# Solved: Administrator has set policies to prevent this installation



## speedy0926

I am not able to run .exe files or install programs.
I am unable to run IE. 
When trying to install hjt or adaware or antivirus program I get "The system administrator has set policies to prevent this installation."
When I try to launch IE, I get an error message stating that I don't have permission to execute.

I can get into safe mode with networking; however, I still can't install some things but I can launch IE.

PLease let me know what the next step should be.


----------



## JohnWill

Please see the TSG Rules, we no longer provide any help with lost passwords or getting around password protection. Obviously, we can't determine the real intent here, so our policy is to abstain from any assistance in these matters.

Obviously, the owner or administrator of this machine has restricted what you can do on the machine. We won't help you get around such restrictions here.


----------



## Cookiegal

This is possibly due to malware so please do the following:

*Click here* to download *HJTsetup.exe*.

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Addition Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.	
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required. 

*Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.*


----------



## speedy0926

Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:02 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143691798\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\RunOnce: [SpybotDeletingA5270] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4722] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3490] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9278] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKUS\S-1-5-18\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Bingo - http://download2.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178974640734
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 11419 bytes

Thanks in advance for your help Cookiegal.


----------



## JohnWill

I'm not sure you want to run this booting in safe mode, normally you should run HJT in normal mode, maybe Cookiegal will have more input:


> Boot mode: Safe mode with network support


----------



## ~Candy~

I think that's the only way he can run it, JW


----------



## JohnWill

You should be able to just copy HJT to the system and run it without an installation. Maybe the new version no longer allows that?


----------



## ~Candy~

I think he has a problem with "run" as well......admin policy error.


----------



## Cookiegal

Please visit *Combofix Guide & Instructions * for instructions for installing the recovery console and downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.


----------



## speedy0926

combofix log:

ComboFix 08-07-10.1 - Administrator 2008-07-11 0:34:07.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\popcorn Terms.html
C:\WINDOWS\system32\oeminfo.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-07-11 00:20 . 2008-07-11 00:28 d--------	C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-07-09 08:19 . 2008-07-09 08:10	691,545	--a------	C:\WINDOWS\unins000.exe
2008-07-09 08:19 . 2008-07-09 08:19	2,548	--a------	C:\WINDOWS\unins000.dat
2008-07-09 08:09 . 2008-07-09 08:22 d--------	C:\Program Files\Spybot - Search & Destroy
2008-07-09 08:09 . 2008-07-09 09:11 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 08:07 . 2008-07-09 08:42 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-07-09 08:04 . 2008-07-09 08:04 d--------	C:\WINDOWS\LastGood
2008-07-09 01:41 . 2006-03-22 20:02 d--------	C:\Documents and Settings\MIke\Application Data\Symantec
2008-07-09 01:41 . 2006-03-22 20:06 d--------	C:\Documents and Settings\MIke\Application Data\Corel
2008-07-09 01:41 . 2008-07-09 01:41 d--------	C:\Documents and Settings\MIke
2008-07-03 00:07 . 2008-07-03 00:07	4,128	--a------	C:\INFCACHE.1
2008-06-20 12:41 . 2008-06-20 12:41	245,248	---------	C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 05:44 . 2008-06-20 05:44	138,368	---------	C:\WINDOWS\system32\dllcache\afd.sys
2008-06-12 10:08 . 2008-06-13 08:10	272,128	---------	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 10:08 . 2008-06-13 08:10	272,128	---------	C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 14:14	---------	d-----w	C:\Program Files\WildTangent
2008-07-09 13:17	---------	d-----w	C:\Program Files\BAE
2008-07-09 13:14	---------	d-----w	C:\Program Files\Trend Micro
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-07 14:52	---------	d-----w	C:\Documents and Settings\Lulu Martinez\Application Data\LimeWire
2008-05-26 04:50	---------	d-----w	C:\Documents and Settings\Lulu Martinez\Application Data\Yahoo!
2008-05-16 00:41	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Dell
2008-04-10 02:20	0	----a-w	C:\Program Files\temp01
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" [2005-10-19 15:39 135168]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 18:40 24576 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3490"="command" [X]
"SpybotDeletingD9278"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 21:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 21:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 21:50 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 10:47 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 08:42 1159168]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-22 19:59 26112]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 20:20 110592]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-22 20:09 169472]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 20:20 8192]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 17:51 36864]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 20:28 155648]
"HostManager"="C:\Program Files\Common Files\AOL\1143691798\ee\AOLHostManager.exe" [2005-07-29 11:53 159832]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02 57344]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52 380928]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 18:50 40960]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 01:26 3429904]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 12:06 106496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
"MBMon"="CTMBHA.DLL" [2005-05-19 09:54 1345520 C:\WINDOWS\system32\CTMBHA.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 18:51 57344]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22 4670968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-03-22 19:59:13 156784]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-09-09 11:53:04 217088]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-22 19:54:32 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 01:14:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 00:43:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-07-11 0:49:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-11 05:49:00

