# DRag/DRop - Copy/Paste



## manomina (Jul 6, 2006)

Ok, I ran all these tools and cleaned out a LOT of garbage. But I still can not drag/drop & copy/paste. I went to Kelly's Korner and those files didn't help.

I don't want to have to re-install windows, but that may be the only way.....


----------



## devil_himself (Apr 7, 2007)

http://www.howtofixcomputers.com/bb/ftopic140408.html

This has to do with some application that's having a lock over the Windows
Clipboard. David Candy's application should determine the Process that's
causing the problem.

Download GetOpenClipboardWindow.zip from here:
http://windowsxp.mvps.org/temp/GetOpenClipboardWindow.zip

Unzip and run the tool. Post back what it reports. For best results, run
this utility during the time you encounter the Copy<=>Paste problem.


----------



## manomina (Jul 6, 2006)

That successfully opened and closed the clipboard and didn't see any problems.


----------



## manomina (Jul 6, 2006)

Could there be a policy that disables the drag/drop cut/paste? I have right clicked the start and drag/drop is enabled.....so I am thinking it's a policy thing.


----------



## devil_himself (Apr 7, 2007)

There Is No Policy That Can Disable Cut|Paste


----------



## manomina (Jul 6, 2006)

Really? Well, at this point my taskbar is all the way down and I can't get it back up. It's like I can't click it and move it...I tried an external mouse...thinking it was isolated to my touchpad.....but nope. I'll keep searching.....but I did have a virus.....so I just have to repair the damage.


----------



## devil_himself (Apr 7, 2007)

Restore Taskbar and Desktop to Default Functionality (Line 164)
http://www.kellys-korner-xp.com/xp_tweaks.htm

Restore Taskbar to default settings (Line 99)
http://www.kellys-korner-xp.com/xp_tweaks.htm

Programs Aren't Minimized in the Taskbar (Line 240)
http://www.kellys-korner-xp.com/xp_tweaks.htm

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm


----------



## manomina (Jul 6, 2006)

I'll do this again.....but I have already done it....not since I have cleared the viruses tho. I'll post back.


----------



## manomina (Jul 6, 2006)

I had disabled DCOM and I can no longer start that....I can not get to my run command to open the registry...it seems the more I try to fix this.....the worse it gets.....


----------



## devil_himself (Apr 7, 2007)

What Happens When You Click on Run Command ???


----------



## manomina (Jul 6, 2006)

I can't get to the run command....I have no taskbar and when I hit my windows key, nothing happens. CTRL/ESC doesn't do anything either.....not sure if there is another shortcut to it.


----------



## manomina (Jul 6, 2006)

I can't get to the run command....I have no taskbar and when I hit my windows key, nothing happens. CTRL/ESC doesn't do anything either.....not sure if there is another shortcut to it. Every time I google something and try to run it, I get the RPC Server unavailable.....I can't get that on.....


----------



## devil_himself (Apr 7, 2007)

Win + R <<---- Shortcut To Run Command


----------



## manomina (Jul 6, 2006)

Ok, I can get the shortcuts......I can open the run line


----------



## manomina (Jul 6, 2006)

I can not run or open a properties box in my SERVICES....so I can't turn on the DCOM....I think that is one of my probs....


----------



## devil_himself (Apr 7, 2007)

I Don't Think DCOM Is Your Problem

But You can Enable It Using "DCOMbob"
http://www.grc.com/freeware/dcom.htm


----------



## manomina (Jul 6, 2006)

Oh, you do know I can't drag/drop or copy/paste.......I just noticed you mentioned that when you gave me the link to the clipboard thingy


----------



## manomina (Jul 6, 2006)

Ok, I'll hold off on running that....my main problems happened when I disabled some services and now I can't enable them. I'll tell ya which ones I did...DCOM Process launcher, Net Logon, Remote Registry, SMS Agent Host, SMS Remote Control Agent, TCP/IP Netbios Helper and I believe that's it....but it won't let me change that at all. I did clean viruses earlier today as well....


----------



## devil_himself (Apr 7, 2007)

The Attached File Will Help You Stop Or Start Services ..


----------



## manomina (Jul 6, 2006)

I run it, I type in what I think the machine name is....and it opens with nothing in it......so maybe I got that machine name wrong. Is there an easy way to check on that?


----------



## devil_himself (Apr 7, 2007)

Right Click My Computer > Computer Name Tab ... 

Full Computer Name --->>


----------



## manomina (Jul 6, 2006)

AWESOME.....lol Thanks!


----------



## manomina (Jul 6, 2006)

Ok......I select the service and hit run.....but nothing happens.......


----------



## devil_himself (Apr 7, 2007)

How to Perform a Windows XP Repair Install
http://www.michaelstevenstech.com/XPrepairinstall.htm


----------



## manomina (Jul 6, 2006)

I tried that on my desktop and it won't change the services either


----------



## devil_himself (Apr 7, 2007)

It Does Start|Stop The Service .. But Don't Show It .... 

Might Need A Restart


----------



## manomina (Jul 6, 2006)

I will go ahead and give that a try.....holding my breath.....

Thank you so much for all your help. I'll post later if it works.....or tomorrow if it doesn't.

I do appreciate all the help.


----------



## metweek (Jun 7, 2003)

Did you ever touch/modify the Remote Procedure Call service (RPC)? I shut it down once and had problems like the one you describe. I had to reinstall Windows as I found no way to fix the problem. Even after starting the service.


----------



## manomina (Jul 6, 2006)

Metweek, I just finished backing up.....I think THAT is my problem....unfortunately, I can not start any services. I got that service file program from the devil himself (lol) and after I try to start it and reboot, it hasn't started. Do you have maybe a registry hack to start them?

I'll wait to hear back about this.....Thanks!


----------



## devil_himself (Apr 7, 2007)

Which Services You Want To Start


----------



## manomina (Jul 6, 2006)

There are two that I had disabled...Remote Procedure Call & Remote Procedure Call Locator.

I looked online and they told me what to delete in the registry......but it wasn't where they said so I didn't bother with it.


----------



## devil_himself (Apr 7, 2007)

Open Command Prompt

Type

*sc query rpcss*

In The Second Line Check The "State" --> Running


----------



## manomina (Jul 6, 2006)

Ok....

```
Service_Name: rpcss
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1068 (0x42c)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
```


----------



## manomina (Jul 6, 2006)

How do I get it running since I can't do the mmc thing....if there was only a way to do it in the registry or command line


----------



## devil_himself (Apr 7, 2007)

Open Command Prompt

Issue The Following Commands ... There are Spaces in between .. pay attention to them

*cd \windows\system32\dllcache* ----> SPACE after cd

*copy rpcss.dll \windows\system32* -----> SPACE before and after rpcss.dll

It should say "1 file(s) copied"

Now,

*net start rpcss*


----------



## manomina (Jul 6, 2006)

Had to reboot.

Ok, that file does not exist in the dllcache directory.


----------



## manomina (Jul 6, 2006)

It is in the system32 directory.....is that the wrong one?


----------



## manomina (Jul 6, 2006)

When I ran it it said:

System error 1068 has occurred.

The dependency service or group failed to start.


----------



## devil_himself (Apr 7, 2007)

This VbScript Starts the Rpcss service and all its dependent services.

Save as *rpc_start.vbs*. And Double Click On It To Run It


```
' Connect to WMI on the local machine ("." means this computer)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Start the RPC service (Rpcss) itself
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where Name='Rpcss'")
For Each objService In colServiceList
    errReturn = objService.StartService()
Next

' Give Rpcss 20 seconds to come up before touching the services that need it
WScript.Sleep 20000

' List every service that depends on Rpcss: in the Win32_DependentService
' association Rpcss is the Antecedent (the required service), so the query
' must use Role=Antecedent to return the dependents (the original posting
' used Role=Dependent, which returns the services Rpcss itself depends on)
Set colServiceList = objWMIService.ExecQuery("Associators of " _
    & "{Win32_Service.Name='Rpcss'} Where " _
    & "AssocClass=Win32_DependentService " & "Role=Antecedent")
For Each objService In colServiceList
    objService.StartService()
Next
```


----------



## manomina (Jul 6, 2006)

Yo devil....that's not funny.....I can't copy and paste. You could email it to me at [email protected] though. I'd appreciate that.

Thanks for staying up and helping me with this. You'll have a place in heaven satan.....lmao Couldn't resist!


----------



## manomina (Jul 6, 2006)

Ok, I got it and ran it....nothing was supposed to happen was it? Nothing did, so I will reboot and see if the service started?


----------



## manomina (Jul 6, 2006)

Now I am confused. I went back and ran the Net Start rpcss and I had no errors. My services still are not started. I will try to start them again, reboot, and then post one last time for tonight. I'm not quite sure what we just did......but thanks!


----------



## devil_himself (Apr 7, 2007)

I Think You Should Do A Repair Installation Now ... Or Format The Drive And Start From Scratch


----------



## manomina (Jul 6, 2006)

Oh....ok, those are my only choices? One of the rpc is running, but when I run a reg scan it says the rpc server isn't running.

Ok, if that is what I need to do I'll do it.

Thanks for all your help.


----------



## manomina (Jul 6, 2006)

I'll do that when I get up.....too long of a process at this point.

Thanks again!


----------



## Blackmirror (Dec 5, 2006)

manomina said:


> Ok, I ran all these tools and cleaned out a LOT of garbage. But I still can not drag/drop & copy/paste. I went to Kelly's Korner and those files didn't help.
> 
> I don't want to have to re-install windows, but that may be the only way.....


have you tried a system restore ??


----------



## metweek (Jun 7, 2003)

I found this => http://community.bartdesmet.net/blogs/bart/archive/2004/10/16/438.aspx Hope it helps.


----------



## manomina (Jul 6, 2006)

I had a family urgency and just getting back to this....

I haven't tried system restore.....would that be better than the Repair feature?

I can login as ADMINISTRATOR as I have that pwd....but when I try the R option it asks for the admins pwd....well, it doesn't recognize that. When I first got this laptop, I had reset all the pwds and as I said, I can log in as administrator....so why isn't it recognizing it during this step? Is there a different administrators pwd that I should have set?

One other thing, when I am logged in as me....I go to RUN and type nusrmgr.cpl and when it pops up the users window........there is nothing in there....I can't see anyone so I wouldn't be able to change anything at this point.

I am thinking.....I have to do a fresh reinstall which I don't want to do. I have tried that with several laptops....and I have these laptops setting around...DOA.......

Any ideas?


----------



## Blackmirror (Dec 5, 2006)

Try a system restore first

start>> run >>>msconfig and launch from there if you can 

pick a date to before you had problems please.


----------



## manomina (Jul 6, 2006)

Ok...I'll give it a try. Thanks!


----------



## manomina (Jul 6, 2006)

It says it's unable to protect my computer and to reboot and try it again. Should I try this in safe mode?


----------



## Blackmirror (Dec 5, 2006)

That means the service has been turned off
No restore points to restore to

Have you tried a sfc /scannow 

start run
this will replace any system files that are corrupt


----------



## manomina (Jul 6, 2006)

Ok, so I can't do a restore? So I am faced with a fresh install?


----------



## manomina (Jul 6, 2006)

DUH! I'm sorry...I just read your post again....and I am doing the sfc /scannow right now. So it replaced the sys files, I reboot and I should be good.....or is there something else I need to do if this works?


----------



## Blackmirror (Dec 5, 2006)

Fingers crossed
reboot and see please


----------



## manomina (Jul 6, 2006)

Nope....I still don't have copy/paste drag/drop......My system is semi-functional....I am online. I keep running my scans and cleaning...Spybot/HiJackThis & virus scans and I'm clean from that....I just don't know what this could be.....


----------



## Blackmirror (Dec 5, 2006)

Have you posted a hijack this log ???

If you have HJT already please uninstall before reinstalling new version 
*Click here* to download *HJTInstall.exe* 

Save *HJTInstall.exe* to your desktop. 
Double-click on the *HJTInstall.exe* icon on your desktop. 
By default it will install to *C:\Program Files\Trend Micro\HijackThis* . 
Click on *Install*. 
It will create a HijackThis icon on the desktop. 
Once installed, it will launch *Hijackthis*. 
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad. 
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. 
Come back here to this thread and Paste the log in your next reply. 
*DO NOT* use the AnalyseThis button, its findings are dangerous if misinterpreted. 
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## Blackmirror (Dec 5, 2006)

Right click the Start button and select Properties. Click Customize and
scroll through the list of options. Be sure that the "drag/drop and
copy/paste" option is enabled.

also try this 


1] click start ---> click Run ---> and type services.msc ----> and enter
it will open the services. In the services drag down to find the Network DDE , Network DDE DSDM clipbook

2] Right click upon the Network DDE DSDM and click properties. In the properties --> General --> Startup, in the drop down select Automatic and apply and click start.

3] Right click upon the Network DDE and click properties. In the properties --> General --> Startup, in the drop down select Automatic and apply and click start.


4] Right click upon the Clip Book and click properties. In the properties --> General --> Startup, in the drop down select Automatic and apply and click start.


----------



## manomina (Jul 6, 2006)

Ok, both of those are disabled....when I right click to start, they are subdued and I can not start them. Is there another way to start them?


----------



## manomina (Jul 6, 2006)

When I select properties nothing happens.


----------



## Blackmirror (Dec 5, 2006)

I would like you to post a hjt log just to check this is not caused by a virus please if you can 
instructions in post 57


----------



## manomina (Jul 6, 2006)

I can't.....I cannot copy/paste or drag/drop. The only thing I can do is do that, then email it to you and you could post it?


----------



## Blackmirror (Dec 5, 2006)

manomina said:


> I can't.....I cannot copy/paste or drag/drop. The only thing I can do is do that, then email it to you and you could post it?


I am so sorry.. been a long day

have you tried using control and c copy
control and v paste


----------



## manomina (Jul 6, 2006)

CTRL C & CTRL V....now why didn't I think of that....LOL (I know what you mean about a long day....it's been a long week) Yes, I have tried that, I thought there may be a shortcut with the Windows key....but nope, I am dead in the water when it comes to that. I sent you an email.....so if you want to do that, shoot me one and then I can send you the attachment......


----------



## manomina (Jul 6, 2006)

It seems that my copy/paste is sporadic.....I mean I can not do that on websites, I don't know how I was able to copy/paste my HJT log.....this is really strange


----------



## Blackmirror (Dec 5, 2006)

Well I have to get a member of the security team to look 
It might take a little time

Are you up to date with all windows updates ??


----------



## manomina (Jul 6, 2006)

Not sure if I am or not....I have always had a problem with that as I never know what I should or shouldn't have. How would I go about doing that?


----------



## Blackmirror (Dec 5, 2006)

manomina said:


> Ok, I ran all these tools and cleaned out a LOT of garbage. But I still can not drag/drop & copy/paste. I went to Kelly's Korner and those files didn't help.
> 
> I don't want to have to re-install windows, but that may be the only way.....


Just backtracking for a min manomina
What tools did you run exactly please.

Did you have this problem before you ran the tools ??

Leave the updates for a minute please

The hjt log is out of date 
there is a newer version available

www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Please uninstall the old one before installing that one ..
edit the post and repost the new log


----------



## manomina (Jul 6, 2006)

Ok, my system date/time is out of whack......I'll post it next. I know I got a virus awhile back....and got rid of it, but not before it disabled my taskbar drag/drop, copy/paste....it did a few other things but through what the devil himself walked through with, it seemed to correct those. It was just the tools from Kellys Korner....trying to fix the taskbar & minimized windows....nothing worked tho.


----------



## manomina (Jul 6, 2006)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:37 AM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal



----------



## manomina (Jul 6, 2006)

I guess no one is able to get to this......I have been searching and not able to find anything


----------



## Blackmirror (Dec 5, 2006)

I did report your hjt log to be looked at

it takes a while


----------



## manomina (Jul 6, 2006)

Blackmirror said:


> I did report your hjt log to be looked at
> 
> it takes a while


I understand it takes awhile......I'm just stumped at why I can't even find good info on the web,.....it's just a little frustrating....


----------



## Blackmirror (Dec 5, 2006)

manomina said:


> I understand it takes awhile......I'm just stumped at why I can't even find good info on the web,.....it's just a little frustrating....


Yes I know it's very frustrating


----------



## manomina (Jul 6, 2006)

I don't know, maybe my problem is too hard to figure out. I guess I'll backup and reinstall...

Thanks for your help!


----------



## Mosaic1 (Aug 17, 2001)

Hi,

I just saw this one. If you haven't nuked the system yet, would you try something please? It sounds like your Remote Procedure Call was given a dependency and now that dependency has been removed. At least that's one thing to look at. If Remote Procedure Call is not started, most of your other services will not start. And your system will act like it is doing right now. 

I have written a small batch to remove any dependency and set RPCss to auto.

If you're here, you have nothing to lose if you try it.

Download and save the zip attachment. 

Extract the contents of the zip, a batch file called clearit.bat

Double click on clearit.bat to run.


Restart the computer. See if you now have your properties page back etc. You may have to do more work in your services, but if RPCSS is started, you'll have a lot of your function back.

Let us know how you do. Good luck.


----------



## Mosaic1 (Aug 17, 2001)

If you have trouble saving the attachment, then just open it and double click on clearit.bat to run it. This will all take just a second to do. But either way, you need to restart to set your system right. A lot of other services will need to start too. A reboot should help.

If still no joy, we can look for another value in the registry DependOnGroup. So if you want to work on it, I'm here. It's a start.

If you did format, that's understandable.

* EDIT: You did have Spyware, correct?*
If none of this helps, you may have a defective copy of the file svchost.exe. There is a spyware which rewrites that file so that it no longer functions correctly if a certain other spyware file is removed. Now svchost.exe loads most of the Windows Services. So no working svchost will get you into a terrible state.

Did you recently run Combofix? If you did, delete that copy and download the newest version to see if it corrects the problem.

I am not sure which spyware you had, but this is also a possible cause. Actually it is more than possible, it's probable.

Really, when you have a problem after a Spyware removal, you need to post in a Malware Removal forum. So many of the problems these nasties cause are not seen on the operating system forums generally. So after a cleanup, if you have problems, post at the correct forum to get specialized help. Spyware Experts will recognize these side effects.

Everyone here is more than capable. It's just that malware brings along its own set of side effects by compromising the operating system in ways it wouldn't normally be.
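As an added example (not the clearit.bat attachment, which is not reproduced on the page, and not any poster's code): a cmd batch script that runs the `sc query rpcss` check devil_himself gave earlier in the thread, shows the start type and dependency values, and, only when invoked with `/fix`, does what Mosaic1 describes clearit.bat doing: clears any DependOnService/DependOnGroup value on RpcSs and sets its start type to auto. The registry path and value names are the standard Windows service-key layout; the assumption, as in the thread, is a Windows XP machine where RpcSs normally has no dependencies.

```batch
@echo off
rem Diagnose (and optionally repair) a Remote Procedure Call service that
rem cannot start because of a stale dependency or a Disabled start type.
rem Run from an elevated/administrator command prompt.
setlocal
set SVC=RpcSs
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\%SVC%

echo === Service state (second line should read STATE : 4 RUNNING) ===
sc query %SVC% | findstr /C:"STATE"

echo.
echo === Start type and declared dependencies ===
sc qc %SVC% | findstr /C:"START_TYPE" /C:"DEPENDENCIES"

echo.
echo === Dependency values stored in the registry ===
reg query "%KEY%" /v DependOnService 2>nul || echo DependOnService: not set
reg query "%KEY%" /v DependOnGroup 2>nul || echo DependOnGroup: not set

rem Read-only unless the caller explicitly asks for the repair.
if /I not "%~1"=="/fix" (
    echo.
    echo Review the output above. On Windows XP RpcSs should have no dependencies
    echo and START_TYPE 2 AUTO_START. Re-run with /fix to clear the dependency
    echo values and set the start type to auto.
    goto :eof
)

echo.
echo === Applying repair ===
rem Caveat: on Windows Vista and later RpcSs legitimately depends on
rem DcomLaunch and RpcEptMapper; clearing these values there would break it.
reg delete "%KEY%" /v DependOnService /f >nul 2>&1
reg delete "%KEY%" /v DependOnGroup /f >nul 2>&1
rem "start= auto" needs the space after the equals sign.
sc config %SVC% start= auto
echo Done. Reboot, then run this script again without /fix and confirm
echo STATE : 4 RUNNING.
```

The read-only pass is the part worth keeping around: the same three commands show at a glance whether a stopped RpcSs is the result of a Disabled start type, a bogus dependency, or something else entirely.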


----------



## manomina (Jul 6, 2006)

That was EXACTLY it....thank you so much. I have my taskbar back, my sound....I can drag and drop...AWESOME!! Thank you!

I don't need my notebook card either....it's running on my built-in wireless.....now the question is, if I were to run that bat file on my dell laptop, do you think it would also recognize the built-in as opposed to the card?

ANYWAY, I am so ecstatic......now can you tell me exactly what preventative software I should have on here? I have Avast! and Spybot.....but I just don't want this to happen again.....

After all this time....and handfuls of hair.......my laptop is back normal....

Do I still need to get the combofix?

THANKS!!!


----------



## manomina (Jul 6, 2006)

I still have a problem....not sure if it's related to this, but I tried to uninstall something and it said that there was something wrong with my Windows Installer....maybe it's not configured right? How do I check that?


----------



## Mosaic1 (Aug 17, 2001)

Can you give me the exact error you get re: the Windows installer please? That service may not be running.

There's a trick you can use to get the contents of an error message. When the error is on the screen, press CTRL + C 
That will copy it, Then use CTRL + V to paste the error into your next reply.

What that batch did was it fixed Remote Procedure Call so that it would run. Since so many services and Windows Functionality Depends on Remote Procedure Call and its dependent services, you got your system back in some semblance of working order.

But since you have had an infection, it is always a good idea to have help checking the current state of your Windows.

Yes. Running Combofix is still highly recommended. I no longer do the Spyware logs, but i'll have a look to see if we need to get someone else in here to finish up.

Here's a link to a page which will instruct you in how to run combofix. Please use the link on that page to download the newest Combofix version. It is updated almost daily to deal with new Malware.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post your log and we'll take the next steps.

For the Laptop, please start new topic and someone will help.


----------



## manomina (Jul 6, 2006)

Sorry...I didn't believe the ctrl c would work like that.....thanks....learned something new....again. I will download combofix and post next. Do you have a list of other software I should be running on a daily basis?

Thanks!

---------------------------
Add or Remove Programs
---------------------------
The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.


---------------------------
OK 
---------------------------


----------



## Mosaic1 (Aug 17, 2001)

You're welcome. I love that trick! 

Once I see your Combofix log, I'll know what you are already running. Generally, you need one Anti Virus, one anti Spyware and one Firewall. 

Can you go to services.msc again and check to see that the windows installer service is set to manual. Then once set to manual, see if you can start the service.
Later, we'll have you check to be sure all services which should be running, actually are.


----------



## manomina (Jul 6, 2006)

ComboFix 08-01-18.1 - robandrosi 2008-01-17 12:18:34.2 - NTFSx86

Running from: C:\Documents and Settings\robandrosi\Desktop\ComboFix(2).exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
2008-01-05 19:55 . 2008-01-07 06:47 d--------	C:\Program Files\Registry Genius
2008-01-05 17:17 . 2001-08-17 14:02	9,600	--a------	C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-05 17:05 . 2008-01-05 20:46 d--------	C:\Program Files\Tweak Manager
2008-01-05 02:50 . 2008-01-14 00:09	37,473	--a------	C:\WINDOWS\system32\muzika.xm
2008-01-05 02:47 . 2008-01-05 02:47 d--------	C:\Documents and Settings\robandrosi\AVAST-KEYGEN
2008-01-05 02:33 . 2008-01-05 02:33 d--------	C:\Program Files\Ares
2008-01-05 02:07 . 2008-01-05 04:07 d--------	C:\Documents and Settings\robandrosi\Application Data\BitTorrent
2008-01-05 00:20 . 2008-01-05 01:21 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-04 16:47 . 2008-01-04 16:47 d--------	C:\Program Files\Alwil Software
2008-01-04 14:24 . 2008-01-04 14:24 d--------	C:\Program Files\Enigma Software Group
2008-01-04 14:24 . 2008-01-16 18:42 d--------	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-04 12:11 . 2008-01-04 12:11 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 11:48 . 2008-01-04 11:48	23,600	--a------	C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-01-04 10:16 . 2008-01-04 11:48	2,210	--a------	C:\WINDOWS\mozver.dat
2008-01-04 10:10 . 2008-01-04 10:09	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-04 10:09 . 2008-01-04 10:42 d--------	C:\Documents and Settings\robandrosi\.housecall6.6
2008-01-04 07:46 . 2008-01-04 07:46 d--------	C:\firefox
2008-01-04 07:46 . 2008-01-04 07:46	0	--a------	C:\WINDOWS\nsreg.dat
2008-01-04 05:16 . 2007-03-12 06:07	507,264	-ra------	C:\WINDOWS\system32\drivers\rt2860.sys
2008-01-04 02:58 . 2008-01-04 02:58 d--------	C:\Program Files\Windows Live
2008-01-04 02:58 . 2008-01-04 03:07 d--hsc---	C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-04 02:58 . 2008-01-04 12:03 d--------	C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-04 02:03 . 2008-01-04 23:26 d--------	C:\Program Files\RegVac Registry Cleaner
2008-01-02 22:35 . 2008-01-11 03:14 d--------	C:\Sound
2008-01-02 01:35 . 2008-01-02 01:35 d--------	C:\Program Files\FriendFinder
2008-01-01 17:49 . 2008-01-01 17:49 d--------	C:\WINDOWS\4B4BAF296D5A4DB5970BE17BDB448863.TMP
2008-01-01 17:38 . 2008-01-01 18:10 d--------	C:\Documents and Settings\robandrosi\Application Data\.gaim
2008-01-01 17:28 . 2008-01-01 17:28 d--------	C:\WINDOWS\PaltalkScene
2008-01-01 17:28 . 2008-01-02 02:20 d--------	C:\Documents and Settings\robandrosi\Application Data\Paltalk
2008-01-01 17:10 . 2008-01-01 17:11 d--------	C:\Program Files\ZakFromAnotherPlanet
2007-12-31 20:59 . 2007-12-31 20:59 d--------	C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-31 20:59 . 2007-12-31 21:22	4,212	---h-----	C:\WINDOWS\system32\zllictbl.dat
2007-12-31 20:58 . 2007-12-31 21:41 d--------	C:\WINDOWS\system32\ZoneLabs
2007-12-31 20:58 . 2004-04-27 04:40	11,264	--a------	C:\WINDOWS\system32\SpOrder.dll
2007-12-31 20:57 . 2008-01-03 01:00 d--------	C:\WINDOWS\Internet Logs
2007-12-30 17:22 . 2007-12-30 17:22 d--------	C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-30 11:46 . 2006-10-04 18:42	2,560	---------	C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-30 11:46 . 2006-10-04 18:42	2,432	---------	C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-30 11:45 . 2008-01-02 05:17 d--------	C:\Program Files\Picasa2
2007-12-30 11:17 . 2007-12-30 11:17 d--------	C:\WINDOWS\Sun
2007-12-29 22:21 . 2007-12-29 22:21	0	--a------	C:\WINDOWS\VPC32.INI
2007-12-29 21:38 . 2007-12-29 21:38 d--------	C:\Documents and Settings\robandrosi\Application Data\vlc
2007-12-29 21:36 . 2007-12-29 21:36 d--------	C:\Program Files\VideoLAN
2007-12-29 19:19 . 2007-12-29 19:19 d--------	C:\Program Files\Universal
2007-12-29 13:59 . 2007-07-30 19:18	34,136	--a------	C:\WINDOWS\system32\wucltui.dll.mui
2007-12-29 13:59 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-29 13:59 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuapi.dll.mui
2007-12-29 13:59 . 2007-07-30 19:18	20,312	--a------	C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-28 02:03 . 2008-01-12 00:03 d--------	C:\Program Files\Norton Security Scan
2007-12-27 17:39 . 2007-12-27 17:39 d--------	C:\Program Files\IrfanView
2007-12-27 17:39 . 2008-01-17 12:01 d--------	C:\Program Files\Google
2007-12-27 16:53 . 2007-12-27 16:53 d--------	C:\Program Files\DivX
2007-12-27 16:53 . 2007-12-30 17:51 d--------	C:\Documents and Settings\robandrosi\Application Data\Yahoo!
2007-12-27 16:18 . 2007-12-27 16:18 d--------	C:\WINDOWS\system32\LogFiles
2007-12-27 11:53 . 2008-01-10 16:21 d--------	C:\Documents and Settings\robandrosi\Application Data\U3
2007-12-27 03:14 . 2008-01-14 23:12	61,614	--a------	C:\WINDOWS\system32\oemlogo.bmp
2007-12-27 03:14 . 2008-01-14 23:12	75	--a------	C:\WINDOWS\system32\oeminfo.ini
2007-12-27 03:12 . 2007-12-27 03:12 d--------	C:\Program Files\Max2k
2007-12-26 22:34 . 2008-01-04 07:06 d---s----	C:\Documents and Settings\robandrosi\UserData
2007-12-26 22:31 . 2008-01-01 14:51 d--------	C:\Program Files\InstallShield Installation Information
2007-12-26 22:28 . 2008-01-04 05:13 d--------	C:\WINDOWS\{C63ACB38-171D-4ACF-B18D-DCF41A35051A}
2007-12-22 02:21 . 2007-12-22 02:21 d--------	C:\Documents and Settings\robandrosi\Bluetooth Software
2007-12-22 02:18 . 2007-10-23 07:32 d--------	C:\Documents and Settings\robandrosi\Application Data\Workshare
2007-12-19 17:11 . 2004-08-04 00:56	21,504	--a------	C:\WINDOWS\system32\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 02:10	---------	d-----w	C:\Documents and Settings\robandrosi\Application Data\.gaim
2007-12-28 23:01	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-12-22 10:30	---------	d-----w	C:\Program Files\West Group
2007-12-22 10:23	---------	d-----w	C:\Program Files\Configurator
2007-12-19 22:53	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-29 22:30	200,704	----a-w	C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30	1,044,480	----a-w	C:\WINDOWS\system32\libdivx.dll
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-28 01:39	230,912	----a-w	C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( [email protected]_ 0.22.04.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 08:20:29	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 20:18:09	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 08:20:29	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 20:18:09	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 08:20:30	3,502,080	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 20:18:09	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-11 08:20:30	110,592	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 20:18:09	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 08:20:30	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-17 20:18:09	3,502,080	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 08:20:30	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 20:18:10	110,592	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 20:20:59	3,998	----a-w	C:\WINDOWS\SoftwareDistribution\EventCache\{3A3C3219-B1C1-42A8-96C6-9BE9E73B4BBC}.bin
+ 2007-11-21 00:04:14	218,496	----a-r	C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
+ 2008-01-14 02:45:57	74,137	----a-w	C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2004-03-24 02:12:34	17,280	----a-w	C:\WINDOWS\system32\nsndis5.sys
+ 2004-03-24 02:49:36	94,208	----a-w	C:\WINDOWS\system32\nsndis50.dll
- 2008-01-04 12:57:14	64,166	----a-w	C:\WINDOWS\system32\perfc009.dat
+ 2008-01-17 19:43:04	64,166	----a-w	C:\WINDOWS\system32\perfc009.dat
- 2008-01-04 12:57:14	406,258	----a-w	C:\WINDOWS\system32\perfh009.dat
+ 2008-01-17 19:43:04	406,258	----a-w	C:\WINDOWS\system32\perfh009.dat
+ 2008-01-17 19:38:04	16,384	----atw	C:\WINDOWS\TEMP\Perflib_Perfdata_71c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMC"="C:\Program Files\FriendFinder\FriendFinder Messenger 40\imc.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-12-31 06:29 962560]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"My App"="C:\Program Files\Desktop Clock\Desktop Clock.exe" [2007-04-26 19:22 701952]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 13:48 479232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 13:18 443968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-04 05:00 388608 C:\WINDOWS\system32\cmd.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoMovingBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-11250\Scripts\Logon\0\0]
"Script"=redirectprinters.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-11250\Scripts\Logon\1\0]
"Script"=addsubnetprinters.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-11250\Scripts\Logon\2\0]
"Script"=usr_logon-main.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1417001333-179605362-839522115-11250\Scripts\Logon\2\1]
"Script"=lprocess.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\CitrixICAClient]
C:\Program Files\Citrix\ICA Client\Citrix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Lexis-Nexis Web Client]
"C:\WINDOWS\temp\lexisnexis_peruser.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Office2003_FullInstall]
"C:\Program Files\OMM\clnicons.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7B153B16-57D0-4A25-930E-28D82BDE0C13}]
msiexec.exe /i {7B153B16-57D0-4A25-930E-28D82BDE0C13} REINSTALL=All REINSTALLMODE=ous /qb-!
.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 09:00:00 C:\WINDOWS\Tasks\Defragmenter.job"
"2007-12-28 23:31:09 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2007-10-23 15:43:53 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 12:21:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 12:21:50
ComboFix2.txt 2008-01-11 08:22:18
.
2007-12-31 07:11:03	--- E O F ---


----------



## manomina (Jul 6, 2006)

It was set to manual and I just restarted it. I see that the RPC is started and automatic, BUT the RPC Locator is set to manual and is not running....should I start that one as well?


----------



## Mosaic1 (Aug 17, 2001)

No. You can leave that. IF needed, it will start.

Can you go to Start > Run and type Notepad C:\WINDOWS\WININIT.INI

Press enter.

This will open wininit.ini

Then paste in the contents of that file please.

I'm reading your ComboFix log and there are a few other things we'll be fixing. It will take me a few minutes.


----------



## manomina (Jul 6, 2006)

I installed the Recovery Console.....


----------



## Mosaic1 (Aug 17, 2001)

Good. That's a great tool.

Try to uninstall whatever it was you were trying to uninstall earlier and see if the uninstaller works. It may not, and we should try to troubleshoot that problem.


----------



## manomina (Jul 6, 2006)

Here you go....

[Rename]
NUL=C:\DOCUME~1\ROBAND~1\LOCALS~1\Temp\VIES1B0B


----------



## Mosaic1 (Aug 17, 2001)

Thanks. That's set to delete a file on reboot. Don't restart yet. 

Can you open that file in Notepad please? What does it look like?
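A small triage helper for the [Rename] mechanism described above, added here as an example (it is not code from any participant or tool in this thread). It parses WININIT.INI text, treats a `NUL=` destination as a delete-on-reboot and any other destination as a boot-time rename, and attaches a note. The sample input is constructed from the entry posted earlier plus an invented second line; the Temp and Windows-directory heuristics are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the first entry mirrors the [Rename] section posted in
# the thread; the second line is a made-up rename entry to show the other form.
SAMPLE_WININIT = (
    "[Rename]\r\n"
    "NUL=C:\\DOCUME~1\\ROBAND~1\\LOCALS~1\\Temp\\VIES1B0B\r\n"
    "C:\\WINDOWS\\system32\\example.dll=C:\\WINDOWS\\TEMP\\example.dll.new\r\n"
)

# Paths under a Temp folder: normal for installer cleanup, so they rank lower.
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# Paths under the Windows directory: a boot-time replacement here deserves a look.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


@dataclass
class PendingOp:
    action: str   # "delete" (target is NUL) or "replace" (target is a real path)
    source: str   # file that will be deleted or moved at the next boot
    target: str   # destination path, or "NUL"
    note: str     # triage remark


def classify(action: str, source: str, target: str) -> str:
    """Attach a short triage note; these heuristics are this example's, not the thread's."""
    if action == "delete":
        if TEMP_DIR_RE.search(source):
            return "delete of a Temp file: usual installer cleanup, low concern"
        return "delete outside Temp: identify the file before rebooting"
    if SYSTEM_DIR_RE.match(target):
        return "replaces a file under the Windows directory at boot: inspect the staged copy"
    return "file replacement: inspect the staged copy"


def parse_wininit(text: str) -> List[PendingOp]:
    """Return the pending operations listed under [Rename] in WININIT.INI text."""
    ops: List[PendingOp] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        # Syntax is destination=source; the special destination NUL means delete.
        target, source = (part.strip() for part in line.split("=", 1))
        action = "delete" if target.upper() == "NUL" else "replace"
        ops.append(PendingOp(action, source, target, classify(action, source, target)))
    return ops


def report(ops: List[PendingOp]) -> List[str]:
    """One human-readable line per pending operation."""
    lines = []
    for op in ops:
        if op.action == "delete":
            lines.append(f"DELETE  {op.source}  -- {op.note}")
        else:
            lines.append(f"REPLACE {op.target}  <- {op.source}  -- {op.note}")
    return lines


if __name__ == "__main__":
    for line in report(parse_wininit(SAMPLE_WININIT)):
        print(line)
```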


----------



## Mosaic1 (Aug 17, 2001)

I see this folder:C:\Documents and Settings\robandrosi\AVAST-KEYGEN


Do you have a cracked copy of Avast installed on your system? If you do, this needs to be removed. It is not legal. Plus, cracked software and the pages which install it are dangerous and often infect you with more spyware.

Do you know what this is?
C:\King,rob.doc

This file can be deleted:
C:\WINDOWS\system32\muzika.xm

C:\WINDOWS\system32\muzika.xm is a leftover from an old infection you had. 

---

Also, you can delete this file:
iun6002.exe


----------



## manomina (Jul 6, 2006)

I am looking in that directory and that file doesn't exist. I am doing a search for that file...it doesn't exist. I have had problems with different .txt files that cause errors in that directory....they seem to get created when something runs, then get deleted when I close out of that program. Strange


----------



## manomina (Jul 6, 2006)

Oh...I tried the installer/uninstaller... (ctrl c doesn't work this time)

It said that it couldn't be accessed


----------



## Mosaic1 (Aug 17, 2001)

Temp folders are noted for being folders where running programs create files and use those files while they run. When you shut down those programs, the files are deleted. Both legitimate programs and malware can create temp files.

I am going to wait for you to catch up with all the posts I have made. Otherwise we're going to end up with a lot of confusion.


----------



## ChemicalMonkey (Nov 4, 2007)

2 options.

1. Reinstall windows
2. Boot to OS CD and repair windows

That's all you have left in my opinion

If it is a virus problem, it's already done too much damage for you to even bother repairing, and the odds of even getting rid of the whole virus are very slim, as they're not stupid and when you scan, it will just copy itself into a section that has been scanned already...I had the same bugger on my laptop and it's a very annoying thing.


----------



## Mosaic1 (Aug 17, 2001)

Here's a Microsoft page on troubleshooting the Windows Installer.

http://support.microsoft.com/?kbid=315346

And whenever you get an error, please post it. Like those errors for the temp folder files.

Before you do the installer repairs, can you read all my posts and catch up please? We have a bit to do and keeping it all straight is important.

I see you have some logon scripts. Is this a business network or a home network? Are you aware of these scripts and are they legitimate?


----------



## manomina (Jul 6, 2006)

Ok...got it taken care of. What was iun6002.exe? Was that also a virus or something? I tried to open something someone sent me and my security caught it saying that it was going to change my services......

Should I reboot now?
Thanks!


----------



## ChemicalMonkey (Nov 4, 2007)

Be advised that you are not authorized to help with HijackThis logs on this forum. Please see the forum rules regarding replying to security related threads:

http://www.techguy.org/rules.html




----------



## Mosaic1 (Aug 17, 2001)

Yes. It is an undesirable file.



> I tried to open something someone sent me and my security caught it saying that it was going to change my services......


Never open any email attachments. Ask your friend if they actually sent it. When some people are infected, the malware sends a copy of itself to all their contacts as an attachment. You open that and BAM! you're infected. So even though you might think a friend sent it, the malware did, impersonating them.

I want to get your Windows Installer working, so if you have performed the steps on the Microsoft page I linked you to, please do reboot and try the uninstall again. Let me know how that goes.

There will be other uninstalls to do later.

----------------

C:\Documents and Settings\robandrosi\Application Data\BitTorrent

You are using a Torrent program. Cracks and file sharing are dangerous. You get more than you bargained for and a lot of malware is distributed through these networks. Cracks are not just illegal, they're dangerous!

* Any cracks or other illegal software you have installed needs to be uninstalled. *


----------



## manomina (Jul 6, 2006)

It's a home pc now and no, I am unaware of those scripts. They may have been used before I bought this laptop....but I don't need them.

When I get those errors, I open it up to find out what the file is then I go and delete it....but I will pay closer attention and then copy/paste them here.

Ready for the next step.


----------



## Mosaic1 (Aug 17, 2001)

We seem to have posted at the same time. Have a look at my last post and follow those instructions please. Then we'll take it further. We have a lot of leftovers to clear out and other issues to address. But we'll get there.


----------



## Mosaic1 (Aug 17, 2001)

Does the Windows installer now function?

You had trouble earlier enabling DCOM. Can you do that now please? Directions here. 
http://support.microsoft.com/kb/825750

I know you have hijackthis. Can I see a new Hijackthis log please?


----------



## manomina (Jul 6, 2006)

WOW...ok, in the beginning my taskbar was minimized and I couldn't see the time....I downloaded a desktop clock which I thought I had deleted when we fixed this...but when I rebooted I had 100 popup windows about that clock....I did a search and got rid of it. My Firefox will not work and here are the errors.....everything is running so much slower and I got another error with IE and I had to go and delete that .txt file in the temp directory. Here is the info:

C:\DOCUME~1\ROBAND~1\LOCALS~1\Temp\2562_appcompat.txt

AppName: firefox.exe AppVer: 1.8.20070.6982 ModName: firefox.exe
ModVer: 1.8.20070.6982 Offset: 00187199
-----------------------------------------
AppName: iexplore.exe AppVer: 6.0.2900.2180 ModName: unknown
ModVer: 0.0.0.0 Offset: 00000020

---------------------------
iexplore.exe - Application Error
---------------------------
The instruction at "0x6230b361" referenced memory at "0x6230b361". The memory could not be "read". 

Click on OK to terminate the program
Click on CANCEL to debug the program
---------------------------
OK Cancel 
---------------------------


----------



## manomina (Jul 6, 2006)

I believe install/uninstall works now....I uninstalled the clock software and it worked fine....


----------



## Mosaic1 (Aug 17, 2001)

Good. May I see a new HijackThis log please? Then we'll get to some cleanup.


----------



## manomina (Jul 6, 2006)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:04 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [My App] C:\Program Files\Desktop Clock\Desktop Clock.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [IMC] C:\Program Files\FriendFinder\FriendFinder Messenger 40\imc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\S-1-5-21-813001092-2017230301-2172670643-1010\..\Run: [IMC] C:\Program Files\FriendFinder\FriendFinder Messenger 40\imc.exe (User '?')
O4 - HKUS\S-1-5-21-813001092-2017230301-2172670643-1010\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User '?')
O4 - HKUS\S-1-5-21-813001092-2017230301-2172670643-1010\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sandboxie Service (SbieSvc) - Unknown owner - C:\Program Files\Sandboxie\SbieSvc.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 9702 bytes


----------



## Mosaic1 (Aug 17, 2001)

Run hijackthis. Place a check in the boxes for these items:

O4 - HKLM\..\Run: [My App] C:\Program Files\Desktop Clock\Desktop Clock.exe

O4 - HKCU\..\Run: [IMC] C:\Program Files\FriendFinder\FriendFinder Messenger 40\imc.exe

Click the remove Checked button.

-------------------

How many Anti Virus programs are running in the background? It appears you have both Symantec and Avast. They will interfere with each other and slow down your system.

Please run only one background scanner at a time. You can keep both, but just run only one at a time.

Disable one of your AV scanners.

Now did you enable DCOM? IF so, disable it for now and then restart.

Let me know if your computer runs any faster without DCOM enabled. And if Firefox works without the DCOM.

After that we'll need a good AV scan. Do this after you post the results of the reboot please. 
Run Kaspersky online virus from this link:

http://www.kaspersky.co.uk/virusscanner

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.
Post the Kaspersky log into your next reply please. Or if too long, attach it.


----------



## manomina (Jul 6, 2006)

DCOM is disabled. Not sure how to disable a scanner. Should I uninstall the Symantec?


----------



## Mosaic1 (Aug 17, 2001)

Was DCOM enabled when you performed the restart?

Disabling security programs is covered on that Combofix link I gave you earlier: (you need to do that any time you run Combofix)

http://www.bleepingcomputer.com/combofix/how-to-use-combofix



> We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
> 
> Close all open Windows including this one.
> 
> Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.


Here's the link to those disable instructions:
http://www.bleepingcomputer.com/forums/topic114351.html


----------



## manomina (Jul 6, 2006)

I have a family emergency and I have to put this on hold right now. I will get back to this as soon as I can.

Thank you for your help & I'll be back shortly


----------



## manomina (Jul 6, 2006)

BTW, I didn't do anything with the DCOM....so I guess it had been disabled all along.


----------



## Mosaic1 (Aug 17, 2001)

Ok. I hope everything is all right. The slowness along with that last error might just indicate you have a corrupt BHO (IE add-in) installed. We'll get to that when you get back. After we get your IE up to speed, you'll have better luck with a Kaspersky scan.

For now, you can disable all IE add-ins by clicking Tools on the menu. Then click Internet Options. Then click the Advanced button on the Internet Options page.
Scroll down to *Enable third-party browser extensions.* Remove the check from that box. Now your toolbars and BHOs will not work. Close all Internet Explorer windows. 
Restart Internet Explorer.
Does this speed things up?


----------



## manomina (Jul 6, 2006)

Ok, I am back....things are fine on this end...thank you.

Ok, so after I disable all AVs and the firewall, I run Kaspersky scan?

I changed the 3rd party extensions and will reboot now.


----------



## Mosaic1 (Aug 17, 2001)

Glad to hear it.

Yes. But don't disable your firewall. Keep it running unless Kaspersky won't work.


----------



## manomina (Jul 6, 2006)

I'm sorry....it has two, the online scanner and then the File scanner....which one should I use?


----------



## Mosaic1 (Aug 17, 2001)

try the online scanner.


----------



## manomina (Jul 6, 2006)

I did the online scanner and here is the post. 

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 18, 2008 9:33:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/01/2008
Kaspersky Anti-Virus database records: 519095
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 44905
Number of viruses found: 6
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 01:18:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C40000.VBN	Infected: P2P-Worm.Win32.VB.fc	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\038C0000.VBN	Infected: Trojan-Downloader.Win32.Zlob.fpf	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\038C0001.VBN	Infected: Trojan-Downloader.Win32.Zlob.fpf	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\038C0002.VBN	Infected: Trojan-Downloader.Win32.Zlob.fpf	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\robandrosi\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\robandrosi\Desktop\keyfinder.exe/data.rar/officekey.exe	Infected: not-a-virus:SWTool.Win32.RAS.a	skipped
C:\Documents and Settings\robandrosi\Desktop\keyfinder.exe/data.rar	Infected: not-a-virus:SWTool.Win32.RAS.a	skipped
C:\Documents and Settings\robandrosi\Desktop\keyfinder.exe	RarSFX: infected - 2	skipped
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip/keyfinder.exe/data.rar/officekey.exe	Infected: not-a-virus:SWTool.Win32.RAS.a	skipped
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip/keyfinder.exe/data.rar	Infected: not-a-virus:SWTool.Win32.RAS.a	skipped
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip/keyfinder.exe	Infected: not-a-virus:SWTool.Win32.RAS.a	skipped
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip	ZIP: infected - 3	skipped
C:\Documents and Settings\robandrosi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\robandrosi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\robandrosi\Local Settings\Application Data\Mozilla\Firefox\Profiles\wndwt4eu.default\Cache\B298C40Bd01	Infected: Email-Worm.Win32.Zhelatin.sg	skipped
C:\Documents and Settings\robandrosi\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\robandrosi\Local Settings\History\History.IE5\MSHist012008011820080119\index.dat	Object is locked	skipped
C:\Documents and Settings\robandrosi\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\robandrosi\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\robandrosi\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat	Object is locked	skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db	Object is locked	skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int	Object is locked	skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log	Object is locked	skipped
C:\SWSetup\RECYCLER\S-1-5-21-1417001333-179605362-839522115-11250\Dc2\Full-Install\UltraVNC-102-Setup.exe/file04	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c	skipped
C:\SWSetup\RECYCLER\S-1-5-21-1417001333-179605362-839522115-11250\Dc2\Full-Install\UltraVNC-102-Setup.exe/file05	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c	skipped
C:\SWSetup\RECYCLER\S-1-5-21-1417001333-179605362-839522115-11250\Dc2\Full-Install\UltraVNC-102-Setup.exe/file34	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102	skipped
C:\SWSetup\RECYCLER\S-1-5-21-1417001333-179605362-839522115-11250\Dc2\Full-Install\UltraVNC-102-Setup.exe	Inno: infected - 3	skipped
C:\SWSetup\RECYCLER\S-1-5-21-1417001333-179605362-839522115-11250\Dc2\LooseFiles\vnchooks.dll	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c	skipped
C:\SWSetup\RECYCLER\S-1-5-21-1417001333-179605362-839522115-11250\Dc2\LooseFiles\vncviewer.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102	skipped
C:\SWSetup\RECYCLER\S-1-5-21-1417001333-179605362-839522115-11250\Dc2\LooseFiles\winvnc.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c	skipped
C:\SWSetup\RECYCLER\S-1-5-21-1417001333-179605362-839522115-11250\Dc2\Viewer-only\vncviewer.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{53445A52-4EA6-4B44-89E0-B2CC5CF666F4}\RP2\change.log	Object is locked	skipped
C:\WINDOWS\CSC\00000001	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\Antivirus.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_71c.dat	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.


----------



## manomina (Jul 6, 2006)

Firefox still doesn't work. Is it ok to turn back on my AVs? I guess I can just reinstall FF, but IE is working pretty fast.


----------



## Mosaic1 (Aug 17, 2001)

Firefox isn't working because we only disabled the problem in Internet Explorer. We'll get to that in a minute. 

Let's deal with the Kaspersky log. 

Empty the recycle bin.

Clear your Firefox cache.

Clean out the quarantine your Symantec AV has.

You are downloading keygens and cracked software. That's a source of infection. If you continue to do that, you will be constantly infected. Anything you are running using a keygen or crack needs to be uninstalled immediately. 


These files need to be deleted:
C:\Documents and Settings\robandrosi\Desktop\keyfinder.exe/data.rar/officekey.exe 
C:\Documents and Settings\robandrosi\Desktop\keyfinder.exe/data.rar 
C:\Documents and Settings\robandrosi\Desktop\keyfinder.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip/keyfinder.exe/data.rar/officekey.exe 
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip/keyfinder.exe/data.rar 
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip/keyfinder.exe 
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip 

----------------------------------


Add-ons are the cause of your browser problems. Legitimate add-ons, which we disabled in IE.

You have these installed:
Google and Yahoo.

Both are fine. But somehow you have some corruption. So I would say, uninstall them both. Then re-enable addons in Internet Explorer.

Install the toolbars again if you like. Do the same in Firefox. 
---------------------------------------------------------------------

Let me know how you do with all this and then I'd like to have a look at your logon scripts. 

I'll review and post back on that shortly.
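
The sorting the helper does above by hand (quarantine, browser cache, recycle bin, the user's own downloads) can be done mechanically on the report. The following is an added example, not part of the thread and not a Kaspersky feature: it reads the tab-separated report layout posted above, drops the "Object is locked" rows (files the scanner could not open, not detections), separates Kaspersky's "not-a-virus:" riskware from malware, and groups each on-disk object under the clean-up action its location calls for. The location rules are my own, and the sample rows are constructed to mirror entries from the posted log, not the whole report.

```python
"""Triage a Kaspersky Online Scanner report by where each detection lives.

Added example; not part of the thread and not a Kaspersky feature. The report
layout (path, verdict, last action separated by tabs) follows the log posted
above; the location rules and the sample rows are constructed for the example.
"""
import re
from collections import Counter

# Where a hit sits decides what to do about it; the first matching rule wins.
LOCATION_RULES = [
    ("quarantine", re.compile(r"\\Quarantine\\", re.I)),          # already contained by the on-box AV
    ("browser_cache", re.compile(r"\\(Cache|Temporary Internet Files)\\", re.I)),
    ("recycler", re.compile(r"\\RECYCLER\\", re.I)),
    ("system_restore", re.compile(r"\\System Volume Information\\", re.I)),
    ("user_files", re.compile(r"\\Documents and Settings\\[^\\]+\\(Desktop|My Documents)\\", re.I)),
]
ACTION_FOR_LOCATION = {
    "quarantine": "purge AV quarantine",
    "browser_cache": "clear browser cache",
    "recycler": "empty recycle bin / RECYCLER",
    "system_restore": "flush restore points after cleanup",
    "user_files": "delete file by hand",
    "other": "investigate",
}

def parse_report(text):
    """Return (path, verdict, action) for every row that is a real detection."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 3 or parts[1] == "Object is locked":
            continue                      # locked = in use, not scanned; not a hit
        rows.append(tuple(parts))
    return rows

def classify(path, verdict):
    """Name the threat, split riskware from malware, and find the on-disk object."""
    if verdict.startswith("Infected: "):
        name = verdict[len("Infected: "):]
        # Kaspersky's 'not-a-virus:' prefix marks legitimate-but-risky tools (VNC, key finders).
        kind = "riskware" if name.startswith("not-a-virus:") else "malware"
    else:
        name, kind = verdict, "container"  # e.g. 'ZIP: infected - 3': summary row for an archive
    location = next((label for label, rx in LOCATION_RULES if rx.search(path)), "other")
    # Archive members are written <file>/<member>/...; only the part before the first '/' is on disk.
    return {"on_disk": path.split("/", 1)[0], "name": name, "kind": kind, "location": location}

def triage(text):
    """Group on-disk objects by the clean-up action they need."""
    actions = {}
    for path, verdict, _ in parse_report(text):
        hit = classify(path, verdict)
        actions.setdefault(ACTION_FOR_LOCATION[hit["location"]], set()).add(hit["on_disk"])
    return {action: sorted(paths) for action, paths in actions.items()}

def summary(text):
    """Count detections by kind so riskware does not inflate the 'viruses found' number."""
    return dict(Counter(classify(p, v)["kind"] for p, v, _ in parse_report(text)))

# Constructed excerpt in the same shape as the posted report (tab-separated columns).
SAMPLE_ROWS = [
    (r"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02C40000.VBN", "Infected: P2P-Worm.Win32.VB.fc", "skipped"),
    (r"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\038C0000.VBN", "Infected: Trojan-Downloader.Win32.Zlob.fpf", "skipped"),
    (r"C:\Documents and Settings\LocalService\NTUSER.DAT", "Object is locked", "skipped"),
    (r"C:\Documents and Settings\robandrosi\Desktop\keyfinder.exe/data.rar/officekey.exe", "Infected: not-a-virus:SWTool.Win32.RAS.a", "skipped"),
    (r"C:\Documents and Settings\robandrosi\Desktop\keyfinder.exe", "RarSFX: infected - 2", "skipped"),
    (r"C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip/keyfinder.exe/data.rar/officekey.exe", "Infected: not-a-virus:SWTool.Win32.RAS.a", "skipped"),
    (r"C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip", "ZIP: infected - 3", "skipped"),
    (r"C:\Documents and Settings\robandrosi\Local Settings\Application Data\Mozilla\Firefox\Profiles\wndwt4eu.default\Cache\B298C40Bd01", "Infected: Email-Worm.Win32.Zhelatin.sg", "skipped"),
    (r"C:\SWSetup\RECYCLER\S-1-5-21-1417001333-179605362-839522115-11250\Dc2\LooseFiles\vnchooks.dll", "Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c", "skipped"),
    (r"C:\WINDOWS\system32\config\SAM", "Object is locked", "skipped"),
]
SAMPLE_REPORT = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

if __name__ == "__main__":
    print(summary(SAMPLE_REPORT))
    for action, objects in triage(SAMPLE_REPORT).items():
        print(action)
        for obj in objects:
            print("   ", obj)
```

On the constructed rows the summary comes out as three malware hits, three riskware hits and two archive summary rows, and the plan puts the two .VBN files under "purge AV quarantine", the two Desktop downloads under "delete file by hand", the Firefox cache entry under "clear browser cache" and the VNC leftovers under the RECYCLER action, which is the same split the helper made by eye. To use it on a real report, pass the saved report text to triage() instead of SAMPLE_REPORT.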


----------



## Mosaic1 (Aug 17, 2001)

And yes, do turn on ONE AV. Not both. Two AVs interfere with each other.


----------



## manomina (Jul 6, 2006)

I don't have a recycle bin, just a Recycler on my C: and it's empty. Not sure about the Firefox cache, I can't get that running and not sure where it would be. I have Avast back on, I deleted all the keygen stuff...I have enabled the add-ons and am rebooting now.


----------



## Mosaic1 (Aug 17, 2001)

To get firefox running, you need to uninstall the Google and Yahoo toolbars. Same in IE. If you enable add-ons and these are still installed, you'll have a problem. One of them is corrupt. Please read my instructions carefully.

------------------

For the logon scripts. I believe if you bought this machine, these may just be leftovers. But let's check it out.

Please go to start >Run and type the following command:

*gpedit.msc*
Press enter.

This will open the Group Policy interface.

In the right pane, double click on the Computer Configuration icon.
Now you'll see 3 icons. Double click on the Windows Settings Icon.

Now the icons will change again.

Double click on the Scripts(Startup/Shutdown) icon.
Now the icons will change again.
Double click on the Startup icon.
This will bring up a new page.

Click this button:

*Show Files*

Now you'll be inside the folder where the scripts are stored.

You should see the following scripts:

redirectprinters.vbs

addsubnetprinters.vbs

usr_logon-main.vbs

lprocess.vbs

Create a new folder and copy each of these files into that new folder.
Then right click on that new folder and click sendto >compressed.

Upload that new zipped folder into your next reply. I'll look at those scripts for you.

To upload, do not use Quick Reply. Instead, press the orange Post a Reply button and then use Manage Attachments. Follow the instructions.


----------



## manomina (Jul 6, 2006)

I rebooted and could not get back on the web so I went back and disabled the add-ons again. I uninstalled Yahoo but I could not uninstall the Google Toolbar or Internet. 

I will read your last post and carry it out.


----------



## manomina (Jul 6, 2006)

There are no scripts in that folder. I did a search for those VBSs and they are not on here.


----------



## manomina (Jul 6, 2006)

Just read about posting the reply. Not sure of the difference, but ok...I'll hit the post reply.


----------



## Mosaic1 (Aug 17, 2001)

> I rebooted and could not get back on the web so I went back and disabled the ad-ons again. I uninstalled Yahoo but I could not uninstall the Google Toolbar or Internet.


You couldn't use the browser because you had enabled the add-ons before you uninstalled the problem program. If Internet Explorer now works, then it was Yahoo causing the problem.

Uninstall Internet? We don't want to do that.

Firefox still doesn't work?

Let's have a look at your uninstallers please.

Open hijackthis and press the config button.

Click the Misc Tools Button.
Press the Open uninstall manager button.

Click the Save List button. This will create a file named uninstall_list.txt Save the file and then open it. Post the contents here and we'll see what's there.


----------



## manomina (Jul 6, 2006)

IE works and I was just saying that the only Google thing I have is the Google Toolbar for IE that will not uninstall. No, Firefox still doesn't work. Here is that list:

Adobe Acrobat 7.0.8 Professional
Adobe Flash Player 9 ActiveX 9.0.16.0
Adobe Flash Player ActiveX
Adobe Shockwave Player
Agere Systems HDA Modem
Ares 2.0.9
Ask Toolbar
ATI Display Driver
avast! Antivirus
Belarc Advisor 7.2
Business Fonts 1.0
DivX Content Uploader
DivX Web Player
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
HP Integrated Module with Bluetooth wireless technology
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 10 1.5.0.100
Kaspersky Online Scanner
LiveUpdate 2.0 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
MSXML 4.0 SP2 (KB936181)
Network Stumbler 0.4.0 (remove only)
Norton Security Scan
ODBC Elite SQL Reporting 1.0
OEMLogo (remove only)
Picasa 2
PowerPoint Templates 3.0
Precedent 3.2.3
Product Key Explorer 1.9.6
PS|Ship (tm) for Outlook®
Registry Genius v2.6
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
Spybot - Search & Destroy 1.4
Spyware Doctor 5.5
SpywareBlaster v2.5.2
Symantec Client Security 2.0.2
Tweak Manager 2.1
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VideoLAN VLC media player 0.8.6d
Windows Live installer
WinZip 11.0.7313
Workshare Professional 4.5.8680.0
Yahoo! Install Manager
Yahoo! Messenger


----------



## Mosaic1 (Aug 17, 2001)

If IE is ok and everything is fast, then it was the Yahoo causing the problem. Is that the case?

If you go into Control panel >Add Remove Programs, you'll find these two entries:


Yahoo! Install Manager
Yahoo! Messenger 

You can use them to remove Yahoo. 

If you want to remove google, use Add Remove Programs too.


I would also remove this one using Add remove Programs:
Ask Toolbar

Now try Firefox again and see if it works. Let me know. 

-----------------------

RE: Scripts. It looks like the scripts were removed, but gpedit was not updated.

So let's clean out the leftovers.

Download and save the zip I have attached, named polfix.zip

It contains a file named polfix.bat

Extract polfix.bat to your desktop and then double click on it. It will run quickly and remove those leftovers.


-------

I hate registry cleaners. They can cause a lot of problems. I see you have Registry Genius installed. It's my opinion that you should uninstall that program.
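
The "scripts were removed, but gpedit was not updated" state above can be checked directly rather than inferred. This is an added example, not part of the thread and not the contents of the polfix.bat the helper attached: on Windows XP the Local Computer Policy keeps its startup-script list in %SystemRoot%\System32\GroupPolicy\Machine\Scripts\scripts.ini (a [Startup] section of NCmdLine= / NParameters= pairs) and the script files themselves in the Startup folder beside it, which is the folder the Show Files button opens. An entry whose file no longer exists is exactly what gpedit was still listing. The sample scripts.ini is constructed and the folder layout is rebuilt in a temporary directory so the check runs anywhere; on the affected machine the real Scripts folder would be passed to dangling_startup_scripts() instead.

```python
"""List local-policy startup scripts that gpedit still shows but that are gone from disk.

Added example; not part of the thread and not the polfix.bat attached there. The
scripts.ini location and layout are the standard Local Computer Policy ones; the
sample file and temporary folder tree are constructed for the example.
"""
import os
import re
import tempfile

CMDLINE_RE = re.compile(r"^(?P<n>\d+)CmdLine=(?P<cmd>.*)$", re.I)
FULL_PATH_RE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/)")   # drive letter, UNC or rooted path

def read_ini_text(path):
    """scripts.ini may be UTF-16 with a BOM or plain ANSI; decode either."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

def startup_entries(ini_text):
    """CmdLine values under [Startup], in index order (other sections are ignored)."""
    section, found = None, {}
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = CMDLINE_RE.match(line) if section == "startup" else None
        if m:
            found[int(m.group("n"))] = m.group("cmd").strip()
    return [found[i] for i in sorted(found)]

def dangling_startup_scripts(scripts_dir):
    """Entries in <scripts_dir>\\scripts.ini whose script is not in <scripts_dir>\\Startup."""
    ini = os.path.join(scripts_dir, "scripts.ini")
    if not os.path.exists(ini):
        return []                       # no local startup-script policy at all
    startup_dir = os.path.join(scripts_dir, "Startup")
    missing = []
    for cmd in startup_entries(read_ini_text(ini)):
        # Bare names are resolved against the Startup folder, as Group Policy does.
        target = cmd if FULL_PATH_RE.match(cmd) else os.path.join(startup_dir, cmd)
        if not os.path.exists(target):
            missing.append(cmd)
    return missing

def build_sample(root):
    """Recreate the thread's situation (constructed): four scripts listed, one still on disk."""
    scripts_dir = os.path.join(root, "GroupPolicy", "Machine", "Scripts")
    os.makedirs(os.path.join(scripts_dir, "Startup"))
    names = ["redirectprinters.vbs", "addsubnetprinters.vbs", "usr_logon-main.vbs", "lprocess.vbs"]
    lines = ["[Startup]"]
    for i, name in enumerate(names):
        lines += [f"{i}CmdLine={name}", f"{i}Parameters="]
    with open(os.path.join(scripts_dir, "scripts.ini"), "wb") as fh:
        fh.write("\r\n".join(lines).encode("utf-16"))   # the 'utf-16' codec writes the BOM
    with open(os.path.join(scripts_dir, "Startup", "lprocess.vbs"), "w") as fh:
        fh.write("' placeholder so one entry resolves\r\n")
    return scripts_dir

def run_demo():
    """Build the sample tree in a temporary directory and return the dangling entries."""
    with tempfile.TemporaryDirectory() as root:
        return dangling_startup_scripts(build_sample(root))

if __name__ == "__main__":
    for name in run_demo():
        print("listed in scripts.ini but missing from the Startup folder:", name)
```

The demo reports the three entries whose .vbs files are gone and keeps quiet about lprocess.vbs, which is still present. The check only reads; removing the stale entries (which is what a clean-up batch file would do) is a separate, deliberate step, since a script that is present and listed is a legitimate policy and should be reviewed before it is touched.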


----------



## manomina (Jul 6, 2006)

IE works and it was faster when I was running that scan last night and then for a few minutes after but it's slower now.

I uninstalled Yahoo and it shut me down and rebooted....(I hang when rebooting) and then I uninstalled Messenger....but still cannot uninstall the Google....maybe I need to tweak the registry.

The Ask toolbar won't uninstall because we have already deleted the dll file, so that would have to be a registry tweak also I guess.

I deleted the Registry Genius.

When I run Firefox I still get this error:

AppName: firefox.exe AppVer: 1.8.20070.6982 ModName: firefox.exe
ModVer: 1.8.20070.6982 Offset: 00187199

C:\DOCUME~1\ROBAND~1\LOCALS~1\Temp\519f_appcompat.txt


----------



## Mosaic1 (Aug 17, 2001)

For Internet Explorer : What happens when you try to uninstall google? and how are you trying to uninstall it? Do you get any errors?

You might try a reinstall of Firefox.


----------



## Mosaic1 (Aug 17, 2001)

This is a link to a Firefox Diagnostic troubleshooting page.

http://kb.mozillazine.org/Standard_diagnostic_-_Firefox

Follow the steps and see if it helps.


----------



## manomina (Jul 6, 2006)

I go to Add/Uninstall Programs and try to uninstall it.

So, we are almost done? We got rid of all those viruses and infected programs? Maybe that is why I am still running slow?

Number of viruses found: 6
Number of infected objects: 20


----------



## manomina (Jul 6, 2006)

I reinstalled Firefox and it works now.


----------



## Mosaic1 (Aug 17, 2001)

> So, we are almost done? We got rid off all those viruses and infected programs? May be that is why I am still running slow?


After the Kaspersky log I gave you a list of things to delete. Did you do that? 
I think you're running slow because of a corrupted add-on.

Please run hijackthis and post a new log.


----------



## manomina (Jul 6, 2006)

Yes, I deleted the following. I will post a new HJT next.
Thanks!

C:\Documents and Settings\robandrosi\Desktop\keyfinder.exe/data.rar/officekey.exe
C:\Documents and Settings\robandrosi\Desktop\keyfinder.exe/data.rar
C:\Documents and Settings\robandrosi\Desktop\keyfinder.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip/keyfinder.exe/data.rar/officekey.exe
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip/keyfinder.exe/data.rar
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip/keyfinder.exe
C:\Documents and Settings\robandrosi\Desktop\MagicJellyBean.zip


----------



## Mosaic1 (Aug 17, 2001)

Good. I'll wait to see your Hijackthis log.


----------



## manomina (Jul 6, 2006)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:43 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?null&ui=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [My App] C:\Program Files\Desktop Clock\Desktop Clock.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [IMC] C:\Program Files\FriendFinder\FriendFinder Messenger 40\imc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\S-1-5-21-813001092-2017230301-2172670643-1010\..\Run: [IMC] C:\Program Files\FriendFinder\FriendFinder Messenger 40\imc.exe (User '?')
O4 - HKUS\S-1-5-21-813001092-2017230301-2172670643-1010\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sandboxie Service (SbieSvc) - Unknown owner - C:\Program Files\Sandboxie\SbieSvc.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 8449 bytes


----------



## Mosaic1 (Aug 17, 2001)

C:\Program Files\Ares\Ares.exe

This entry indicates you are still running a file sharing program. My best advice, again, is not to do that. I strongly urge you to uninstall it.

----------
One of your security programs is preventing us from removing any startup entries.

Sign off. Close all Firefox and Internet Explorer windows.

Disable your security programs.

Then run hijackthis and select the following items. Click the fix checked button:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [My App] C:\Program Files\Desktop Clock\Desktop Clock.exe
O4 - HKCU\..\Run: [IMC] C:\Program Files\FriendFinder\FriendFinder Messenger 40\imc.exe

------------------------

Enable your security programs.

Create a new hijackthis log and post it here please.

*** You are still running more than one Anti Virus program. This is a very bad thing for your system. ONLY 1 Anti Virus is required to run at any given time.


----------



## manomina (Jul 6, 2006)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:28 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?null&ui=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\S-1-5-21-813001092-2017230301-2172670643-1010\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sandboxie Service (SbieSvc) - Unknown owner - C:\Program Files\Sandboxie\SbieSvc.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 7972 bytes


----------



## Mosaic1 (Aug 17, 2001)

You are still running the ARES program. That's your decision. What about the Anti virus?

Here's what we all need:

ONLY 1 of each type program running at a time:
1 AV
1 firewall
1 Anti Spyware
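
As an added example (not from this thread and not part of HijackThis), here is a small parser that applies the two checks the helper keeps repeating to HJT log lines: it flags stale entries whose target file is missing and counts distinct real-time antivirus products registered as O23 services. The sample log is constructed in HJT v2 format, and the keyword-to-product table is an assumption of the example, not a list HijackThis ships.

```python
"""Review HijackThis (HJT) v2 log lines for stale entries and duplicate antivirus products.

Added example, not part of the thread or of HijackThis. The sample log below is
constructed in HJT v2 format; AV_KEYWORDS is an assumed table for the demo.
"""
import re

# Constructed sample in HijackThis v2 log format (a few representative lines).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Sandboxie Service (SbieSvc) - Unknown owner - C:\Program Files\Sandboxie\SbieSvc.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
"""

# "Rn - ..." / "On - ..." lines; everything else in the log (header, process list) is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")
# O23 body: "Service: <display name> - <vendor> - <binary path>[ (file missing)]"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# Display names often carry the short service name in parentheses: "Sandboxie Service (SbieSvc)".
SHORT_NAME_RE = re.compile(r"^(?P<display>.+?) \((?P<short>[^()]+)\)$")
MISSING = "(file missing)"

# Assumed keyword table: substrings (lower-cased) that identify a real-time AV product.
# Only resident products count; an on-demand web scanner (O16 DPF) is not a second AV.
AV_KEYWORDS = {
    "avast": "avast",
    "symantec antivirus": "Symantec",
    "norton": "Norton",
    "mcafee": "McAfee",
    "kaspersky": "Kaspersky",
}


def parse_entries(text):
    """Return (section, body) for every HJT entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def parse_service(body):
    """Split an O23 body into display name, short name, vendor, path and a missing-file flag."""
    m = SERVICE_RE.match(body)
    if not m:
        return None
    name, vendor, path = m.group("name"), m.group("vendor"), m.group("path")
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].rstrip()
    short = SHORT_NAME_RE.match(name)
    display, key = (short.group("display"), short.group("short")) if short else (name, name)
    return {"display": display, "key": key, "vendor": vendor, "path": path, "missing": missing}


def missing_files(entries):
    """Entries whose target HJT could not find on disk: stale autostart or service registrations."""
    return [(sec, body) for sec, body in entries if body.endswith(MISSING)]


def antivirus_products(entries):
    """Distinct AV products that have an O23 service entry, matched on name or vendor."""
    found = set()
    for sec, body in entries:
        if sec != "O23":
            continue
        svc = parse_service(body)
        if svc is None:
            continue
        haystack = f"{svc['display']} {svc['vendor']}".lower()
        for keyword, product in AV_KEYWORDS.items():
            if keyword in haystack:
                found.add(product)
    return sorted(found)


def review(text):
    """Run both checks over a log and return the findings."""
    entries = parse_entries(text)
    products = antivirus_products(entries)
    return {
        "entries": len(entries),
        "file_missing": missing_files(entries),
        "antivirus": products,
        "multiple_av": len(products) > 1,
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(f"{result['entries']} entries parsed")
    for sec, body in result["file_missing"]:
        print(f"stale ({sec}): {body}")
    print("resident AV products:", ", ".join(result["antivirus"]))
    if result["multiple_av"]:
        print("WARNING: more than one real-time antivirus product is registered as a service")
```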


----------



## Mosaic1 (Aug 17, 2001)

Is your system running any faster now? Internet Explorer?


----------



## manomina (Jul 6, 2006)

I have Avast running, but of course there is also Symantec and Norton and I just tried to uninstall Norton and I have the installer problem again.

---------------------------
Add or Remove Programs
---------------------------
The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.


---------------------------
OK 
---------------------------


----------



## Mosaic1 (Aug 17, 2001)

Let's repair the Windows Installer again and see if that helps.

http://support.microsoft.com/?kbid=315346


----------



## manomina (Jul 6, 2006)

Nope....but I can uninstall other things, but it doesn't look like it uses the Windows Uninstaller. Is it possible to install a new one....er, copy a new one to my hard drive? I don't know....maybe that was a stupid question.....

So, if I ran that scan again, it shouldn't find any viruses?


----------



## Mosaic1 (Aug 17, 2001)

Try this page to get a Norton Removal tool:

http://service1.symantec.com/SUPPOR...sf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

You should be clean except for the quarantined files if you were not able to remove those. But they are not active.

We are also going to have you uninstall combofix later. But not yet.


----------



## manomina (Jul 6, 2006)

I'm having problems posting. That link is asking for a product number and since this was on here when I got it, I don't have it so I took it off my hard drive and in the registry...that was for Norton Security, I rebooted and I get the Avast warning that Norton & Symantec are running......so I will have to do the same for Symantec Security as well.

I noticed that C:\WINDOWS\INSTALLER has all the installer modules, is it possible to re copy them from the XP cd?


----------



## Mosaic1 (Aug 17, 2001)

> That link is asking for a product number and since this was on here when I got it, I don't have it so I took it off my hard drive and in the registry...that was for Norton Security, I rebooted and I get the Avast warning that Norton & Symantec are running......so I will have to do the same for Symantec Security as well.
> 
> I noticed that C:\WINDOWS\INSTALLER has all the installer modules, is it possible to re copy them from the XP cd?


I can't help you if you go off on your own and do things without my advice. I wish you would not have done that. We could have disabled Symantec another way. The registry is a sensitive place and so are files on the hard drive.



> noticed that C:\WINDOWS\INSTALLER has all the installer modules, is it possible to re copy them from the XP cd?


Those are special installer packages for programs you may have installed later. Please leave that folder as it is and do not make any changes. They are not the Windows Installer Service files.

Where do you stand now? May I see a new Hijackthis log please?


----------



## manomina (Jul 6, 2006)

I am sorry I did that...I only did it with Norton, not the Symantec.....I haven't touched that directory & I won't. I won't do anything else without running it by you.
Here is the HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:47 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?null&ui=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\S-1-5-21-813001092-2017230301-2172670643-1010\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-813001092-2017230301-2172670643-1010\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sandboxie Service (SbieSvc) - Unknown owner - C:\Program Files\Sandboxie\SbieSvc.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 8276 bytes


----------



## Mosaic1 (Aug 17, 2001)

Ok. That sounds good. I want to do this in a couple of steps. First we'll stop and delete the Symantec services and scheduled tasks. But this will include removing your firewall. That's not a good thing to be without. So if AVAST is just AV and has no firewall, then go here and download the comodo firewall:
http://www.personalfirewall.comodo.com/

Please download and save the attached zip file to your desktop. Then extract its contents, a file named symclean1.bat to your desktop.

Now disconnect from the internet and close all your browser windows.

Double click on symclean.bat to run it.

When finished it will open a file named symlog.txt, a file it will create on your desktop. Close that file for now.

Install the Comodo firewall and restart the computer before you do anything else. 
After restarting the computer, please post the contents of symlog.txt into your next reply.

Then run hijackthis and post the new log.


----------



## Mosaic1 (Aug 17, 2001)

After you have done all that, I would like to see a Startuplist please.

Go to this page and follow the directions to generate a Startuplist.
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/qsg

Please copy and paste that log into your next reply.

That will let us know what else Symantec has installed for drivers.


----------



## manomina (Jul 6, 2006)

I made a mistake...ok, I did everything you said...after it created that text file, it had cleaned EVERYTHING....all was approved except the very last one and it only had the following:

Could Not Find C:\WINDOWS\Tasks\Norton Security Scan.job

Because the last line failed, I remembered that I didn't stop the windows firewall (yes I was completely off the web) so I went and disabled MS Firewall and I ran the batch file again...I thought it would prompt me to overwrite the existing file....but it did not. I am sorry, but everything was done correctly except the last line.

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

Could Not Find C:\WINDOWS\Tasks\Norton Security Scan.job
Could Not Find C:\WINDOWS\Tasks\Symantec NetDetect.job


----------



## Mosaic1 (Aug 17, 2001)

So the services and tasks were removed but you ran it again. That's ok. We see there's nothing left. 

But to be sure about that and a few other things, may I see that Startuplist I asked for now please? That will tell us what drivers are left to remove now as well for your Symantec.


Did you install the Comodo Firewall yet?


----------



## manomina (Jul 6, 2006)

StartupList report, 1/19/2008, 4:14:53 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
{0228e555-4f9c-4e35-a3ec-b109a192b4c2} = C:\Program Files\Google\Gmail Notifier\gnotify.exe
COMODO Firewall Pro = "C:\Program Files\COMODO\Firewall\cfp.exe" -s

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
ares = "C:\Program Files\Ares\Ares.exe" -h
Yahoo! Pager = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs= C:\WINDOWS\system32\guard32.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

Defragmenter.job

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[DivXBrowserPlugin Object]
InProcServer32 = C:\Program Files\DivX\DivX Web Player\npdivx32.dll
CODEBASE = http://go.divx.com/plugin/DivXBrowserPlugin.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,090 bytes
Report generated in 0.063 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## manomina (Jul 6, 2006)

Yes, I installed the comodo firewall....should I also run the MS firewall...or does that automatically turn on?


----------



## Mosaic1 (Aug 17, 2001)

One firewall is enough. Be sure you are running only the one.

That startuplist is only showing defaults. I need extended information.

Could you run it again please but this time:
*Check both boxes next to the Generate StartupList log* and then click the generate startuplist log button.

Post the new log. Sorry. The page in the link must not have mentioned that.


----------



## manomina (Jul 6, 2006)

Nope, it didn't and I wondered about that. Here is the file...too big to paste. 

Please tell me the difference between POST a reply & post QUICK reply.


----------



## Mosaic1 (Aug 17, 2001)

Quick reply allows you to type an answer. Post Reply allows you to attach, add smilies and a few other things along with your answer.


Let's get rid of more of Symantec now, including the virus scanner service.

Download and save the attached zip named Clean drivers.zip to your desktop.

Extract the contents, a batch file named Clean drivers.bat, to your desktop.


Double click on Clean drivers.bat to run it. Please only run this one the one time.

When it has finished it will open a file named symlog.txt (yes, same name. It will overwrite the old one.)

Please paste the contents of symlog.txt into your next reply.


Then run Startuplist again just as before with the extended information included and post that log.


We'll deal with file removal later. I can only stay a very short time.


----------



## manomina (Jul 6, 2006)

Sorry that I got here so late.....so I will do what I can and whenever you get back on maybe we can finish this. As for running this next batch file, you didn't say anything about logging off the net/shutting down the firewall or anything....so I will wait and see what you say about that before I run it.


----------



## Mosaic1 (Aug 17, 2001)

You can go ahead and just run that last batch. Follow the instructions in my post and you'll be ok. You can reboot after if you like. But please do post the results before you do that.

I am not going to be here long tonight. But I'll be back tomorrow at some point.


----------



## manomina (Jul 6, 2006)

Here's the results of the batch file:

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] DeleteService SUCCESS
[SC] DeleteService SUCCESS

SERVICE_NAME: Symantec AntiVirus
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 3 STOP_PENDING 
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0	(0x0)
SERVICE_EXIT_CODE : 0	(0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0xbb8
[SC] DeleteService SUCCESS
[SC] DeleteService SUCCESS
[SC] DeleteService SUCCESS
[SC] DeleteService SUCCESS
[SC] DeleteService SUCCESS
[SC] DeleteService SUCCESS
[SC] DeleteService SUCCESS
[SC] DeleteService SUCCESS
[SC] DeleteService SUCCESS


----------



## manomina (Jul 6, 2006)

Here ya go. I'll see you tomorrow if you are gone for today.

Thanks


----------



## Mosaic1 (Aug 17, 2001)

I'll have a quick look at your Startuplist and post back shortly. Then I am going to sign off.


----------



## manomina (Jul 6, 2006)

Ok, you have the startuplist....


----------



## Mosaic1 (Aug 17, 2001)

There are still some leftover drivers we need to disable. But that's for tomorrow. I'll see you then. 

In the meantime, you can restart if you haven't already.


----------



## manomina (Jul 6, 2006)

Great. Have a great night.

Thanks!


----------



## Mosaic1 (Aug 17, 2001)

You're welcome.

This will be my last post of the evening. 

Let's get the true name for the leftover driver that didn't delete and more information on your other drivers now. We'll use another batch to do that. 

Download and save the attachment to your desktop. Extract the contents to a new folder. The contents are just one batch file named query.bat

Once you have query.bat saved, if you haven't restarted the Computer since you ran the last batch, please do that. It's important.


Double click on query.bat to run it.

When finished, it will close and there will be a new file named dlist.txt in that same folder where you saved the batch. 
Upload dlist.txt to your next reply. I want the actual file please and not a copy and paste. 

This will help me to write a new batch to clean out the leftover service drivers etc. when I see it tomorrow.


----------



## manomina (Jul 6, 2006)

There was something wrong with the batch file.....it created a blank document. Every time I try to upload it it fails.....I have tried earlier today and then tonight but it fails and it fails no matter what I try to upload.....

Upload Errors
dlist.txt:
Upload of file failed.


----------



## Mosaic1 (Aug 17, 2001)

> There was something wrong with the batch file.....it created a blank document. Every time I try to upload it it fails.....I have tried earlier today and then tonight but it fails and it fails no matter what I try to upload.....


There is absolutely nothing wrong with that batch. You got the result you would get if the tool which that batch uses were missing. That tool is named driverquery.exe

You bought a used computer which had been in use in a business environment. They probably removed a few tools they didn't want their employees to use.

The Symantec is a leftover from them as well, among other things. When you buy a second hand computer, you get their settings, their programs, updated or not etc. You get their problems too. They did a lousy job of cleaning up after themselves. You have other traces of programs they used on their network too. I would never consider running any system like that. But you have been doing just that. At this point I am helping you to clean up their leftovers. You'll likely run into other problems and missing files along the way. They likely removed a few other things they didn't want their employees accessing.


----------



## Mosaic1 (Aug 17, 2001)

So let's try a script instead. If you get an error with this one it will likely be because WMI is malfunctioning on your system.

Download the zip.

Extract the contents of the zip to a new folder on your desktop.

The contents of the zip = get system drivers.vbs


Double click on get system drivers.vbs to run it.

If you get an alert that a malicious script is running, ignore it and allow this to run. It is just a diagnostic tool. 

When finished, a file named dlist.txt will open.

Close dlist.txt and then upload it as an attachment to your next reply here.


----------



## manomina (Jul 6, 2006)

Ok, sorry about that...I just figured something went wrong. Here is the next file....but I saw nothing in it either....


----------



## Mosaic1 (Aug 17, 2001)

Ok. Nothing there either.

Can you go into your Windows\system32 folder and see if the file driverquery.exe is there please?


----------



## manomina (Jul 6, 2006)

Yes it is.


----------



## Mosaic1 (Aug 17, 2001)

Since both of those files work here and neither one works there, I am at a loss for the moment.

I wonder if this is permissions. But that doesn't make much sense considering what else you've been able to do on that system. 
For now, I am going to have to let this go. 
I'll get back to you tomorrow. I'll work from your startuplist and see how we do with that.


----------



## manomina (Jul 6, 2006)

OK! Thank you.


----------



## Mosaic1 (Aug 17, 2001)

You're welcome. Can you go to My Computer and right click on it please. Then click on properties. Do you get an error when you do that?


----------



## Mosaic1 (Aug 17, 2001)

Also, I want to check out your path statement another way.

Go to start >Run and paste in the following command. then press enter:
*cmd /c path>p.txt && p.txt*

This will open a text file named p.txt

Please paste the contents of p.txt into your next reply.


----------



## Mosaic1 (Aug 17, 2001)

If the winmgmt service is not running, you'll get no errors, but neither of those two files you ran will work. One will be 0 bytes and the other 2 bytes. Just like you had. Although your startuplist said it was set to automatic. Let's triple check for ourselves.

Please go to start >run and paste in this next command and then press enter:

*cmd /c sc query winmgmt >query.txt && query.txt*

A file named query.txt will open. Please paste the contents of query.txt into your next reply.


----------



## Mosaic1 (Aug 17, 2001)

This all may sound like a lot, but it will only take a minute to do these last few things. Now I want to see if the service is being implemented by svchost.exe. If not, then it will not run even if set to automatic. 

Download the zip attachment. Save and then extract the contents, a file named netlook.bat, to its own folder.

Double click on netlook.bat to run it. When finished it will open a text file named net.txt

Please copy and paste the contents of net.txt into your next reply here. 

These last few posts should narrow down the problem so we can fix it tomorrow, hopefully, without taking up too much time.


----------



## manomina (Jul 6, 2006)

Nope, no error message when I right click. Here are the first results for
cmd /c path>p.txt && p.txt

PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft SQL Server\80\Tools\BINN;C:\Program Files\Hummingbird\DOCS Open\progs\;C:\Program Files\Workshare\Modules\;C:\Program Files\INFORMIX\BIN

results for:

cmd /c sc query winmgmt >query.txt && query.txt

SERVICE_NAME: winmgmt
TYPE : 20 WIN32_SHARE_PROCESS 
STATE : 4 RUNNING 
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0	(0x0)
SERVICE_EXIT_CODE : 0	(0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0


----------



## manomina (Jul 6, 2006)

Here is Netlook results


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
netsvcs	REG_MULTI_SZ	6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0
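The checks Mosaic1 is doing by hand in the last few posts (does the service exist, is it RUNNING according to `sc query`, and is it listed in the SvcHost `netsvcs` group that reg.exe printed, without which svchost.exe never loads a share-process service) can be run over saved output. The following is an added example and not a tool from this thread or from Mosaic1; the function names are mine, and the sample strings are constructed from output posted above (the `[SC] OpenService FAILED 1060` case from the Clean drivers batch, the `winmgmt` and `Symantec AntiVirus` query results, and an abridged `netsvcs` list).

```python
"""Parse saved `sc query <name>` output and the SvcHost\\netsvcs value shown
by reg.exe, then report whether a service is installed, RUNNING, and (for
share-process services) hosted by svchost. Added example, not from the thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples, copied from output posted in the thread (netsvcs abridged).
SC_QUERY_WINMGMT = """SERVICE_NAME: winmgmt
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0\t(0x0)
SERVICE_EXIT_CODE : 0\t(0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
"""
SC_QUERY_STOPPING = """SERVICE_NAME: Symantec AntiVirus
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 3 STOP_PENDING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0\t(0x0)
"""
SC_QUERY_MISSING = """[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""
REG_SVCHOST = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
netsvcs    REG_MULTI_SZ    6to4\0AppMgmt\0CryptSvc\0Wmi\0winmgmt\0wscsvc\0BITS\0\0
"""

SERVICE_WIN32_SHARE_PROCESS = 0x20  # bit in TYPE; sc prints TYPE in hex (20, 110, ...)

FAILED_RE = re.compile(r"^\[SC\] \w+ FAILED (\d+):")
FLAGS_RE = re.compile(r"^\s*\((.*)\)\s*$")
FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")
MULTI_SZ_RE = re.compile(r"^\s*(\S+)\s+REG_MULTI_SZ\s+(.*?)\s*$")


@dataclass
class ScQuery:
    name: Optional[str] = None
    type_code: Optional[int] = None
    type_name: str = ""
    state_code: Optional[int] = None
    state_name: str = ""
    flags: List[str] = field(default_factory=list)
    error_code: Optional[int] = None  # e.g. 1060 when the service is not installed
    error_text: str = ""


def parse_sc_query(text: str) -> ScQuery:
    """Parse `sc query` output; accepts sc's padded layout or the forum's single spaces."""
    q = ScQuery()
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            q.error_code = int(m.group(1))
            continue
        if q.error_code is not None:  # whatever follows a FAILED line is its message
            if line.strip():
                q.error_text = line.strip()
            continue
        m = FLAGS_RE.match(line)
        if m:
            q.flags = [f.strip() for f in m.group(1).split(",") if f.strip()]
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            q.name = value
        elif key in ("TYPE", "STATE"):
            parts = value.split(None, 1)
            code = int(parts[0], 16) if key == "TYPE" else int(parts[0])
            label = parts[1] if len(parts) > 1 else ""
            if key == "TYPE":
                q.type_code, q.type_name = code, label
            else:
                q.state_code, q.state_name = code, label
    return q


def parse_svchost_groups(text: str) -> Dict[str, List[str]]:
    """Map each SvcHost group (e.g. netsvcs) to the service names it hosts."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = MULTI_SZ_RE.match(line)
        if m:  # reg.exe joins REG_MULTI_SZ entries with a literal "\0"
            groups[m.group(1)] = [s for s in m.group(2).split("\\0") if s]
    return groups


def diagnose(service: str, sc_output: str, reg_output: str) -> dict:
    """Answer the thread's questions: installed? running? and if it is a
    share-process service, is it in a SvcHost group so svchost will load it?"""
    info = {"service": service, "installed": False, "running": False,
            "shared_process": False, "svchost_group": None, "notes": []}
    q = parse_sc_query(sc_output)
    if q.error_code is not None:
        info["notes"].append(f"sc query failed ({q.error_code}): {q.error_text}")
        return info
    info["installed"] = True
    info["running"] = q.state_name == "RUNNING"
    info["shared_process"] = bool(q.type_code and q.type_code & SERVICE_WIN32_SHARE_PROCESS)
    for group, members in parse_svchost_groups(reg_output).items():
        if service.lower() in {m.lower() for m in members}:
            info["svchost_group"] = group
            break
    if not info["running"]:
        info["notes"].append(f"state is {q.state_name or 'unknown'}, not RUNNING")
    if info["shared_process"] and info["svchost_group"] is None:
        info["notes"].append("share-process service is in no SvcHost group; svchost will not load it")
    return info
```

Run `diagnose("winmgmt", SC_QUERY_WINMGMT, REG_SVCHOST)` to get the healthy case posted above (installed, RUNNING, hosted in `netsvcs`); the same function over the Clean drivers output reports error 1060 with its message, and over the Symantec AntiVirus block reports STOP_PENDING. Dropping `winmgmt` from the `netsvcs` list is the condition Mosaic1 suspected: `sc query` would still say the service exists, but the note flags that svchost has no group to load it from.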


----------



## Mosaic1 (Aug 17, 2001)

Can you go to start> run and paste this in and then press enter?

cmd /c sc query termservice >query.txt && query.txt

It will open a file named query.txt
Please paste in the contents of query.txt to your next reply.


----------



## Mosaic1 (Aug 17, 2001)

I think your services might be a problem for you. Your DCOM Launch is set to manual, I think, and it should be on automatic. Go into services.msc and find this service and see if it has started. If not, set it to automatic and then attempt to start it. Let me know if you get any errors trying to start this service. Keep me up to date as to what is going on with this one.

Please go to the Elder Geek Services Guide and set your services to the defaults recommended for your Windows XP Service Pack level (SP2).

Here's a link:

http://www.theeldergeek.com/services_guide.htm

It is very important that you read carefully and follow the instructions to the letter. Then reboot. If you cannot get into windows, then restart and tap F8 to get the Boot menu. Select Last Known Good Configuration from the menu to get back into windows.

Let me know how you do.


----------



## manomina (Jul 6, 2006)

SERVICE_NAME: termservice
TYPE : 20 WIN32_SHARE_PROCESS 
STATE : 4 RUNNING 
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0	(0x0)
SERVICE_EXIT_CODE : 0	(0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0


----------



## Mosaic1 (Aug 17, 2001)

Did you do the rest? Please follow my instructions and let me know how that all goes. I can use sc to get information, but I want you to read the Elder Geek and set your services to defaults. Then I am going to need to see if Svchost is implementing all the services. I don't think it is. DcomLaunch for one.

This is a lot of work; just uninstalling Symantec has pointed out some major problems. However, you were in services before you came here and made a lot of changes which made your system unusable. The RPCss we fixed, but I want to get back to default settings for your other services and see how it performs.


----------



## manomina (Jul 6, 2006)

I went through and set my services. I do NOT have these on my system though: I will reboot now.

Internet Connection - Firewall (ICF) / Sharing (ICS) Service
ScriptBlocking Service
Smart Card Helper Service
Upload Manager Service


----------



## Mosaic1 (Aug 17, 2001)

Then, after your restart, please go to start >run and copy in the following command and press enter:

*cmd /c sc query DcomLaunch>DcomL.txt && DcomL.txt*

This will open a file named DcomL.txt

Please paste the contents of that file into your next reply here.


----------



## manomina (Jul 6, 2006)

SERVICE_NAME: Dcomlaunch
TYPE : 20 WIN32_SHARE_PROCESS 
STATE : 4 RUNNING 
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0	(0x0)
SERVICE_EXIT_CODE : 0	(0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0


----------



## Mosaic1 (Aug 17, 2001)

Let's try running the query.bat again and see if dlist.txt is still empty.

If it is, then I think it's time to troubleshoot your WMI using a Microsoft tool. We'll get to that later if it is needed.


----------



## manomina (Jul 6, 2006)

It worked....and now my installer works as well....here it is.


----------



## Mosaic1 (Aug 17, 2001)

Great! I'll have a look. It will take a while. This is all about cleaning up your Symantec and Norton now.


----------



## Mosaic1 (Aug 17, 2001)

Services are a very important thing and rearranging them can have dire consequences.

For the heck of it, see if the Symantec uninstaller works now. It may not.

Let me know.


----------



## manomina (Jul 6, 2006)

Great. I'm going to have to step away for a few hours. Please leave more instructions and I will get on it tonight. It is 7pst and it may be 3 or 4 hours until I get back on. 

Thank you and I appreciate your dedication to this.


----------



## Mosaic1 (Aug 17, 2001)

Ok. I am on Eastern time and it's 10:00 pm here. So I am going to sign off shortly. I am not sure I'll post any more instructions tonight. But do the Symantec uninstaller in Add Remove Programs and see if it works.

Then post a new Startuplist please. We'll see if anything was removed and take it from there.


----------



## manomina (Jul 6, 2006)

Ok. I only have the Symantec Security in my add/remove programs. I tried to uninstall and I get this message. Now I still have two folders in my Program Files directory: I didn't mess with this one in the registry....so not sure why. See you tomorrow. G'nite

Symantec 
Symantec Client Security

---------------------------
Add or Remove Programs
---------------------------
This action is only valid for products that are currently installed.


---------------------------
OK 
---------------------------


----------



## manomina (Jul 6, 2006)

Here is that list.


----------



## Mosaic1 (Aug 17, 2001)

I got side tracked at another site and am still here. So one last file for you to run and delete the leftover services. 

As usual, save the zip attachment. Extract its contents, a file named remdrivers.bat
Double click on remdrivers.bat to run it.

When finished it will produce and open a file named out.txt

Please paste the contents of out.txt into your next reply here.

Then restart the system.

Once we're sure none of the files are in memory, we'll delete the rest of the folders left behind. 

See you tomorrow.


----------



## manomina (Jul 6, 2006)

eeCtrl driver 
[SC] DeleteService SUCCESS
NAVENG 
[SC] DeleteService SUCCESS
NAVEX15 
[SC] DeleteService SUCCESS


----------



## Mosaic1 (Aug 17, 2001)

Sorry. I got busy today and haven't been here. That looks good. We can clean up folders and files left over from the Symantec later. I do want you to be sure everything is working on your system. Give it a day or two and give it a good workout.
Then we'll clean out your System Restore points. If they exist, they are full of bad registry information due to your services problems. They are definitely nothing you would want to use. Then we'll create a new restore point. 


One more thing is that you did a clean up before you came here for help. So I really have no idea what infections you had. Giving good advice is hard when I have no idea what your original infections were.

So I'll ask you if you do any banking online or use Paypal or have anything very personal on that system. A lot of the latest Trojans steal your information and either use it or sell it to others. Bank account passwords and anything financial is a favorite target. If you or anyone else on your system and/or network uses it for online financial transactions, you should contact your bank etc. and ask for new passwords. Find out if there's been any unusual activity on your accounts. This is a precaution.


----------



## manomina (Jul 6, 2006)

Not a problem. Things seem to be working pretty good. I wish I had written down that virus that aVast cleaned. I thought it started out with a Kal...so I did a search and I found two things and I have no idea what they are. It is this file & directory and I'm not sure if this is safe or not.

Kaliningrad C:\Program Files\Java\jre1.5.0_10\lib\zi\Europe
Kaliningrad lib\zi\Europe

I have only used my credit card once on here to buy something but I don't have that info stored on here. I will, haven't yet, but would like to be able to check my bank account from online.

I'll give it a work out and post back tonight if I have problems.

Thanks!


----------



## Mosaic1 (Aug 17, 2001)

If a virus was cleaned, then it would not be there.

Before we take any new steps to install or clean up, let's flush your old restore points and start fresh.

Be sure everything is in working order. It is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today. However, since your restore points are so faulty, it is good to get rid of them.

After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points. 
Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore. 
Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
--------------------------------

Now that you have a fresh restore point, let's continue.

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of *Java* components and upgrade the application. *Beware it is NOT supported for use in 9x or ME and probably will not install in those systems*

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6u4*.

Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".

Click the "*Download*" button to the right.

Check the box that says: "*Accept License Agreement*".

The page will refresh.

Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Close any programs you may have running - especially your web browser.

Go to *Start* > *Control Panel*, double-click on *Add/Remove* programs and remove all older versions of Java.

Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.

Click the Remove or Change/Remove button.

Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.

Then from your desktop double-click on the download to install the newest version.


As for online banking, wait on that one for a bit. You need to read about security measures you should take to try and avoid a repeat.

Here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html


----------



## manomina (Jul 6, 2006)

Hi, I did the restore points. I won't be able to be on here too much today as I have to go out of town for work, but should be back later on.


----------



## manomina (Jul 6, 2006)

Ok, I have the Java installed and I have that link marked and will look at it when I get back into town.


----------



## Mosaic1 (Aug 17, 2001)

That sounds like a good plan.


----------



## manomina (Jul 6, 2006)

Sorry about today, it was crazy. I haven't read that website totally yet. System is working pretty good, but when I run Spybot, I get pretty much the same thing every time. Does this mean something isn't protecting my system good enough? Here is a picture of the results. I will be back on tomorrow, Wed, night.


----------



## manomina (Jul 6, 2006)

Here are the results of my Avast! Should I manually delete these?


----------



## Mosaic1 (Aug 17, 2001)

The Spybot results are just cookies. You delete them and the next time you visit that site, a new cookie is added. Some of those tracking cookies would not be there if you were to add a hosts file. Please read that link I gave you on increasing security for a link to a hosts file.

For the other, can you get the actual log please? Pictures are not good to work with.


----------



## manomina (Jul 6, 2006)

Whew...I'm back. I have read that site and downloaded everything...I haven't ran anything yet, but I will after this post.


----------



## Mosaic1 (Aug 17, 2001)

Yes. It's a lot of work trying to tighten security. Hopefully, this is almost the end of your work for this round.


----------



## manomina (Jul 6, 2006)

What do you recommend, Avast or AVG? Which one is better?


----------



## Mosaic1 (Aug 17, 2001)

Sorry, I missed your last reply. I don't generally recommend any particular AV. It is a matter of opinion and experience. No AV will get everything. Are you referring to free AV?


----------



## manomina (Jul 6, 2006)

Mosaic1, I am posting this onto this because this is the same computer and it may be related to whatever was going on before. This has been going on even when you were helping with the other problems. 

The HP Compaq 6515b laptop that you helped me with, if the power cord is plugged into it, I will not get a display. I guess it IS booting up, but I see nothing. I have to unplug the cord from my system, hit the on button and then I can plug the cord in right away and it will boot up. It is also running pretty slow booting up.....and there are a few other things that though they are not life threatening, could be helpful if fixed. When I go into the Network Connections I can not right click and select properties...I get the following error:

---------------------------
Network Connections
---------------------------
An unexpected error occurred.
---------------------------
OK 
---------------------------

Nothing is really urgent per se, but the speed would be nice to fix....maybe they are all related I don't know?


----------



## Mosaic1 (Aug 17, 2001)

For the Network connections error try this.

Go to start >Run and paste in this command and then press enter:
*regsvr32 netshell.dll*

Wait for the success message.

Then go back to start >Run 
Paste in this command and then press enter:

*regsvr32 ole32.dll*

Wait for the success message.

See if that helps. Let me know.


----------



## Mosaic1 (Aug 17, 2001)

I really don't like the sound of that problem with your power cord. I think you should post about that in the hardware forum. Slow boot may be related or not. But you definitely have issues with that system. And no startup with the power cord in is not good. And plugging it in while the system is running is not a good idea. Please post in hardware.


----------



## manomina (Jul 6, 2006)

That did the trick. Thank you very much. I will post that in hardware.

Thanks again.


----------



## Mosaic1 (Aug 17, 2001)

You're welcome. Don't put off getting help. It may be a loose connection or that you need a new power cord or any number of things. I would really hate for you to lose your system because of a delay in getting help. You may also think about taking it to a tech.


----------



## manomina (Jul 6, 2006)

Thank you. I have posted in Hardware and just waiting a reply.


----------

