# Solved: Not working: System Restore, Defrag, CPU-100%



## S-pie (Sep 27, 2007)

Hello,

I have a newer computer (less than 1 year old). A few days ago, after trying to play a DVD from a trusted company, it would not load, my CPU usage now hovers near 100%, web sites are very slow in loading, if they load at all, defrag will no longer work, System Restore will not restore my computer to an earlier date, no matter how many restore points I try. The dialog box response is: "Restoration Incomplete. Your computer cannot be restored to __(date)___ . No changes have been made to your computer. To choose another restore point, restart System Restore. To restart System Restore, click Home." Safe Mode shows the same message.

The web pages, hang, programs are non-responsive, the keyboard pauses before typing several keys at once. All of these problems began right after I tried to play that DVD. Device Manager lists these specs. for my DVD/CDROM drive: HL-DT-ST RW/DVD GCC-44828.

Defrag finally worked, but took several hours, instead of the usual 40 minutes. Check disk now takes several hours, instead of the usual 50 minutes.

I have Norton Internet Security Suite, 2007 installed as my default antivirus program. I use Windows Defender, Spy Bot, AdAware as manual protection. I have automatic updates enabled and manually check for updates before I run any of my antivirus programs. None of these programs could detect anything wrong, any viruses.

Playing that DVD is of no interest to me; getting my computer back to its prior functionality is. The down time has been very costly.

Thank you for any help/suggestions on fixing these problems.

S-pie


----------



## MikeSwim07 (Apr 28, 2007)

When you press CTRL+ALT+DEL and click *Processes* what *Image name* is running at High Computer usage?


----------



## S-pie (Sep 27, 2007)

MikeSwim07.

By image name do you mean the process? Three processes have high CPU usage: agent.exe, ISUSPM.exe and System Idle Process.

Thank you.

S-pie


----------



## vicks (Jan 31, 2005)

One thing you can try (I had to do this recently) right click on my computer, select system restore, settings and reduce the amount of space alloted to restoration points. That made a BIG difference on my computer.
vicks


----------



## S-pie (Sep 27, 2007)

Vicks,

I did as you suggested and moved my slider to the left to reduce the 12% maximum restore point allowance. As I stated in my original message, System Restore doesn't work in normal or safe mode. After I turned off System Restore, thereby removing all of the restore points, restart my computer, then turned System Restore back on, create a new restore point, test it, it still refuses to work and dialogs a "Restoration Incomplete" message.

I believe all of these functions, which are now failing, started after I tried to play that DVD from the trusted source.

Any other suggestions will be greatly appreciated--this computer is not working.

S-pie


----------



## vicks (Jan 31, 2005)

Sounds to me like you might have an infection of some type. I would suggest you move your post to malware removal and hopefully one of the people with the gold shield will be able to 'talk' you thru the process to be sure your system is clean. I always try to scan a 'borrowed' disk with my antivirus before running them.
I wish you luck. It can be frustrating.
vicks.


----------



## S-pie (Sep 27, 2007)

Vicks,

Thank you, Vicks. I had a boot-sector virus 2 months ago; it took IBM/Lenovo several hours before they gave up and suggested I try Symantec (Norton). Symantec tried to fix my computer remotely, but the virus blocked their access codes, so they had me manually type code after code in their attempt to gain access and take over my computer.

After calling several of their supervisors, who also failed to gain remote access to my computer, a code I typed manually, at their instructions, finally broke through the virus's stranglehold on my computer.

They then took remote control of my computer and--no exaggeration--worked on my computer for the next 10 hours, over 2 days. (IBM tried for 2 hours prior). They discovered the virus's signature and found that it had infected my entire operating system, hence the reason Windows XP, Home Edition, SP2 would not boot.

Symantec thinks that an email attachment from a trusted site caused the initial infection that penetrated my entire OS. (I have automatic e-mail scan by Trend Micro)

I did not have to scrub my disk, but for safety, scrubbed all of my Restore Points.

I will not switch to the other forum. Thank you, again, for your help.

S-pie


----------



## S-pie (Sep 27, 2007)

Vicks,

The last line of the previous post should have said: "I will NOW switch, not I will NOT switch--oops.

S-pie


----------



## wparrish (Sep 28, 2007)

Have you attempted the System Restore while running in safe mode?


----------



## S-pie (Sep 27, 2007)

Wparrish,

Yes, as I stated in my initial post, using System Restore in safe mode dialoged the exact same message as normal mode: "Restoration Incomplete. Your computer cannot be restored to (___date___). No changes have been made to your computer. To choose another restore point, restart System Restore. To restart System Restore, click Home."

That above message dialogue in both safe and normal modes. My DSL computer is now acting like a dial-up dinosaur.

S-pie


----------



## wparrish (Sep 28, 2007)

Are you using Norton?

Situation:

You have installed a 2006 version of a Norton program, such as Norton AntiVirus 2006, Norton Internet Security 2006, Norton Personal Firewall 2006, or Norton SystemWorks 2006. You run the Windows System Restore to restore your computer to a previous point. When you do, you see the message: "Restoration Incomplete. Your computer cannot be restored . . . "

Solution:
To fix this problem, follow the steps in this section. You will disable the Symantec Resource Protection feature, run Windows System Restore again, and then turn on Symantec Resource Protection.

To turn off Symantec Resource Protection and run Windows System Restore again

Start your Norton program.
Click Options.
If you see a menu, click Norton AntiVirus.
In the left pane, click Miscellaneous.
In the right pane, uncheck Turn protection on for my Symantec protect.
Click OK.
Run Windows System Restore again.
When the system is restored, go on to the next section.

To turn on Symantec Resource Protection
Start your Norton program.
Click Options.
If you see a menu, click Norton AntiVirus.
In the left pane, click Miscellaneous.
In the right pane, check Turn protection on for my Symantec protect.
Click OK.

You must repeat each of these procedures any time that you run Windows System Restore.


----------



## wparrish (Sep 28, 2007)

Otherwise you can check these things:
Try these steps if System Restore does not appear to work:

1. Ensure the System Restore service is running. verify that System
Restore services are running from Control Panel:

Click Start, Control Panel -> Performance and Maintenance ->
Click Administrative Tools -> Computer Management -> Services and
Applications. Click Services - >click System Restore Services. Ensure
the service is set to Automatic and the status is Started.

2. Verify that you have enough free space on all your drives as
required by System Restore. If the free space on any partition system
restore is monitoring falls below 50 MB, System Restore will suspend
and purge out all restore points to free up disk space. It will
automatically reactivate when 200 MB+ free space is available.

3. Examine event logs for any system restore-related errors that
could help you identify the problem.


----------



## NE_COMPUTERGUY (Sep 28, 2007)

What are some of the tasks you do on your computer to clean up files??

I have many clients that do not monitor their TEMP directories and I find GIGABYTES of files waiting in there areas that are the cause of their major slowdowns.

c:\documents and settings\user ID\local settings\TEMP

Delete all contents, if item does not want to be deleted, uncheck item and continue to delete all other files here.

Another item, when it comes to internet related problems, many of the Internet Explorer computers I have seen have their temporary internet files buffering at 1024 MB of data instead of 256MB or less. If using broadband, I suggest 128MB minimum as you don't use more than that unless you're collecting YouTube.com videos.

Inside the Windows folder, when new windows updates are found to be functioning fine on this system, do you remove the temporary directory left for uninstall by Microsoft?? These can add up to big MBs also. There is another folder that houses these updates as well, "SoftwareDistribution", inside this folder there is a "Downloads" folder and this houses new updates recently downloaded from Microsoft, whether your computer needs them or not, or perhaps it DID use them, but the writer forgot to write in the auto move or deletion of these files, that happens too. I find this folder to contain MBs of useless junk too. 

