Posts posted by Bill of PA

  1. Yes, I did run DialAFix when you suggested it (1/24). It seemed to run OK under Windows 2000 Pro (altho I am not familiar with that Util, and what it was supposed to do <g>).

    I did run it again yesterday (1/29) too, because I thought maybe, since some things were altered (and the SYS files are now displayable, and that wasn't the case on the last run), it would run 'differently'. (Again, I don't know much about the program.)

    I compared the two LOG files. The last run (1/29) was bigger than the first run (about 12K bytes vs 9K, 231 vs 168 lines). Seems like more files were 'touched'/listed (could not find any files with extension of .SYS tho, all files touched were in \SYSTEM32 mostly --I searched on 'SYS').

    Biggest difference seems to be that there were about 29 Unregistered/Registered pairs in last run; only one in the first run. I don't know what this means but, at least, the last run seemed to do more 'things'.

    I forgot to mention, in my message about WORM_RASTY.A, that malware apparently hops on external disks to proliferate. (*if* that was even involved, where I said "30501 with @SHELL32, seems these could (probably are) result of WORM_RASTY.A malware. Etc, ".) I don't know.

    I did use a USB flash drive to transfer files between my primary desktop system and the 'sick' laptop -- of course, before I knew of 'RASTY' characteristics. That worried me, but I since ran MBAM (and Avira AV and SuperAntiSpyware) from my desktop (where all 3 run fine -- XP Pro) to check the USB drive. Nothing found, all three said. So, not infected or missed or just lucky?

    I'm starting to search those programs' forums (in addition to MBAM) for any help on why they may not function on the laptop/W2K.

    Since I had all three programs, that won't function correctly, installed on the laptop at the present time, I decided to run all three in SAFE mode. (I had tried some earlier, but before I did 'some fixing'.)

    All three ran to completion, no detections found. Hmmmm.... I know SAFE mode is not recommended because some 'things' are not loaded but, it shows 'something' runs OK.

    I'm holding off converting to NTFS for awhile. Thanks for the Code tip. At some point (probably just before I reformat (?) re-install W2K from the Restore partition), I'll try the Conversion. Who knows, it might work. I don't know if the Restore process offers the choice of FAT32 or NTFS. We'll see. (I could use Partition Magic too. Whatever.....)

    Thanks for the warning about not installing XP over my W2K (without re-formatting, anyway). I'm also going to check the IBM forums, for info about restoring/changing OS etc before doing anything on my own.

    All I need now is the time to do all this. Even being retired, I do have some other work to do -- besides playing with sick computers. <VBG>


  2. Well, I've been busy. No solutions though, all three 'anti-malware' programs *still* don't function. Even after I did/re-did some things.

    Decided, with my back against wall, I might as well just try some things, knowing full well that I could kill the patient. But, what the heck, I'll probably have to bite the bullet and wipe/re-install anyway. So why not try to learn something along the way.

    I replaced the missing text in the Folder Options (those five places that had the @shell32.dll, - 30xxx instead of its proper text). Some research seemed to indicate that these 'code' lines were a result of WORM_Rasty.A malware. But I don't know. The 'repair' went well (I did it in stages, to check if it stuck -- or, even if it ran at all). When all five were replaced, the Folder Options then showed like it was supposed to (compared to my 'good' W2K system). Now I could setup to NOT hide system files and folders, etc.

    Also, I could now see SYS files, etc (although, 'something' I did a bit earlier allowed seeing some of them a few days ago). FIND located over 500 *.sys files now (many days prior I saw *none*).

    I followed up on your mention of SP4 (possibly re-installing it). Found out that there was a 'new' Rollup 1 (my SP4 came on CD, years old by now). I didn't know about it (well, I lie, -- looking back to older help messages I had in the Avira forum, somebody in July '07 suggested I should get that new rollup (even gave me KBnumber!); I just didn't do it).

    I downloaded that and, just today, ran it. I had nothing to lose at this point. It installed just fine -- 156MB of stuff. Still ran fine. Whew....

    But no joy concerning my wayward non-functioning malware programs. Tried each.

    Now with SYS files now displayable, decided to re-run Avira rescueCD (even got the latest version, again) to see if that could flush out anything new. Did a few extras (15 files renamed, I guess that it couldn't delete).

    But, all this didn't change anything. I could install Avira in SAFE mode OK, and could install its full manual update (using the downloaded IVDF zip file -- tho, updating online would not work, it refused to budge). But, Avira wouldn't scan at all; started, as 'usually', and hung - not responding, etc.

    I'm going back to the Avira forum (that's how I was directed here actually), to ask for installation/running help. We'll see.....

    I'll probably re-run some of the utilities you put me onto (again, now that system files are 'uncovered').

    I thought about changing the reformatting from FAT32 to NTFS, thinking that may mess up 'odd' files. I doubt it. I would like to use NTFS anyway.

    And, I plan to go to IBM forums (or similar) to seek info on putting XP pro over the W2K that IBM originally installed. There is a Restore partition for W2K, if need be.

    As I said before, it's good that I'm retired to have time to waste. <G>

    Thanks for listening -- again. I'd be interested in any comments you may think of.


  3. [I MESSED up, in a hurry, & don't know how to edit -- added this after the first post -- this was supposed to be in FRONT of the info in my last post. Sorry.]

    Well, here is an up to date 'report', as well as I can determine anyway.

    In a nutshell, everything 'seems' OK -- *Except* the three malware/virus related programs that can't run 'properly'. Uninstalled MBAM and SuperAntiSpyware. Re-installed MBAM, it updated OK and ran -- again for about 7 seconds and hung (with settings set to all four areas) resting on a file.

    ReInstalled SAS, or seemed to (including getting updates), but starting it just sat there 'initializing' -- and hung. Couldn't close it (said it was being 'debugged'). Only way out, Restart.

    As I said yesterday, Avira installed OK (tho had to do it in Safe Mode), updated -- but can't run the scan (tries, but just sits there - not running at all).

    ///// Now, continue at my first post of today. Gheeeshh

  4. I said I've been busy looking into 'stuff', more today too. Looking into areas that may be mis-setup. I did more comparing to other 2000 systems I have. Noticed some things. BUT -- in checking the HIDDEN and xxxxxx, I noticed several (6 different) 'odd' entries (@SHELL32.DLL,-30501 etc). These are supposed to be specific text words.

    These seem to be the 'missing' text from the Folders Options | View settings. For example, where 30501 is, should be 'Do not show hidden files and folders' (one of the items that don't display on my wayward IBM laptop).

    Google search using 30501 with @SHELL32, seems these could (probably are) result of WORM_RASTY.A malware. Etc, etc.

    'Maybe' these text changes were 'left over' (after the infection is detected and fixed), but maybe not. They say anyway. I would hope, think that all the various 'cleaners/etc' we used would catch it ---- but, but ....again.

    There are many possible solutions to correct these, 'they' say, but I wanted to run this by you before I did anything rash. Of course, there are all kinds of 'free' scans, with $ to fix after (there are so many, unknown too... etc). I don't mind spending money, if it is really necessary. But.....

