Bill of PA

  1. Yes, I did run DialAFix when you suggested it (1/24). It seemed to run OK under Windows 2000 Pro (altho I am not familiar with that Util, and what it was supposed to do <g>). I did run it again yesterday (1/29) too, because I thought maybe, since some things were altered (and the SYS files are now displayable, and that wasn't the case on last run), it would run 'differently'. (Again, I don't know much about the program.) I compared the two LOG files. The last run (1/29) was bigger than the first run (about 12K bytes vs 9K, 231 vs 168 lines). Seems like more files were 'touched'/listed (could not find any files with extension of .SYS tho, all files touched were in \SYSTEM32 mostly -- I searched on 'SYS'). Biggest difference seems to be that there were about 29 Unregistered/Registered pairs in last run; only one in the first run. I don't know what this means but, at least, the last run seemed to do more 'things'. I forgot to mention, in my message about WORM_RASTY.A, that malware apparently hops on external disks to proliferate. (*if* that was even involved, where I said "30501 with @SHELL32, seems these could (probably are) result of WORM_RASTY.A malware. Etc, ".) I don't know. I did use a USB flash drive to transfer files between my primary desktop system and the 'sick' laptop -- of course, before I knew of 'RASTY' characteristics. That worried me, but I since ran MBAM (and Avira AV and SuperAntiSpyware) from my desktop (where all 3 run fine -- XP Pro) to check the USB drive. Nothing found, all three said. So, not infected or missed or just lucky? I'm starting to search those programs' forums (in addition to MBAM) for any help on why they may not function on the laptop/W2K. Since I had all three programs, that won't function correctly, installed on the laptop at the present time, I decided to run all three in SAFE mode. (I had tried some earlier, but before I did 'some fixing'.) All three ran to completion, no detections found. Hmmmm....
I know SAFE mode is not recommended because some 'things' are not loaded but, it shows 'something' runs OK. I'm holding off converting to NTFS for awhile. Thanks for the Code tip. At some point (probably just before I reformat (?) re-install W2K from the Restore partition), I'll try the Conversion. Who knows, it might work. I don't know if the Restore process offers the choice of FAT32 or NTFS. We'll see. (I could use Partition Magic too. Whatever.....) Thanks for the warning about not installing XP over my W2K (without re-formatting, anyway). I'm also going to check the IBM forums, for info about restoring/changing OS etc before doing anything on my own. All I need now is the time to do all this. Even being retired, I do have some other work to do -- besides playing with sick computers. <VBG> Bill
  2. Well, I've been busy. No solutions though, all three 'anti-malware' programs *still* don't function. Even after I did/re-did some things. Decided, with my back against wall, I might as well just try some things, knowing full well that I could kill the patient. But, what the heck, I'll probably have to bite the bullet and wipe/re-install anyway. So why not try to learn something along the way. I replaced the missing text in the Folder Options (those five places that had the @shell32.dll, - 30xxx instead of its proper text). Some research seemed to indicate that these 'code' lines were a result of WORM_Rasty.A malware. But I don't know. The 'repair' went well (I did it in stages, to check if it stuck -- or, even if it ran at all). When all five were replaced, the Folder Options then showed like it was supposed to (compared to my 'good' W2K system). Now I could setup to NOT hide system files and folders, etc. Also, I could now see SYS files, etc (although, 'something' I did a bit earlier allowed seeing some of them a few days ago). FIND located over 500 *.sys files now (many days prior I saw *none*). I followed up on your mention of SP4 (possibly to re-install it). Found out that there was a 'new' Rollup 1 (my SP4 came on CD, years old by now). I didn't know about it (well, I lie, -- looking back to older help messages I had in the Avira forum, somebody in July '07 suggested I should get that new rollup (even gave me KB number!); I just didn't do it). I downloaded that and, just today, ran it. I had nothing to lose at this point. It installed just fine -- 156MB of stuff. Still ran fine. Whew.... But no joy concerning my wayward non-functioning malware programs. Tried each. Now with SYS files now displayable, decided to re-run Avira rescueCD (even got the latest version, again) to see if that could flush out anything new. Did a few extras (15 files renamed, I guess that it couldn't delete). But, all this didn't change anything.
I could install Avira in SAFE mode OK, and could install its full manual update (using the downloaded IVDF zip file -- tho, updating online would not work, it refused to budge). But, Avira wouldn't scan at all; started, as 'usually', and hung - not responding, etc. I'm going back to the Avira forum (that's how I was directed here actually), to ask for installation/running help. We'll see..... I'll probably re-run some of the utilities you put me onto (again, now that system files are 'uncovered'). I thought about changing the reformatting from FAT32 to NTFS, thinking that may mess up 'odd' files. I doubt it. I would like to use NTFS anyway. And, I plan to go to IBM forums (or similar) to seek info on putting XP pro over the W2K that IBM originally installed. There is a Restore partition for W2K, if need be. As I said before, it's good that I'm retired to have time to waste. <G> Thanks for listening -- again. I'd be interested in any comments you may think of. Bill
  3. [I MESSED up, in a hurry, & don't know how to edit -- added this after the first post -- this was supposed to be in FRONT of the info in my last post. Sorry.] Well, here is an up to date 'report', as well as I can determine anyway. In a nutshell, everything 'seems' OK -- *Except* the three malware/virus related programs that can't run 'properly'. Uninstalled MBAM and SuperAntiSpyware. Re-installed MBAM, it updated OK and ran -- again for about seven seconds and hung (with settings set to all four areas) resting on a file. ReInstalled SAS, or seemed to (including getting updates), but starting it just sat there 'initializing' -- and hung. Couldn't close it (said it was being 'debugged'). Only way out, Restart. As I said yesterday, Avira installed OK (tho had to do it in Safe Mode), updated -- but can't run the scan (tries, but just sits there - not running at all). ///// Now, continue at my first post of today. Gheeeshh
  4. I said I've been busy looking into 'stuff', more today too. Looking into areas that may be mis-setup. I did more comparing to other 2000 systems I have. Noticed some things. BUT -- in checking the HIDDEN and xxxxxx, I noticed several (6 different) 'odd' entries (@SHELL32.DLL,-30501 etc). These are supposed to be specific text words. These seem to be the 'missing' text from the Folders Options | View settings. For example, where 30501 is, should be 'Do not show hidden files and folders' (one of the items that don't display on my wayward IBM laptop). Google search using 30501 with @SHELL32, seems these could (probably are) result of WORM_RASTY.A malware. Etc, etc. 'Maybe' these text changes were 'left over' (after the infection is detected and fixed), but maybe not. They say anyway. I would hope, think that all the various 'cleaners/etc' we used would catch it ---- but, but ....again. There are many possible solutions to correct these, 'they' say, but I wanted to run this by you before I did anything rash. Of course, there are all kinds of 'free' scans, with $ to fix after (there are so many, unknown too... etc). I don't mind spending money, if it is really necessary. But..... I do have ERUNT now, so any changes are restorable - I hope anyway. I would surely appreciate your comments about this, even if it is dire. I know we have come a long way already. I sure have learned a lot in the process at least. Thanks again. Bill
  5. Just a quick reply. Been busy doing 'stuff' (on the wayward laptop), interesting stuff. May be important, least I learned something. We'll see. I did run Dial A Fix. Avira Antiviri still can't run (I had to go to Safe Mode to install AV) but it, at least, updated itself. I didn't check other things out yet. Late in the day, I made the REGDLL.BAT and tried to run it. It 'ran' but gave me error "... cannot find path specified...". Just about ready to write you, but first I noted that the code written used C:\Windows, and my system uses C:\WINNT. So I changed it, and it ran to completion. Yeah! *Lots* of lines of stuff. (At the end of log it did say "'nbsp' is not recognized as an internal or external command" and "operable program or batch file" (twice, two entries -- after the 'All done updating files' line).) Whatever that means....good or bad... I'll continue tomorrow and get back to you with overall results. Hope springs eternal..... Bill
