Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Slow computer - is there a Bot?


  • This topic is locked This topic is locked
6 replies to this topic

#1 K Brown

K Brown

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 21 March 2009 - 06:59 PM

Hi -
I have a new computer (2 months old) which all of a sudden became really slow on the internet. Some pages just wouldn't open. Other pages opened pretty fast. (These are mostly news related pages).
I used a pcmag page (http://www.pcmag.com/article2/0,2817,2326427,00.asp) to help diagnose the problem. It pointed me to you. Below is my hijack file. (Also I did find a strange entry in hosts file - ::1 - that I'm curious about).
Thank you, very much, for your help.
K

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:05 PM, on 3/21/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe
C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayAlert.exe
C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10b.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: FAIESSO Helper Object - {A2F122DA-055F-4df7-8F24-7354DBDBA85B} - C:\Program Files (x86)\Sensible Vision\Fast Access\FAIESSO.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files (x86)\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [FATrayAlert] C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [PCMService] "C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
O20 - Winlogon Notify: FastAccess - C:\Program Files (x86)\Sensible Vision\Fast Access\FALogNot.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: FAService - Sensible Vision - C:\Program Files (x86)\Sensible Vision\Fast Access\FAService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\STacSV64.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7970 bytes

BC AdBot (Login to Remove)

 


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:05:20 AM

Posted 30 March 2009 - 02:29 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.

Edited by suebaby41, 30 March 2009 - 02:31 PM.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 K Brown

K Brown
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 30 March 2009 - 03:38 PM

Thank you for your help!

I have only done 1 thing since my last post: I removed the "::1" entry from my HOSTS file. Perhaps that helped but in any case, my computer isn't slow like it was.

I also run the "arp -a" at the command prompt and get the following:
192.168.1.1
192.168.1.100
224.0.0.22
224.0.0.252
239.255.255.250
255.255.255.255
My laptop and desktop being the only 2 computers on my network.

Following is the Log file and the "info" file from RSIT:

Run by Lindsarez at 2009-03-30 16:29:01
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 253 GB (86%) free of 295 GB
Total RAM: 4054 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:03 PM, on 3/30/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe
C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayAlert.exe
C:\Program Files (x86)\Internet Explorer\IEUser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Lindsarez\Desktop\RSIT.exe
C:\Program Files (x86)\Trend Micro\HijackThis\Lindsarez.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: FAIESSO Helper Object - {A2F122DA-055F-4df7-8F24-7354DBDBA85B} - C:\Program Files (x86)\Sensible Vision\Fast Access\FAIESSO.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files (x86)\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [FATrayAlert] C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [PCMService] "C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)

\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
O20 - Winlogon Notify: FastAccess - C:\Program Files (x86)\Sensible Vision\Fast Access\FALogNot.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4

\AESTSr64.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: FAService - Sensible Vision - C:\Program Files (x86)\Sensible Vision\Fast Access\FAService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet

Security\SfCtlCom.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\STacSV64.exe

(file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend

Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file

missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media

Player\wmpnetwk.exe (file missing)

--
End of file - 7821 bytes

======Scheduled tasks folder======

C:\Windows\tasks\User_Feed_Synchronization-{0D00DC43-AA33-4D76-A507-8FDE24973B8C}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files (x86)\Java\jre6\bin\ssv.dll [2009-02-02 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2F122DA-055F-4df7-8F24-7354DBDBA85B}]
FAIESSOHelper Class - C:\Program Files (x86)\Sensible Vision\Fast Access\FAIESSO.dll [2008-09-05 206080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files (x86)\Dell\BAE\BAE.dll [2006-11-09 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2009-02-02 34816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files (x86)\Java\jre6\bin\jusched.exe [2009-02-02 136600]
"FATrayAlert"=C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe [2008-09-05 95488]
"Dell Webcam Central"=C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe [2008-02-19 438403]
"PCMService"=C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe [2008-07-04 132392]
"FAStartup"= []
"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-20 1555968]
"SpybotSD TeaTimer"=C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
QuickSet.lnk - C:\Program Files (x86)\Dell\QuickSet\quickset.exe