There is also a TEMP folder inside Windows, this is left for OLD 16-bit applications as I see it. Older programs that ran in previous versions of windows saved their TEMP files in the Windows Directory. Check to see that this folder is NOT full of files as well.

These simple tasks also improve the speed and ability of the computer and has helped with allowing the disk defragmenter to function better too.


----------



## S-pie (Sep 27, 2007)

wparrish,

Thank you. I will now try your suggestions. Symantec, upon discovering the boot-sector virus on my machine, uninstalled their 2006 Norton antivirus program and, after removing all traces of the virus, installed their 2007 Norton Internet Security Suite on my machine.

I have printed your suggestions, read them carefully, and will now try them.
Thank you for this help. I will post my results.

S-pie


----------



## S-pie (Sep 27, 2007)

NE_COMPUTERGUY

I regularly clean disk, defrag, then checkdisk. I also use a registry cleaner. I manually update my alternative antivirus programs and also update my automatic, default antivirus program (Norton). 

I empty my Recycle Bin and clean my history at desktop and website level in addition to using the clean disk utility.

My System Restore no longer works, even in safe mode. My Disk Deframenter also no longer functions. MY Task Manager shows CPU usage hovering consistently around 100%. ISUSPM.exe, agent, and System Idle Process are now listing very high CPU usage. My Event Viewer, application window lists ALL warnings, with msinstaller listed as the source.

I am very careful about e-mails, whose attachments are automatically scanned by Trend Micro. My firewall monitors incoming and outgoing activity. Something is definitely wrong with my computer.

I will read your suggestions carefully to determine if any of these situations apply to my computer. 

Thank you for your help.

S-pie


----------



## Triple6 (Dec 26, 2002)

Before we move this thread lets see a Hijackthis log.



Cookiegal said:


> *Click here* and then scroll down to and click on *hijackthis self installer* to download *HJTsetup.exe*
> 
> Save HJTsetup.exe to your desktop.
> Double click on the HJTsetup.exe icon on your desktop.
> ...


----------



## vicks (Jan 31, 2005)

S-pie said:


> Vicks,
> 
> Thank you, Vicks. I had a boot-sector virus 2 months ago; it took IBM/Lenovo several hours before they gave up and suggested I try Symantec (Norton). Symantec tried to fix my computer remotely, but the virus blocked their access codes, so they had me manually type code after code in their attempt to gain access and take over my computer.
> 
> ...


When I suggested changing forum, I did not mean a different site, just a different part of this site. There are several volunteers qualified to specialize in malware/virus/trojan removal and THEY ARE GOOD!!!!
vicks


----------



## S-pie (Sep 27, 2007)

Vicks,

Thank you. I knew what you meant from your original post; Lenovo (IBM) took over because my warranty is with them. They then referred me to Symantec and had their antivirus code writers diagnose my past problem. I will only contact Symantec as a last resort--they're expensive.

S-pie


----------



## S-pie (Sep 27, 2007)

Dear Triple6,

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:14 PM, on 9/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {975BA4C8-C5A7-4CFD-9F42-10CF4B75F580} (Actx Control) - https://expertslive.lenovo.com/home/activex/actx.cab
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer001\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer001\MathMLMimer.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 12479 bytes

Thank you for your help--I sure need it.

S-pie


----------



## Cookiegal (Aug 27, 2003)

I don't see anything malware related in the log but there are things that don't show in a HJT log so let's do the following:

Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

Notice: Some security-programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn of your security programs while rootchk is scanning (you should then unhook your network connection as well).

Download and install *AVG Anti-Spyware v7.5*. Note to AVG Free anti-virus program users only: This is not the same program as the one you already have, this is an anti-spyware program so please proceed with the instructions. 

After download, double click on the file to launch the install process. 
Choose a language, click "*OK*" and then click "*Next*". 
Read the "_License Agreement_" and click "*I Agree*". 
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "*Next*", then click "*Install*". 
After setup completes, click "*Finish*" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray. 
The main "*Status*" menu will appear. Select "_Change state_" to inactivate '*Resident Shield*' and '*Automatic Updates*'. _As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them._ 
Then right click on AVG Anti-Spyware in the system tray and *uncheck* "*Start with Windows*". 
Connect to the Internet, go back to AVG Anti-Spyware, select the "*Update*" button and click "*Start update*". 
Wait until you see the "_Update successful_" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer. 
Exit AVG Anti-Spyware when done - *DO NOT perform a scan yet*.
*Reboot your computer in SAFE MODE* using the *F8* method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". _(Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this happens press Alt + Spacebar. A menu will come open, make sure you select maximize then run the scan. If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)_

*Scan with AVG Anti-Spyware as follows*:
Click on the "*Scanner*" button and choose the "*Settings*" tab.

Under "*How to act?*", click on "*Recommended actions*" and choose "*Quarantine*" to set default action for detected malware. 
Under "*How to Scan? *", "*Possibly unwanted software*", and *What to Scan?*" leave all the default settings. 
Under "*Reports*" select "*Do not automatically generate reports*". 
Click the "*Scan*" tab to return to scanning options. 
Click "*Complete System Scan*" to start. 
When the scan has finished, it should automatically be set to *Quarantine*--if not click on _Recommended Action_ and set it there. 
You will also be presented with a list of infected objects found. Click "*Apply all actions*" to place the files in Quarantine.
_*IMPORTANT!* Do not save the report before you have clicked the :*Apply all actions* button. If you do, the log that is created will indicate "*No action taken*", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button._
Click on "*Save Report*" to view all completed scans. Click on the most recent scan you just performed and select "*Save report as*" - the default file name will be in date/time format as follows: *Report-Scan-20060620-142816.txt*. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\ 
Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.
_Note: Close all open windows, programs, and *DO NOT USE the computer while AVG Anti-Spyware is scanning*. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection._

_AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version. We are installing AVG Anti-Spyware with its real-time protection disabled. Once your system is clean you may re-enable it so you can continue using this feature for the remainder of the trial period._

Please go *HERE* to run Panda's ActiveScan
You need to use IE to run this scan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans and the rootchk log.*


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

This is the log I received from rootchk.exe, after I disabled my antivirus program.:

********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh
Mon 10/01/2007 15:33:50.92

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end

catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-01 15:33:51
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0


----------



## Cookiegal (Aug 27, 2003)

That's fine. Please run the other scans I requested.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Here are the other two scans and the Hijackthis log you instructed me to post:

PANDA SCAN

Incident Status Location

Adware:adware/cws Not disinfected C:\Documents and Settings\Cathy Chapman\Favorites\health 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][2].txt 
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][1].txt 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][1].txt 
Adware:Adware/VideoActiveXAccess Not disinfected C:\Documents and Settings\Cathy Chapman\Local Settings\Temp\RegCureUpdate_1_5_0_0.exe[uninst.exe] 
Adware:Adware/VideoActiveXAccess Not disinfected C:\Program Files\RegCure\uninst.exe 
HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:31 PM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Cathy Chapman\Desktop\HJTsetup.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {975BA4C8-C5A7-4CFD-9F42-10CF4B75F580} (Actx Control) - https://expertslive.lenovo.com/home/activex/actx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer001\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer001\MathMLMimer.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 11507 bytes

Cookiegal,

I cannot find the AVG scan, yet I followed your explicit instructions and was careful to first click "Apply all actions". I then saved it. In your instructions above, you state "Under "Reports" select "Do not automatically generate reports". Could that be a reason why I cannot find that saved file?