  6. I didn't see your second message late Friday (1/23/08), so I'll run/do those tomorrow. I can burn a CD. In fact, I ran/tried to run Avira's RescueCD some time ago (about 1/3/09) on this wayward laptop. First time I ran it with its new GUI. Ran it once. Took 21:21 to run. 22872 files, 4 records, 93 warnings and zero suspected. [I had used prior versions, before the GUI interface. Had great success fixing a friend's laptop - 100s of 'bad' files (or renamed ones). Afterward, friend's laptop would boot up -- it wouldn't before. On this version, I could save the log, as it gave me some help <g>] Anyway, I did burn a new version of RescueCD, and ran it. In fact twice. The first time I let it scan (actually, I didn't notice that you could tell it to repair/rename suspect files). Results: 21:28 to run. Didn't mark down files, 21 records, 93 warnings and zero suspected. On the second run, I did select repair/renamed problems. Results: 21:29 to run. 22211, 1267 directories, 21 records, 93 warnings and zero suspected. Almost the same results as first run this morning. The log was immense, couldn't find how to save it (in Linux). I did note a couple things as it started: said -- auto excluding /sys from scans (is a special fs), same message for /proc. I don't understand if that means it can't get to these files (where they may be 'suspect') -- etc. Is this all of the information you wanted from the CD runs? Or, did I miss something? Tomorrow I'll continue with your new things to try. Thanks again...
  7. Thanks for the additional info and things to try. I did get and ran ERUNT. (Very interesting looking util!; I read all its documentation -- thanks for this regardless of what happens.) Ran Ccleaner (got a fresh copy). It found 267 'issues' quite fast -- most of them apparently 'hanging' non-found files. Fixed all. Now says 'no more issues found'. Got a fresh version of MBAM, installed OK. BUT -- still hung about the same place -- 5-7 seconds, stopped on a file (various with multiple runs). And hung, becoming 'not responding'. NOTE: Ran again with Settings at 'default' (as it comes up), but unselecting 'memory scan'. It ran to completion, just like it did earlier. 2:47 minutes to finish, ~ 37,000 objects. Shows log etc, all 'clean'. Why would scanning memory contents cause/lead to a non-functioning program? [I tried to run a 'full' scan and just selected the A: with a floppy, but MBAM still tries to run through the C: first. Of course, it soon hangs.] I got and ran Addmove.exe. Its txt file is below (only about 93 lines). Some comments: I've been running this sick laptop a lot during the last couple weeks. Still haven't seen *any* 'evidences' of 'typical' malware troubles (popups, slow running, poorly running progs etc, etc). The most worrisome 'manifestation' of 'something' is not displaying any system/hidden files. I keep thinking that there is a setting which I am setting right. That and, of course, Avira Antivir and SuperAntiSpyware (can't even finish its installation), plus Malwarebytes not running correctly all. <G> Certainly not normal though. Just weird. Thanks again.
  8. Well, I simply could not get Java re-installed. I tried most of the day (it's good being retired <G>). With all the flak that Sun puts up, it's a wonder that anyone uses Java. At least, struggling with bouts like this, I even learned some 'stuff'. As I mentioned the other day, the 'older' version (actually I did have the newest Java 6, update 11 version installed -- but I have no idea how it was/when installed) would remain in CP | Remove progs even after I tried to 'remove' it. It just was there, wouldn't delete/uninstall. So, any other attempt to install a newer version, would be met with the message 'it is installed already' or some such. Finally I learned about Windows Install Clean Up. That allowed the prior version to no longer show in Control Panel. So a new version *should* be able to install, but it didn't. Who knows..... I'll give it another shot tomorrow, for a while. I don't have much hope tho. Actually, several days ago, before you asked me run Kaspersky, I did it on my own (while I had Java 6 installed, altho I didn't realize that it was req'd). Somewhere during my research, someone mentioned their online scan. It started to run, but I quit it after two plus hours. It seemed to be hung (not responding). I don't know what that signifies. I thought I would report this to you. See if you have any other suggestions. [Do you know of another scanner named Spyzooka? My research turned up some favorable comments on it.] Thanks again. (Sorry there's no Kaspersky log, yet anyway.)
  9. Thanks for the example screenshots. Mine are somewhat different. I have no line(s): 'folder Icon' Hidden files and folders and both lines underneath or 'Hidden protected.......(Recommended)' or 'Remember each folder's ..........' [Do have what you show on another 'clean' W2K desktop system.] Did the HJT fixes, no problem. Finally did get (most) of JAVA out. Although CP|remProgs still says I still have Java 6, update 11! (lived through numerous restarts). Trying to remove it again, just says can't because 'an installation is running'. ?? Have to use the deletion of couple \JAVA folders tho. \JRE6 wouldn't delete, says 'access denied'; (even tried in DOS 7.10 -- booted off a CD). \JRE6 folder is empty but still shows about 23MB size. ?? However, then ran into troubles proceeding further. Kaspersky first says my system's requirements are incorrect (maybe IE is too old a version, 5.0....). Then I checked its site, and it says it can use Firefox (I have 3.0.5). So I tried. But -- it refused to download etc. Its preliminary check revealed that it needed JAVA 1.5 or up!! We just took Java out. Hmmm.... Now I'm confused. Am I doing something wrong? Thanks, Bill
  10. Unfortunately, no joy. At least, overall anyway. Followed your new instructions; renamed HJT as Bill.exe, ran CHKDSK /F (it restarted as you said, after the 'Y'), got a new MBAM with updates, etc. But MBAM still hung, stopping as quickly as before (5-8 seconds, with various files in system32 showing at stop point). MBAM then 'not responding'. So, no MBAM log was saved. So I decided to experiment a little, with the Settings in MBAM. Maybe it is not as meaningful as a 'full' run, but some settings allowed MBAM to finish its scan. Actually single selections of all but 'scan memory' would run to completion. Even with all (3) selected, except Memory, ran and said 'no detections'. Select all four, and that hung the Scan. Meaning? MBAM was added to the Context menu, so I could check individual files (like those MBAM showed when it hung). All checked individually OK. *Except* a couple which I couldn't find in Winnt\system32 -- I gather these are system/hiddens -- all which are still not displayable. (Trying Finding files as *.sys, returns 'no files' found.) Something, yesterday, did modify the Folders Options | view -- by checking 'hide file extensions for known files types'. I myself never run like that. But the rest of Files and Folders are still missing the 'Hidden and system files entry' -- as I reported before. There is a 'selected' circle (with a radio button dot) offset rightwards under the checked box underneath 'Files and Folders' -- but there is NO text at all after that circle (should be, I'm sure). I do have some MBAM log files (from the settings trials), but they don't show many details (except all no detections etc). So I didn't include here. I did include, because it is small, the 'clean' MBAM completed run with all except the 'scan memory' selected. And, a new HJT log run after all the trials above (after Restarts).
  11. I'm finally back, with two log/txt files. A little worse for the 'wear' of yesterday. I had all sorts of red herrings Saturday. Most important of which, but maybe insightful too, are these two. 1) I can't set up to display hidden and system files. Those items are simply not shown in Folder Options | view (as they are in my other W2K systems). I did quite a bit of research on this. All kinds of 'helpful' attempts. Nothing worked. I gather, tho, this is one of the characteristics of some malware (according to some help sources). Does this impair, or invalidate, testing results? I fear so? 2) Re: Windows Recovery Console: (that you said "that will only take a few moments of your time." -- I'm not complaining, just explaining <g>) After many hours (again, online searching for help), I just gave up. No way could I get it installed. Most (even Microsoft's 'official') methods depend on using a W2K CD (that I have) -- but that won't install on a W2K with SP4 installed (CD has an earlier version of winnt32). [Trying the C:\i386 folder (that *was* on my HD) was what caused me to pursue looking into not seeing system files etc. \i386 just suddenly disappeared as I started to find winnt32 'there'. Now I can't see/find *any* .sys files.] Downloading console file looked 'iffy' (sites kept wanting to sell you something). Got one, but afraid to use it. I didn't bother to get the 6 floppy set, could later. But, there's good news too. New ComboFix version ran just fine. Thanks for the input about it. (Rather quickly too, minutes). Course, no Windows Recovery Console was found (and, it was never asked for either -- it looks like it could get it online some way, since it tells you to be online). The two newest log/txt files are below. Thanks again for hanging in there with me on this.
ComboFix.txt

