access denied errors - file and folder permissions

[wontgo]

Hi, I have had adminsitrative full rights permissions ever since buying my laptop and all of a sudden I cannot get access to lots of folders such as c/documents and settings or c/users/default users or admin: my documents, start menu, templates.

The error message: Location is not available - access denied.

The reason I am posting is that I have an issue currently open (http://www.malwarebytes.org/forums/index.php?showtopic=4221&st=0) and I am trying to delete manually C:\Program Files\McAfee - although I can access this folder and the subfolder within it if I try to delete it an error message eventually comes up destination folder access denied - once the operation is confirmed it says destination folder access denied - try again. Even if I try again the same error comes up. Note I do and have had commodo running but treat is as an installer/updater allowing it so I don't think this is a problem having the firewall running.

Thanks in advace.

[DaChew]

I have had similar problems where McAfee let something thru and I had to go into safe mode and use their removal tool, in your case I suspect teatimer had a part to play in this also. I have had to reinstall programs just to get them to uninstall correctly after teatimer interfered?

[Jacee]

Hi wontgo

Type services.msc in the "start search" box. Click on the little icon and a window with a list of services will pop up.

Scroll down the list and find McAfee Framework Service, right click on it, then choose 'properties'. Click on the dropdown box, then click "Disable".

Have you tried to uninstall McAfee through Programs and Features ... or are you just deleting folders?

[AdvancedSetup]

Please use this tool for removal of the McAfee products.

Try Uninstalling using this McAfee Consumer Product Removal Tool

Download the MCPR.EXE file and double-click to run it and following the directions given.

MCPR.EXE

Also, you were probably instructed to unhide your folders and files for help in cleaning up your system.

Nothing wrong with that, but when done you should consider hiding the System files again as the Vista OS contains

hard links which redirect you to other locations on the drive. Even Administrators are denied access for removal

so you can't accidentally remove them. They can be removed but I won't go into that since there is no reason to

remove them.

Please correct me if I'm wrong but I think your issue with thinking you don't have access is mainly trying to delete

McAfee? If the Add/Remove does not work then try the Manual Removal Tool from McAfee above.

After that is removed we can discuss file/folder permissions further if you like.

[wontgo]

Hi Jacee: No I already uninstalled McAfee via control panel but even so there were still files remaining. I did do that search as suggested but when I clicked properties the disabled option was greyed out so i could not disable. I checked and this was not the case for some programmes such as Logme in which I dsabled as a startup option.

Hi DaChew: Yeah I think I had teatimer disabled when uninstalling.

Hi AdvancedSetup:

MCAFEE: Right so I downloaded the programme and it successfully wiped McAfee. To double check I checked the programme files list and its gone. BUT HJT and Sitehound both say that McAfee files still exist and are on autorun, this is even after deleting my trash can. I am a bit confused as I am not sure if its an old file they are picking up which no longer exists.

PERMISSIONS: No it's not when I attempt to delete that I get the problems its just by clicking on the file that I get access denied and I don't think they are hidden files either eg. admin/my documents , cookies, local settings etc - there are quite a few. I must remember to hide all files once cleaned - I can't remember how to do this though!

Thanks

[Jacee]

Click on the start orb, right click on 'Computer', choose open, then click on the 'tools' under the address bar. In the dropdown box, click 'folder options. Click the view tab, then check "hide protected system operating tools (recommended)

[AdvancedSetup]

Okay well please restart your computer and post a new HiJackThis log in your original thread and Jean should be able to assist you further from that point as it would still be in the category of Malware.

Just let Jean know that you ran the McAfee removal tool and for the most part it was removed.

Thanks.

[wontgo]

Hi Jacee, thanks I have unhidden the files and this has meant that folders that said previously access denied are no longer there and I can access what I need again like c/users/admin/pics etc.... I guess its what AdvancedSetup meant when saying that there are certain folders that I can't access due to the system etc.