Thank you for your help.

S-pie


----------



## Cookiegal (Aug 27, 2003)

S-pie said:


> In your instructions above, you state "Under "Reports" select "Do not automatically generate reports". Could that be a reason why I cannot find that saved file?
> S-pie


It shouldn't unless they've fixed the bug where it wouldn't generate a report unless we selected that.

Please download *SmitfraudFix* (by *S!Ri*)

Extract (unzip) the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Thank you. Here is the SmitfraudFix.cmd, per your instructions:

SmitFraudFix v2.235

Scan done at 0:50:04.04, Wed 10/03/2007
Run from C:\Documents and Settings\Cathy Chapman\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Cathy Chapman

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Cathy Chapman\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CATHYC~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Rhine II Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AE8074AC-821A-4EAC-B8EE-B5A7E1BF24EE}:

DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AE8074AC-821A-4EAC-B8EE-B5A7E1BF24EE}:

DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AE8074AC-821A-4EAC-B8EE-B5A7E1BF24EE}:

DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AE8074AC-821A-4EAC-B8EE-B5A7E1BF24EE}:

DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Cookiegal (Aug 27, 2003)

Download *ComboFix* and save it to your desktop.

***Note: It is important that it is saved directly to your desktop***


Close any open browsers. 
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. 
Double click on *combofix.exe* and follow the prompts.

When finished, it will produce a report for you. Please post the *C:\ComboFix.txt* along with a *new HijackThis log* for further review.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Here are my ComboFix and HijackThis logs, per your instructions. Thank you. S-pie

COMBOFIX LOG

ComboFix 07-10-03.11 - Cathy Chapman 2007-10-03 16:31:43.1 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.158 [GMT -4:00]
Running from: C:\Documents and Settings\Cathy Chapman\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))
.

2007-10-03 16:29	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-10-03 00:50	2,348	--a------	C:\WINDOWS\system32\tmp.reg
2007-10-03 00:46	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-10-03 00:46	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-10-03 00:46	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2007-10-03 00:46	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-10-03 00:46	25,088	--a------	C:\WINDOWS\system32\WS2Fix.exe
2007-10-01 17:32 d--------	C:\WINDOWS\system32\ActiveScan
2007-10-01 15:51	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-01 11:00 d--------	C:\Documents and Settings\Cathy Chapman\(null)
2007-09-30 09:43 d--------	C:\Documents and Settings\Administrator.CATHYCC.000\Application Data\Symantec
2007-09-30 09:43 d--------	C:\Documents and Settings\Administrator.CATHYCC.000\Application Data\IBM
2007-09-30 09:43 d--------	C:\Documents and Settings\Administrator.CATHYCC.000\Application Data\Google
2007-09-29 21:34 d--------	C:\Program Files\Trend Micro
2007-09-26 14:37 d--------	C:\Program Files\Uniblue
2007-09-25 23:39 d--------	C:\Program Files\Common Files\Lenovo
2007-09-24 20:52 d--------	C:\Documents and Settings\Cathy Chapman\Application Data\Uniblue
2007-09-21 18:56 d--------	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-21 18:54 d--------	C:\Program Files\InterVideo Information Service
2007-09-21 18:54 d--------	C:\Program Files\Common Files\Ulead
2007-09-21 18:39 d--h-----	C:\WINDOWS\msdownld.tmp
2007-09-21 04:37 d--------	C:\Program Files\Common Files\xing shared
2007-09-21 03:17 d--------	C:\DECCHECK
2007-09-18 14:43	43,696	--a------	C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 14:43	317,616	--a------	C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 14:43	278,576	--a------	C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-10 10:17 d--------	C:\WINDOWS\system32\tvia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 16:20	---------	d--------	C:\Program Files\Common Files\Symantec Shared
2007-10-03 15:37	---------	d--------	C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-03 15:21	805	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 15:21	60800	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-03 15:21	123952	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 15:21	10740	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 15:21	---------	d--------	C:\Program Files\Symantec
2007-10-01 18:07	---------	d--------	C:\Program Files\Windows Live Toolbar
2007-10-01 18:07	---------	d--------	C:\Program Files\Windows Desktop Search
2007-10-01 18:07	---------	d--------	C:\Program Files\Windows Defender
2007-10-01 18:07	---------	d--------	C:\Program Files\Verizon
2007-10-01 18:04	---------	d--------	C:\Program Files\Norton Internet Security
2007-10-01 18:01	---------	d--------	C:\Program Files\Google
2007-10-01 18:00	---------	d--------	C:\Program Files\Common Files\Motive
2007-10-01 18:00	---------	d--------	C:\Program Files\Common Files\Command Software
2007-09-27 09:55	---------	d--------	C:\Program Files\Yahoo!
2007-09-25 23:39	---------	d--------	C:\Program Files\Lenovo
2007-09-25 10:29	---------	d--------	C:\Program Files\Rhapsody
2007-09-25 10:06	---------	d--------	C:\Program Files\Real
2007-09-25 10:03	---------	d--------	C:\Documents and Settings\Cathy Chapman\Application Data\Real
2007-09-24 16:54	5427	--a------	C:\WINDOWS\system32\EGATHDRV.SYS
2007-09-24 16:01	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-09-24 16:00	---------	d--------	C:\Program Files\Windows Media Connect 2
2007-09-24 16:00	---------	d--------	C:\Program Files\Common Files\Corel
2007-09-24 12:04	---------	d--------	C:\Program Files\Corel
2007-09-23 05:59	---------	d--------	C:\Program Files\QuickTime
2007-09-21 04:37	---------	d--------	C:\Program Files\Common Files\Real
2007-09-18 14:44	1430	--a------	C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 14:44	1421	--a------	C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 14:44	1415	--a------	C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 14:44	10662	--a------	C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 14:44	10662	--a------	C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 14:44	10658	--a------	C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-14 15:51	6686	--ahs----	C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-10 12:45	---------	d--------	C:\Program Files\PCDR5
2007-08-29 14:17	---------	d--------	C:\Documents and Settings\Cathy Chapman\Application Data\MSN6
2007-08-25 13:47	---------	d--------	C:\Program Files\RegCure
2007-08-19 09:02	---------	d--------	C:\Program Files\MTV Networks
2007-08-19 08:39	---------	d--------	C:\Program Files\Windows Media Connect
2007-08-11 23:34	---------	d--------	C:\Documents and Settings\All Users\Application Data\Lenovo
2007-08-10 05:40	---------	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-06 21:57	---------	d--------	C:\Program Files\hp deskjet 940c series
2007-07-30 19:19	92504	--a------	C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19	92504	--a------	C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19	53080	--a------	C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19	271224	--a------	C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19	207736	--a------	C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\system32\wups.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\system32\dllcache\wups.dll
2007-07-20 00:57	267112	--a------	C:\WINDOWS\system32\xactengine2_9.dll
2007-07-20 00:54	18280	--a------	C:\WINDOWS\system32\x3daudio1_2.dll
2007-07-19 18:14	444776	--a------	C:\WINDOWS\system32\d3dx10_35.dll
2007-07-19 18:14	3727720	--a------	C:\WINDOWS\system32\d3dx9_35.dll
2007-07-19 18:14	1358192	--a------	C:\WINDOWS\system32\D3DCompiler_35.dll
2007-07-19 02:59	3583488	--a------	C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-18 13:51	279816	--a------	C:\WINDOWS\system32\RealTime.scr
2007-07-12 19:31	765952	--a------	C:\WINDOWS\system32\dllcache\vgx.dll
2007-01-10 16:31	439296	---------	C:\Documents and Settings\Cathy Chapman\GoToAssist_phone__317_en.exe
2006-12-05 11:08	439296	---------	C:\Documents and Settings\Cathy Chapman\remote.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EarthLink Installer"=" /C" []
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-21 04:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 14:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-11-21 14:50 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A Verizon App]
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauthe]
"C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EarthLink Installer]
" /C

