HELIPHINO [Solved]


This topic is locked

#1 Temujinjr (Member, 18 posts)
My problem is that my network adapter is connected to the router and has a connection to the internet. However, any program attempting to access the internet gets shut down, normally with a werfault32.exe Windows error. Windows reporting also produces errors on a regular basis. The list of programs that are being forced closed includes: Firefox, IE, Norton updater, Windows updater, Content Watch updater, Spybot updater, etc.

I also cannot reinstall Norton, I do have Avast installed.

Prior to visiting this site I ran Norton Internet Security three times, Spybot twice, and Avast twice. I have completed the "You Must Read This" step by step.

Results:

All programs installed successfully

ATF - ran successfully cleared 125 MB
System Restore - failed with error. Did a MS Restore, none available prior to this
Erunt - ran successfully initially. Failed with error when running at startup
Malwarebytes - full scan ran successfully. Removal of item caused system failure with error although items are listed in quarantine.

System rebooted. Problem still exists.
-----------------------------------------------------------

Hijack this logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:24 AM, on 12/21/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\wpcumi.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &Search - ?p=ZJman000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Turbo%20Pizza/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Pastry%20Passion/Images/armhelper.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

--
End of file - 5781 bytes

This is the second computer I have that was infected this way. I use Norton Internet Security, Spybot, and NetNanny, but somehow this thing got through. On the first one, two months ago, I attempted a direct MS system restore and was unable to log on to Windows; the screen was completely black even though you could hear it posting. I had to reinstall Vista, which I don't want to do if I can avoid it.

What is this thing? Can I remove it? How do I prevent it from happening again?

#2 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello Temujinjr, and welcome to Geeks to Go. :)
Sorry about the delay.

Let's get a fresh look at your computer.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Edited by Jimmy2012, 25 December 2008 - 12:55 AM.


#3 Temujinjr (Topic Starter, Member, 18 posts)
info.txt logfile of random's system information tool 1.05 2008-12-25 08:38:01

======Uninstall list======

-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Adobe Flash Player 9 ActiveX-->C:\Windows\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Shockwave Player 11-->C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Customer Feedback-->MsiExec.exe /I{9DBA770F-BF73-4D39-B1DF-6035D95268FC}
J2SE Runtime Environment 5.0 Update 12-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150120}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LiveUpdate (Symantec Corporation)-->MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\ProgramData\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation)-->MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mickey Mouse Toddler-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{00EE8A81-4652-4672-BAD6-8D8CAC891507}\setup.exe" -l0x9 Mickey Mouse Toddler
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mouse Suite-->C:\Program Files\InstallShield Installation Information\{EEDBE2DF-4141-44A9-8614-9832B16637E6}\setup.exe -runfromtemp -l0x0009 -removeonly
Mozilla Firefox (2.0)-->C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Net Nanny Parental Controls 5.6-->"C:\Program Files\ContentWatch\Internet Protection\ContentProtect\Home\unins000.exe"
Neverwinter Nights 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F20C1251-1D0A-4944-B2AE-678581B33B19}\SETUP.exe" -l0x9 -removeonly
Norton Internet Security (Symantec Corporation)-->"C:\Program Files\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_5_0_23\Setup.exe" /X
Norton Security Scan-->MsiExec.exe /I{48B82226-75E3-4E90-92CC-D30F79EA6380}
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
RealArcade-->"C:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "C:\Program Files\RealArcade\Installer\installerMain.clf" "C:\Program Files\RealArcade\Installer\uninstall\RealArcade.rguninst" "AddRemove"
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
SimCity™ Societies-->MsiExec.exe /X{0B5154C0-8F00-4616-B0AB-6240AE80D9CE}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starcraft-->C:\Windows\scunin.exe C:\Windows\scunin.dat
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The Book of Pooh-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C612230-5534-4DC3-B721-B802A83D55C3}\setup.exe" -l0x9 The Book of Pooh
Titan Quest-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}\setup.exe" -l0x9 -removeonly
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Warcraft III-->C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
Winnie the Pooh Toddler Deluxe-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{520E8334-F4F7-4DB5-AA74-E610CB19E59A}\setup.exe" -l0x9 Winnie the Pooh Toddler Deluxe
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe

======Hosts File======


======Security center information======

AS: Spybot - Search and Destroy (disabled) (outdated)
AS: SUPERAntiSpyware

System event log

Computer Name: VOYAGER
Event Code: 4201
Message: The system detected that network adapter Wireless Network Connection was connected to the network, and has initiated normal operation.
Record Number: 133135
Source Name: Tcpip
Time Written: 20081225143639.813456-000
Event Type: Information
User:

Computer Name: VOYAGER
Event Code: 4201
Message: The system detected that network adapter Wireless Network Connection was connected to the network, and has initiated normal operation.
Record Number: 133136
Source Name: Tcpip
Time Written: 20081225143639.813456-000
Event Type: Information
User:

Computer Name: VOYAGER
Event Code: 10029
Message: DCOM started the service wercplsupport with arguments "" in order to run the server:
{0E9A7BB5-F699-4D66-8A47-B919F5B6A1DB}
Record Number: 133137
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20081225143644.000000-000
Event Type: Information
User:

Computer Name: VOYAGER
Event Code: 7036
Message: The Problem Reports and Solutions Control Panel Support service entered the running state.
Record Number: 133138
Source Name: Service Control Manager
Time Written: 20081225143644.000000-000
Event Type: Information
User:

Computer Name: VOYAGER
Event Code: 26
Message: Application popup: WerFault.exe - Application Error : The exception unknown software exception (0xc0000409) occurred in the application at location 0x050bef89.

Click on OK to terminate the program
Record Number: 133139
Source Name: Application Popup
Time Written: 20081225143648.000000-000
Event Type: Information
User:

Application event log

Computer Name: VOYAGER
Event Code: 1001
Message: Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Record Number: 88642
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20081225143251.000000-000
Event Type: Information
User:

Computer Name: VOYAGER
Event Code: 1000
Message: Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
Record Number: 88643
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20081225143251.000000-000
Event Type: Information
User:

Computer Name: VOYAGER
Event Code: 1000
Message: Faulting application WerCon.exe, version 6.0.6001.18000, time stamp 0x47918caf, faulting module CPAdvisor.dll, version 2.6.1.15, time stamp 0x47bea109, exception code 0xc0000409, fault offset 0x0004ef89, process id 0xdf8, application start time 0x01c9669e352d2441.
Record Number: 88644
Source Name: Application Error
Time Written: 20081225143644.000000-000
Event Type: Error
User:

Computer Name: VOYAGER
Event Code: 1000
Message: Faulting application avast.setup, version 4.8.0.0, time stamp 0x492d888e, faulting module CPAdvisor.dll, version 2.6.1.15, time stamp 0x47bea109, exception code 0xc0000409, fault offset 0x0004ef89, process id 0x588, application start time 0x01c9669e4129af21.
Record Number: 88645
Source Name: Application Error
Time Written: 20081225143707.000000-000
Event Type: Error
User:

Computer Name: VOYAGER
Event Code: 5
Message: Unsupported service control request (see data below)
Record Number: 88646
Source Name: LightScribeService
Time Written: 20081225143801.000000-000
Event Type: Information
User:

Security event log

Computer Name: VOYAGER
Event Code: 4688
Message: A new process has been created.

Subject:
Security ID: S-1-5-21-3560712663-2925831371-2229556997-1002
Account Name: KIDS
Account Domain: VOYAGER
Logon ID: 0xccf3f

Process Information:
New Process ID: 0x6a8
New Process Name: C:\Program Files\Windows Media Player\wmpnscfg.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0xcd8

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Record Number: 186313
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081126020657.213144-000
Event Type: Audit Success
User:

Computer Name: VOYAGER
Event Code: 4689
Message: A process has exited.

Subject:
Security ID: S-1-5-21-3560712663-2925831371-2229556997-1002
Account Name: KIDS
Account Domain: VOYAGER
Logon ID: 0xccf3f

Process Information:
Process ID: 0x6a8
Process Name: C:\Program Files\Windows Media Player\wmpnscfg.exe
Exit Status: 0x0
Record Number: 186314
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081126020657.259944-000
Event Type: Audit Success
User:

Computer Name: VOYAGER
Event Code: 4688
Message: A new process has been created.

Subject:
Security ID: S-1-5-21-3560712663-2925831371-2229556997-1002
Account Name: KIDS
Account Domain: VOYAGER
Logon ID: 0xccf3f

Process Information:
New Process ID: 0x4f4
New Process Name: C:\Program Files\Windows Media Player\wmpnscfg.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0xcd8

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Record Number: 186315
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081126020731.049544-000
Event Type: Audit Success
User:

Computer Name: VOYAGER
Event Code: 4689
Message: A process has exited.

Subject:
Security ID: S-1-5-21-3560712663-2925831371-2229556997-1002
Account Name: KIDS
Account Domain: VOYAGER
Logon ID: 0xccf3f

Process Information:
Process ID: 0x4f4
Process Name: C:\Program Files\Windows Media Player\wmpnscfg.exe
Exit Status: 0x0
Record Number: 186316
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081126020731.080744-000
Event Type: Audit Success
User:

Computer Name: VOYAGER
Event Code: 4688
Message: A new process has been created.

Subject:
Security ID: S-1-5-21-3560712663-2925831371-2229556997-1002
Account Name: KIDS
Account Domain: VOYAGER
Logon ID: 0xccf3f

Process Information:
New Process ID: 0xe48
New Process Name: C:\Program Files\Windows Media Player\wmpnscfg.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0xcd8

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Record Number: 186317
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081126020731.174344-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\hp\bin\Python;c:\Program Files\Common Files\Roxio Shared\DLLShared;c:\Program Files\Common Files\Roxio Shared\9.0\DLLShared
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4b02
"NUMBER_OF_PROCESSORS"=2
"CWALTAHOME"=C:\Program Files\ContentWatch

-----------------EOF-----------------

I did get a WERFAULT.exe error pop-up prior to the logs being created. I thought the program had failed, but fortunately it didn't:
The exception unknown software exception (0xc00004089) occurred at location 0x049def89
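As an added triage helper (my code, not from this thread or from HijackThis/RSIT), the script below parses the O2/O10/O23 records and the "Faulting application" event-log messages of the kind quoted above and lists what a helper checks first: which Winsock LSP DLLs every socket-using program loads, which BHO and service entries point at files that no longer exist, and which module is the faulting module in more than one crash. The sample input is constructed from lines quoted in this thread, and the short NTSTATUS table is one I added.

```python
import re
from collections import Counter

# Constructed sample input: record lines copied from the HijackThis and RSIT
# logs quoted in this thread, cut down to the record types triaged below.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
Message: Faulting application WerCon.exe, version 6.0.6001.18000, time stamp 0x47918caf, faulting module CPAdvisor.dll, version 2.6.1.15, time stamp 0x47bea109, exception code 0xc0000409, fault offset 0x0004ef89, process id 0xdf8, application start time 0x01c9669e352d2441.
Message: Faulting application avast.setup, version 4.8.0.0, time stamp 0x492d888e, faulting module CPAdvisor.dll, version 2.6.1.15, time stamp 0x47bea109, exception code 0xc0000409, fault offset 0x0004ef89, process id 0x588, application start time 0x01c9669e4129af21.
"""

# HijackThis record formats: O10 = Winsock LSP entry, O2 = browser helper object,
# O23 = service; the last pattern is the Application-log "Faulting application" text.
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), .*?faulting module (?P<module>\S+), "
    r".*?exception code (?P<code>0x[0-9a-fA-F]+)"
)

# A few NTSTATUS values that show up in crash records, with their documented names.
EXCEPTION_CODES = {
    "0xc0000005": "STATUS_ACCESS_VIOLATION",
    "0xc0000374": "STATUS_HEAP_CORRUPTION",
    "0xc0000409": "STATUS_STACK_BUFFER_OVERRUN (stack cookie / security check failed)",
}


def parse(text):
    """Extract LSP, BHO, service and crash records from a pasted log."""
    lsps, bhos, services, faults = Counter(), [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := LSP_RE.match(line):
            lsps[m["path"].lower()] += 1  # one O10 line per Winsock catalog entry
        elif m := BHO_RE.match(line):
            bhos.append((m["clsid"], m["path"]))
        elif m := SVC_RE.match(line):
            services.append((m["name"], m["owner"], m["path"]))
        elif m := FAULT_RE.search(line):
            code = m["code"].lower()
            faults.append({"app": m["app"], "module": m["module"], "code": code,
                           "meaning": EXCEPTION_CODES.get(code, "unknown NTSTATUS")})
    return {"lsps": lsps, "bhos": bhos, "services": services, "faults": faults}


def triage(text):
    """Parse the log and add the findings a helper would check first."""
    r = parse(text)
    findings = []
    for path, n in r["lsps"].items():
        findings.append(f"LSP {path} appears in {n} catalog entries; every socket-using "
                        "program loads it, so confirm the file's publisher and signature")
    for clsid, path in r["bhos"]:
        if path == "(no file)":
            findings.append(f"BHO {clsid} is registered but its DLL is gone (orphaned entry)")
    for name, owner, path in r["services"]:
        if path.endswith("(file missing)") or owner == "Unknown owner":
            findings.append(f"service {name} ({owner}): binary missing or unattributed")
    # A module that is the faulting module in more than one unrelated process
    # points at shared code (an LSP, a hook DLL) rather than at the crashing apps.
    by_module = Counter(f["module"].lower() for f in r["faults"])
    r["recurring_modules"] = {m: n for m, n in by_module.items() if n > 1}
    for module, n in r["recurring_modules"].items():
        apps = sorted({f["app"] for f in r["faults"] if f["module"].lower() == module})
        meanings = sorted({f["meaning"] for f in r["faults"] if f["module"].lower() == module})
        findings.append(f"{module} is the faulting module in {n} crashes "
                        f"({', '.join(apps)}): {'; '.join(meanings)}")
    r["findings"] = findings
    return r


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```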

#4 Temujinjr (Topic Starter, Member, 18 posts)
Logfile of random's system information tool 1.05 (written by random/random)
Run by ADMIN at 2008-12-25 08:37:48
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 99 GB (65%) free of 153 GB
Total RAM: 3070 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:38, on 2008-12-25
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\wpcumi.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\ADMIN\Desktop\Clean System\RSIT.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\ADMIN.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &Search - ?p=ZJman000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Turbo%20Pizza/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Pastry%20Passion/Images/armhelper.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

--
End of file - 5568 bytes

======Scheduled tasks folder======

C:\Windows\tasks\User_Feed_Synchronization-{5ABF9491-355D-425D-982E-507CAA06DBC9}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"=C:\Windows\system32\WpcUmi.exe [2006-11-02 176128]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-11-26 81000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cwcptray]
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe [2007-10-17 403456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
C:\Windows\ehome\ehTray.exe [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FullScreen]
c:\hp\bin\spawn.exe [2000-04-08 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\hp\support\hpsysdrv.exe [2006-09-28 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
C:\Windows\system32\ICO.EXE [2006-10-23 56128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\Windows\system32\NvCpl.dll [2007-11-06 8530464]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\Windows\system32\NvMcTray.dll [2007-11-06 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
C:\Windows\system32\nvsvc.dll [2007-11-06 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProcessLogger]
c:\hp\bin\ProcessLogger /m:1000 /v []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
C:\Windows\RtHDVCpl.exe [2007-10-25 4702208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WPCUMI]
C:\Windows\system32\WpcUmi.exe [2006-11-02 176128]

C:\Users\ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-03 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"LogonHoursAction"=2
"DontDisplayLogonHoursWarnings"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4959ca6-813c-11dd-b209-806e6f6e6963}]
shell\AutoRun\command - D:\Launch.exe


======List of files/folders created in the last 3 months======

2008-12-25 08:37:48 ----D---- C:\rsit
2008-12-22 21:41:56 ----D---- C:\inetpub
2008-12-22 21:22:35 ----D---- C:\Windows\Minidump
2008-12-22 21:15:25 ----A---- C:\Windows\PSEXESVC.EXE
2008-12-22 21:15:15 ----D---- C:\Windows\temp
2008-12-22 21:13:28 ----D---- C:\ComboFix
2008-12-22 21:13:27 ----A---- C:\Windows\system32\CF349.exe
2008-12-22 21:13:23 ----A---- C:\Windows\system32\swsc.exe
2008-12-22 20:37:58 ----A---- C:\Windows\zip.exe
2008-12-22 20:37:58 ----A---- C:\Windows\VFIND.exe
2008-12-22 20:37:58 ----A---- C:\Windows\SWXCACLS.exe
2008-12-22 20:37:58 ----A---- C:\Windows\SWSC.exe
2008-12-22 20:37:58 ----A---- C:\Windows\SWREG.exe
2008-12-22 20:37:58 ----A---- C:\Windows\sed.exe
2008-12-22 20:37:58 ----A---- C:\Windows\NIRCMD.exe
2008-12-22 20:37:58 ----A---- C:\Windows\grep.exe
2008-12-22 20:37:58 ----A---- C:\Windows\fdsv.exe
2008-12-22 20:37:52 ----D---- C:\Qoobox
2008-12-21 21:25:21 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2008-12-21 21:25:02 ----D---- C:\Users\ADMIN\AppData\Roaming\SUPERAntiSpyware.com
2008-12-21 21:25:02 ----D---- C:\Program Files\SUPERAntiSpyware
2008-12-21 09:08:57 ----D---- C:\Program Files\Trend Micro
2008-12-21 03:00:22 ----A---- C:\Windows\system32\mshtml.dll
2008-12-20 20:51:25 ----D---- C:\Users\ADMIN\AppData\Roaming\Malwarebytes
2008-12-20 20:51:21 ----D---- C:\ProgramData\Malwarebytes
2008-12-20 20:51:21 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-20 20:50:17 ----D---- C:\Windows\ERDNT
2008-12-20 20:49:21 ----D---- C:\Program Files\ERUNT
2008-12-20 19:30:10 ----A---- C:\Windows\system32\aswBoot.exe
2008-12-20 18:28:37 ----D---- C:\Windows\E80F62FF5D3C4A1984099721F2928206.TMP
2008-12-20 18:21:22 ----D---- C:\ProgramData\PCSettings
2008-12-20 18:21:20 ----D---- C:\ProgramData\Norton
2008-12-20 18:09:53 ----D---- C:\ProgramData\NortonInstaller
2008-12-20 12:56:59 ----D---- C:\Program Files\Alwil Software
2008-12-10 03:02:06 ----A---- C:\Windows\system32\tzres.dll
2008-12-09 16:17:15 ----A---- C:\Windows\system32\urlmon.dll
2008-12-09 16:17:14 ----A---- C:\Windows\system32\wininet.dll
2008-12-09 16:17:14 ----A---- C:\Windows\system32\mstime.dll
2008-12-09 16:17:14 ----A---- C:\Windows\system32\ieframe.dll
2008-12-09 16:17:13 ----A---- C:\Windows\system32\jsproxy.dll
2008-12-09 16:17:13 ----A---- C:\Windows\system32\iertutil.dll
2008-12-09 16:16:53 ----A---- C:\Windows\system32\WMVCORE.DLL
2008-12-09 16:16:53 ----A---- C:\Windows\system32\mf.dll
2008-12-09 16:16:52 ----A---- C:\Windows\system32\WMNetMgr.dll
2008-12-09 16:16:52 ----A---- C:\Windows\system32\logagent.exe
2008-12-09 16:16:33 ----A---- C:\Windows\system32\shell32.dll
2008-12-09 16:16:29 ----A---- C:\Windows\explorer.exe
2008-12-09 16:12:30 ----A---- C:\Windows\system32\gdi32.dll
2008-12-09 16:12:19 ----A---- C:\Windows\system32\Apphlpdm.dll
2008-12-09 16:12:18 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2008-11-25 16:54:36 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2008-11-25 16:54:28 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2008-11-25 16:54:27 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2008-11-25 16:54:27 ----A---- C:\Windows\system32\WindowsCodecs.dll
2008-11-25 16:54:21 ----A---- C:\Windows\system32\connect.dll
2008-11-14 06:40:49 ----A---- C:\Windows\system32\wups2.dll
2008-11-14 06:40:49 ----A---- C:\Windows\system32\wucltux.dll
2008-11-14 06:40:49 ----A---- C:\Windows\system32\wuaueng.dll
2008-11-14 06:40:49 ----A---- C:\Windows\system32\wuauclt.exe
2008-11-14 06:40:43 ----A---- C:\Windows\system32\wups.dll
2008-11-14 06:40:42 ----A---- C:\Windows\system32\wudriver.dll
2008-11-14 06:40:42 ----A---- C:\Windows\system32\wuapi.dll
2008-11-14 06:40:41 ----A---- C:\Windows\system32\wuwebv.dll
2008-11-14 06:40:41 ----A---- C:\Windows\system32\wuapp.exe
2008-11-13 07:14:55 ----D---- C:\World of Warcraft
2008-11-12 18:49:29 ----A---- C:\Windows\system32\msxml3.dll
2008-11-12 18:49:19 ----A---- C:\Windows\system32\msxml6.dll
2008-11-08 17:38:12 ----D---- C:\ProgramData\Blizzard
2008-10-31 14:22:00 ----A---- C:\Windows\system32\EncDec.dll
2008-10-31 14:21:59 ----A---- C:\Windows\system32\psisdecd.dll
2008-10-29 06:53:21 ----A---- C:\Windows\system32\wersvc.dll
2008-10-29 06:53:21 ----A---- C:\Windows\system32\Faultrep.dll
2008-10-29 06:53:13 ----A---- C:\Windows\system32\win32spl.dll
2008-10-23 21:47:02 ----A---- C:\Windows\system32\netapi32.dll
2008-10-15 21:42:01 ----A---- C:\Windows\system32\ntoskrnl.exe
2008-10-15 21:42:01 ----A---- C:\Windows\system32\ntkrnlpa.exe
2008-10-11 11:02:05 ----D---- C:\Windows\Sun
2008-10-10 19:42:12 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-10-10 19:42:12 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-01 17:43:31 ----D---- C:\Users\ADMIN\AppData\Roaming\Leadertech
2008-10-01 17:42:57 ----D---- C:\Program Files\Disney Interactive
2008-10-01 17:42:30 ----A---- C:\Windows\disney.ini
2008-09-30 16:43:34 ----A---- C:\Windows\system32\msxml4.dll

======List of files/folders modified in the last 3 months======

2008-12-25 08:37:59 ----D---- C:\Windows\Prefetch
2008-12-25 08:32:51 ----D---- C:\Windows\System32
2008-12-25 08:32:51 ----D---- C:\Windows\inf
2008-12-25 08:32:51 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-12-22 22:23:13 ----RSD---- C:\Windows\assembly
2008-12-22 22:23:13 ----D---- C:\Windows\Microsoft.NET
2008-12-22 22:21:29 ----D---- C:\Windows\rescache
2008-12-22 22:15:22 ----SHD---- C:\System Volume Information
2008-12-22 22:15:22 ----D---- C:\Windows\Logs
2008-12-22 22:06:26 ----D---- C:\Windows\winsxs
2008-12-22 22:05:55 ----D---- C:\Windows\system32\inetsrv
2008-12-22 22:04:08 ----D---- C:\Windows\system32\en-US
2008-12-22 22:04:08 ----D---- C:\Windows\system32\0409
2008-12-22 21:43:05 ----D---- C:\Windows
2008-12-22 21:42:00 ----D---- C:\Windows\system32\wbem
2008-12-22 21:42:00 ----D---- C:\Windows\system32\migration
2008-12-22 21:42:00 ----D---- C:\Windows\system32\drivers
2008-12-22 21:37:15 ----SHD---- C:\Windows\Installer
2008-12-22 21:35:22 ----RD---- C:\Program Files
2008-12-22 21:35:22 ----D---- C:\Program Files\Internet Explorer
2008-12-22 21:15:27 ----A---- C:\Windows\system.ini
2008-12-22 21:14:41 ----D---- C:\Windows\AppPatch
2008-12-22 21:14:41 ----D---- C:\Program Files\Common Files
2008-12-22 20:39:56 ----SD---- C:\Windows\Downloaded Program Files
2008-12-22 19:36:30 ----D---- C:\Windows\Debug
2008-12-21 21:25:21 ----HD---- C:\ProgramData
2008-12-21 21:25:13 ----SD---- C:\Users\ADMIN\AppData\Roaming\Microsoft
2008-12-21 21:24:29 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-21 17:53:11 ----D---- C:\Program Files\Warcraft III
2008-12-21 03:00:32 ----D---- C:\Windows\system32\catroot
2008-12-21 03:00:31 ----D---- C:\Windows\system32\catroot2
2008-12-20 20:47:33 ----D---- C:\Windows\system32\restore
2008-12-20 18:47:46 ----D---- C:\Program Files\Norton Security Scan
2008-12-20 18:43:07 ----D---- C:\Program Files\Common Files\Symantec Shared
2008-12-20 18:28:36 ----D---- C:\Program Files\Symantec
2008-12-20 18:28:32 ----D---- C:\ProgramData\Symantec
2008-12-20 18:22:39 ----D---- C:\Windows\Tasks
2008-12-20 17:16:13 ----D---- C:\Program Files\Yahoo!
2008-12-20 17:13:34 ----D---- C:\Users\ADMIN\AppData\Roaming\Move Networks
2008-12-10 03:08:35 ----D---- C:\Program Files\Windows Mail
2008-12-02 15:26:30 ----A---- C:\Windows\system32\mrt.exe
2008-11-11 20:13:20 ----A---- C:\Windows\ntbtlog.txt
2008-11-08 17:54:58 ----D---- C:\Program Files\Common Files\Blizzard Entertainment
2008-11-01 02:00:19 ----D---- C:\Windows\ehome
2008-10-11 10:33:08 ----D---- C:\Windows\Registration
2008-10-11 10:29:58 ----D---- C:\Windows\system32\Tasks
2008-10-01 17:46:50 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-01 17:43:21 ----RSD---- C:\Windows\Fonts

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2008-11-26 23152]
R1 aswSP;avast! Self Protection; C:\Windows\system32\drivers\aswSP.sys [2008-11-26 111184]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2008-11-26 50864]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
R2 aswMonFlt;aswMonFlt; C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-11-26 51792]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2008-05-07 767488]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-10-25 2015192]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2007-05-04 1065384]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-11-06 8230496]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 catchme;catchme; \??\C:\Users\ADMIN\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 EagleNT;EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [2008-05-13 448384]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 pelmouse;Mouse Suite Driver; C:\Windows\system32\DRIVERS\pelmouse.sys [2007-04-17 18944]
S3 pelusblf;USB Mouse Low Filter Driver; C:\Windows\system32\DRIVERS\pelusblf.sys [2007-04-11 17920]
S3 SymIMMP;SymIMMP; C:\Windows\system32\DRIVERS\SymIM.sys []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-11-26 18752]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2008-02-09 238968]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-11-26 155160]
R2 CwAltaService20;ContentWatch; C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe [2007-10-17 1223168]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-10-19 61440]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-11-26 254040]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-11-26 352920]
S3 IDriverT;InstallDriver Table Manager; c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 LiveUpdate;LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [2008-08-04 3220856]
S3 stllssvr;stllssvr; c:\Program Files\Common Files\SureThing Shared\stllssvr.exe []

-----------------EOF-----------------


Thanks again for your help!!
  • 0

#5 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello Temujinjr,

I did get a WERFAULT.exe error pop-up prior to the logs being created.

Do you get that error in safe mode as well? If you have not tried it in safe mode, please try it and let me know.

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the option, Safe Mode with Networking.
5) Select your normal user account.

After doing the above please see if it gives you that error, after trying this please restart your computer to get back to normal windows.






Please reopen HijackThis and click on Do a system scan only. And put a check next to the following line.

O8 - Extra context menu item: &Search - ?p=ZJman000

Once you have the check in that line please make sure all open windows are closed (keep HijackThis open) and click Fix checked on HijackThis. A box will open up asking if you want to fix the selected item, please click Yes. After you have fixed that line you can close HijackThis.

Please post a new HijackThis log in your next reply.

Edited by Jimmy2012, 25 December 2008 - 10:13 PM.

  • 0

#6 Temujinjr (Member, Topic Starter, 18 posts)
SAFE MODE:
Running the computer in safemode eliminated all werfault.exe errors.

I clicked fix this upon selecting the O8 - Extra context menu item: &Search - ?p=ZJman000
item and created a log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:23, on 2008-12-26
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Turbo%20Pizza/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Pastry%20Passion/Images/armhelper.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

--
End of file - 5344 bytes


Upon completing HIJACKTHIS, I did not attempt to open a browser or updater. System remains in same state as listed above.
  • 0
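The HijackThis and RSIT excerpts quoted above can be triaged mechanically. The script below is an added example, not code from this thread or from HijackThis/RSIT: it parses the O10, O23 and RSIT driver/service line formats seen above, counts Winsock LSP entries per DLL (HijackThis prints one O10 line per catalog entry, so a DLL repeating is expected for a layered LSP), and flags entries whose file is missing or whose driver image lives under a Temp folder. `triage()`, `KNOWN_LSP` (an allowlist built from software already visible in the log) and the constructed `example_unknown.dll` line are assumptions made for this example.

```python
"""Triage helper for HijackThis / RSIT log excerpts (added example)."""
import re
from collections import Counter

# Line formats quoted in this thread.
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+?)\s*$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?\s*$"
)
# RSIT driver/service line: "S3 name;display; path [date size]".
# An empty "[]" at the end means RSIT found no file at that path.
RSIT_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.+?) \[(?P<info>[^\]]*)\]\s*$"
)

# Assumption for this example: LSP DLLs explained by software already in the
# log (ContentWatch appears as service CwAltaService20; WpcUmi.exe in the
# Run key is Windows Parental Controls, whose LSP is wpclsp.dll).
KNOWN_LSP = {
    "cwalsp.dll": "ContentWatch Internet Protection",
    "wpclsp.dll": "Windows Parental Controls",
}

# Constructed sample: lines copied from the thread plus one made-up
# "example_unknown.dll" entry so the unknown-LSP path is exercised.
SAMPLE_LOG = r"""
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\example_unknown.dll
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
R1 aswSP;avast! Self Protection; C:\Windows\system32\drivers\aswSP.sys [2008-11-26 111184]
S3 catchme;catchme; \??\C:\Users\ADMIN\AppData\Local\Temp\catchme.sys []
S3 SymIMMP;SymIMMP; C:\Windows\system32\DRIVERS\SymIM.sys []
"""


def parse_lsp(lines):
    """Count O10 entries per DLL (paths lower-cased for comparison)."""
    counts = Counter()
    for line in lines:
        m = O10_RE.match(line)
        if m:
            counts[m.group("path").strip().lower()] += 1
    return counts


def find_missing(lines):
    """Return (kind, name, path) for entries whose image is not on disk."""
    missing = []
    for line in lines:
        m = O23_RE.match(line)
        if m and m.group("missing"):
            missing.append(("service", m.group("name"), m.group("path")))
            continue
        m = RSIT_RE.match(line)
        if m and m.group("info").strip() == "":
            missing.append(("driver/service", m.group("name"), m.group("path")))
    return missing


def find_temp_drivers(lines):
    """Drivers loaded from a user Temp directory deserve a second look."""
    hits = []
    for line in lines:
        m = RSIT_RE.match(line)
        if m and "\\temp\\" in m.group("path").lower():
            hits.append((m.group("name"), m.group("path")))
    return hits


def triage(text):
    """Summarise the points a log reviewer would check first."""
    lines = text.splitlines()
    lsp = parse_lsp(lines)
    unknown = sorted(p for p in lsp if p.rsplit("\\", 1)[-1] not in KNOWN_LSP)
    return {
        "lsp_counts": dict(lsp),
        "unknown_lsp": unknown,
        "missing_files": find_missing(lines),
        "temp_drivers": find_temp_drivers(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```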

#7 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello Temujinjr,

Running the computer in safemode eliminated all werfault.exe errors.

That's good to hear. :)

Right before your computer started giving you this error did you install or uninstall anything?
  • 0

#8 Temujinjr (Member, Topic Starter, 18 posts)
Nothing that I can remember. This is the kids' computer, and they are set up as a standard user so they should not be able to install anything. The problem started around the 17th of December. I thought it might be one of the MS updates causing a conflict with the network adapter. Uninstalling these did not resolve the current problem. It is interesting to note that after I uninstalled the MS updates for around that period of time, I noticed that the same update appeared on the list when I viewed it a couple of days later. So either it was never truly removed or MS found a way to get updates using the connection but bypassing the problem.

Could this be something that was dormant for a while and then was later activated? I wish I had a name for this bugger, heliphino doesn't seem to do it justice.
  • 0

#9 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello Temujinjr,
I am not sure why your computer is doing this, it is not looking like a malware problem. But, let's do one more scan and see if it finds anything. :)

Before running a new scan let's clean out the temporary folders.


Download ATF Cleaner to your Desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans click the checkboxes in front of the following items to select them:

    • File - Lop Check
    • File - Purity Scan
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post.
  • 0

#10 Temujinjr (Member, Topic Starter, 18 posts)
This OTScanIt program seems to be the Fatman of Anti-V programs. It found something located at users/admin/appdata/local/temp/lipnjlsu.dll. The Avast program popped up and it said Win32:Inject - EV [trj] 081219

Could this be the problem? I put it in my Avast chest and took no further action.

I attached the scan for both users. All scans to date have been done only on the Admin user. I switched to Kids and ran ATF and OTScanIt there as well. On Kids I kept getting a "Microsoft feeds sync has stopped working" system error as well as my normal werfault.exe errors.

I hope something in this post gets us closer to fixing it.

BTW - I will be OOT for about 3-5 days.

Edited by Temujinjr, 27 December 2008 - 11:23 AM.

  • 0

#11 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello Temujinjr,

I will be OOT for about 3-5 days.

No problem. :)

Still nothing really showing up in those logs, is your computer still acting the same as before?
  • 0

#12 Temujinjr (Member, Topic Starter, 18 posts)
My computer was still acting the same as before as of yesterday's posting.

Do I need to do anything about the Win32:Inject - EV [trj] 081219 detection by Avast while OTScanIt was running? It is still in my Avast chest.
  • 0

#13 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello Temujinjr,
I am not sure why your computer is giving you those errors, but it does not look to have anything to do with malware since your logs look clean. I recommend that once we are done here you start a new topic in the Vista forum and someone over there should have some ideas on how to fix it. :)

Do I need to do anything about the Win32:Inject - EV [trj] 081219 detection by Avast while OTScanIt was running? It is still in my Avast chest.

As long as it is in your Avast chest it is nothing to worry about, if you would like you can clear it out.

Other than those errors you told me about, are there any other problems with your computer?
  • 0

#14 Temujinjr (Member, Topic Starter, 18 posts)

Other than those errors you told me about, are there any other problems with your computer?

No. I cannot utilize any program that attempts to connect to the internet. Attempting to do so in normal mode causes werfault.exe errors. I am not able to install Norton Internet Security 2009. Most malware programs, like Malwarebytes, are not allowed to fix issues without shutting down. That is about it.
  • 0

#15 Jimmy2012 (Trusted Helper, Retired Staff, 6,238 posts)
Hello Temujinjr,
There is not much else I can do here, I recommend that you go ahead and start a new topic over in the Vista forum and tell them the problems you are having. Someone over there should be able to help more with this. :)


Let's go ahead and remove the tools used and update a few programs.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

You are using an old version of Adobe Acrobat Reader, please update it here.

Please download OTCleanIt and save it to your Desktop.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button to begin removing tools used to clean your computer
  • If you are prompted to Reboot during the cleanup, please select Yes

Please remove any leftover tools used to clean your computer.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

Please click Start>Control Panel>System and Maintenance>System>System Protection. Uncheck the checkboxes next to each hard drive listed under "Create restore points automatically on the selected disks"; when you uncheck a disk, another screen will pop up, please click Turn System Protection Off. After doing that please click Apply and then OK. Now please restart your computer and then start System Restore again, to do this please do the following.

Please click Start>Control Panel>System and Maintenance>System>System Protection. Put a checkmark in the checkboxes next to each hard drive listed under "Create restore points automatically on the selected disks". After doing that please click Apply and then OK.


System Restore will now be active again.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. Spywareguard: Is realtime protection from spyware.

2. Spywareblaster: Helps protect against any bad ActiveX from installing on your computer.

3. SuperAntiSpyware: Use this program to help remove any spyware that may have gotten on your computer.

4. FireFox: This is a great alternate browser over Internet Explorer. Firefox is much more secure than Internet Explorer and also has a built-in pop up blocker.

5. ATF Cleaner: This program cleans out your temporary files. This is a great tool that can help speed your computer up.

6. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • 0