Pre-Run: 94,585,921,536 bytes free
Post-Run: 96,285,659,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

147	--- E O F ---	2008-07-09 06:22:29

HJT LOG___
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:39 AM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143691798\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3490] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9278] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKUS\S-1-5-18\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Bingo - http://download2.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178974640734
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 10756 bytes


----------



## Cookiegal

Go to Control Panel - Add/Remove programs and remove:

*WildTangent*

Delete this file:

C:\Program Files\*temp01*

Delete this folder:
C:\Program Files\*WildTangent*

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply.*

Click *Close* to exit the program.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under *Upgrading Java*, to download and install the latest vesion.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.
*Upgrading Java*: 

Download the latest version of *Java Runtime Environment (JRE) 6 Update 7*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the *jre-6u6-windows-i586-p.exe* and select "Run as an Administrator.")

*Post a new HiJackThis log along with the results from the SuperAntiSpyware and Kaspersky scans.*


----------



## speedy0926

I was unable to run and install both SUPERAntiSpyware and Kaspersky WebScanner.
Received error: The system administrator has set policies to prevent this installation.
I am logged into the pc as administrator in safe mode.


----------



## Cookiegal

Download *OTScanIt.exe *to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
Disconnect from the Internet.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
Open the *OTScanIt* folder and double-click on OTScanIt.exe to start the program.
Check the box that says *Scan All User Accounts*
Under Drivers select the radio button for *All*
Check the Radio buttons for Files/Folders Created Within *30 Days* and Files/Folders Modified Within *30 Days* 
Under Additional Scans check the following:
Reg - BotCheck
Reg - Disabled MS Config Items
Reg - IE Zones & Template Policies Details
Reg - Security Settings
Reg - Software Policy Settings
Reg - Uninstall List
File - Additional Folder Scans
Evnt - EventViewer Errors/Warnings (last 7 days)

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it automatically.
Save that Notepad file. Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Reply* button and upload Notepad file here as an attachment please.


----------



## speedy0926

I've done as instructed. The file is attached.


----------



## ~Candy~

You might think about changing your name speedy


----------



## Cookiegal

Start *OTScanIt*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.



Code:


[Kill Explorer]
[Registry - Non-Microsoft Only]
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\\NoAddRemovePrograms -> 1
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-2373598493-468869495-574161549-500] > -> HKEY_USERS\S-1-5-21-2373598493-468869495-574161549-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_USERS\S-1-5-21-2373598493-468869495-574161549-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\\NoAddRemovePrograms -> 1
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 2 domain(s) and sub-domain(s) not assigned to a zone. -> 
[Registry - Additional Scans - Non-Microsoft Only]
< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
YN -> {7148F0A8-6813-11D6-A77B-00B0D0142030} -> Java 2 Runtime Environment, SE v1.4.2_03
YN -> ViewpointMediaPlayer -> Viewpoint Media Player
[Files/Folders - Created Within 30 days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]


----------



## speedy0926

results:
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\\NoAddRemovePrograms deleted successfully.
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall not found.
[Registry - Additional Scans - Non-Microsoft Only]
[Files/Folders - Created Within 30 days]
C:\WINDOWS\msdownld.tmp folder deleted successfully.
[Files/Folders - Modified Within 30 days]
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 07242008_073636

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:14 AM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143691798\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3490] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9278] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKUS\S-1-5-18\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Bingo - http://download2.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178974640734
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 10803 bytes


----------



## Cookiegal

Are you still not able to boot to normal mode?


----------



## speedy0926

In safe mode with networking I am able to launch ie and browse the web, however, still get "Administrator has set policies to prevent this installation " when trying to install/remove programs. In normal mode, I have no access to the web either by launching explorer thru desktop link or entering url in run I receive the following: "Windows cannot access the specified device path or file. You may not have the appropriate permissions to access the item This occurs with a profile that has full admin rights.