Hi AdvancedSetup, thanks I'll restart computer and post back in the HJT forum with log, thanks for your help on this.

Thanks again

[wontgo]

Hi I return,

JeanInMontana said I should see if you (AdvancedSetup) can help as the following file although it doesn't exist is still being picked up by HJT and hasn't been traced by KillBox to delete and is not in the location in my programme files:

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

Thanks

[AdvancedSetup]

Okay I'll try to review and provide you with some information either later tonight or tomorrow.

[AdvancedSetup]

Well it could be that one of the programs you have installed is watching to make sure entries are not added/removed/modified in the Registry.

Look for any alerts and click Yes/OK to allow the change.

Just realized you're running Windows VISTA

What version of Vista are you running?

Start REGEDIT and then if you right click on an entry do you see the PERMISSION option?

[wontgo]

I checked winpatrol and mcafee is listed anywhere so I am not sure where else to try to see if a programme has blocked it, I mean my firwall etc I am not sure of but it does seek my permission for things but I can't remember a registry type pop-up.

I tried the REGEDIT and once searched I clicked Edit menu - permissions was greyed out / not available.

[AdvancedSetup]

I checked winpatrol and mcafee is listed anywhere so I am not sure where else to try to see if a programme has blocked it, I mean my firwall etc I am not sure of but it does seek my permission for things but I can't remember a registry type pop-up.

I tried the REGEDIT and once searched I clicked Edit menu - permissions was greyed out / not available.

I was meaning a POP UP that would be there if the Registry was being modified and one of these programs didn't want you to.

So I assume then that you're using VISTA BASIC - let me see what we can do if this does not work.

Start REGEDIT then click on the + indicators on the left until you get to this location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Then look on the right side for an entry that has McAfee in it.

If you find it then highlight it with the mouse and then right click the entry for McAfee and choose DELETE

Let me know what you find and what happens.

[wontgo]

Hi, I did as you said and McAfee was not listed following that pathway! Thats strange...

[AdvancedSetup]

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
   
2. Double-click on dss.exe to run it, and follow the prompts.
   
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
   
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
   

What DSS will do:

• create a new System Restore point in Windows XP and Vista.
  
• clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  
• check some important areas of your system and produce a report for us to review. DSS automatically runs HijackThis for you, but it will also install and place
  
• a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
  

Notes: The first time that the Deckard scanner is run, the extra.txt is generated in a minimized window. The second time you will not obtain the extra.txt. You must go to Start=>Run and copy the following "%userprofile%\desktop\dss.exe" /config in the line and click OK You will receive a pop-up box with options to check for the Main log and Extra Log and Options.

Please post back both of those logs and we'll see what else might be going on.

.

[wontgo]

Okay, here are the logs, I did close the programmes but forgot to check the taskmanager before running the Application. Oh I am not sure if Deckard created a system restore point as I did one already yesterday following my original post and help from JeanInMontana.

MAINTEXT:

Deckard's System Scanner v20071014.68

Run by admin on 2008-05-10 15:02:08

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- Last 1 Restore Point(s) --

1: 2008-05-09 14:45:27 UTC - RP228 - Clean Restore Point 09.05.2008

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:07:09, on 10/05/2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16643)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Mindjet\MindManager 7\MmReminderService.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Users\admin\Desktop\dss.exe

C:\Windows\system32\SearchFilterHost.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://myuni.leeds.ac.uk/cp/home/displaylogin

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: CmjBrowserHelperObject Object - {07A11D74-9D25-4fea-A833-8B0D76A5577A} - C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 7\MMReminderService.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Send to Mindjet MindManager - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O15 - Trusted Zone: http://www.pandasecurity.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll,avgrsstx.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe

O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 9092 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080411-192606-171 O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

backup-20080411-192606-472 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

backup-20080411-192606-795 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

backup-20080411-192606-817 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

backup-20080429-003629-698 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

backup-20080429-003629-877 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

backup-20080506-111043-179 O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

backup-20080506-111043-876 O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)

backup-20080506-111151-947 O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)

backup-20080506-111332-868 O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)

backup-20080506-112131-534 O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*

