windows from the drop-down list for Platform.
  • Check the box that says: Accept License Agreement.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Go to start > control panel > programs and features.
  • Right click on the following:

    Java(TM) 6 Update 5

  • Click Uninstall & then follow the prompts to remove it.
  • Close any programs you may have running - especially your web browser.
  • Right click on jre-6u13-windows-i586-p.exe and select Run As Administrator to install Java.
  • Reboot your computer.

=======================

Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it.

Go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

=======================

Please post the following in your next reply:
  • The Kaspersky log
  • A fresh HijackThis log
  • Answers to my questions
  • Any questions that you have
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Computer assistance request from LisaM

Unread postby LisaM » April 9th, 2009, 2:00 am

Carolyn,

Having some difficulties. After installing Java and rebooting, I opened Explorer and raa. I was in the Kaspersky attempting to install when a security warning said the application's digital signature has an error and asked do I want to run the application? The information in that box said name jReport, the publisher is Kaspersky Lab and it was from http://www.kaspersky.com . It also says the digital signature was generated with a trusted certificate, but has expired. Then I got a Windows Internet Explorer window that said starting Java applet has failed! Please go online to use this program. I needed to ask first.
Not sure what to do. I am pasting the HijackThis log file to this. I raa and did a system scan and saved the logfile. I did have some programs open when I did it, so if I need to do it again, please let me know. It seems smaller than the first one?

The questions I had, I came across when in Windows Defender under the Software Explorer, category Currently Running Programs, and showing all users, was "Publisher not available" called Application STServices: 1936, and under the classification it is not yet classified. The file name is BLService.exe and the display name is Application STServices, the description is ST Services, the publisher is not available, the user name is NT Authority\System. It is not yet classified. The other one I was wondering about is HP Health Check Service: 2940 and its file name is hphc_service.exe, the display name is HP HealthCheck Service, publisher is Hewlett Packard, it's not digitally signed, it's not yet classified, its file path is c\program files\hewlett packard\HP Health check\hphc_service.exe, the user name is NT Authority\system and it's not yet classified. I think that I found them odd because they have something missing like no signature, or classification, or publisher.

I also had another question re: Defender. I had run across something that bothered me a while back. I went under History, and Programs and Actions; the name was unknown, and the alert level was unknown, and the action taken was PERMIT, dated 3-14-9, and the status said SUCCEEDED. (WOW! wonder what that was?) It said the resource file was c\windows\system32\drivers\etc\hosts and it is not yet classified. I wonder if I told it to permit by mistake? The other one was Settings Modifier: Win32/Possible Hosts File Hijack and its alert level was medium, the action taken was Cleaned, the date was 3-14-9 and the status was succeeded. It says the resources for this file is c\windows\system32\drivers\etc\hosts and its category was settings modifier. Wonder why the resources for both of the files are the same?

Please let me know about the kaspersky and java. I thought I followed directions exactly. When you tell me, I will try again. Thank you for your patience. Lisa

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:36 AM, on 4/9/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4038 bytes
LisaM
Active Member
 
Posts: 13
Joined: April 1st, 2009, 9:45 pm

Re: Computer assistance request from LisaM

Unread postby Carolyn » April 10th, 2009, 7:55 am

Hi,

BLService.exe is a legitimate program

http://www.systemlookup.com/search.php? ... ervice.exe

HP Health Check is a legitimate program that comes preinstalled on HP computers

http://www.systemlookup.com/search.php? ... ervice.exe

c\windows\system32\drivers\etc\hosts

Also legit. It sounds like Defender found something suspicious in the hosts file and cleaned it.

Here is some info about the hosts file http://en.wikipedia.org/wiki/Hosts_file

================================

  1. Click here to perform a Panda online scan. Please use Internet Explorer as it requires ActiveX.
  2. Click on Scan your PC now.
  3. A new window will open.
  4. Select your country and type in your email address. You may also optionally choose to receive emails from Panda. If you don't wish to, please select the I do not want to receive marketing information from Panda Software and/or its International Representatives where applicable option.
  5. Click on Free online scan.
  6. You will be prompted to install an ActiveX. Please allow it.
  7. Once installed, it will start downloading the virus definitions. Please be patient. This takes a while.
  8. Once the files are downloaded, it will ask you to select what to scan. Select My Computer.
  9. The scan will start. It takes a while, please be patient.
  10. Once done, click on View Report.
  11. You will be brought to another page. Click on Save Report. Save it to your desktop. Please post this report in your next reply.

================================

Please post the following:
  • The Panda log
  • A fresh HijackThis log
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
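A "Possible Hosts File Hijack" is easier to understand with a concrete check. The script below is an added example, not part of this thread or of any tool it mentions: it parses a constructed sample hosts file, prints each entry in the shape of a HijackThis O1 line, and flags anything beyond the stock localhost entries, separating names that are blocked (sent to loopback) from names that are redirected elsewhere.

```python
"""Added example: parse a Windows hosts file and flag hijack-style entries.

Not from the forum thread or from HijackThis/Defender; the sample hosts
content below is constructed for illustration only.
"""
import ipaddress
import re

# Entries a stock Windows hosts file carries; anything else deserves a look.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: two stock entries plus two lines of the kind a
# hosts-file-hijack detection would object to (.invalid names, TEST-NET IP).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed hijack-style entries
127.0.0.1       www.example-antivirus-vendor.invalid
203.0.113.10    www.example-bank.invalid   # redirected to a foreign host
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address in the first column: ignore the line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def classify(entries):
    """Return (ip, name, reason) for every entry that is not a stock localhost mapping."""
    suspicious = []
    for ip, name in entries:
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        if ipaddress.ip_address(ip).is_loopback:
            # Mapping a real site to loopback silently blocks it (a common way
            # malware stops security vendors' sites and update servers loading).
            reason = "blocks the name (resolves to loopback)"
        else:
            # Mapping a real site to some other address sends the user elsewhere.
            reason = "redirects the name to a foreign address"
        suspicious.append((ip, name, reason))
    return suspicious


def o1_lines(entries):
    """Render entries the way HijackThis prints them, e.g. 'O1 - Hosts: ::1 localhost'."""
    return [f"O1 - Hosts: {ip} {name}" for ip, name in entries]


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    for line in o1_lines(found):
        print(line)
    for ip, name, reason in classify(found):
        print(f"SUSPICIOUS: {ip} {name}: {reason}")
```

On a real machine the same functions can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts, the file Defender named in Lisa's history.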

Re: Computer assistance request from LisaM

Unread postby LisaM » April 11th, 2009, 1:18 am

Hello,

I think I had better luck this time. I am pasting the panda log, and a fresh Hijack Log like you requested. Thank you for letting me know about those files I had questions on. I appreciate it. Please let me know. Lisa

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-04-11 00:03:59
PROTECTIONS: 3
MALWARE: 8
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus 8.0 Yes Yes
AVG Anti-Virus 8.0 No Yes
Windows Defender 1.1.1505.0 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@com[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@apmebf[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@server.iad.liveperson[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@stat.onestat[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.pointroll[1].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\lisa@adultfriendfinder[1].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@adultfriendfinder[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@did-it[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.addynamix[1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:02 AM, on 4/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4317 bytes
LisaM
Active Member
 
Posts: 13
Joined: April 1st, 2009, 9:45 pm

Re: Computer assistance request from LisaM

Unread postby Carolyn » April 13th, 2009, 7:56 am

Hi,

I'm sorry for taking so long to reply. Your logs look good. Panda found some cookies that should be deleted, so let's take care of that.

Show All Files And Folders in Vista
Now you need to show all files and folders
  • Click Start.
  • Open "Computer".
  • Select the Organize menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following files; if found, delete them:

C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@com[1].txt <<File
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@apmebf[2].txt <<File
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@server.iad.liveperson[2].txt <<File
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@stat.onestat[2].txt <<File
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.pointroll[1].txt <<File
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\lisa@adultfriendfinder[1].txt <<File
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@adultfriendfinder[2].txt <<File
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@did-it[1].txt <<File
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.addynamix[1].txt <<File

Now empty your Recycle Bin.

=================================


This is my general post for when your logs show no signs of malware ;) - Please let me know if you are still having problems with your computer and what these problems are.

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:
  • Please delete RSIT.exe from your computer

    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

    • Clear Infected System Restore Points
      Turn off System Restore-Vista
      • Click the Vista/Start icon.
      • Right Click >> Computer
      • Click Properties.
      • Click the System Protection tab.
      • Uncheck All drives
      • Click "Turn Off System Restore" at the prompt then click "Apply".
      • Restart your computer.

      Turn ON System Restore-Vista
      • Click the Vista/Start icon
      • Right Click >> Computer
      • Click Properties.
      • Click the System Protection tab.
      • Checkmark All drives that were selected previously then click "Apply".


    • Set correct settings for files
      • Click Start > Computer > Organize menu (at top of page) > Folder and Search Options > View tab.
      • Under Hidden files and folders if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check Display content of system folders
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK


    • Make sure that you keep your antivirus updated
      New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


    • Security Updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab.

    • Update Non-Microsoft Programs
      Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

    • Make Internet Explorer More Secure
      You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

    • Malwarebytes' Anti-Malware
      Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.

    • Use an alternative Internet Browser
      Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
      Firefox
      Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Computer assistance request from LisaM

Unread postby LisaM » April 13th, 2009, 2:47 pm

Carolyn,
My name is David. Can you please call Lisa? She is having a major problem with her computer. Her number is
********** She will tell you what's wrong. Thank you and have a great day. She can not
connect to the internet :) :)

I've removed the number. Please do not post telephone numbers in an open forum, it is not safe to do so.

No helper at this site will contact anyone by phone, all help is given through this forum - Gary R
LisaM
Active Member
 
Posts: 13
Joined: April 1st, 2009, 9:45 pm

Re: Computer assistance request from LisaM

Unread postby LisaM » April 14th, 2009, 2:55 pm

Carolyn,

I had been having trouble getting onto the internet, and I am so very sorry for not getting back with you. My friend sent the last response from his computer because I couldn't do it from mine. I don't know what was wrong. I didn't mean to break any rules or anything bad by asking him to send the note. I apologize.

The information that you have given me has been very useful, and I know I will be using your advice and following instruction.

I tried to go to Windows Explore by following your instruction, but I did not see "explore navigate to" to left click on. My options are open, explore, scan w/ AVG, properties, open all users, and explore all users. I left clicked explore but I didn't see any of the files you referred to. Can you please instruct me further on how to find them? I do not mean to be so needy, so I apologize. You have been so very helpful, and I do appreciate your time. Thank you. Lisa
LisaM
Active Member
 
Posts: 13
Joined: April 1st, 2009, 9:45 pm

Re: Computer assistance request from LisaM

Unread postby Carolyn » April 15th, 2009, 2:07 pm

Hi Lisa,

Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@com[1].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@apmebf[2].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@server.iad.liveperson[2].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@stat.onestat[2].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.pointroll[1].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\lisa@adultfriendfinder[1].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@adultfriendfinder[2].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@did-it[1].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.addynamix[1].txt

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Computer assistance request from LisaM

Unread postby LisaM » April 15th, 2009, 7:39 pm

Carolyn,

Here ya go.
Error: Unable to interpret <C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@com[1].txt> in the current context!
Error: Unable to interpret <C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@apmebf[2].txt> in the current context!
Error: Unable to interpret <C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@server.iad.liveperson[2].txt> in the current context!
Error: Unable to interpret <C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@stat.onestat[2].txt> in the current context!
Error: Unable to interpret <C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.pointroll[1].txt> in the current context!
Error: Unable to interpret <C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\lisa@adultfriendfinder[1].txt> in the current context!
Error: Unable to interpret <C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@adultfriendfinder[2].txt> in the current context!
Error: Unable to interpret <C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@did-it[1].txt> in the current context!
Error: Unable to interpret <C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.addynamix[1].txt> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04152009_183638
LisaM
Active Member
 
Posts: 13
Joined: April 1st, 2009, 9:45 pm

Re: Computer assistance request from LisaM

Unread postby Carolyn » April 15th, 2009, 8:43 pm

Sorry Lisa, I made a mistake in my instructions to you. Please do the following:

  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
:files
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@com[1].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@apmebf[2].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@server.iad.liveperson[2].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@stat.onestat[2].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.pointroll[1].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\lisa@adultfriendfinder[1].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@adultfriendfinder[2].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@did-it[1].txt
C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.addynamix[1].txt

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
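As an added illustration that is not part of this thread and not OldTimer's own code, the Python below mimics the two outcomes visible in the OTMoveIt3 logs: a path listed before any section directive is rejected as uninterpretable, while under :files each path is looked up and either moved or reported as not found. The in-memory filesystem, the placeholder user name and the "moved successfully." wording are assumptions.

```python
"""Simulate how an OTMoveIt3-style script is interpreted.

Constructed illustration only: it reproduces the behaviour seen in the thread
(no directive -> "Unable to interpret"; ':files' -> per-path lookup). Only the
':files' section is modelled; the real tool has other directives as well.
"""

# Constructed sample path, mirroring the cookie paths in the thread with a
# placeholder user name instead of a real one.
COOKIE = r"C:\Users\EXAMPLEUSER\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@tracker[1].txt"

# The first (uncorrected) script had no section header at all.
SCRIPT_WITHOUT_DIRECTIVE = COOKIE + "\n"
# The corrected script starts with the ':files' directive.
SCRIPT_WITH_DIRECTIVE = ":files\n" + COOKIE + "\n"


def interpret_script(script: str, existing_files: set[str]) -> list[str]:
    """Return the log lines such a run would produce.

    existing_files is a constructed stand-in for the machine's filesystem;
    NTFS paths are case-insensitive, so comparisons are done in lower case.
    """
    present = {p.lower() for p in existing_files}
    log: list[str] = []
    section = None  # no section is active until a directive line is seen
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == ":files":
            section = ":files"
            continue
        if section != ":files":
            # Exactly the error the uncorrected run in the thread produced.
            log.append(f"Error: Unable to interpret <{line}> in the current context!")
            continue
        if line.lower() in present:
            # Assumed success wording; the tool moves the item to a quarantine folder.
            present.discard(line.lower())
            log.append(f"{line} moved successfully.")
        else:
            # Matches the "not found" lines in the corrected run's log.
            log.append(f"File/Folder {line} not found.")
    return log
```

Running interpret_script on the two sample scripts reproduces the error line and the "not found" line from the thread respectively; supplying the path in existing_files instead yields the move.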

Re: Computer assistance request from LisaM

Unread postby LisaM » April 15th, 2009, 10:25 pm

I did it. I have a question about Internet Explorer, I know you have advised me to change, but I have not done so yet. I tried to open and RAA, and the normal popup came on and said that "A program needs your permission to continue" but it said it was windows vista se build and under that it said Microsoft Corporation. I clicked on the details box and it opened and said C:\Program Files\Internet Explorer\iexplore.exe, aren't they supposed to say the name of the program that you selected? :? TY Lisa

FILES ==========
File/Folder C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@com[1].txt not found.
File/Folder C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@apmebf[2].txt not found.
File/Folder C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@server.iad.liveperson[2].txt not found.
File/Folder C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@stat.onestat[2].txt not found.
File/Folder C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.pointroll[1].txt not found.
File/Folder C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\lisa@adultfriendfinder[1].txt not found.
File/Folder C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@adultfriendfinder[2].txt not found.
File/Folder C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@did-it[1].txt not found.
File/Folder C:\Users\Lisa\AppData\Roaming\Microsoft\Windows\Cookies\Low\lisa@ads.addynamix[1].txt not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04152009_211603
LisaM
Active Member
 
Posts: 13
Joined: April 1st, 2009, 9:45 pm