C:\Users\Lindsarez\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OpenOffice.org 3.0.lnk - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\FastAccess]
C:\Program Files (x86)\Sensible Vision\Fast Access\FALogNot.dll [2008-09-05 140544]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
FAPassSync

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=
"NoActiveDesktopChanges"=
"ForceActiveDesktopOn"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 3 months======

2009-03-30 16:29:01 ----D---- C:\rsit
2009-03-21 13:46:53 ----D---- C:\Program Files (x86)\Trend Micro
2009-03-21 13:24:13 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-03-21 13:24:13 ----D---- C:\Program Files (x86)\Spybot - Search & Destroy
2009-03-17 09:21:03 ----SHD---- C:\Config.Msi
2009-03-11 13:20:53 ----A---- C:\Windows\system32\schannel.dll
2009-02-16 08:30:08 ----A---- C:\Windows\system32\EncDec.dll
2009-02-16 08:30:06 ----A---- C:\Windows\system32\psisdecd.dll
2009-02-11 09:05:51 ----A---- C:\Windows\system32\mshtml.dll
2009-02-11 09:05:49 ----A---- C:\Windows\system32\urlmon.dll
2009-02-11 09:05:49 ----A---- C:\Windows\system32\ieframe.dll
2009-02-11 09:05:48 ----A---- C:\Windows\system32\wininet.dll
2009-02-11 09:05:48 ----A---- C:\Windows\system32\mstime.dll
2009-02-11 09:05:48 ----A---- C:\Windows\system32\msfeeds.dll
2009-02-11 09:05:48 ----A---- C:\Windows\system32\iertutil.dll
2009-02-11 09:05:47 ----A---- C:\Windows\system32\jsproxy.dll
2009-02-02 17:32:45 ----D---- C:\Users\Lindsarez\AppData\Roaming\Mozilla
2009-02-02 16:07:07 ----D---- C:\Program Files (x86)\Mozilla Firefox
2009-02-02 16:04:59 ----A---- C:\Windows\system32\javaws.exe
2009-02-02 16:04:59 ----A---- C:\Windows\system32\javaw.exe
2009-02-02 16:04:59 ----A---- C:\Windows\system32\java.exe
2009-02-02 16:04:59 ----A---- C:\Windows\system32\deploytk.dll
2009-01-20 19:43:46 ----D---- C:\Program Files (x86)\Microsoft Silverlight
2009-01-19 15:59:23 ----D---- C:\Users\Lindsarez\AppData\Roaming\OpenOffice.org
2009-01-13 18:06:19 ----D---- C:\Users\Lindsarez\AppData\Roaming\CyberLink
2009-01-11 16:08:14 ----D---- C:\Program Files (x86)\JRE
2009-01-11 16:08:10 ----D---- C:\Program Files (x86)\OpenOffice.org 3
2009-01-11 09:53:44 ----A---- C:\Windows\system32\tzres.dll
2009-01-10 10:40:05 ----A---- C:\Windows\system32\connect.dll
2009-01-10 10:40:03 ----A---- C:\Windows\system32\msxml3.dll
2009-01-10 10:39:46 ----A---- C:\Windows\system32\win32spl.dll
2009-01-10 10:39:29 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2009-01-10 10:39:29 ----A---- C:\Windows\system32\Apphlpdm.dll
2009-01-10 10:39:05 ----A---- C:\Windows\system32\gdi32.dll
2009-01-10 10:39:03 ----A---- C:\Windows\system32\msxml6.dll
2009-01-10 10:38:52 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2009-01-10 10:38:50 ----A---- C:\Windows\system32\explorer.exe
2009-01-10 10:38:50 ----A---- C:\Windows\explorer.exe
2009-01-10 10:38:44 ----A---- C:\Windows\system32\mf.dll
2009-01-10 10:38:42 ----A---- C:\Windows\system32\WMVCORE.DLL
2009-01-10 10:38:41 ----A---- C:\Windows\system32\WMNetMgr.dll
2009-01-10 10:38:41 ----A---- C:\Windows\system32\logagent.exe
2009-01-10 10:38:19 ----A---- C:\Windows\system32\shell32.dll
2009-01-10 10:38:15 ----A---- C:\Windows\system32\Faultrep.dll
2009-01-10 10:38:13 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2009-01-10 10:38:13 ----A---- C:\Windows\system32\WindowsCodecs.dll
2009-01-10 10:38:13 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2009-01-10 10:03:04 ----D---- C:\Users\Lindsarez\AppData\Roaming\Creative
2009-01-10 09:57:41 ----A---- C:\Windows\system32\wups.dll
2009-01-10 09:57:41 ----A---- C:\Windows\system32\wudriver.dll
2009-01-10 09:57:41 ----A---- C:\Windows\system32\wuapi.dll
2009-01-10 09:57:32 ----A---- C:\Windows\system32\wuwebv.dll
2009-01-10 09:57:32 ----A---- C:\Windows\system32\wuapp.exe
2009-01-09 19:35:41 ----D---- C:\Users\Lindsarez\AppData\Roaming\Macromedia
2009-01-09 18:52:13 ----D---- C:\Users\Lindsarez\AppData\Roaming\Adobe
2009-01-09 18:32:12 ----D---- C:\Users\Lindsarez\AppData\Roaming\Dell
2009-01-09 18:31:03 ----D---- C:\Users\Lindsarez\AppData\Roaming\Identities
2009-01-09 18:30:08 ----SD---- C:\Users\Lindsarez\AppData\Roaming\Microsoft
2009-01-09 18:30:08 ----D---- C:\Users\Lindsarez\AppData\Roaming\Media Center Programs
2009-01-09 18:26:34 ----SHD---- C:\ProgramData\Templates
2009-01-09 18:26:34 ----SHD---- C:\ProgramData\Start Menu
2009-01-09 18:26:34 ----SHD---- C:\ProgramData\Favorites
2009-01-09 18:26:34 ----SHD---- C:\ProgramData\Documents
2009-01-09 18:26:34 ----SHD---- C:\ProgramData\Desktop
2009-01-09 18:26:34 ----SHD---- C:\ProgramData\Application Data
2009-01-09 18:26:34 ----SHD---- C:\Documents and Settings