    I do have ERUNT now, so any changes are restorable - I hope anyway.

    I would surely appreciate your comments about this, even if it is dire. I know we have come a long way already. I sure have learned a lot in the process at least.

    Thanks again.


  5. Just a quick reply. Been busy doing 'stuff' (on the wayward laptop), interesting stuff. May be important, least I learned something. We'll see.

    I did run Dial A Fix. Avira Antiviri still can't run (I had to go to Safe Mode to install AV) but it, at least, updated itself.

    I didn't check other things out yet.

    Late in the day, I made the REGDLL.BAT and tried to run it. It 'ran' but gave me error "... cannot find path specified...". Just about ready to write you, but first I noted that the code written used C:\Windows, and my system uses C:\WINNT. So I changed it, and it ran to completion. Yeah! *Lots* of lines of stuff. (At the end of log it did say "'nbsp' is not recognized as an internal or external command" and "operable program or batch file" (twice, two entries -- after the 'All done updating files' line).) Whatever that means....good or bad...

    I'll continue tomorrow and get back to you with overall results. Hope springs eternal.....


  6. I didn't see your second message late Friday (1/23/08), so I'll run/do those tomorrow.

    I can burn a CD. In fact, I ran/tried to run Avira's RescueCD some time ago (about 1/3/09) on this wayward lap. First time I ran it with its new GUI. Ran it once. Took 21:21 to run. 22872 files, 4 records, 93 warnings and zero suspected.

    [I had used prior versions, before the GUI interface. Had great success fixing a friend's laptop - 100s of 'bad' files (or renamed ones). Afterward, friend's laptop would boot up -- it wouldn't before. On this version, I could save the log, as it gave me some help <g>]

    Anyway, I did burn a new version of RescueCD, and ran it. In fact twice. The first time let it scan (actually, I didn't notice that you could tell it to repair/rename suspect files). Results: 21:28 to run. didn't mark down files, 21 records, 93 warnings and zero suspected.

    On the second run, I did select repair/renamed problems. Results: 21:29 to run. 22211, 1267 directories, 21 records, 93 warnings and zero suspected. Almost the same results as first run this morning.

    The log was immense, couldn't find how to save it (in Linux).

    I did note a couple things as it started: said -- auto excluding /sys from scans (is a special fs), same message for /proc . I don't understand if that means it can't get to these files (where they may be 'suspect') -- etc.

    Is this all of the information you wanted from the CD runs? Or, did I miss something?

    Tomorrow I'll continue with your new things to try.

    Thanks again...

  7. Thanks for the additional info and things to try.

    I did get and ran ERUNT. (Very interesting looking util!; I read all its documentation -- thanks for this regardless what happens)

    Ran Ccleaner (got a fresh copy). It found 267 'issues' quite fast -- most of them apparently 'hanging' non-found files. Fixed all. Now says 'no more issues found'.

    Got a fresh version of MBAM, installed OK. BUT -- still hung about the same place -- 5-7 seconds, stopped on a file (various with multiple runs). And hung, becoming 'not responding'.

    NOTE: Ran again with Settings at 'default' (as it comes up), but unselecting 'memory scan'. It ran to completion, just like it did earlier. 2:47 minutes to finish, ~ 37,000 objects. Shows log etc, all 'clean'.

    Why would scanning memory contents cause/lead to a non-functioning program?

    [I tried to run a 'full' scan and just selected the A: with a floppy, but MBAM still tries to run through the C: first. Of course, it soon hangs.]

    I got and ran Addmove.exe. Its txt file is below (only about 93 lines).

    Some comments: I've been running this sick laptop a lot during the last couple weeks. Still haven't seen *any* 'evidences' of 'typical' malware troubles (popups, slow running, poorly running progs etc , etc).

    The most worrisome 'manifestation' of 'something' is not displaying any system/hidden files. I keep thinking that there is a setting which I am setting right.

    That and, of course, Avira Antivir and SuperAntiSpyware (can't even finish its installation), plus Malwarebytes not running correctly all. <G> Certainly not normal though. Just weird.

    Thanks again.


    Add/Remove Software Entries

    Utility by AdvancedSetup - Script ran on: 2009/01/22 - 14:17:49

    *1*Access ThinkPad*{D547B54E-ADCC-4AC5-89C7-7D0E1F2A4315}*N/A*N/A*N/A*RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D547B54E-ADCC-4AC5-89C7-7D0E1F2A4315}\setup.exe"

    *2*Adobe Acrobat 5.0*Adobe Acrobat 5.0*5.0*C:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\*Adobe Systems, Inc.*C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"

    *3*ATI Display Driver Utilities*ATI Display Driver*N/A*N/A*N/A*rundll32 C:\WINNT\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

    *4*Avira AntiVir Personal - Free Antivirus*AntiVir PersonalEdition Classic*N/A*N/A*Avira GmbH*C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE

    *5*Belarc Advisor 6.0*Belarc Advisor 2.0*N/A*N/A*N/A*C:\PROGRA~1\BELARC\ADVISOR\Uninstall.exe C:\PROGRA~1\BELARC\ADVISOR\INSTALL.LOG

    *6*CCleaner (remove only)*CCleaner*N/A*N/A*N/A*"C:\Program Files\CCleaner215\uninst.exe"

    *7*ConfigSafe*ConfigSafe*N/A*N/A*N/A*C:\WINNT\ILUNINST.EXE C:\CFGSAFE

    *8*D-link AirPlus G DWL-G120 Wireless USB Adapter*{07070EAB-9349-4F6C-AC13-AEFE436F9775}*N/A*N/A*N/A*RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{07070EAB-9349-4F6C-AC13-AEFE436F9775}\Setup.exe" -l0x9

    *9*DVDExpress*DVD Express A/V Pak*N/A*N/A*N/A*C:\WINNT\IsUninst.exe -f"C:\Program Files\Mediamatics\DVDExpress\Uninst.isu" -c"C:\Program Files\Mediamatics\DVDExpress\mydll.dll"

    *10*ERUNT 1.1j*ERUNT_is1*N/A*N/A*Lars Hederer*"C:\Program Files\ERUNT\unins000.exe"

    *11*hp deskjet 930c series (Remove only)*hp deskjet 930c series*N/A*N/A*N/A*C:\Program Files\hp deskjet 930c series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=LPT1: -vproduct=930c -huninstall

    *12*IBM ThinkPad On Screen Display*On Screen Display*N/A*N/A*N/A*C:\WINNT\IsUninst.exe -f"C:\Program Files\ThinkPad\Utilities\Unoscr.isu"

    *13*IBM TrackPoint Support*TrackPoint*N/A*N/A*N/A*%SystemRoot%\System32\tp4unins.exe

    *14*IBM Update Connector*{31C2FBAC-67CF-4093-8F36-15A146613747}*4.50*C:\IBMTOOLS\APPS\UPDATER\*IBM*msiexec /x "C:\IBMTools\Updater\IBM Update Connector.msi"