----------



## Cookiegal

Please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## speedy0926

Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 7/31/2008
Time: 12:23:54 PM
User: CHITO\Administrator
Computer:	CHITO
Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_15_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 7/31/2008
Time: 12:22:21 PM
User: CHITO\Administrator
Computer:	CHITO
Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_15_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Warning
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1001
Date: 7/31/2008
Time: 12:05:23 PM
User: CHITO\MIke
Computer:	CHITO
Description:
Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	ESENT
Event Category:	General 
Event ID:	490
Date: 6/29/2008
Time: 10:28:43 PM
User: N/A
Computer:	CHITO
Description:
svchost (1436) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\edb.log" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 7/12/2008
Time: 1:04:02 AM
User: CHITO\Administrator
Computer:	CHITO
Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_15_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1512
Date: 6/25/2008
Time: 1:26:29 AM
User: NT AUTHORITY\SYSTEM
Computer:	CHITO
Description:
Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.

DETAIL - Insufficient system resources exist to complete the requested service.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	MRxSmb
Event Category:	None
Event ID:	8003
Date: 8/1/2008
Time: 11:59:46 PM
User: N/A
Computer:	CHITO
Description:
The master browser has received a server announcement from the computer ALFARO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{FD91D039-B993-4182-86. The master browser is stopping or an election is being forced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 03 00 4e 00 ......N.
0008: 00 00 00 00 43 1f 00 c0 ....C..À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 7/16/2008
Time: 1:01:30 PM
User: CHITO\Administrator
Computer:	CHITO
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service StiSvc with arguments "" in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 7/16/2008
Time: 12:52:58 PM
User: N/A
Computer:	CHITO
Description:
The following boot-start or system-start driver(s) failed to load: 
Fips
intelppm
tmtdi

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 7/12/2008
Time: 1:04:02 AM
User: CHITO\Administrator
Computer:	CHITO
Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_15_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 7/11/2008
Time: 10:17:32 PM
User: CHITO\Administrator
Computer:	CHITO
Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_15_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 7/11/2008
Time: 10:37:35 PM
User: CHITO\Administrator
Computer:	CHITO
Description:
The installation of http://javadl.sun.com/webapps/download/GetFile/1.6.0_07-b06/windows-i586/jre1.6.0_07-iftw.msi is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	MsiInstaller
Event Category:	None
Event ID:	1008
Date: 7/11/2008
Time: 11:05:23 PM
User: CHITO\Administrator
Computer:	CHITO
Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISCDDCBBF1270346BC938BBCC81A1EEAAA_4_15_0_1000.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Rollin' Rog

Run *regedit* and verify that there are no policy restrictions disabling installer under this key:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]

If there are, just right click on them and delete them. A reboot may be necessary.

The restriction name would be "DisableMsi"

Also, as a test, if you are logging in as Administrator in Safe Mode -- could you try creating a new User Account and giving it Administrative rights and test these issues under the new account in normal mode?

One more thing, just to make sure the account you are having problems with in "normal" mode really has administrative rights, would you right click on the Start tab and see if "open" and "explore" "All Users" is present?

*Edit:*

By the way, evidently this problem may also be encountered on computers which have insufficient disk space available. How much free space exists on this drive?

http://www.eventid.net/display.asp?eventid=1008&eventno=9140&source=MsiInstaller&phase=1


----------



## speedy0926

Policy in path provided was not found. The only things listed in the path provided is default and EnableAdminTSR. 
Issues still persisted with newly created user account with admin rights.
In normal mode open" and "explore" "All Users" is present for user account with admin rights.
Disk is 83% free.


----------



## Rollin' Rog

Do you have XP PRO or Home? If PRO, look at how "software restriction Policies" are defined using the tools available in PRO. You can delete them as they are not enabled by default.

http://support.microsoft.com/kb/310791
http://www.mechbgon.com/srp/
http://technet.microsoft.com/en-us/library/bb457006.aspx

Run: *secpol.msc* >>










If you have XP Home, these keys should not be present -- but check to see if somehow they have been added >>

*HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Group Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Group Policy*

--------------------------------------------------------------------------------------------------------------
I think what you are seeing is defined above, but an installer log will verify this >>

Let's see if we can find a clue in the installer logs for these applications.

Go to start and run *%temp%*

This will open up your temporary file directory.