======List of files/folders modified in the last 3 months======

2009-03-30 16:28:30 ----D---- C:\Windows\Temp
2009-03-30 16:18:10 ----D---- C:\Windows\SysWOW64
2009-03-30 16:17:50 ----D---- C:\Windows\System32
2009-03-23 08:34:55 ----D---- C:\Windows\inf
2009-03-21 13:46:53 ----RD---- C:\Program Files (x86)
2009-03-21 13:24:13 ----HD---- C:\ProgramData
2009-03-21 03:00:28 ----SHD---- C:\System Volume Information
2009-03-17 09:22:15 ----SHD---- C:\Windows\Installer
2009-03-17 09:21:21 ----D---- C:\ProgramData\Adobe
2009-03-17 09:21:18 ----D---- C:\Program Files (x86)\Common Files\Adobe
2009-03-14 03:56:35 ----D---- C:\Windows\Logs
2009-03-14 03:18:02 ----D---- C:\Windows\winsxs
2009-03-14 03:06:00 ----D---- C:\Program Files (x86)\Windows Mail
2009-02-28 21:44:30 ----D---- C:\Windows\LiveKernelReports
2009-02-18 04:07:59 ----D---- C:\Windows\Microsoft.NET
2009-02-18 04:07:41 ----RSD---- C:\Windows\assembly
2009-02-18 04:04:15 ----D---- C:\Windows\ehome
2009-02-15 05:01:12 ----D---- C:\Windows\Prefetch
2009-02-03 16:25:11 ----SD---- C:\ProgramData\Microsoft
2009-02-02 16:04:35 ----D---- C:\Program Files (x86)\Java
2009-01-14 09:21:09 ----D---- C:\Windows\rescache
2009-01-13 18:05:59 ----D---- C:\ProgramData\CyberLink
2009-01-11 16:31:33 ----D---- C:\Windows\AppPatch
2009-01-11 16:31:32 ----D---- C:\Windows\system32\en-US
2009-01-11 16:31:32 ----D---- C:\Windows
2009-01-11 16:31:31 ----D---- C:\Windows\system32\migration
2009-01-11 16:08:32 ----RSD---- C:\Windows\Fonts
2009-01-11 14:41:34 ----D---- C:\Windows\Debug
2009-01-09 19:34:34 ----D---- C:\Windows\Tasks
2009-01-09 19:29:22 ----D---- C:\DELL
2009-01-09 18:38:35 ----D---- C:\Windows\SoftwareDistribution
2009-01-09 18:32:00 ----D---- C:\ProgramData\Dell
2009-01-09 18:31:19 ----SHD---- C:\$Recycle.Bin
2009-01-09 18:30:08 ----RD---- C:\Users