    *15*Intel SpeedStep technology Applet*Intel SpeedStep technology Applet*N/A*N/A*N/A*C:\WINNT\IsUninst.exe -f"C:\WINNT\System32\Intel® SpeedStep technology Applet.isu"

    *16*Intel® PRO Ethernet Adapter and Software*PROSet*N/A*N/A*N/A*Prounstl.exe

    *17*IrfanView (remove only)*IrfanView*N/A*N/A*N/A*C:\IrVw395\iv_uninstall.exe

    *18*Malwarebytes' Anti-Malware*Malwarebytes' Anti-Malware_is1*N/A*N/A*Malwarebytes Corporation*"C:\Program Files\Malwarebytes_Anti-Malware\unins000.exe"

    *19*Mozilla Firefox (*Mozilla Firefox (* (en-US)*N/A*Mozilla*C:\Program Files\Mozilla Firefox\uninstall\helper.exe



    *22*N/A*Connection Manager*N/A*N/A*N/A*N/A












    *34*N/A*Microsoft NetShow Player 2.0*N/A*N/A*N/A*N/A









    *43*PC-Doctor for Windows 2000*PCDoctor*N/A*N/A*N/A*C:\WINNT\UNWISE.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG

    *44*Shockwave*Shockwave*N/A*N/A*N/A*C:\WINNT\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\MACROMED\SHOCKW~1\INSTALL.LOG

    *45*ThinkPad Assistant*{5CAA544B-EFEE-4FA7-B414-F7A80345E916}*N/A*N/A*N/A*RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CAA544B-EFEE-4FA7-B414-F7A80345E916}\setup.exe"

    *46*ThinkPad Configuration*ThinkPad Configuration*N/A*N/A*N/A*C:\WINNT\IsUninst.exe -f"C:\Program Files\ThinkPad\Utilities\Uninst.isu" -c"C:\Program Files\ThinkPad\Utilities\tpinst32.dll"

    *47*ThinkPad FullScreen Magnifier*ThinkPad FullScreen Magnifier*N/A*N/A*N/A*RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\ThinkPad\UZoom\TpUZoom.inf

    *48*WebFldrs*{6F716D8C-398F-11D3-85E1-005004838609}*9.00.3907*C:\WINNT\System32\*Microsoft Corporation*N/A

    *49*Windows 2000 Service Pack 4*Windows 2000 Service Pack*N/A*N/A*N/A*C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe

    *50*Windows Installer Clean Up*{121634B0-2F4B-11D3-ADA3-00C04F52DD52}**C:\Program Files\MSECACHE\WICU3\*Microsoft Corporation*MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}

    *51*Windows Media Player 7*WMP7*N/A*N/A*N/A*C:\Program Files\Windows Media Player\setup_wm.exe /Uninstall

    *52*WinZip*WinZip*9.0 (6028)*N/A*WinZip Computing, Inc.*"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

    *53*WordPerfect Office 11*{54F90B55-BEB3-4F0D-8802-228822FA5921}*11.0*D:\*Corel Corporation*MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}


  8. Well, I simply could not get Java re-installed. I tried most of the day (it's good being retired <G>). With all the flak that Sun puts up, it's a wonder that anyone uses Java.

    At least, struggling with bouts like this, I even learned some 'stuff'. As I mentioned the other day, 'older' version (actually I did have the newest Java 6, update 11 version installed -- but I have no idea how it was/when installed) would remain in CP | Remove progs even after I tried to 'remove' it. It just was there, wouldn't delete/uninstall. So, any other attempt to install a newer version, would be met with the message 'it is installed already' or some such.

    Finally I learned about Windows Install Clean Up. That allowed the prior version to no longer show in Control Panel. So a new version *should* be able to install, but it didn't. Who knows.....

    I'll give it another shot tomorrow, for a while. I don't have much hope tho.

    Actually, several days ago, before you asked me run Kaspersky, I did it on my own (while I had Java 6 installed, altho I didn't realize that it was req'd). Somewhere during my research, someone mentioned their online scan. It started to run, but I quit it after two plus hours. It seemed to be hung (not responding). I don't know what that signifies.

    I thought I would report this to you. See if you have any other suggestions. [Do you know of another scanner named Spyzooka? My research turned up some favorable comments on it.]

    Thanks again. Sorry there's no Kaspersky log, yet anyway.

  9. Thanks for the example screenshots. Mine are somewhat different.

    I have no line(s): 'folder Icon' Hidden files and folders

    and both lines underneath

    or 'Hidden protected.......(Recommended)'

    or 'Remember each folder's ..........'

    [Do have what you show on another 'clean' W2K desktop system.]

    Did the HJT fixes, no problem.

    Finally did get (most) of JAVA out. Although CP|remProgs still says I still have Java 6, update 11! (lived through numerous restarts). Trying to remove it again, just says can't because ' an installation is running'. ??

    Have to use the deletion of couple \JAVA folders tho. \JRE6 wouldn't delete, says 'access denied'; (even tried in DOS 7.10 -- booted off a CD). \JRE6 folder is empty but still shows about 23MB size. ??

    However, then ran into troubles proceeding further.

    Kaspersky first says my system's requirements are incorrect (maybe IE is too old a version, 5.0....).

    Then I checked its site, and it says it can use Firefox (I have 3.0.5). So I tried. But -- it refused to download etc. Its preliminary check revealed that it needed JAVA 1.5 or up!! We just took Java out. Hmmm....

    Now I'm confused.

    Am I doing something wrong?



  10. Unfortunately, no joy. At least, overall anyway.

    Followed your new instructions; renamed HJT as Bill.exe, ran CHKDSK /F (it restarted as you said, after the 'Y'), got a new MBAM with updates, etc.

    But MBAM still hung, stopping as quickly as before (5-8 seconds, with various files in system32 showing at stop point). MBAM then 'not responding'.

    So, no MBAM log was saved.

    So I decided to experiment a little, with the Settings in MBAM. Maybe it is not as meaningful as a 'full' run, but some settings allowed MBAM to finish its scan. Actually single selections of all but 'scan memory' would run to completion. Even with all (3) selected, except Memory, ran and said 'no detections'. Select all four, and that hung the Scan. Meaning?

    MBAM was added to the Context menu, so I could check individual files (like those MBAM showed when it hung). All checked individually OK. *Except* a couple which I couldn't find in Winnt\system32 -- I gather these are system/hiddens -- all which are still not displayable. (Trying Finding files as *.sys, returns 'no files' found.)

    Something, yesterday, did modify the Folders Options | view -- by checking 'hide file extensions for known files types'. I myself never run like that. But the rest of Files and Folders are still missing the 'Hidden and system files entry' -- as I reported before. There is a 'selected' circle (with a radio button dot) offset rightwards under the checked box underneath 'Files and Folders' -- but there is NO text at all after that circle (should be, I'm sure).

    I do have some MBAM log files (from the settings trials), but they don't show many details (except all no detections etc). So I didn't include here.