.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 HP Health Check Service - "c:\program files\hewlett-packard\hp health check\hphc_service.exe" <Not Verified; Hewlett-Packard; HP Health Check Service>

S2 McAfeeFramework (McAfee Framework Service) - "c:\program files\mcafee\common framework\frameworkservice.exe" /servicestart (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Microsoft ISATAP Adapter

Device ID: ROOT\*ISATAP\0001

Manufacturer: Microsoft

Name: isatap.leeds.ac.uk

PNP Device ID: ROOT\*ISATAP\0001

Service: tunnel

-- Scheduled Tasks -------------------------------------------------------------

2008-05-05 09:00:00 328 --a------ C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

2008-04-30 09:21:40 300 --a------ C:\Windows\Tasks\WebReg Deskjet F300 series.job

-- Files created between 2008-04-10 and 2008-05-10 -----------------------------

2008-05-06 11:15:21 0 d-------- C:\!KillBox

2008-05-03 13:52:05 5632 --a------ C:\Windows\system32\pxc25pm.dll <Not Verified; Tracker Software; PDF-XChange Port Monitor>

2008-05-03 13:50:42 0 d-------- C:\Users\All Users\Mindjet

2008-05-03 13:50:41 0 d-------- C:\Program Files\Mindjet

2008-05-01 16:48:51 0 d-------- C:\Program Files\Common Files\xing shared

2008-04-27 18:00:06 0 d-------- C:\Program Files\hpHosts

2008-04-27 15:20:04 0 d--h----- C:\$AVG8.VAULT$

2008-04-27 12:34:06 0 d-------- C:\Windows\system32\drivers\Avg

2008-04-27 12:33:47 0 d-------- C:\Program Files\AVG

2008-04-27 12:33:46 0 d-------- C:\Users\All Users\avg8

2008-04-19 15:46:34 0 d-------- C:\Users\All Users\comodo

2008-04-19 15:46:28 0 d-------- C:\Program Files\COMODO

2008-04-18 16:08:05 0 d-------- C:\Program Files\RogueRemover FREE

2008-04-18 15:45:08 0 d-------- C:\Program Files\FireTrust

2008-04-18 15:25:02 0 d-------- C:\Program Files\BillP Studios

2008-04-18 15:17:46 0 d-------- C:\Program Files\SpywareBlaster

2008-04-14 15:22:37 0 d-------- C:\Users\All Users\Office Genuine Advantage

2008-04-10 12:57:04 0 d-------- C:\Program Files\Common Files\Adobe

-- Find3M Report ---------------------------------------------------------------

2008-05-09 17:42:41 0 d-------- C:\Program Files\Lavasoft

2008-05-09 16:55:18 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-05-03 00:22:29 0 d-------- C:\Program Files\LogMeIn