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver; C:\Windows\system32\DRIVERS\tmlwf.sys []
R1 tmtdi;Trend Micro TDI Driver; C:\Windows\system32\DRIVERS\tmtdi.sys []
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmpx64.sys []
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimspx64.sys []
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdpx64.sys []
R2 tmpreflt;tmpreflt; C:\Windows\system32\DRIVERS\tmpreflt.sys []
R2 tmwfp;Trend Micro WFP Callout Driver; C:\Windows\system32\DRIVERS\tmwfp.sys []
R2 tmxpflt;tmxpflt; C:\Windows\system32\DRIVERS\tmxpflt.sys []
R2 vsapint;vsapint; C:\Windows\system32\DRIVERS\vsapint.sys []
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows XP/Vista x64; C:\Windows\system32\DRIVERS\Apfiltr.sys []
R3 BCM42RLY;BCM42RLY; C:\Windows\system32\drivers\BCM42RLY.sys []
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\Windows\system32\DRIVERS\bcmwl664.sys []
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys []
R3 FACAP;facap, FastAccess Video Capture; C:\Windows\system32\DRIVERS\facap.sys []
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys []
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI; C:\Windows\system32\drivers\IntcHdmi.sys []
R3 itecir;ITECIR Infrared Receiver; C:\Windows\system32\DRIVERS\itecir.sys []
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\k57nd60a.sys []
R3 ksthunk;Kernel Streaming Thunks; C:\Windows\system32\drivers\ksthunk.sys []
R3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys []
R3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys []
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver; C:\Windows\system32\DRIVERS\OA001Ufd.sys []
R3 OA001Vid;Creative Camera OA001 Function Driver; C:\Windows\system32\DRIVERS\OA001Vid.sys []
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys []
R3 STHDA;IDT High Definition Audio CODEC; C:\Windows\system32\DRIVERS\stwrt64.sys []
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys []
S3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032e.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys []
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys []
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys []
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys []
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AESTFilters;Andrea ST Filters Service; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\AESTSr64.exe []
R2 DockLoginService;Dock Login Service; C:\Program Files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
R2 FAService;FAService; C:\Program Files (x86)\Sensible Vision\Fast Access\FAService.exe [2008-09-05 2340096]
R2 SfCtlCom;Trend Micro Central Control Component; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [2009-02-25 818752]
R2 STacSV;Audio Service; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_a2af78c4\STacSV64.exe []
R2 TMBMServer;Trend Micro Unauthorized Change Prevention Service; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [2008-09-26 563464]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\Windows\System32\WLTRYSVC.EXE C:\Windows\System32\bcmwltry.exe []
R3 TmPfw;Trend Micro Personal Firewall; C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe [2008-09-22 585136]
R3 tmproxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2008-09-26 854280]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