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IBM Warranty Notification]
"C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTimeDesktop.exe]
"C:\Program Files\Real\RealTime\RealTimeDesktop.exe" -NoBrowser

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

R2 ibmfilter;ibmfilter;\??\C:\WINDOWS\system32\drivers\ibmfilter.sys
R2 smi2;smi2;\??\C:\Program Files\SMI2\smi2.sys
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys
S3 PCD5SRVC{5964019C-62DD3083-05010003};PCD5SRVC{5964019C-62DD3083-05010003} - PCDR Kernel Mode Service Helper Driver;\??\C:\PROGRA~1\PCDR5\PCD5SRVC.pkms

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-03 20:11:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-03 19:44:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
"2007-09-29 07:21:09 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Cathy Chapman.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
"2007-10-03 19:23:24 C:\WINDOWS\Tasks\RegCure Program Check.job"
"2007-09-13 08:14:42 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-10-01 07:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
"2007-10-03 02:05:53 C:\WINDOWS\Tasks\User_Feed_Synchronization-{516BBBE5-428C-43E1-B291-1BE626C7C587}.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 16:33:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-03 16:34:18
.
--- E O F ---

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:06 PM, on 10/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {975BA4C8-C5A7-4CFD-9F42-10CF4B75F580} (Actx Control) - https://expertslive.lenovo.com/home/activex/actx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer001\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer001\MathMLMimer.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 11034 bytes

Thank you, Cookiegal.

S-pie


----------



## Cookiegal (Aug 27, 2003)

Nothing really there. Just a couple of things I want to check.

Do you recognize this folder as something you created?

C:\Documents and Settings\Cathy Chapman\*(null)*

Go to *Start* - *Search* - *All Files and Folders* and under *More advanced search options*. 
Make sure there is a check by *Search System Folders* and *Search hidden files and folders* and *Search system subfolders*.

Next click on *My Computer*. Go to *Tools* - *Folder Options*. Click on the View tab and make sure that *Show hidden files and folders* is checked. Also uncheck *Hide protected operating system files* and *Hide extensions for known file types*. Now click *Apply to all folders*. Click *Apply* then *OK*.

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

*C:\Documents and Settings\Cathy Chapman\remote.exe*


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Here are the results from uploading, C:\Documents and Settings\Cathy Chapman\remote.exe to the site: http://virusscan.jotti.org/:

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan: 
Service 
Service load: 0% 100%

File: remote.exe 
Status: OK 
MD5: 5b7b6b4f2d7de2c47fbed1c96f91f615 
Packers detected: - 
Bit9 reports: File not found

Scanner results 
Scan taken on 04 Oct 2007 04:25:29 (GMT) 
A-Squared Found nothing 
AntiVir Found nothing 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found nothing 
BitDefender Found nothing 
ClamAV Found nothing 
CPsecure Found nothing 
Dr.Web Found nothing 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found nothing 
Fortinet Found nothing 
Kaspersky Anti-Virus Found nothing 
NOD32 Found nothing 
Norman Virus Control Found nothing 
Panda Antivirus Found nothing 
Rising Antivirus Found nothing 
Sophos Antivirus Found nothing 
VirusBuster Found nothing 
VBA32 Found nothing

Thank you, Cookiegal.

S-pie


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

No, I do not recognize the file: C:\Documents and Settings\Cathy Chapman\(null).
I did not create it and only I have access to this computer.


----------



## Cookiegal (Aug 27, 2003)

Let's take a look and see what's in that folder.

Open Notepad and copy and paste the text in the quote box below into it:



> DirLook::
> C:\Documents and Settings\Cathy Chapman\(null)


Save the file to you desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Per your instructions, below is the ComboFix and HijackThis logs. Thank you, S-pie.

COMBOFIX LOG:

ComboFix 07-10-03.11 - Cathy Chapman 2007-10-04 18:16:01.2 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -4:00]
Running from: C:\Documents and Settings\Cathy Chapman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cathy Chapman\Desktop\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.

2007-10-03 16:29	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-10-03 00:50	2,348	--a------	C:\WINDOWS\system32\tmp.reg
2007-10-03 00:46	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-10-03 00:46	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-10-03 00:46	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2007-10-03 00:46	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-10-03 00:46	25,088	--a------	C:\WINDOWS\system32\WS2Fix.exe
2007-10-01 17:32 d--------	C:\WINDOWS\system32\ActiveScan
2007-10-01 15:51	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-01 11:00 d--------	C:\Documents and Settings\Cathy Chapman\(null)
2007-09-30 09:43 d--------	C:\Documents and Settings\Administrator.CATHYCC.000\Application Data\Symantec
2007-09-30 09:43 d--------	C:\Documents and Settings\Administrator.CATHYCC.000\Application Data\IBM
2007-09-30 09:43 d--------	C:\Documents and Settings\Administrator.CATHYCC.000\Application Data\Google
2007-09-29 21:34 d--------	C:\Program Files\Trend Micro
2007-09-26 14:37 d--------	C:\Program Files\Uniblue
2007-09-25 23:39 d--------	C:\Program Files\Common Files\Lenovo
2007-09-24 20:52 d--------	C:\Documents and Settings\Cathy Chapman\Application Data\Uniblue
2007-09-21 18:56 d--------	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-21 18:54 d--------	C:\Program Files\InterVideo Information Service
2007-09-21 18:54 d--------	C:\Program Files\Common Files\Ulead
2007-09-21 18:39 d--h-----	C:\WINDOWS\msdownld.tmp
2007-09-21 04:37 d--------	C:\Program Files\Common Files\xing shared
2007-09-21 03:17 d--------	C:\DECCHECK
2007-09-18 14:43	43,696	--a------	C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 14:43	317,616	--a------	C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 14:43	278,576	--a------	C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-10 10:17 d--------	C:\WINDOWS\system32\tvia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-04 18:03	---------	d--------	C:\Program Files\Common Files\Symantec Shared
2007-10-04 17:37	---------	d--------	C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-03 15:21	805	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 15:21	60800	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-03 15:21	123952	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 15:21	10740	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 15:21	---------	d--------	C:\Program Files\Symantec
2007-10-01 18:07	---------	d--------	C:\Program Files\Windows Live Toolbar
2007-10-01 18:07	---------	d--------	C:\Program Files\Windows Desktop Search
2007-10-01 18:07	---------	d--------	C:\Program Files\Windows Defender
2007-10-01 18:07	---------	d--------	C:\Program Files\Verizon
2007-10-01 18:04	---------	d--------	C:\Program Files\Norton Internet Security
2007-10-01 18:01	---------	d--------	C:\Program Files\Google
2007-10-01 18:00	---------	d--------	C:\Program Files\Common Files\Motive
2007-10-01 18:00	---------	d--------	C:\Program Files\Common Files\Command Software
2007-09-27 09:55	---------	d--------	C:\Program Files\Yahoo!
2007-09-25 23:39	---------	d--------	C:\Program Files\Lenovo
2007-09-25 10:29	---------	d--------	C:\Program Files\Rhapsody
2007-09-25 10:06	---------	d--------	C:\Program Files\Real
2007-09-25 10:03	---------	d--------	C:\Documents and Settings\Cathy Chapman\Application Data\Real
2007-09-24 16:54	5427	--a------	C:\WINDOWS\system32\EGATHDRV.SYS
2007-09-24 16:01	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-09-24 16:00	---------	d--------	C:\Program Files\Windows Media Connect 2
2007-09-24 16:00	---------	d--------	C:\Program Files\Common Files\Corel
2007-09-24 12:04	---------	d--------	C:\Program Files\Corel
2007-09-23 05:59	---------	d--------	C:\Program Files\QuickTime
2007-09-21 04:37	---------	d--------	C:\Program Files\Common Files\Real
2007-09-18 14:44	1430	--a------	C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 14:44	1421	--a------	C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 14:44	1415	--a------	C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 14:44	10662	--a------	C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 14:44	10662	--a------	C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 14:44	10658	--a------	C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-14 15:51	6686	--ahs----	C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-10 12:45	---------	d--------	C:\Program Files\PCDR5
2007-08-29 14:17	---------	d--------	C:\Documents and Settings\Cathy Chapman\Application Data\MSN6
2007-08-25 13:47	---------	d--------	C:\Program Files\RegCure
2007-08-19 09:02	---------	d--------	C:\Program Files\MTV Networks
2007-08-19 08:39	---------	d--------	C:\Program Files\Windows Media Connect
2007-08-11 23:34	---------	d--------	C:\Documents and Settings\All Users\Application Data\Lenovo
2007-08-10 05:40	---------	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-06 21:57	---------	d--------	C:\Program Files\hp deskjet 940c series
2007-07-30 19:19	92504	--a------	C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19	92504	--a------	C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19	53080	--a------	C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19	271224	--a------	C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19	207736	--a------	C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\system32\wups.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\system32\dllcache\wups.dll
2007-07-20 00:57	267112	--a------	C:\WINDOWS\system32\xactengine2_9.dll
2007-07-20 00:54	18280	--a------	C:\WINDOWS\system32\x3daudio1_2.dll
2007-07-19 18:14	444776	--a------	C:\WINDOWS\system32\d3dx10_35.dll
2007-07-19 18:14	3727720	--a------	C:\WINDOWS\system32\d3dx9_35.dll
2007-07-19 18:14	1358192	--a------	C:\WINDOWS\system32\D3DCompiler_35.dll
2007-07-19 02:59	3583488	--a------	C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-18 13:51	279816	--a------	C:\WINDOWS\system32\RealTime.scr
2007-07-12 19:31	765952	--a------	C:\WINDOWS\system32\dllcache\vgx.dll
2007-01-10 16:31	439296	---------	C:\Documents and Settings\Cathy Chapman\GoToAssist_phone__317_en.exe
2006-12-05 11:08	439296	---------	C:\Documents and Settings\Cathy Chapman\remote.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