2008-05-01 16:49:31 0 d-------- C:\Users\admin\AppData\Roaming\Real

2008-05-01 16:48:51 0 d-------- C:\Program Files\Common Files

2008-05-01 16:48:44 0 d-------- C:\Program Files\Common Files\Real

2008-05-01 16:48:24 0 d-------- C:\Program Files\Real

2008-04-26 19:13:31 0 d-------- C:\Program Files\Common Files\Symantec Shared

2008-04-19 17:18:02 0 d-------- C:\Users\admin\AppData\Roaming\WinPatrol

2008-04-19 15:46:35 0 d-------- C:\Users\admin\AppData\Roaming\Comodo

2008-04-18 15:47:33 0 d-------- C:\Users\admin\AppData\Roaming\SiteHound

2008-04-12 23:38:17 0 d-------- C:\Users\admin\AppData\Roaming\Skype

2008-04-12 22:40:51 0 d-------- C:\Users\admin\AppData\Roaming\skypePM

2008-04-10 11:23:58 0 d-------- C:\Program Files\Windows Mail

2008-04-09 16:18:38 0 d-------- C:\Program Files\Panda Security

2008-04-09 13:27:47 0 d-------- C:\Users\admin\AppData\Roaming\Malwarebytes

2008-04-09 10:02:48 0 d-------- C:\Users\admin\AppData\Roaming\Uniblue

2008-04-09 09:21:26 148991 --a------ C:\Windows\hpoins19.dat

2008-04-04 11:45:30 0 d-------- C:\Program Files\Java

2008-04-04 11:41:16 0 d-------- C:\Users\admin\AppData\Roaming\Image Zone Express

2008-04-02 11:35:18 0 d-------- C:\Program Files\Skype

2008-04-02 11:35:10 0 d-------- C:\Program Files\Common Files\Skype

2008-03-30 22:15:30 0 d-------- C:\Program Files\TalkTalk

2008-03-25 13:17:42 0 d-------- C:\Program Files\Common Files\InstallShield

2008-03-25 13:17:20 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-03-25 13:11:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-03-25 13:06:32 0 d-------- C:\Program Files\Common Files\SupportSoft

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07A11D74-9D25-4fea-A833-8B0D76A5577A}]

18/05/2007 00:05 71184 -ra------ C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]

27/04/2008 12:34 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [27/04/2008 12:34 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]

[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [21/09/2007 16:22]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [13/01/2007 04:36]

"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [13/02/2007 19:38]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [16/05/2007 00:38]

"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [16/05/2007 00:38]

"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [01/03/2007 21:18]

"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [11/01/2007 00:12]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [10/12/2006 21:52]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 07:00]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]

"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [27/01/2008 06:38]

"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [19/04/2008 15:46]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [27/04/2008 12:34]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/05/2008 16:48]

"MMReminderService"="C:\Program Files\Mindjet\MindManager 7\MMReminderService.exe" [18/05/2007 00:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [10/01/2008 13:52]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02/11/2006 13:35]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [02/01/2007 21:40:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=C:\Windows\system32\guard32.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

HPZ12 Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

8300 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-05-10 15:13:54 ------------

EXTRA.TEXT

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft

[wontgo]

Hi both of our replies of today were here and now they are gone - thats a bit weird!

[AdvancedSetup]

Yes in deed - not sure what happened but both your post and my post response are now gone.

So were you able to read it before it was deleted?

You need a newer Java 6 update 6

You need to remove the 023 entry for the McAfee Service - not the same as the 04 entry you had before. If it won't go away we will have to do something else as it's a service trying to say it's installed when it's not there.

[wontgo]

okay really strange - I did reply to this, here is my response again though:

RE: SPYBOT (AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled Outdated) - I already have the correct version 1.5.2 I tried looking in programme files but the older version you picked out was no where to be found and not around when I searched the drives

RE: MCAFEE KEY 023 - I did as you said and already tried to get rid of this with JeanInMontana - unfortunately it keeps on coming back and will not budge no matter how many times I rescan and try to delete.

RE: Java - thanks I uninstalled the 2 previous versions and now only have Java 6 update 6.

So the only thing left is McAfee B) O

Oh I am away until Friday this week - why you may ask??? Revision / exams so I won't be able to reply until then as I am becoming computerless to really get down to work lol.

Thanks B)

[AdvancedSetup]

RE: MCAFEE KEY 023 - I did as you said and already tried to get rid of this with JeanInMontana - unfortunately it keeps on coming back and will not budge no matter how many times I rescan and try to delete.

Okay the Spybot version is probably some string in a file that the scanner picked up. Just ignore it.

The RE: MCAFEE KEY 023 is a service. You worked on a 04 KEY with Jean, but that's okay.

It will require a different approach to remove that one. HJT is not the best tool for that.

We may have to try a couple methods for removal of that service as they are often based on short names when using automated removal tools.

Reply back when you're ready.