[2008-01-20 93696]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-01-20 19968]
S3 stllssvr;stllssvr; C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe [2008-03-24 74384]

-----------------EOF-----------------

Also from the "LOG" file that RSIT created:

info.txt logfile of random's system information tool 1.06 2009-03-30 16:29:04

======Uninstall list======

-->C:\Windows\CtDrvIns.exe -uninstall -script OA001.uns -unsext NTamd64 -plugin OA001Pin.dll -pluginres OA001Pin.crl -nodisconprompt -langid 0x0409
-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{BC12448A-0B41-4E11-B242-B1129512F5B7}\setup.exe" -l0x9
Acrobat.com-->C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\SysWOW64\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Advanced Audio FX Engine-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x9 /remove
Browser Address Error Redirector-->MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
Browser Address Error Redirector-->regsvr32 /u /s "C:\Program Files (x86)\Dell\BAE\BAE.dll"
Cisco EAP-FAST Module-->MsiExec.exe /I{6D3963B0-E13B-4FC3-B0FF-506A304BB043}
Cisco LEAP Module-->MsiExec.exe /I{83770D14-21B9-44B3-8689-F7B523F94560}
Cisco PEAP Module-->MsiExec.exe /I{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Cozi-->MsiExec.exe /X{7456BBA3-642F-4E59-9F89-7639977D7C39}
Dell Getting Started Guide-->MsiExec.exe /I{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}
Dell Video Chat (remove only)-->C:\Program Files (x86)\Dell Video Chat\uninst.exe
Dell Webcam Central-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{BC12448A-0B41-4E11-B242-B1129512F5B7}\setup.exe" -l0x9 /remove
EDocs-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}\setup.exe"
HijackThis 2.0.2-->"C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe" /uninstall
ITECIR-->C:\Program Files (x86)\InstallShield Installation Information\{F6BB6248-C507-46FE-8A35-1B16F35E0441}\setup.exe -runfromtemp -l0x0009 -removeonly
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Live! Cam Avatar Creator-->C:\Program Files (x86)\InstallShield Installation Information\{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}\setup.exe -runfromtemp -l0x0009 -removeonly /remove
MediaDirect-->C:\Program Files (x86)\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\setup.exe -runfromtemp -l0x0009 -cluninstall
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Mozilla Firefox (3.0.6)-->C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
OpenOffice.org 3.0-->MsiExec.exe /I{F44DA61E-720D-4E79-871F-F6E628B33242}
Roxio Creator Audio-->MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Creator Copy-->MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Creator Data-->MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Creator DE-->C:\ProgramData\Uninstall\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}\setup.exe /x {09760D42-E223-42AD-8C3E-55B47D0DDAC3}
Roxio Creator DE-->MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Creator Tools-->MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Spybot - Search & Destroy-->"C:\Program Files (x86)\Spybot - Search & Destroy\unins000.exe"

======Security center information======

AV: Trend Micro Internet Security
AS: Windows Defender

======System event log======

Computer Name: Lindsarez-PC
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00234E24EB57. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 21118
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090330011219.000000-000
Event Type: Warning
User:

Computer Name: Lindsarez-PC
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00234E24EB57. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 21122
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090330011226.000000-000
Event Type: Warning
User:

Computer Name: Lindsarez-PC
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00234E24EB57. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 21131
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090330201752.000000-000
Event Type: Warning
User:

Computer Name: Lindsarez-PC
Event Code: 7
Message: The speed of processor 0 is being limited by system firmware. The processor has been in this reduced performance state for 11 seconds since the last report.
Record Number: 21135
Source Name: Microsoft-Windows-Kernel-Processor-Power
Time Written: 20090330201750.503000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Lindsarez-PC
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00234E24EB57. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 21139
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090330201801.000000-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: Lindsarez-PC
Event Code: 4621
Message: The COM+ Event System could not remove the EventSystem.EventSubscription object {AA44355E-6911-4447-BA5D-6720480579AF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The HRESULT was 80070005.
Record Number: 1430
Source Name: Microsoft-Windows-EventSystem
Time Written: 20090321183254.000000-000
Event Type: Error
User:

Computer Name: Lindsarez-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
28 user registry handles leaked from \Registry\User\S-1-5-21-2214874260-632106874-3071094449-1000:
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Search Assistant
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunServices
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Run
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Internet Explorer
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunService
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunServiceOnce
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunService
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Policies
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Search Assistant
Process 1304 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServiceOnce

Record Number: 1433
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090321183256.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Lindsarez-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 1454
Source Name: Microsoft-Windows-WMI
Time Written: 20090321192228.000000-000
Event Type: Error
User:

Computer Name: Lindsarez-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
28 user registry handles leaked from \Registry\User\S-1-5-21-2214874260-632106874-3071094449-1000:
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Search Assistant
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunServices
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Run
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Internet Explorer
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunService
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunServiceOnce
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunService
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\Policies
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Microsoft\Search Assistant
Process 1356 (\Device\HarddiskVolume3\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-2214874260-632106874-3071094449-1000\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServiceOnce

Record Number: 1470
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090323121401.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Lindsarez-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 1484
Source Name: Microsoft-Windows-WMI
Time Written: 20090323122841.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Lindsarez-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: LINDSAREZ-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2a0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 1885
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090329170305.855000-000
Event Type: Audit Success
User:

Computer Name: Lindsarez-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 1886
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090329170305.855000-000
Event Type: Audit Success
User:

Computer Name: Lindsarez-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: LINDSAREZ-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x2a0
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 1887
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090330201834.353000-000
Event Type: Audit Success
User:

Computer Name: Lindsarez-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: LINDSAREZ-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x2a0
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 1888
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090330201834.353000-000
Event Type: Audit Success
User:

Computer Name: Lindsarez-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 1889
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090330201834.353000-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\DLLShared\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=170a
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\34FB5F65-FFEB-4B61-BF0E-A6A76C450FAA\TraceFormat
"DFSTRACINGON"=FALSE
"RoxioCentral"=C:\Program Files (x86)\Common Files\Roxio Shared\10.0\Roxio Central36\

-----------------EOF-----------------

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:05:20 AM

Posted 31 March 2009 - 05:07 PM

Step 1
  • Please download GooredFix , making sure that you save this file to your Desktop.
  • Double-click GooredFix.exe on your Desktop (Note: If you are using Vista, right-click GooredFix and select Run As Administrator...).
  • Select Option#1 - Find Goored (no fix), by typing 1 and pressing Enter.
  • A logfile should popup shortly. Please post the log in your next reply.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 K Brown

K Brown
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 31 March 2009 - 07:14 PM

GooredFix v1.92 by jpshortstuff
Log created at 20:12 on 31/03/2009 running Option #1 (Lindsarez)
Firefox version 3.0.6 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files (x86)\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files (x86)\Mozilla Firefox\components"

#6 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:05:20 AM

Posted 03 April 2009 - 10:17 AM

O1 - Hosts: ::1 localhost is a normal entry for Vista and is safe.

Step 1

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Note: On Vista, “Windows Temp” is disabled. To empty “Windows Temp”, ATF-Cleaner must be “Run as an Administrator”.
  • Please download the ATF-Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch (Windows XP) only
    • Java Cache
  • The rest are optional - if you want to remove them all, check Select All.
  • Click the Empty Selected button.
  • When you get the Done Cleaning message, click OK.
  • Follow the same steps for Firefox or Opera. You have the option of checking No if you want to save your passwords.
  • Click Exit on the Main menu to close the program.
Step 3