ComboFix 09-01-16.03 - Administrator 01/18/2009 15:38:48.4 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.383.158 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFixNu.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.
2009-01-18 15:46 . 09-01-18 15:46 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_250.dat
2009-01-18 13:32 . 09-01-18 13:32 0 -ra------ c:\winnt\system32\TFTP984
2009-01-15 12:57 . 09-01-15 12:57 <DIR> d-------- c:\program files\CCleaner
2009-01-13 10:51 . 09-01-13 10:51 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-13 10:37 . 09-01-18 11:26 967,516 ---h----- c:\winnt\ShellIconCache
2009-01-12 10:15 . 09-01-12 10:15 <DIR> d-------- C:\$Mky&JulieXfers
2009-01-11 13:26 . 06-09-18 07:23 145,408 --a------ c:\winnt\msconfig.exe
2009-01-06 16:49 . 09-01-06 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-05 14:20 . 09-01-05 14:20 <DIR> d-------- c:\program files\Avira
2009-01-05 14:20 . 09-01-05 14:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-05 12:06 . 09-01-05 12:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 15:53 . 09-01-04 15:53 <DIR> d-------- C:\Metapad
2009-01-04 14:42 . 09-01-04 14:42 <DIR> d-------- c:\program files\Lavasoft
2009-01-04 14:42 . 09-01-04 14:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-04 13:10 . 09-01-04 13:10 <DIR> d-------- C:\HiJackThis
2009-01-04 12:12 . 09-01-04 12:12 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
2009-01-04 12:11 . 09-01-04 12:11 <DIR> d-------- c:\winnt\Sun
2009-01-04 12:08 . 09-01-04 12:08 <DIR> d-------- c:\program files\Java
2009-01-04 12:08 . 09-01-04 12:08 410,984 --a------ c:\winnt\system32\deploytk.dll
2009-01-04 12:08 . 09-01-04 12:08 73,728 --a------ c:\winnt\system32\javacpl.cpl
2009-01-03 18:10 . 09-01-03 18:10 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-03 17:30 . 09-01-03 17:30 <DIR> d-------- C:\$FrmFlshDrv
2009-01-03 17:22 . 03-06-19 12:05 21,552 --a------ c:\winnt\system32\dllcache\usbstor.sys
2009-01-02 17:19 . 09-01-02 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 10:42 . 09-01-02 10:42 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-02 10:42 . 09-01-02 10:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-04-30 21:18 271 ---h--w c:\program files\desktop.ini
2004-04-30 21:18 21,952 ---h--w c:\program files\folder.htt
2000-07-26 10:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2008-06-29 20:23 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-06-29 20:23 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-06-29 20:23 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-06-29 20:23 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-06-29 20:23 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPTRAY"="c:\progra~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [00-11-21 11:55 41472]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [00-12-01 01:11 51200]
"TpHotkey"="c:\progra~1\ThinkPad\UTILIT~1\tphkmgr.exe" [00-10-11 20:59 53248]
"HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01-12-11 19:33 196608]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08-06-12 13:28 266497]
"MSConfig"="c:\winnt\msconfig.exe" [06-09-18 07:23 145408]
"TrackPointSrv"="tp4serv.exe" [01-02-15 02:10 186880 c:\winnt\system32\tp4serv.exe]
"SoundFusion"="cwcprops.cpl" [00-11-01 18:12 45296 c:\winnt\system32\cwcprops.cpl]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 c:\winnt\system32\mobsync.exe]
"PRPCMonitor"="PRPCUI.exe" [00-01-06 08:00 32768 c:\winnt\system32\prpcui.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AUTOCHK.LNK - c:\cfgsafe\AUTOCHK.EXE [1980-01-01 11808]
D-link AirPlus G DWL-G120 Wireless USB.lnk - c:\program files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe [2007-07-13 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
03-06-19 12:05 139536 c:\winnt\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tourpath]
regedit [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 09-01-04 12:08 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 00-11-15 17:10 192512 c:\winnt\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