---- Directory of C:\Documents and Settings\Cathy Chapman\(null) ----

2007-10-01 11:00	131	--a------	C:\Documents and Settings\Cathy Chapman\(null)\tvtsched.log

((((((((((((((((((((((((((((( [email protected]_16.33.40.32 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 4,385,344 2007-10-04 16:36:28 C:\WINDOWS\SoftwareDistribution\Download\Install\mpas-fe.exe
----atw 16,384 2007-10-04 18:12:45 C:\WINDOWS\Temp\Perflib_Perfdata_240.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EarthLink Installer"=" /C" []
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-21 04:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 14:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-11-21 14:50 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A Verizon App]
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauthe]
"C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EarthLink Installer]
" /C

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IBM Warranty Notification]
"C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTimeDesktop.exe]
"C:\Program Files\Real\RealTime\RealTimeDesktop.exe" -NoBrowser

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

R2 ibmfilter;ibmfilter;\??\C:\WINDOWS\system32\drivers\ibmfilter.sys
R2 smi2;smi2;\??\C:\Program Files\SMI2\smi2.sys
R3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys
R3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys
S3 PCD5SRVC{5964019C-62DD3083-05010003};PCD5SRVC{5964019C-62DD3083-05010003} - PCDR Kernel Mode Service Helper Driver;\??\C:\PROGRA~1\PCDR5\PCD5SRVC.pkms

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 22:11:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-09-29 07:21:09 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Cathy Chapman.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
"2007-10-04 18:12:38 C:\WINDOWS\Tasks\RegCure Program Check.job"
"2007-09-13 08:14:42 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-10-01 07:30:00 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
"2007-10-04 02:46:21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{516BBBE5-428C-43E1-B291-1BE626C7C587}.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 18:18:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-04 18:19:19
C:\ComboFix2.txt ... 2007-10-03 16:34
.
--- E O F ---

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:10 PM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {975BA4C8-C5A7-4CFD-9F42-10CF4B75F580} (Actx Control) - https://expertslive.lenovo.com/home/activex/actx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer001\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer001\MathMLMimer.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 10886 bytes

Thank you, Cookiegal.

S-pie


----------



## Cookiegal (Aug 27, 2003)

It seems legit on Lenovo Thinkpads.

How are things running now?


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Disk Defragmenter is now working, but System Restore is not working in normal or safe modes and the Task Manager lists my CPU usage as hovering around 75%--a definite improvement from the almost constant 100% hovering when I first posted my problems.

Three (3) processes seem to be keeping my CPU usage hovering between 75% to 100%:
System Idle Process
agent.exe
ISUSPM.exe

Could we possibly look closer at them with that drag-to-ComboFix.exe procedure you instructed me to do in your earlier post?

System Restore is enabled with start up status and it worked before these problems started. My CPU usage is normally about 4%.

Thank you for any further suggestions you may have.

S-pie


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

I forgot to mention in my previous post to your question--"how are things running now?"-- both normal and safe modes dialog box the same response to me about System Restore:
a red circle, with a white X, followed by, "Restoration Incomplete. Your computer cannot be restored to _____date____. No changes have been made to your computer. To choose another restore point, restart System Restore. To restart System Restore, click Home".

As I stated, normal mode AND safe mode dialog box the exact same message. Could something be hiding in my Favorites Folder--something seems to be hiding/disguising itself somewhere?

Thank you because I am at a lost.

S-pie


----------



## Cookiegal (Aug 27, 2003)

This program should tell us more.

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes * group click *ALL* 
In the *Win32 Services * group click *ALL* 
In the *Driver Services * group click *ALL* 
In the *Registry * group click *ALL* 
In the *Files Created Within* group click *60 days* Make sure Non-Microsoft only is *UNCHECKED*
In the *Files Modified Within* group select *30 days* Make sure Non-Microsoft only is *UNCHECKED*
In the *File String Search* group select *ALL*
in the *Additional Scans* sections please press select *ALL* 
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

I must be doing something wrong, because I cannot seem to submit the attachment correctly. Please list the steps. Thank you.

S-pie


----------



## Cookiegal (Aug 27, 2003)

Open up a reply dialog box and then click on "Manage Attachments" under "Additional Options". Click on "Browse" and locate the file on your computer and then click on "open" and "upload" and then submit your reply.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

WinPFind3 attachment.

Thank you,

S-pie


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

WinPFind3 exceeded the 500 Kb maximum, so I sent it to you in two (2) parts.
Below is attachment 2.

Thank you,

S-pie


----------



## Cookiegal (Aug 27, 2003)

Do you recognize these files? I'm not sure what created them.