    I did include, because it is small, the 'clean' MBAM completed run with all except the 'scan memory' selected. And, a new HJT log run after all the trials above (after Restarts).


    mbam-log-2009-01-19_allExcptMem (11-12-43).txt

    Malwarebytes' Anti-Malware 1.33

    Database version: 1668

    Windows 5.0.2195 Service Pack 4

    1/19/2009 11:12:43 AM

    mbam-log-2009-01-19 (11-12-43).txt

    Scan type: Quick Scan

    Objects scanned: 36440

    Time elapsed: 2 minute(s), 13 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)


    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 12:31:01, on 1/19/2009

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Boot mode: Normal

    Running processes:









    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe


    C:\Program Files\Java\jre6\bin\jqs.exe














    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

    C:\Program Files\Java\jre6\bin\jusched.exe



    C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe


    C:\Program Files\xplorer2_lite\xplorer2.exe


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

    O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

    O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

    O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

    O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe

    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')


    O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe

    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll

    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3898492A-430B-465F-A366-B47BCB3D7F9C}: NameServer =,

    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


    End of file - 5077 bytes

    ******end of 011909 post by Bill of PA

  11. I'm finally back, with two log/txt files. A little worse for the 'wear' of yesterday. I had all sorts of red herrings Saturday. Most important of which, but maybe insightful too, are these two.

    1) I can't set up to display hidden and system files. Those items are simply not shown in Folder Options | view (as they are in my other W2K systems). I did quite a bit of research on this. All kinds of 'helpful' attempts. Nothing worked. I gather, tho, this is one of the characteristics of some malware (according to some help sources).

    Does this impair, or invalidate, testing results? I fear so?

    2) Re: Windows Recovery Console: (that you said "that will only take a few moments of your time." -- I'm not complaining, just explaining <g>)

    After many hours (again, online searching for help), I just gave up. No way could I get it installed. Most (even Microsoft's 'official') methods depend on using a W2K CD (that I have) -- but that won't install on a W2K with SP4 installed (CD has an earlier version of winnt32).

    [Trying the C:\i386 folder (that *was* on my HD) was what caused me to pursue looking into not seeing system file etc. \i386 just suddenly disappeared as I started to find winnt32 'there'. Now I can't see/find *any* .sys files.]

    Downloading console file looked 'iffy' (sites kept wanting to sell you something). Got one, but afraid to use it. I didn't bother to get the 6 floppy set, could later.

    But, there's good news too. New ComboFix version ran just fine. Thanks for the input about it. (Rather quickly too, minutes). Course, no Windows Recovery Console was found (and, it was never asked for either -- it looks like it could get it online some way, since it tells you to be online).

    The two newest log/txt files are below.

    Thanks again for hanging in there with me on this.


    ComboFix 09-01-16.03 - Administrator 01/18/2009 15:38:48.4 - FAT32x86

    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.383.158 [GMT -5:00]

    Running from: c:\documents and settings\Administrator\Desktop\ComboFixNu.exe



    ((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))


    2009-01-18 15:46 . 09-01-18 15:46 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_250.dat

    2009-01-18 13:32 . 09-01-18 13:32 0 -ra------ c:\winnt\system32\TFTP984

    2009-01-15 12:57 . 09-01-15 12:57 <DIR> d-------- c:\program files\CCleaner

    2009-01-13 10:51 . 09-01-13 10:51 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

    2009-01-13 10:37 . 09-01-18 11:26 967,516 ---h----- c:\winnt\ShellIconCache

    2009-01-12 10:15 . 09-01-12 10:15 <DIR> d-------- C:\$Mky&JulieXfers

    2009-01-11 13:26 . 06-09-18 07:23 145,408 --a------ c:\winnt\msconfig.exe

    2009-01-06 16:49 . 09-01-06 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

    2009-01-05 14:20 . 09-01-05 14:20 <DIR> d-------- c:\program files\Avira

    2009-01-05 14:20 . 09-01-05 14:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

    2009-01-05 12:06 . 09-01-05 12:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

    2009-01-04 15:53 . 09-01-04 15:53 <DIR> d-------- C:\Metapad

    2009-01-04 14:42 . 09-01-04 14:42 <DIR> d-------- c:\program files\Lavasoft

    2009-01-04 14:42 . 09-01-04 14:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

    2009-01-04 13:10 . 09-01-04 13:10 <DIR> d-------- C:\HiJackThis

    2009-01-04 12:12 . 09-01-04 12:12 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6

    2009-01-04 12:11 . 09-01-04 12:11 <DIR> d-------- c:\winnt\Sun

    2009-01-04 12:08 . 09-01-04 12:08 <DIR> d-------- c:\program files\Java

    2009-01-04 12:08 . 09-01-04 12:08 410,984 --a------ c:\winnt\system32\deploytk.dll

    2009-01-04 12:08 . 09-01-04 12:08 73,728 --a------ c:\winnt\system32\javacpl.cpl

    2009-01-03 18:10 . 09-01-03 18:10 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

    2009-01-03 17:30 . 09-01-03 17:30 <DIR> d-------- C:\$FrmFlshDrv

    2009-01-03 17:22 . 03-06-19 12:05 21,552 --a------ c:\winnt\system32\dllcache\usbstor.sys

    2009-01-02 17:19 . 09-01-02 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

    2009-01-02 10:42 . 09-01-02 10:42 <DIR> d-------- c:\program files\SUPERAntiSpyware

    2009-01-02 10:42 . 09-01-02 10:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    2004-04-30 21:18 271 ---h--w c:\program files\desktop.ini

    2004-04-30 21:18 21,952 ---h--w c:\program files\folder.htt

    2000-07-26 10:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys

    2008-06-29 20:23 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

    2008-06-29 20:23 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

    2008-06-29 20:23 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

    2008-06-29 20:23 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

    2008-06-29 20:23 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



    *Note* empty entries & legit default entries are not shown



    "TPTRAY"="c:\progra~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [00-11-21 11:55 41472]

    "BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [00-12-01 01:11 51200]

    "TpHotkey"="c:\progra~1\ThinkPad\UTILIT~1\tphkmgr.exe" [00-10-11 20:59 53248]

    "HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01-12-11 19:33 196608]

    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08-06-12 13:28 266497]

    "MSConfig"="c:\winnt\msconfig.exe" [06-09-18 07:23 145408]

    "TrackPointSrv"="tp4serv.exe" [01-02-15 02:10 186880 c:\winnt\system32\tp4serv.exe]

    "SoundFusion"="cwcprops.cpl" [00-11-01 18:12 45296 c:\winnt\system32\cwcprops.cpl]

    "Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 c:\winnt\system32\mobsync.exe]

    "PRPCMonitor"="PRPCUI.exe" [00-01-06 08:00 32768 c:\winnt\system32\prpcui.exe]


    "^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    AUTOCHK.LNK - c:\cfgsafe\AUTOCHK.EXE [1980-01-01 11808]

    D-link AirPlus G DWL-G120 Wireless USB.lnk - c:\program files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe [2007-07-13 241664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]