R?4 windosh;Windows Image Instrumentation;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R0 avgntmgr;avgntmgr;c:\winnt\system32\drivers\avgntmgr.sys [2009-01-05 18496]
R1 avgntdd;avgntdd;c:\winnt\system32\drivers\avgntdd.sys [2009-01-05 64448]
R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2004-04-30 11776]
R3 ati2mpab;ati2mpab;c:\winnt\system32\drivers\ati2mpab.sys [1980-01-01 273376]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\winnt\system32\drivers\tp4track.sys [1980-01-01 8991]
R4 PRPC;PRPC;c:\winnt\system32\drivers\prpc.sys [2004-04-30 12182]
R4 V7;V7;c:\winnt\system32\drivers\V7.SYS [2004-04-30 7196]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\winnt\system32\drivers\mbamswissarmy.sys --> c:\winnt\system32\drivers\mbamswissarmy.sys [?]
S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2007-07-13 24784]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-11-07 49776]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
windosh
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {3898492A-430B-465F-A366-B47BCB3D7F9C} = 209.204.64.2,209.204.64.3
O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\winnt\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c2v4jc3o.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 15:47:23
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(180)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-01-18 15:49:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-18 20:49:18
Pre-Run: 24,780,652,544 bytes free
Post-Run: 24,856,739,840 bytes free
133