All are in C:\Windows\System32\

s2e0.h 
s2lc.g
s2ns.e 
s3qo.e 
s5kc.f

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

I did not, initially, recognize these files, but after using search of: 
s2e0.h
s2lc.g
s2ns.e
s3qo.e
s5kc.f

I received the message: "Windows does not recognize this file type", when I tried to open these files. After trying several programs, one of the files finally opened, but I cannot understand the code, however in all of the lengthy code appears the string, "realtime.com/news".

So, I guess these files are all related to "realtime.com/news". Do I need them on my computer?

Below is the StartUPList log, per your instructions; 2 posts--exceeds maximum.

StartupList report, 10/7/2007, 8:27:45 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16512)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Cathy Chapman\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

EarthLink Installer = " /C
Verizon_McciTrayApp = C:\Program Files\Verizon\McciTrayApp.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
suScheduler = C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
Symantec PIF AlertEng = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
osCheck = "C:\Program Files\Norton Internet Security\osCheck.exe"
ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
LPManager = C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
TVT Scheduler Proxy = C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
ISUSPM = "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Uniblue RegistryBooster 2 = C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll - {1E8A6170-7264-4D0F-BEAE-D42A53123C75}
(no name) - C:\Program Files\Windows Desktop Search\dsWebAllow.dll - {2F85D76C-0569-466F-A488-493E6BD0E955}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - c:\program files\google\googletoolbar4.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
(no name) - C:\Program Files\Windows Live Toolbar\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Check Updates for Windows Live Toolbar.job
MP Scheduled Scan.job
Norton Internet Security - Run Full System Scan - Cathy Chapman.job
RegCure Program Check.job
RegCure.job
RegistrySmart Scheduled Scan.job
User_Feed_Synchronization-{516BBBE5-428C-43E1-B291-1BE626C7C587}.job

--------------------------------------------------


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Second post.

Thank you,

S-pie

Enumerating Download Program Files:

[{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/downl...-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[IASRunner Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\acpir2.dll
CODEBASE = https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab

[get_atlcom Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEGetPlugin.ocx
CODEBASE = http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx

[{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D}]
CODEBASE = http://www2.verizon.net/micro/vol_toolbar/vzbb.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Symantec Download Manager]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\symdlmgr.dll
CODEBASE = https://webdl.symantec.com/activex/symdlmgr.cab

[IBM Access Support]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IbmEgath.dll
CODEBASE = http://www-307.ibm.com/pc/support/IbmEgath.cab

[Java Plug-in 1.4.2]
InProcServer32 = C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
CODEBASE = http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

[Actx Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\actx.ocx
CODEBASE = https://expertslive.lenovo.com/home/activex/actx.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[acpRunner Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\acpcontroller2.dll
CODEBASE = https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab

[Java Plug-in 1.4.2]
InProcServer32 = C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
CODEBASE = http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab

[CTAdjust Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\clearadjust.dll
CODEBASE = http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: \SystemRoot\system32\DRIVERS\ABP480N5.SYS (disabled)
Intel(r) 82801 Audio Driver Install Service (WDM): system32\drivers\ac97intc.sys (manual start)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\system32\DRIVERS\adpu160m.sys (disabled)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: \SystemRoot\system32\DRIVERS\agp440.sys (disabled)
Compaq AGP Bus Filter: \SystemRoot\system32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\system32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\system32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\system32\DRIVERS\aic78xx.sys (disabled)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\system32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\system32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\system32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\system32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: \SystemRoot\system32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\system32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\system32\DRIVERS\asc3550.sys (disabled)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
catchme: \??\C:\DOCUME~1\CATHYC~1\LOCALS~1\Temp\catchme.sys (manual start)
cbidf: \SystemRoot\system32\DRIVERS\cbidf2k.sys (disabled)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
cd20xrnt: \SystemRoot\system32\DRIVERS\cd20xrnt.sys (disabled)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Symantec Lic NetConnect service: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (autostart)
CmdIde: \SystemRoot\system32\DRIVERS\cmdide.sys (disabled)
COM Host: "C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe" (manual start)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\system32\DRIVERS\cpqarray.sys (disabled)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CSS DVP: system32\DRIVERS\css-dvp.sys (autostart)
dac2w2k: \SystemRoot\system32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\system32\DRIVERS\dac960nt.sys (disabled)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Diskeeper: "C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe" (autostart)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
dpti2o: \SystemRoot\system32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
DvpApi: "C:\Program Files\Common Files\Command Software\dvpapi.exe" (autostart)
Intel(R) PRO Adapter Driver: system32\DRIVERS\e100b325.sys (manual start)
Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
IBM eGatherer: \??\C:\WINDOWS\SYSTEM32\EGATHDRV.SYS (autostart)
EraserUtilRebootDrv: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
VIA Rhine-Family Fast Ethernet Adapter Driver Service: system32\DRIVERS\fetnd5bv.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: system32\DRIVERS\fetnd5.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
hpn: \SystemRoot\system32\DRIVERS\hpn.sys (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: \SystemRoot\system32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
ibmfilter: \??\C:\WINDOWS\system32\drivers\ibmfilter.sys (autostart)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
ini910u: \SystemRoot\system32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\system32\DRIVERS\intelide.sys (disabled)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Symantec IS Password Validation: "C:\Program Files\Norton Internet Security\isPwdSvc.exe" (manual start)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
LiveUpdate: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start)
LiveUpdate Notice Service Ex: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
LiveUpdate Notice Service: "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll" (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
mraid35x: \SystemRoot\system32\DRIVERS\mraid35x.sys (disabled)
MREMPR5 NDIS Protocol Driver: \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS (manual start)
MRENDIS5 NDIS Protocol Driver: \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS (manual start)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20071007.006\NAVENG.SYS (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20071007.006\NAVEX15.SYS (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCD5SRVC{5964019C-62DD3083-05010003} - PCDR Kernel Mode Service Helper Driver: \??\C:\PROGRA~1\PCDR5\PCD5SRVC.pkms (manual start)
PCDRNDISUIO Usermode I/O Protocol: system32\DRIVERS\pcdrndisuio.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Mouse Suite Driver: system32\DRIVERS\pelmouse.sys (manual start)
USB Mouse Low Filter Driver: system32\DRIVERS\pelusblf.sys (manual start)
perc2: \SystemRoot\system32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\system32\DRIVERS\perc2hib.sys (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
PMEM: \??\C:\WINDOWS\system32\drivers\PMEMNT.SYS (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Processor Driver: system32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Lenovo Parties Service Access Device Driver: system32\DRIVERS\psadd.sys (manual start)
IBM PSA Access Driver Control: C:\WINDOWS\system32\PsaSrv.exe (manual start)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
ql1080: \SystemRoot\system32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\system32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\system32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\system32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\system32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\system32\DRIVERS\sisagp.sys (disabled)
smi2: \??\C:\Program Files\SMI2\smi2.sys (autostart)
Sparrow: \SystemRoot\system32\DRIVERS\sparrow.sys (disabled)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
SRTSP: System32\Drivers\SRTSP.SYS (manual start)
SRTSPL: System32\Drivers\SRTSPL.SYS (manual start)
SRTSPX: System32\Drivers\SRTSPX.SYS (system)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (manual start)
System Update: c:\program files\lenovo\system update\suservice.exe (autostart)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{32411D1B-0BD6-43D7-8682-0DD9ACA00532} (manual start)
Symantec Core LC: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" (manual start)
Symantec AppCore Service: "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe" (autostart)
symc810: \SystemRoot\system32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\system32\DRIVERS\symc8xx.sys (disabled)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20071002.003\SymIDSCo.sys (manual start)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
sym_hi: \SystemRoot\system32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\system32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tmcomm: \??\C:\WINDOWS\system32\drivers\tmcomm.sys (autostart)
TosIde: \SystemRoot\system32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TVT Backup Service: "C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe" (autostart)
TVT Scheduler: "C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe" (autostart)
ThinkVantage System Update: C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe (autostart)
ultra: \SystemRoot\system32\DRIVERS\ultra.sys (disabled)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
Messenger Sharing Folders USN Journal Reader service: "C:\Program Files\MSN Messenger\usnsvc.exe" (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\system32\DRIVERS\viaagp.sys (disabled)
VIA AGP Filter: system32\DRIVERS\viaagp1.sys (system)
viagfx: system32\DRIVERS\vtmini.sys (manual start)
ViaIde: system32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Defender: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 43,181 bytes
Report generated in 0.375 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Cookiegal,

Should so many entries be "disabled'?