    03-06-19 12:05 139536 c:\winnt\system32\NWPROVAU.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    "aux"= mmdrv.dll


    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tourpath]

    regedit [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

    --a------ 09-01-04 12:08 136600 c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]

    --a------ 00-11-15 17:10 192512 c:\winnt\system32\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]



    R?4 windosh;Windows Image Instrumentation;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]

    R0 avgntmgr;avgntmgr;c:\winnt\system32\drivers\avgntmgr.sys [2009-01-05 18496]

    R1 avgntdd;avgntdd;c:\winnt\system32\drivers\avgntdd.sys [2009-01-05 64448]

    R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2004-04-30 11776]

    R3 ati2mpab;ati2mpab;c:\winnt\system32\drivers\ati2mpab.sys [1980-01-01 273376]

    R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\winnt\system32\drivers\tp4track.sys [1980-01-01 8991]

    R4 PRPC;PRPC;c:\winnt\system32\drivers\prpc.sys [2004-04-30 12182]

    R4 V7;V7;c:\winnt\system32\drivers\V7.SYS [2004-04-30 7196]

    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\winnt\system32\drivers\mbamswissarmy.sys --> c:\winnt\system32\drivers\mbamswissarmy.sys [?]

    S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2007-07-13 24784]

    S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-11-07 49776]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs




    ------- Supplementary Scan -------


    uLocal Page = c:\windows\system32\blank.htm

    mLocal Page = c:\windows\system32\blank.htm

    LSP: %SystemRoot%\system32\msafd.dll

    TCP: {3898492A-430B-465F-A366-B47BCB3D7F9C} =,

    O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

    c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

    c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd

    c:\winnt\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}


    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c2v4jc3o.default\

    FF - prefs.js: browser.startup.homepage - google.com

    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll



    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-01-18 15:47:23

    Windows 5.0.2195 Service Pack 4 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0



    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(180)




    Completion time: 2009-01-18 15:49:21 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-01-18 20:49:18

    Pre-Run: 24,780,652,544 bytes free

    Post-Run: 24,856,739,840 bytes free




    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 15:58:30, on 1/18/2009

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Boot mode: Normal

    Running processes:









    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe


    C:\Program Files\Java\jre6\bin\jqs.exe













    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe


    C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe



    C:\Program Files\xplorer2_lite\xplorer2.exe


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

    O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

    O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

    O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

    O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe

    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\msconfig.exe /auto

    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')


    O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe

    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll

    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3898492A-430B-465F-A366-B47BCB3D7F9C}: NameServer =,

    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


    End of file - 5049 bytes


    ********end of Bill of PA latest post

  12. Well, I ran through all the various Steps in your detailed instruction message. Did print them out to follow them carefully.

    I did finally complete the process, but I'm not sure if the results will show enough meaningful data. There were a couple glitches along the way, unfortunately.

    Most important (I think anyway) is that Combofix didn't finish properly. It started OK, got through the 50 'stages' quickly and then continued without showing anything more on the screen. I watched (as they said) for a while, and the HD was flashing every 20-30 seconds or so. Waited for an hour, then left to visit a friend. Came back, still running/showing same place on the screen. HD still flashing, same rate. After 5:15 hours I simply closed it. It responded, and quit.

    [Its last line displayed (after 50 stage) was (to me) odd. '"C:\WINNT\system32" is not recognized ....as a command, or operable program or batch file.' -- I wouldn't expect system32 *folder* to run anything. ?]

    So, there was no Combofix.txt file in C:\. I found one in the C:\Combofix folder, quite small though (time shown is when Combofix started). I include it below anyway.

    As you cautioned, I didn't run ComboFix again.

    I found no 'avenger.txt' file. There was an aclreset.txt, created about time Fixacl.exe ran. So I include that below too.

    All the other utilities seemed to run OK, as instructions indicated anyway.

    Note that the DDS run was after I stopped ComboFix. Did its two txt files OK.

    I'm not doing anything more on this Laptop until I hear something from all you kind folks. I have other systems.

    All the contents of log/txt files are appended below, including the HJT log which was run after a Shutdown/Restart (on next day).


    ComboFix 09-01-10.01 - Administrator 01/15/2009 13:29:23.3 - FAT32x86

    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.383.221 [GMT -5:00]

    Running from: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe




    HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} : 2 The system cannot find the file specified.

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5BF49A2-94F1-42BD-F434-3604812C807D}\InProcServer32 : 2 The system cannot find the file specified.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser : 2 The system cannot find the file specified.

    MBAMExt.MBAMShlExt : delete Perm. ACE 2 builtin\administrators

    MBAMExt.MBAMShlExt : new ace for builtin\administrators

    MBAMExt.MBAMShlExt : delete Perm. ACE 2 nt authority\system

    MBAMExt.MBAMShlExt : new ace for nt authority\system

    MBAMExt.MBAMShlExt : delete Perm. ACE 1 nt authority\restricted

    MBAMExt.MBAMShlExt : new ace for nt authority\restricted

    MBAMExt.MBAMShlExt : new ace for bills-gcv\administrator

    MBAMExt.MBAMShlExt : builtin\administrators is the new owner

    HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt : 8 change(s)

    MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 builtin\administrators

    MBAMExt.MBAMShlExt.1 : new ace for builtin\administrators

    MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 nt authority\system

    MBAMExt.MBAMShlExt.1 : new ace for nt authority\system

    MBAMExt.MBAMShlExt.1 : delete Perm. ACE 1 nt authority\restricted

    MBAMExt.MBAMShlExt.1 : new ace for nt authority\restricted

    MBAMExt.MBAMShlExt.1 : new ace for bills-gcv\administrator

    MBAMExt.MBAMShlExt.1 : builtin\administrators is the new owner

    HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1 : 8 change(s)

    HKEY_CLASSES_ROOT\SSubTimer6.CTimer : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\SSubTimer6.GSubclass : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\SSubTimer6.ISubclass : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridSortObject : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.IGridCellOwnerDraw : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid : 2 The system cannot find the file specified.

    MBAMExt.MBAMShlExt : delete Perm. ACE 2 builtin\administrators

    MBAMExt.MBAMShlExt : new ace for builtin\administrators

    MBAMExt.MBAMShlExt : delete Perm. ACE 2 nt authority\system

    MBAMExt.MBAMShlExt : new ace for nt authority\system

    MBAMExt.MBAMShlExt : delete Perm. ACE 2 nt authority\restricted

    MBAMExt.MBAMShlExt : new ace for nt authority\restricted

    MBAMExt.MBAMShlExt : delete Perm. ACE 2 bills-gcv\administrator

    MBAMExt.MBAMShlExt : new ace for bills-gcv\administrator

    MBAMExt.MBAMShlExt : builtin\administrators is the new owner

    HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt : 9 change(s)

    MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 builtin\administrators

    MBAMExt.MBAMShlExt.1 : new ace for builtin\administrators

    MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 nt authority\system

    MBAMExt.MBAMShlExt.1 : new ace for nt authority\system

    MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 nt authority\restricted

    MBAMExt.MBAMShlExt.1 : new ace for nt authority\restricted

    MBAMExt.MBAMShlExt.1 : delete Perm. ACE 2 bills-gcv\administrator

    MBAMExt.MBAMShlExt.1 : new ace for bills-gcv\administrator

    MBAMExt.MBAMShlExt.1 : builtin\administrators is the new owner

    HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1 : 9 change(s)

    HKEY_CLASSES_ROOT\SSubTimer6.CTimer : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\SSubTimer6.GSubclass : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\SSubTimer6.ISubclass : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridCell : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.cGridSortObject : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.IGridCellOwnerDraw : 2 The system cannot find the file specified.