*******

HiJackThis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:58:30, on 1/18/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\xplorer2_lite\xplorer2.exe
C:\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\msconfig.exe /auto
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3898492A-430B-465F-A366-B47BCB3D7F9C}: NameServer = 209.204.64.2,209.204.64.3
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5049 bytes

******** ********end of Bill of PA latest post
  12. Well, I ran through all the various Steps in your detailed instruction message. Did print them out to follow them carefully. I did finally complete the process, but I'm not sure if the results will show enough meaningful data. There were a couple glitches along the way, unfortunately.

Most important (I think anyway) is that Combofix didn't finish properly. It started OK, got through the 50 'stages' quickly and then continued without showing anything more on the screen. I watched (as they said) for a while, and the HD was flashing every 20-30 seconds or so. Waited for an hour, then left to visit a friend. Came back, still running/showing same place on the screen. HD still flashing, same rate. After 5:15 hours I simply closed it. It responded, and quit. [Its last line displayed (after 50 stage) was (to me) odd. '"C:\WINNT\system32" is not recognized ....as a command, or operable program or batch file.' -- I wouldn't expect system32 *folder* to run anything. ?]

So, there was no Combofix.txt file in C:\. I found one in the C:\Combofix folder, quite small though (time shown is when Combofix started). I include it below anyway. As you cautioned, I didn't run ComboFix again. I found no 'avenger.txt' file. There was an aclreset.txt, created about time Fixacl.exe ran. So I include that below too.

All the other utilities seemed to run OK, as instructions indicated anyway. Note that the DDS run was after I stopped ComboFix. Did its two txt files OK. I'm not doing anything more on this Laptop until I hear something from all you kind folks. I have other systems.

All the contents of log/txt files are appended below, including the HJT log which was run after a Shutdown/Restart (on next day).
ComboFix.txt

ComboFix 09-01-10.01 - Administrator 01/15/2009 13:29:23.3 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.383.221 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

///////

HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} : 2 The system cannot find the file specified.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5BF49A2-94F1-42BD-F434-3604812C807D}\InProcServer32 : 2 The system cannot find the file specified.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser : 2 The system cannot find the file specified.
MBAMExt.MBAMShlExt : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt : new ace for builtin\administrators
MBAMExt.MBAMShlExt : delete Perm. ACE 2 nt authority\system
MBAMExt.MBAMShlExt : new ace for nt authority\system
MBAMExt.MBAMShlExt : delete Perm. ACE 1 nt authority\restricted
MBAMExt.MBAMShlExt : new ace for nt authority\restricted
MBAMExt.MBAMShlExt : new ace for bills-gcv\administrator
MBAMExt.MBAMShlExt : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt : 8 change(s)
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt.1 : new ace for builtin\administrators
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 nt authority\system
MBAMExt.MBAMShlExt.1 : new ace for nt authority\system
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 1 nt authority\restricted
MBAMExt.MBAMShlExt.1 : new ace for nt authority\restricted
MBAMExt.MBAMShlExt.1 : new ace for bills-gcv\administrator
MBAMExt.MBAMShlExt.1 : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1 : 8 change(s)
HKEY_CLASSES_ROOT\SSubTimer6.CTimer : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\SSubTimer6.GSubclass : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\SSubTimer6.ISubclass : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridSortObject : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.IGridCellOwnerDraw : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid : 2 The system cannot find the file specified.
MBAMExt.MBAMShlExt : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt : new ace for builtin\administrators
MBAMExt.MBAMShlExt : delete Perm. ACE 2 nt authority\system
MBAMExt.MBAMShlExt : new ace for nt authority\system
MBAMExt.MBAMShlExt : delete Perm. ACE 2 nt authority\restricted
MBAMExt.MBAMShlExt : new ace for nt authority\restricted
MBAMExt.MBAMShlExt : delete Perm. ACE 2 bills-gcv\administrator
MBAMExt.MBAMShlExt : new ace for bills-gcv\administrator
MBAMExt.MBAMShlExt : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt : 9 change(s)
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 builtin\administrators
MBAMExt.MBAMShlExt.1 : new ace for builtin\administrators
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 nt authority\system
MBAMExt.MBAMShlExt.1 : new ace for nt authority\system
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 nt authority\restricted
MBAMExt.MBAMShlExt.1 : new ace for nt authority\restricted
MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 bills-gcv\administrator
MBAMExt.MBAMShlExt.1 : new ace for bills-gcv\administrator
MBAMExt.MBAMShlExt.1 : builtin\administrators is the new owner
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1 : 9 change(s)
HKEY_CLASSES_ROOT\SSubTimer6.CTimer : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\SSubTimer6.GSubclass : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\SSubTimer6.ISubclass : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridSortObject : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.IGridCellOwnerDraw : 2 The system cannot find the file specified.
HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid : 2 The system cannot find the file specified.