Thank you,

S-pie


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

1. In the above HijackThis log you instructed me to post, upon closer inspection in the category, "Windows NT/2000/XP Services", these Symantec (Norton) entries ALL stop my OS from normally shutting down with a dialog box that includes: "instructions at.....
referenced..... cannot be read (write)...." Click OK to close, however the boxes close so fast before I can even click OK.
These are the Symantec entries, listed under "Windows NT/2000/XP Services" that stop my OS from normally shutting down:
Symantec Event Manager
Symantec Settings Manager
Symantec Lic NetConnect Service
Live Update Notice Service Ex: (Symantec Shared)

2. Why are so many of the services listed under "Windows NT/2000/XP Services" disabled?

3. Why are there so many:
Registry key not found
No subkeys found
No values found
Folder not found
Section not found?

Thank you for your help,

S-pie


----------



## Cookiegal (Aug 27, 2003)

It's possible Norton has been damaged so I would uninstall and reinstall it.

Anything showing "not found" simply means they do not exist and this is not a bad thing. Services that are disabled are not required to run.

As for those files I asked about, do you visit that site regularly? I wonder if they might be connected to your RSS feeds.


May I see a new HijackThis default scan log please.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Those files, with e, g, extensions are related to RSS feeds. I just do not know why all of that lengthy code that I cannot understand is in those files.

i was trying to uninstall, reinstall my Norton Security Suite before I HijackThis default log to you, but I cannot seem tio uninstall Norton. The pages freeze on the site and I have to shut down or restart my computer to get rid of them.

Below is HijackThis default log.

Thank you,

S-pie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:21 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {975BA4C8-C5A7-4CFD-9F42-10CF4B75F580} (Actx Control) - https://expertslive.lenovo.com/home/activex/actx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer001\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer001\MathMLMimer.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 12579 bytes


----------



## Cookiegal (Aug 27, 2003)

Did you try using the removal tool to remove Norton?

http://service1.symantec.com/SUPPOR...docid=2002102220044206&nsf=nav.nsf&view=docid

Try that but first download AVG Free anti-virus but don't install it until after removing Norton. There could be a conflict with Norton. Then let's see how things are.

http://free.grisoft.com/doc/2/


----------



## Cookiegal (Aug 27, 2003)

Also, end task in the Control Manager (Ctrl-Alt-Del) on these:

*ISUSPM.exe
agent.exe*

Then uncheck these via msconfig:

*ISUSPM Startup
ISUSPM*


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

I ended processes: ISUSPM.exe and agent.exe. What were they? I then went into msconfig and unchecked ISUSPM startup and ISUSPM. Where do I find out what were those processes, part of my IBM preload, and why they were preloaded on my machine?

I disabled Norton Internet Security Suite, my licensed antivirus program, then installed the AVG Anti-Virus Free Edition. I noticed that AVG is only an antivirus program, whereas Norton is antivirus, antispyware, antispam, firewall, 24/7 technical support.

What is the purpose of installing the limited AVG program on my machine? Also, after I installed it, successfully, there was this statement---1 warning occured: 
--------------------------------------------
Action failed for registry value:
HKLM\SOFTWARE\Classes\Component Categories\{56FFCC30-D398-11D0-82AE-00A0C908FA49}: creating registry value...
Access is denied. (5)
--------------------------------------------------
I immediately updated AVG, and ran my first complete scan, as directed. AVG will now run daily scans.

Cookiegal, Norton my licensed product, is my default antivirus program. Should I run AVG manually, in between the Norton automatic scans?

System Restore, refused to work during this problem I was having. Disk Defragmenter, my keyboard and my email all also stopped working or only worked occasionally. Now Disk Defragmenter works, as does my keyboard, my email. However, System Restore is the only holdout, both in normal and safe modes.

Thank you for all of your help, and any suggestions you may have about System Restore.

S-pie


----------



## Cookiegal (Aug 27, 2003)

Those items I had you disable belong to the InstallShield UpdateService and are likely the reason for the high CPU usage you were talking about. They are probably trying to update all the time, even if not connected. It is not necessary to have them running at start up.

The purpose of uninstalling Norton and installing AVG was to do a test as it often happens that Norton is imcompatible with some programs you're running and can cause problems. I wanted to see if you still had problems without it. You should disable any of its components if you want it to do its job properly. You can go ahead and remove AVG Free and reinstall Norton.

When you try a system restore, what happens? Do you see available restore points in the calendar?


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

I have many Restore Points on my calendar. After this problem started occurring, I tried to Restore my computer back to a time prior to the problems. I tried all of my restore points in normal and safe mode, and would get this message: "Restoration Incomplete. Your computer cannot be restored to ____(date)_____. No changes have been made to your computer. To choose another restore point, restart System Restore. To restart System Restore, click Home."

I tried all my restore points and then F8 into safe mode and tried them--the exact same "Restoration Incomplete" message appeared. My System Restore is on and I have restored my computer to an earlier point before these problems started.

Thank you for any suggestions you may have.

S-pie


----------



## Cookiegal (Aug 27, 2003)

It looks like that problem is related to Norton as well:

http://service1.symantec.com/SUPPORT/sharedtech.nsf/pfdocs/2005113009323013


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Thank you for that website. I have bookmarked and printed it. Remember when I told you that four (4) Norton files, at different times, block my computer from shutting down normally by an "Application Error" dialog box appearing that says: "The ____(numbers)__, referenced at _____(numbers)______ , cannot be read (written). Click OK to terminate the program". Then the box disappears so fast before I can click OK or copy the filename in the title bar.
It has happened so many times that I was able to copy parts of the program names before the box closed. All four of the programs are Symantec (Norton).

It seems that Norton is causing me a lot of different problems throughout the functioning of my computer. Do you have any suggestions on other antivirus programs that are as comprehensive as Norton but will not interfere with so many other functions and utilities like Norton apparently does?

Thank you for any suggestions you have.

S-pie


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

I waited a few days to see if my computer will keep this stability. It has, I thank you and Tech Support Guy for your much needed help and I am marking this post solved.

S-pie


----------



## Cookiegal (Aug 27, 2003)

You're quite welcome.  

If you want to purchase a superior anti-virus program then I would go with Nod32 or Kaspersky. If you want a free one, you can stay with AVG. If you go with Nod32 or AVG, then you will need to get a firewall so you can get Zone Alarm, which works well and is quite user friendly. If you go with Kaspersky, you can get the suite that includes a firewall.


Before I give you some final instructions, I would like you to run another Panda scan and post the results please.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Thank you for your antivirus software suggestions. I will definitely be purchasing one of them. Excuse my presumption, my deeming my problem "solved". I just know that my CPU usage is now hovering around 4%--its normal range.

Norton Internet Security Suite 2007 and my Windows XP, Home Edition, SP2, conflict. That will be Symantec's problem.