    HKEY_CLASSES_ROOT\vbAcceleratorSGrid6.vbalGrid : 2 The system cannot find the file specified.



    DDS (Ver_09-01-07.01) - FAT32x86

    Run by Administrator at 19:08:13.65 on Thu 2009-01-15

    Internet Explorer: 5.50.4134.0600 BrowserJavaVersion: 1.6.0_11

    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.383.212 [GMT -5:00]

    ============== Running Processes ===============



    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe


    C:\Program Files\Java\jre6\bin\jqs.exe












    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe


    C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe


    C:\Program Files\xplorer2_lite\xplorer2.exe

    C:\Documents and Settings\Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uLocal Page = c:\windows\system32\blank.htm

    mLocal Page = c:\windows\system32\blank.htm

    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx

    BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

    BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    mRun: [TrackPointSrv] tp4serv.exe

    mRun: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

    mRun: [synchronization Manager] mobsync.exe /logon

    mRun: [TPTRAY] c:\progra~1\thinkpad\utilit~1\TP98TRAY.EXE

    mRun: [bMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor

    mRun: [TpHotkey] c:\progra~1\thinkpad\utilit~1\tphkmgr.exe

    mRun: [PRPCMonitor] PRPCUI.exe

    mRun: [HPDJ Taskbar Utility] c:\winnt\system32\spool\drivers\w32x86\3\hpztsb04.exe

    mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min

    mRun: [MSConfig] c:\winnt\msconfig.exe /auto

    dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autochk.lnk - c:\cfgsafe\AUTOCHK.EXE

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus g dwl-g120 wireless usb\120UTIL.exe

    TCP: {3898492A-430B-465F-A366-B47BCB3D7F9C} =,

    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

    Notify: nwprovau - nwprovau.dll

    LSA: Authentication Packages = msv1_0 nwprovau

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\c2v4jc3o.default\

    FF - prefs.js: browser.startup.homepage - google.com

    ============= SERVICES / DRIVERS ===============

    R?4 windosh;Windows Image Instrumentation;c:\winnt\system32\svchost.exe -k netsvcs [1980-1-1 7952]

    R0 avgntmgr;avgntmgr;c:\winnt\system32\drivers\avgntmgr.sys [2009-1-5 18496]

    R1 avgntdd;avgntdd;c:\winnt\system32\drivers\avgntdd.sys [2009-1-5 64448]

    R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2004-4-30 11776]

    R3 ati2mpab;ati2mpab;c:\winnt\system32\drivers\ati2mpab.sys [1980-1-1 273376]

    R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\winnt\system32\drivers\tp4track.sys [1980-1-1 8991]

    R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]

    R4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-5 68865]

    R4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-5 151297]

    R4 PRPC;PRPC;c:\winnt\system32\drivers\prpc.sys [2004-4-30 12182]

    R4 V7;V7;c:\winnt\system32\drivers\V7.SYS [2004-4-30 7196]

    S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]

    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\winnt\system32\drivers\mbamswissarmy.sys --> c:\winnt\system32\drivers\mbamswissarmy.sys [?]

    S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2007-7-13 24784]

    S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-11-7 49776]

    =============== Created Last 30 ================

    2009-01-15 19:08 16,384 a------- c:\winnt\system32\Perflib_Perfdata_2f4.dat

    2009-01-15 18:59 16,384 a------- c:\winnt\system32\Perflib_Perfdata_27c.dat

    2009-01-15 13:28 161,792 a------- c:\winnt\SWREG.exe

    2009-01-15 13:28 98,816 a------- c:\winnt\sed.exe

    2009-01-15 13:28 236,304 a------- c:\winnt\system32\CF17159.exe

    2009-01-15 13:28 <DIR> --d----- C:\Combo-Fix

    2009-01-15 12:57 <DIR> --d----- c:\program files\CCleaner

    2009-01-13 10:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com

    2009-01-13 10:37 862,810 ----h--- c:\winnt\ShellIconCache

    2009-01-12 10:15 <DIR> --d----- C:\$Mky&JulieXfers

    2009-01-11 13:27 <DIR> --d----- c:\winnt\pss

    2009-01-11 13:26 145,408 a------- c:\winnt\msconfig.exe

    2009-01-06 16:49 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes

    2009-01-05 14:20 <DIR> --d----- c:\program files\Avira

    2009-01-05 14:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira

    2009-01-05 12:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

    2009-01-04 15:53 <DIR> --d----- C:\Metapad

    2009-01-04 14:42 <DIR> --d----- c:\program files\Lavasoft

    2009-01-04 13:10 <DIR> --d----- C:\HiJackThis

    2009-01-04 12:12 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6

    2009-01-04 12:08 410,984 a------- c:\winnt\system32\deploytk.dll

    2009-01-04 12:08 73,728 a------- c:\winnt\system32\javacpl.cpl

    2009-01-03 18:10 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

    2009-01-03 17:42 <DIR> --d----- c:\winnt\system32\appmgmt

    2009-01-03 17:30 <DIR> --d----- C:\$FrmFlshDrv

    2009-01-03 17:22 21,552 a------- c:\winnt\system32\dllcache\usbstor.sys

    2009-01-02 17:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

    2009-01-02 10:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

    2009-01-02 10:42 <DIR> --d----- c:\program files\SUPERAntiSpyware

    ==================== Find3M ====================

    2004-04-30 16:18 21,952 ----h--- c:\program files\folder.htt

    2004-04-30 16:18 271 ----h--- c:\program files\desktop.ini

    2000-07-26 05:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

    ============= FINISH: 19:08:40.13 ===============





    DDS (Ver_09-01-07.01)

    Microsoft Windows 2000 Professional

    Boot Device: \Device\Harddisk0\Partition1

    Install Date:

    System Uptime: 2009-01-15 13:58:24 (6 hours ago)

    Motherboard: IBM | | 2633BC1

    Processor: Intel Pentium III processor | None | 995/100mhz

    ==== Disk Partitions =========================

    A: is Removable

    C: is FIXED (FAT32) - 27 GiB total, 23.214 GiB free.

    D: is CDROM (CDFS)

    E: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

    Description: D-link AirPlus G DWL-G120 Wireless USB Adapter

    Device ID: USB\VID_2001&PID_3701\6&296C5CF&0&2

    Manufacturer: GlobespanVirata, Inc.