Do a search for

*Msi*.log*

There should be some recent ones -- check the dates. If not, follow these instructions to enable installer logging with "verbose" output and try again after a failed installation.

http://www.pctools.com/guides/registry/detail/1127/


----------



## speedy0926

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Group Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Group Policy

They are both present. 

The search for Msi*.log was not successful.


----------



## Rollin' Rog

Very strange -- I can't completely interpret what I see in the right pane but I assume that I am seeing a SID (Security Identifier) and a policy which disables installs assocated with it. Since there are many other entries under the Group Policy key -- many policies must have been set.

In any case this "Group Policy" key as a whole does not belong in XP Home. You can compare what should be with my screenshot

Right click on the "Group Policy" key in the left pane and delete it. (Or if this is XP Pro, follow the directions previously given to run secpol.msc)

If it refuses to delete, right click on it again and select Permissions and give Everyone Full control or and delete it again.

Do this for both instances of the key (HKLM and HKCU)

Reboot and test the issue.

*edit* -- by the way, in your OT scan I've also discovered this >>

*GroupPolicy -> %SystemRoot%\System32\GroupPolicy -> [Folder | Modified Date = 7/11/2008 10:22:00 PM | Attr = H ]*

This is a "Hidden" folder, but you should be able to see it by checking "show hidden files and folders" in Folder Options > View.

I would rename or delete it. Its modification date may be an indication of who or what or how this was installed.

I have not seen this on XP Home -- to use Group olicy on Home normally requires installation of several "PRO" related files, in particular *gpedit.msc* and a few dlls.

You should see if that is present; it is not malicious in itself -- just the Group Policy editor.


----------



## speedy0926

XP Home Edition svp 2 is installed on the machine. Which should I do? I can run secpol.msc. In secpol.msc Security Levels is set for unrestricted; however, there are the following additional rules:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \CurrentVersion\ProgramFilesDir%


I've deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Group Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Group Policy 

Also don't know if I was supposed to delete Group Policy Objects from USERS but I deleted it as well.

Deleted: %SystemRoot%\System32\GroupPolicy folder as well.


----------



## Rollin' Rog

By default Secpol.msc should be showing nothing in the "Software Restriction Policies" folder -- but the message "No Software Restriction Policies Defined"

So I would delete anything you see in that right pane. Don't delete anythinng else. What you should be seeing is just what is here >>










In fact by default, secpol.msc shouldn't even be in XP home.

Someone knew what they were doing to install these -- either an experienced system administrator (I wouldn't have known without research) -- or someone who had access to 3rd party software which could do it -- and who knew how to use it to accomplish such a thorough lockdown.

Any clues for us on how this happened?


----------



## speedy0926

No clue as to how this occurred. No one that uses the machine is an advanced computer user. After the deletions done in my last posting, secpol.msc shows exactly as it should compared to your screenshot. I went back into the registry and the folders I've deleted : 
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Group Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Group Policy 
have reappeared after rebooting the computer.


----------



## Rollin' Rog

Does secpol.msc still show any software policy restrictions after the reboot? Use Secpol to delete them rather than the direct registry edit.

Have those keys repopulated with all the same values as before?

I don't know what would cause that to re-appear unless there is a hidden program doing it.

Some further rootkit analysis might be needed, but Cookiegal will have to help you with that.

Can you post a screenshot of what you are seeing in Secpol.msc if there are restrictions that are appearing?

Post something similar to the attached image below which is the default for Vista Business with no restrictions enabled.


----------



## speedy0926

Secpol.msc now shows no software restriction policies policies defined as in the image you provided. Here is the screenshot of secpol.msc after a reboot.


----------



## Rollin' Rog

And yet the registry entries and all other problems remain unchanged?

If that is the case about all I can suggest is this >>

http://www.winhelponline.com/blog/reset-the-registry-and-the-file-permissions-in-windows-xp/

http://www.microsoft.com/downloads/...56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

Try the subinacl utility as explained above. His directions are almost identical to MS's for certain service pack issues.


----------



## speedy0926

Upon booting up at the Dell screen I pressed F12 then booted from main disk. Once loaded up to windows I logged into a user account with admin rights. I was able to download and run Superantispyware fixed errors and updated to service pack 3, after a reboot all issues were not duplicated. I was able to launch explorer and download other software without getting the windows installer message: Administrator has set policies to prevent this installation.


----------



## Cookiegal

That's good. 

Please post the SuperAntiSpyware log.


----------