/////

DDS.txt

DDS (Ver_09-01-07.01) - FAT32x86
Run by Administrator at 19:08:13.65 on Thu 2009-01-15
Internet Explorer: 5.50.4134.0600 BrowserJavaVersion: 1.6.0_11
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.383.212 [GMT -5:00]

============== Running Processes ===============

C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\xplorer2_lite\xplorer2.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [TrackPointSrv] tp4serv.exe
mRun: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
mRun: [synchronization Manager] mobsync.exe /logon
mRun: [TPTRAY] c:\progra~1\thinkpad\utilit~1\TP98TRAY.EXE
mRun: [bMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [TpHotkey] c:\progra~1\thinkpad\utilit~1\tphkmgr.exe
mRun: [PRPCMonitor] PRPCUI.exe
mRun: [HPDJ Taskbar Utility] c:\winnt\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [MSConfig] c:\winnt\msconfig.exe /auto
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autochk.lnk - c:\cfgsafe\AUTOCHK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus g dwl-g120 wireless usb\120UTIL.exe
TCP: {3898492A-430B-465F-A366-B47BCB3D7F9C} = 209.204.64.2,209.204.64.3
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: nwprovau - nwprovau.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\c2v4jc3o.default\
FF - prefs.js: browser.startup.homepage - google.com

============= SERVICES / DRIVERS ===============

R?4 windosh;Windows Image Instrumentation;c:\winnt\system32\svchost.exe -k netsvcs [1980-1-1 7952]
R0 avgntmgr;avgntmgr;c:\winnt\system32\drivers\avgntmgr.sys [2009-1-5 18496]
R1 avgntdd;avgntdd;c:\winnt\system32\drivers\avgntdd.sys [2009-1-5 64448]
R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2004-4-30 11776]
R3 ati2mpab;ati2mpab;c:\winnt\system32\drivers\ati2mpab.sys [1980-1-1 273376]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\winnt\system32\drivers\tp4track.sys [1980-1-1 8991]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-5 68865]
R4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-5 151297]
R4 PRPC;PRPC;c:\winnt\system32\drivers\prpc.sys [2004-4-30 12182]
R4 V7;V7;c:\winnt\system32\drivers\V7.SYS [2004-4-30 7196]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\winnt\system32\drivers\mbamswissarmy.sys --> c:\winnt\system32\drivers\mbamswissarmy.sys [?]
S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2007-7-13 24784]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-11-7 49776]

=============== Created Last 30 ================

2009-01-15 19:08 16,384 a------- c:\winnt\system32\Perflib_Perfdata_2f4.dat
2009-01-15 18:59 16,384 a------- c:\winnt\system32\Perflib_Perfdata_27c.dat
2009-01-15 13:28 161,792 a------- c:\winnt\SWREG.exe
2009-01-15 13:28 98,816 a------- c:\winnt\sed.exe
2009-01-15 13:28 236,304 a------- c:\winnt\system32\CF17159.exe
2009-01-15 13:28 <DIR> --d----- C:\Combo-Fix
2009-01-15 12:57 <DIR> --d----- c:\program files\CCleaner
2009-01-13 10:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-01-13 10:37 862,810 ----h--- c:\winnt\ShellIconCache
2009-01-12 10:15 <DIR> --d----- C:\$Mky&JulieXfers
2009-01-11 13:27 <DIR> --d----- c:\winnt\pss
2009-01-11 13:26 145,408 a------- c:\winnt\msconfig.exe
2009-01-06 16:49 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-05 14:20 <DIR> --d----- c:\program files\Avira
2009-01-05 14:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-01-05 12:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 15:53 <DIR> --d----- C:\Metapad
2009-01-04 14:42 <DIR> --d----- c:\program files\Lavasoft
2009-01-04 13:10 <DIR> --d----- C:\HiJackThis
2009-01-04 12:12 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6
2009-01-04 12:08 410,984 a------- c:\winnt\system32\deploytk.dll
2009-01-04 12:08 73,728 a------- c:\winnt\system32\javacpl.cpl
2009-01-03 18:10 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-03 17:42 <DIR> --d----- c:\winnt\system32\appmgmt
2009-01-03 17:30 <DIR> --d----- C:\$FrmFlshDrv
2009-01-03 17:22 21,552 a------- c:\winnt\system32\dllcache\usbstor.sys
2009-01-02 17:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-02 10:42 <DIR> --d----- c:\program files\SUPERAntiSpyware

==================== Find3M ====================

2004-04-30 16:18 21,952 ----h--- c:\program files\folder.htt
2004-04-30 16:18 271 ----h--- c:\program files\desktop.ini
2000-07-26 05:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 19:08:40.13 ===============