    Name: D-link AirPlus G DWL-G120 Wireless USB Adapter #5

    PNP Device ID: USB\VID_2001&PID_3701\6&296C5CF&0&2

    Service: PRISM_A02

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Access ThinkPad


    Adobe Acrobat 5.0

    ATI Display Driver Utilities

    Avira AntiVir Personal - Free Antivirus

    Belarc Advisor 6.0

    CCleaner (remove only)


    D-link AirPlus G DWL-G120 Wireless USB Adapter


    HijackThis 2.0.2

    hp deskjet 930c series (Remove only)

    IBM ThinkPad On Screen Display

    IBM TrackPoint Support

    IBM Update Connector

    Intel SpeedStep technology Applet

    Intel® PRO Ethernet Adapter and Software

    IrfanView (remove only)

    Java 6 Update 11

    Mozilla Firefox (

    PC-Doctor for Windows 2000


    ThinkPad Assistant

    ThinkPad Configuration

    ThinkPad FullScreen Magnifier


    Windows 2000 Service Pack 4

    Windows Media Player 7


    WordPerfect Office 11


  13. Hi 'Deity' (I guess).

    Thanks for the detailed instructions, seems quite complex. That's OK by me, but I thought I should ask a couple questions before running those program sequences.

    1) This IBM laptop is running Windows 2000 (pre-installed when I got it from IBM), not XP. Does that make any difference? (I don't want to mess it up any more than it (might be) is. <g>)

    1a) I already had set up W2K to display hidden/system files. That's no problem.

    2) I did some research on Windows Recovery Console. Seems like most references talk about XP, but I found a few that seem to indicate W2K has that Console functionality -- if it is installed.

    2a) Seems I found references on how to install WRC after W2K is already installed (my case). I could do that if need be. (I don't know about the Step 6 that indicates WRC could be installed via download -- would it work for W2K? During my first run of Combofix, the other day, it didn't ask about downloading WRC, just went ahead.)

    I have already downloaded all the programs that you suggested, but wanted to ask these questions first before running them.

    A fallback position (I've been thinking about this, if need be): The IBM has a Restore partition for W2K (no IBM CD for it tho). And there's always the possibility of switching to XP Pro too. (Tho, for the latter, I worry about losing the special programs/Utilities IBM has for its Thinkpads.)

    Thanks for any comments, before I run rampant.


  14. I ran SmitFraudFix. Followed the instructions. Seemed to run quite smoothly. Couple of warnings from Avira, tho I gather that it detected something in Smit....(Agent.OMZ.fix etc)

    Only thing I noticed was that it popped up a message that it can't do the cleaning registry section -- Error accessing the registry. But then it went on and finished the run, and displayed its txt file. (and that said 'registry cleaning done' --??)

    After the 'cleaning', Smit log was less than half of that after its 'search' mode (~ 2100 vs 4900 bytes). Seemed it did 'something'. <??>

    However, tried running Mbam (after updating). Same thing as before -- hung after a few seconds, stopping on a filename. Three tries, three hangs in 5-9 seconds, different filenames showing at the hang. (This is like all tries so far, different times/filename. And, Mbam is 'not responding' after the hang.)

    So, no new Mbam log to include. Sorry.

    Here's the HJT log though (after the other Mbam runs). I didn't include the SmitFraud txt tho, since you didn't ask for them.

    Hmmmm.....next? (after all this, I did try an Avira scan (tho didn't update either)-- just can't run (past the opening page, with all 0's showing).)

    HJT after Smit run.

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 12:06:00, on 1/13/2009

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Boot mode: Normal

    Running processes:









    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe


    C:\Program Files\Java\jre6\bin\jqs.exe















    C:\Program Files\Java\jre6\bin\jusched.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe


    C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe


    C:\Program Files\xplorer2_lite\xplorer2.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

    O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

    O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

    O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

    O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')


    O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe

    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll

    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3898492A-430B-465F-A366-B47BCB3D7F9C}: NameServer =,

    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


    End of file - 4904 bytes

    *****end of Bill of PA msg above

  15. Hope I did this right (had to/did delete the 'quote' of last message to me -- about running ComboFix).

    Thanks for the instructions. It seemed to run fine -- except it never asked for the Windows Recovery Console, it just went ahead continuing with the Combofix run. (I did have a connection via wireless.)

    One more thing: I turned off Avira AntiVir (deactivated it), but it still popped up (?) one warning about something in ComboFix; I said to Ignore it. That's all.

    Did an HJT run right after ComboFix finished.

    Here are the two txt/log contents:


    ComboFix 09-01-11.04 - Administrator 01/12/2009 10:44:15.1 - FAT32x86

    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.383.227 [GMT -5:00]

    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))




    ((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))


    2009-01-12 10:48 . 09-01-12 10:48 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_254.dat

    2009-01-12 10:15 . 09-01-12 10:15 <DIR> d-------- C:\$Mky&JulieXfers

    2009-01-11 16:41 . 09-01-12 10:37 861,516 ---h----- c:\winnt\ShellIconCache

    2009-01-11 13:26 . 06-09-18 07:23 145,408 --a------ c:\winnt\msconfig.exe

    2009-01-06 16:49 . 09-01-06 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

    2009-01-06 16:49 . 09-01-04 18:41 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys

    2009-01-06 16:49 . 09-01-04 18:41 15,504 --a------ c:\winnt\system32\drivers\mbam.sys

    2009-01-05 14:20 . 09-01-05 14:20 <DIR> d-------- c:\program files\Avira

    2009-01-05 14:20 . 09-01-05 14:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

    2009-01-05 12:06 . 09-01-05 12:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

    2009-01-04 15:53 . 09-01-04 15:53 <DIR> d-------- C:\Metapad

    2009-01-04 15:40 . 09-01-04 15:40 <DIR> d-------- c:\program files\CCleaner

    2009-01-04 14:42 . 09-01-04 14:42 <DIR> d-------- c:\program files\Lavasoft

    2009-01-04 14:42 . 09-01-04 14:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

    2009-01-04 13:10 . 09-01-04 13:10 <DIR> d-------- C:\HiJackThis

    2009-01-04 12:12 . 09-01-04 12:12 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6

    2009-01-04 12:11 . 09-01-04 12:11 <DIR> d-------- c:\winnt\Sun

    2009-01-04 12:08 . 09-01-04 12:08 <DIR> d-------- c:\program files\Java

    2009-01-04 12:08 . 09-01-04 12:08 410,984 --a------ c:\winnt\system32\deploytk.dll

    2009-01-04 12:08 . 09-01-04 12:08 73,728 --a------ c:\winnt\system32\javacpl.cpl

    2009-01-03 18:10 . 09-01-03 18:10 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

    2009-01-03 17:30 . 09-01-03 17:30 <DIR> d-------- C:\$FrmFlshDrv

    2009-01-03 17:22 . 03-06-19 12:05 21,552 --a------ c:\winnt\system32\dllcache\usbstor.sys