The major problems seem resolved. Per your instructions, I will clean System Restore, then create a new Restore Point and test it, after I follow the web site you gave me that explains the conflict Norton has with System Restore.

Below is the Panda ActiveScan:
Incident Status Location

Adware:adware/cws Not disinfected C:\Documents and Settings\Cathy Chapman\Favorites\health  
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][2].txt 
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][2].txt 
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][2].txt 
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][1].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][2].txt 
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][1].txt 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][1].txt 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][1].txt 
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][1].txt 
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][1].txt 
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][1].txt  
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][1].txt 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][2].txt 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][2].txt 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][2].txt 
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][2].txt 
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][2].txt 
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Cathy Chapman\Cookies\[email protected][1].txt 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Cathy Chapman\Desktop\ComboFix.exe[nircmd.exe] 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Cathy Chapman\Desktop\ComboFix.exe[nircmd.cfexe] 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Cathy Chapman\Desktop\Desktop\SmitfraudFix\SmitfraudFix\Process.exe 
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Cathy Chapman\Desktop\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe  
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Cathy Chapman\Desktop\Desktop\SmitfraudFix\SmitfraudFix\restart.exe 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Cathy Chapman\Desktop\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe] 
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Cathy Chapman\Desktop\Desktop\SmitfraudFix.zip[SmitfraudFix/Reboot.exe] 
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Cathy Chapman\Desktop\Desktop\SmitfraudFix.zip[SmitfraudFix/restart.exe] 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe 
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Thank you,
S-pie


----------



## Cookiegal (Aug 27, 2003)

Please locate and delete this folder:

C:\Documents and Settings\Cathy Chapman\Favorites\*health *

The rest are either cookies or related to the tools we used. Often some of their components are flagged as malware because of the nature of what they do, although they certainly are not malware.

You can remove the SmitfraudFix, WinpFind3u and ComboFix programs now.

You should clear out all of your cookies. After doing this, you will have to logon to certain sites again so be sure you know your passwords.

*Clean your Cache and Cookies in IE:* 
Close all instances of Outlook Express and Internet Explorer 
Go to Control Panel > Internet Options > General tab 
Click the "Delete Cookies" button 
Next to it, Click the "Delete Files" button 
When prompted, place a check in: "Delete all offline content", click OK

and then reset them as follows:

In IE click on Tools - Internet Options - privacy tab and select "advanced". Set First Party cookies to "prompt" and Third Party cookies to either "block" or "prompt" and check "always allow session cookies". Basically, you should refuse all cookies except those from sites you trust or need to log in to.

You can refuse a cookie each time it asks (if you're not sure and don't want to block it all the time) or you can select the option to "apply my decision to all cookies from this website" and then select "block or allow". If you block a cookie and later find it's needed, you can go back into Internet Options, under the privacy tab and click on "sites" and remove it from the list of blocked cookies there or change its designation to "always allow".

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start*  *All Programs*  *Accessories*  *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

I followed your instructions in your latest post. SpywareBlaster is downloaded and installed. I will, most likely, opt for Kaspersky. Though Norton Internet Security Suite 2007.4 (?) is installed, I will disable it. I also use manual antivirus programs like Windows Defender, Ad-Aware, Spybot.

One thing I did wrong was accept a DVD from a very trusted source, then a lot of these problems started. Maybe some of them were already there; I just did not know about them.

I also opened the Tech Guy site you posted of one of the other moderators, printed it for reference.

Thank you, again, and again.

S-pie


----------



## Cookiegal (Aug 27, 2003)

It's my pleasure.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

The AVG antivirus program you suggested I download caught a Trojan horse Downoader.Zlob this morning, Oct. 15, 2007. It was in the rootkit.exe file, backup copy, on my desktop. It is now quarantined. Is there any further danger?

Thank you,

S-pie


----------



## Cookiegal (Aug 27, 2003)

What do you mean the rootkit.exe file back up copy? What was the entire past to this file please?


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

I meant rootchk.exe, not rootkit.exe.

The "entire past to this file":
In Post #20, page two (2) of my thread, your instructions to "download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
That process created a back up copy, to my desktop, named rootchk.exe. That file was still on my desktop when I ran one of those "superior" antivirus programs you suggested I get, in your post, #55, on page four (4) of my thread.

October 15, 2007, (yesterday), I ran one of those better antivirus programs you recommended, and this is the result:

AVG, Anti-Virus, free edition, from its first scan, has in its virus vault:
--------------------------------------------- 
Virus Name: Trojan horse Downloader.Zlob
Path: C:\Documents and Settings\Cathy Chapman\Desktop\Desktop\rootchk.exe, Back-up copy
Date of Detection: October 15, 2007
Filename: rootchk.exe
---------------------------------------------
So, my guess is that, when the above program made a backup copy of my current files, in those files was a trojan horse virus, similar to a restore point backup having an infected file. That is just my guess.

Thank you for any suggestions you have,

S-pie


----------



## Cookiegal (Aug 27, 2003)

No, it's the program itself being detected but it's not malicious. In any event you can delete it as it's no longer required.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Thank you, Cookiegal. I'm curious, though, why would AVG, Anti-virus program, free edition, identify rootchk.exe, on my desktop, as having a Trojan horse Downloader. Zlob?

Thank you for your instructions on better anitvirus programs; I've already installed one of them, a day later, and it seems to be doing a much better job at surveillance than my licensed antivirus program.

Again, thanks to you and for your tremendous help.

S-pie


----------



## Cookiegal (Aug 27, 2003)

Because of the nature of the program as it acts the way malware might act. It's common for many of the tools we use to detected as false positives.

Do you have two Desktop folders?

C:\Documents and Settings\Cathy Chapman\*Desktop*\*Desktop*


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Yes, I do have two (2) desktop folders. I created a second one to use exclusively for my instructions from you.

Thank you,

S-pie


----------



## Cookiegal (Aug 27, 2003)

OK, thanks. Just checking.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Everything seems to be working again: my keyboard, Disk Defragmenter, my e-mail. System Restore still will not work. I opened the website in your post, #52,: 
http://service1.symantec.com/SUPPORT...0511300932013, followed those instructions, and I still cannot get System Restore to work again. The same message, as before, appears: "Restoration Incomplete. Your computer cannot be restored..."

Cookiegal, any suggestions on what I try next to get back my System Restore utility?

Thank you,

S-pie


----------



## Cookiegal (Aug 27, 2003)

Yes, please read through this article which has more information and try what is suggested there. Let me know if it works after please.

http://bertk.mvps.org/html/symantecdoc1.html


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

Finally! Following those instructions does not work in normal mode, but only in safe mode. So, what I will do is first follow the instructions in normal mode, and if it does not work, again, I will then try it in safe mode.

Thank you, Cookiegal. That second set of instructions, with the extra warning note in that box, about how System Restore STILL will not work if changes have been made to any of Symantec's Registry keys seemed to be the solution.

Of course, ultimately, there is even a better solution--get rid of Symantec (Norton).


S-pie


----------



## Cookiegal (Aug 27, 2003)

Great! I was sure that was the problem.  

You're quite welcome.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

I'm thankful, I'm grateful--I'm donating.

S-pie


----------



## Cookiegal (Aug 27, 2003)

It's my pleasure and thank you for donating. The kind gesture is very much appreciated.


----------



## S-pie (Sep 27, 2007)

Dear Cookiegal,

I donated, I will donate again.

Thank you,

S-pie


----------



## Cookiegal (Aug 27, 2003)

Thanks again. :up:


----------