///////

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-01-07.01)

Microsoft Windows 2000 Professional
Boot Device: \Device\Harddisk0\Partition1
Install Date:
System Uptime: 2009-01-15 13:58:24 (6 hours ago)

Motherboard: IBM | | 2633BC1
Processor: Intel Pentium III processor | None | 995/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 27 GiB total, 23.214 GiB free.
D: is CDROM (CDFS)
E: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-link AirPlus G DWL-G120 Wireless USB Adapter
Device ID: USB\VID_2001&PID_3701\6&296C5CF&0&2
Manufacturer: GlobespanVirata, Inc.
Name: D-link AirPlus G DWL-G120 Wireless USB Adapter #5
PNP Device ID: USB\VID_2001&PID_3701\6&296C5CF&0&2
Service: PRISM_A02

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Access ThinkPad
Ad-Aware
Adobe Acrobat 5.0
ATI Display Driver Utilities
Avira AntiVir Personal - Free Antivirus
Belarc Advisor 6.0
CCleaner (remove only)
ConfigSafe
D-link AirPlus G DWL-G120 Wireless USB Adapter
DVDExpress
HijackThis 2.0.2
hp deskjet 930c series (Remove only)
IBM ThinkPad On Screen Display
IBM TrackPoint Support
IBM Update Connector
Intel SpeedStep technology Applet
Intel® PRO Ethernet Adapter and Software
IrfanView (remove only)
Java 6 Update 11
Mozilla Firefox (2.0.0.14)
PC-Doctor for Windows 2000
Shockwave
ThinkPad Assistant
ThinkPad Configuration
ThinkPad FullScreen Magnifier
WebFldrs
Windows 2000 Service Pack 4
Windows Media Player 7
WinZip
WordPerfect Office 11
xplorer
  13. Hi 'Deity' (I guess). Thanks for the detailed instructions, seems quite complex. That's OK by me, but I thought I should ask a couple questions before running those program sequences.

1) This IBM laptop is running Windows 2000 (pre-installed when I got it from IBM), not XP. Does that make any difference? (I don't want to mess it up any more than it (might be) is. <g>)

1a) I already had set up W2K to display hidden/system files. That's no problem.

2) I did some research on Windows Recovery Console. Seems like most references talk about XP, but I found a few that seem to indicate W2K has that Console functionality -- if it is installed.

2a) Seems I found references on how to install WRC after W2K is already installed (my case). I could do that if need be. (I don't know about the Step 6 that indicates WRC could be installed via download -- would it work for W2K? During my first run of Combofix, the other day, it didn't ask about downloading WRC, just went ahead.)

I have already downloaded all the programs that you suggested, but wanted to ask these questions first before running them.

A fallback position (I've been thinking about this, if need be): The IBM has a Restore partition for W2K (no IBM CD for it tho). And there's always the possibility of switching to XP Pro too. (Tho, for the latter, I worry about losing the special programs/Utilities IBM has for its Thinkpads.)

Thanks for any comments, before I run rampant. Bill
  14. I ran SmitFraudFix. Followed the instructions. Seemed to run quite smoothly. Couple of warnings from Avira, tho I gather that it detected something in Smit....(Agent.OMZ.fix etc) Only thing I noticed was that it popped up a message that it can't do the cleaning registry section -- Error accessing the registry. But then it went on and finished the run, and displaying its txt file. (and that said 'registry cleaning done' --??) After the 'cleaning', Smit log was less than half of that after its 'search' mode (~ 2100 vs 4900 bytes). Seemed it did 'something'. <??>

However, tried running Mbam (after updating). Same thing as before -- hung after a few seconds, stopping on a filename. Three tries, three hangs in 5-9 seconds, different filenames showing at the hang. (This is like all tries so far, different times/filename. And, Mbam is 'not responding' after the hang.) So, no new Mbam log to include. Sorry. Here's the HJT log though (after the other Mbam runs). I didn't include the SmitFraud txt tho, since you didn't ask for them.

Hmmmm.....next? (after all this, I did try an Avira scan (tho didn't update either) -- just can't run (past the opening page, with all 0's showing).)

HJT after Smit run.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:00, on 1/13/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\xplorer2_lite\xplorer2.exe
C:\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3898492A-430B-465F-A366-B47BCB3D7F9C}: NameServer = 209.204.64.2,209.204.64.3
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4904 bytes

*****end of Bill of PA msg above
  15. Hope I did this right (had to/did delete the 'quote' of last message to me -- about running ComboFix). Thanks for the instructions. It seemed to run fine -- except it never asked for the Windows Recovery Console, it just went ahead continuing with the ComboFix run. (I did have a connection via wireless.) One more thing: I turned off Avira AntiVir (deactivated it), but it still popped up (?) one warning about something in ComboFix; I said to Ignore it. That's all. Did an HJT run right after ComboFix finished. Here's the two txt/log contents:

ComboFix.txt

ComboFix 09-01-11.04 - Administrator 01/12/2009 10:44:15.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.383.227 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\winnt\Web\default.htt
.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.
2009-01-12 10:48 . 09-01-12 10:48 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_254.dat
2009-01-12 10:15 . 09-01-12 10:15 <DIR> d-------- C:\$Mky&JulieXfers
2009-01-11 16:41 . 09-01-12 10:37 861,516 ---h----- c:\winnt\ShellIconCache
2009-01-11 13:26 . 06-09-18 07:23 145,408 --a------ c:\winnt\msconfig.exe
2009-01-06 16:49 . 09-01-06 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-06 16:49 . 09-01-04 18:41 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-01-06 16:49 . 09-01-04 18:41 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-01-05 14:20 . 09-01-05 14:20 <DIR> d-------- c:\program files\Avira
2009-01-05 14:20 . 09-01-05 14:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-05 12:06 . 09-01-05 12:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 15:53 . 09-01-04 15:53 <DIR> d-------- C:\Metapad
2009-01-04 15:40 . 09-01-04 15:40 <DIR> d-------- c:\program files\CCleaner
2009-01-04 14:42 . 09-01-04 14:42 <DIR> d-------- c:\program files\Lavasoft
2009-01-04 14:42 . 09-01-04 14:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-04 13:10 . 09-01-04 13:10 <DIR> d-------- C:\HiJackThis
2009-01-04 12:12 . 09-01-04 12:12 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
2009-01-04 12:11 . 09-01-04 12:11 <DIR> d-------- c:\winnt\Sun
2009-01-04 12:08 . 09-01-04 12:08 <DIR> d-------- c:\program files\Java
2009-01-04 12:08 . 09-01-04 12:08 410,984 --a------ c:\winnt\system32\deploytk.dll
2009-01-04 12:08 . 09-01-04 12:08 73,728 --a------ c:\winnt\system32\javacpl.cpl
2009-01-03 18:10 . 09-01-03 18:10 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-03 17:30 . 09-01-03 17:30 <DIR> d-------- C:\$FrmFlshDrv
2009-01-03 17:22 . 03-06-19 12:05 21,552 --a------ c:\winnt\system32\dllcache\usbstor.sys
2009-01-02 17:19 . 09-01-02 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 10:42 . 09-01-02 10:42 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-02 10:42 . 09-01-02 10:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-04-30 21:18 271 ---h--w c:\program files\desktop.ini
2004-04-30 21:18 21,952 ---h--w c:\program files\folder.htt
2000-07-26 10:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2008-06-29 20:23 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-06-29 20:23 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-06-29 20:23 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-06-29 20:23 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-06-29 20:23 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tourpath"="regedit" [X]
"TPTRAY"="c:\progra~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [00-11-21 11:55 41472]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [00-12-01 01:11 51200]
"TpHotkey"="c:\progra~1\ThinkPad\UTILIT~1\tphkmgr.exe" [00-10-11 20:59 53248]
"HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01-12-11 19:33 196608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [09-01-04 12:08 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08-06-12 13:28 266497]
"TrackPointSrv"="tp4serv.exe" [01-02-15 02:10 186880 c:\winnt\system32\tp4serv.exe]
"AtiPTA"="Atiptaxx.exe" [00-11-15 17:10 192512 c:\winnt\system32\atiptaxx.exe]
"SoundFusion"="cwcprops.cpl" [00-11-01 18:12 45296 c:\winnt\system32\cwcprops.cpl]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 c:\winnt\system32\mobsync.exe]
"PRPCMonitor"="PRPCUI.exe" [00-01-06 08:00 32768 c:\winnt\system32\prpcui.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AUTOCHK.LNK - c:\cfgsafe\AUTOCHK.EXE [1980-01-01 11808]
D-link AirPlus G DWL-G120 Wireless USB.lnk - c:\program files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe [2007-07-13 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
03-06-19 12:05 139536 c:\winnt\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

R?4 windosh;Windows Image Instrumentation;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R0 avgntmgr;avgntmgr;c:\winnt\system32\drivers\avgntmgr.sys [2009-01-05 18496]
R1 avgntdd;avgntdd;c:\winnt\system32\drivers\avgntdd.sys [2009-01-05 64448]
R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2004-04-30 11776]
R3 ati2mpab;ati2mpab;c:\winnt\system32\drivers\ati2mpab.sys [1980-01-01 273376]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\winnt\system32\drivers\tp4track.sys [1980-01-01 8991]
R4 PRPC;PRPC;c:\winnt\system32\drivers\prpc.sys [2004-04-30 12182]
R4 V7;V7;c:\winnt\system32\drivers\V7.SYS [2004-04-30 7196]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2007-07-13 24784]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-11-07 49776]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - SHAREDACCESS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
windosh
.
.
------- Supplementary Scan -------
.
LSP: %SystemRoot%\system32\msafd.dll
TCP: {3898492A-430B-465F-A366-B47BCB3D7F9C} = 209.204.64.2,209.204.64.3
O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\winnt\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c2v4jc3o.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 10:48:47
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(180)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-01-12 10:50:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 15:50:32
Pre-Run: 24,519,376,896 bytes free
Post-Run: 24,949,686,272 bytes free
130

********** **********

and HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:39 AM, on 1/12/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\xplorer2_lite\xplorer2.exe
C:\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3898492A-430B-465F-A366-B47BCB3D7F9C}: NameServer = 209.204.64.2,209.204.64.3
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5063 bytes

****end of Bill of PA response/file contents