    2009-01-02 17:19 . 09-01-02 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

    2009-01-02 10:42 . 09-01-02 10:42 <DIR> d-------- c:\program files\SUPERAntiSpyware

    2009-01-02 10:42 . 09-01-02 10:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    2004-04-30 21:18 271 ---h--w c:\program files\desktop.ini

    2004-04-30 21:18 21,952 ---h--w c:\program files\folder.htt

    2000-07-26 10:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys

    2008-06-29 20:23 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

    2008-06-29 20:23 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

    2008-06-29 20:23 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

    2008-06-29 20:23 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

    2008-06-29 20:23 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



    *Note* empty entries & legit default entries are not shown



    "tourpath"="regedit" [X]

    "TPTRAY"="c:\progra~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [00-11-21 11:55 41472]

    "BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [00-12-01 01:11 51200]

    "TpHotkey"="c:\progra~1\ThinkPad\UTILIT~1\tphkmgr.exe" [00-10-11 20:59 53248]

    "HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01-12-11 19:33 196608]

    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [09-01-04 12:08 136600]

    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08-06-12 13:28 266497]

    "TrackPointSrv"="tp4serv.exe" [01-02-15 02:10 186880 c:\winnt\system32\tp4serv.exe]

    "AtiPTA"="Atiptaxx.exe" [00-11-15 17:10 192512 c:\winnt\system32\atiptaxx.exe]

    "SoundFusion"="cwcprops.cpl" [00-11-01 18:12 45296 c:\winnt\system32\cwcprops.cpl]

    "Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 c:\winnt\system32\mobsync.exe]

    "PRPCMonitor"="PRPCUI.exe" [00-01-06 08:00 32768 c:\winnt\system32\prpcui.exe]


    "^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    AUTOCHK.LNK - c:\cfgsafe\AUTOCHK.EXE [1980-01-01 11808]

    D-link AirPlus G DWL-G120 Wireless USB.lnk - c:\program files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe [2007-07-13 241664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]

    03-06-19 12:05 139536 c:\winnt\system32\NWPROVAU.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    "aux"= mmdrv.dll


    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    R?4 windosh;Windows Image Instrumentation;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]

    R0 avgntmgr;avgntmgr;c:\winnt\system32\drivers\avgntmgr.sys [2009-01-05 18496]

    R1 avgntdd;avgntdd;c:\winnt\system32\drivers\avgntdd.sys [2009-01-05 64448]

    R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2004-04-30 11776]

    R3 ati2mpab;ati2mpab;c:\winnt\system32\drivers\ati2mpab.sys [1980-01-01 273376]

    R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\winnt\system32\drivers\tp4track.sys [1980-01-01 8991]

    R4 PRPC;PRPC;c:\winnt\system32\drivers\prpc.sys [2004-04-30 12182]

    R4 V7;V7;c:\winnt\system32\drivers\V7.SYS [2004-04-30 7196]

    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

    S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2007-07-13 24784]

    S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2004-11-07 49776]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - IPNAT

    *NewlyCreated* - SHAREDACCESS

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs




    ------- Supplementary Scan -------


    LSP: %SystemRoot%\system32\msafd.dll

    TCP: {3898492A-430B-465F-A366-B47BCB3D7F9C} =,

    O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

    c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

    c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd

    c:\winnt\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}


    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c2v4jc3o.default\

    FF - prefs.js: browser.startup.homepage - google.com

    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll



    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-01-12 10:48:47

    Windows 5.0.2195 Service Pack 4 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0



    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(180)




    Completion time: 2009-01-12 10:50:34 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-01-12 15:50:32

    Pre-Run: 24,519,376,896 bytes free

    Post-Run: 24,949,686,272 bytes free




    and HJT log:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 10:58:39 AM, on 1/12/2009

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Boot mode: Normal

    Running processes:









    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe


    C:\Program Files\Java\jre6\bin\jqs.exe














    C:\Program Files\Java\jre6\bin\jusched.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe


    C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe



    C:\Program Files\xplorer2_lite\xplorer2.exe


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

    O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

    O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

    O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

    O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')


    O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe

    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll

    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3898492A-430B-465F-A366-B47BCB3D7F9C}: NameServer =,

    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


    End of file - 5063 bytes

    ****end of Bill of PA response/file contents

  16. Hi,

    My problem (with Mbam anyway) is that it won't run past the first seconds (except in SAFE mode).

    I was directed here by a CNET forum member. I've been having all sorts of 'funny' AntiMalware program responses while trying to ascertain the condition of my IBM laptop running Windows 2000. Recently introduced it to wireless Internet (off new Linksys router). At first, my antivirus (Avira Personal), MalwareBytes and SuperAntiSpyware wouldn't run at all. All would start and then hang (and became 'not responding').

    That concerned me that 'something' was interfering with such programs. Note that I never saw any 'odd popups' or other 'evidences' except the non-functioning protection programs.

    Finally I got Avira to finish in SAFE mode (I'm in Avira's forum too). After that, I then got MBAM to finish in SAFE mode (in normal mode, it still hung after a few seconds, stopping on a variety of programs -- different one every time). So I have no LOG from normal mode runs. I do have a Log from the SAFE mode run. I enclose it below, along with an HJT log after the Mbam run (HJT ran to completion OK).

    Just to mention it: I've been wrestling with this for a week or more. During that time, I ran a variety of 'scanner/cleaners': Ewido, Avira's rescueCD, F-secure and CCleaner (whew!!, hope I got all of them). Somewhere along the time, 'something' changed (I think anyway) a bunch of filenames (FIND found 246). Now these *all* have an 'xx' appended just before the .extension. Most are DRIVERS in IBMTOOLS and C:\DRIVERS, most of the rest are in Winnt\system32. Whatever this all means.....

    Some of these 'xx' files are running (HJT log)??

    Two latest LOGs are below:

    Thanks for any help or comments. I really appreciate any insight concerning any of these.


    Mbam LOG run SAFE mode:

    Malwarebytes' Anti-Malware 1.32

    Database version: 1625

    Windows 5.0.2195 Service Pack 4

    1/11/2009 2:17:24 PM

    mbam-log-2009-01-11 (14-17-24).txt

    Scan type: Quick Scan

    Objects scanned: 40225

    Time elapsed: 4 minute(s), 39 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)



    HiJackThis LOG run normal mode

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 2:39:24 PM, on 1/11/2009

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Boot mode: Normal

    Running processes:









    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe


    C:\Program Files\Java\jre6\bin\jqs.exe
















    C:\Program Files\Java\jre6\bin\jusched.exe

    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe


    C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe


    C:\Program Files\xplorer2_lite\xplorer2.exe


    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

    O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

    O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

    O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

    O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')


    O4 - Global Startup: D-link AirPlus G DWL-G120 Wireless USB.lnk = C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe

    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll

    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3898492A-430B-465F-A366-B47BCB3D7F9C}: NameServer =,

    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


    End of file - 4744 bytes

    ****end of Bill of PA's tome