In normal mode, run an online antivirus check from at least two and preferably three of the following sites
BitDefender
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require an Active X to run.
  • Detects and removes malware ( viruses, worms, trojans, etc. )
  • Detects and removes grayware and spyware
  • Restores damage caused by malware to your system.
  • Notifies about vulnerabilities in installed programs and connected network services.
  • Multi-platform support for: Windows, Linux, Solaris.
  • Easy-to-use with the Microsoft Internet Explorer and Mozilla Firefox.
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 4
  • Please download Ad-Aware Free - Anniversary Edition to your desktop. The Ad-Aware Free - Anniversary Edition installation file will be Ad-AwareAE.exe.
  • Double-click the file and follow the on-screen instructions in the Installation Wizard to install.
  • When the Please Enter Your License Information screen appears, click Cancel and Ad-Aware Free - Anniversary Edition will be installed.
  • When the Ad-Aware Free - Anniversary Edition Has Been Successfully Installed Screen appears, click Finish to complete the installation and to launch Ad-Aware Free - Anniversary Edition.
  • The Status screen will appear. You will see four sections.
    • System Protection Status section where you will see Real Time Protection with a check in the Off dialog box and Automatic Updates with a check in the On dialog box.
    • Update Status section
    • System Scan section
    • License Status section where you will see that the Type: will be Free Edition and License Expires in: Never.
  • In the list on the left of the screen, click Scan. You will be given a choice of Smart Scan, Full Scan, and Custom Scan. (Scheduler on the right of the screen is only available in Ad-Aware 2008 Plus and Ad-Aware Pro.)
  • In the list on the left of the screen, click Settings > Scanning tab. Use the default settings unless you see some changes that you want to make.
  • In the list on the left of the screen, click Status. In the System Scan section, click Scan Now.
  • When the scan finishes, the Critical Objects tab window appears.
  • Under Scan Results, you will see the list of Critical Objects that Ad-Aware Free - Anniversary Edition found. You are given three choices, Add to ignore, Quarantine, Remove, and System Restore. You may choose to create a System Restore Point prior to removing any objects that you are unsure of removing or after a scan when you know the system is clean. If Critical Objects are found, select all objects found (right click anywhere in the list of found objects and click "Select All Objects").
  • Click Remove.
  • If no Critical Objects are found, click the Privacy Objects tab.
  • If there are Privacy Objects listed, select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Select Add to ignore or Remove..
  • Click Remove.
  • If no Privacy Objects are found, click the Log File tab to see the statistics of the Ad-Aware Free - Anniversary Edition scan.
  • Click Finish.
  • The next screen shows you the Scan Summary in the left panel and System Restore in the right panel.
    • You may choose to create a System Restore Point prior to removing any objects that you are unsure of removing or after a scan when you know the system is clean. If you choose to create a System Restore Point, click Set.
    • You may want to export the results Click Export and save the log on your computer .
    • Click Scan Again to repeat the scan.
  • You will be returned to the Status screen. Click on the X in the upper right corner to exit Ad-Aware Free - Anniversary Edition.
Step 5

I recommend using Spyware Blaster.
  • Please download SpywareBlaster and save it to your desktop.
  • Double click on it to install the program.
  • Follow the prompts and choose the default locations when installing the program.
  • When the program is installed, it will place an icon on your desktop.
  • Double click on the SpywareBlaster icon and you will be presented with a brief tutorial. On the first page of this tutorial, you will see some of the SpywareBlaster features
  • Click on the Next button to proceed to the second page of the tutorial.
  • If you want to purchase the software, then you should select Automatic Updating. If you do not plan on purchasing the software, then you should select the option for Manual Updating. Press the Next button.
  • At the next screen, click Finish.
  • At the next screen, Protection Status, click Enable All Protection.
  • Click Download Latest Protection Updates. This will ensure that SpywareBlaster has the latest definitions so that it can protect your browser more efficiently. You should update SpywareBlaster regularly, as much as every few days, in order to provide the best protection. Each time you update, be sure to click Enable All Protection.
Step 6

Malwarebytes' Anti-Malware is FREEWARE, however you may upgrade to the PRO version which contains realtime protection, scheduled scanning and updating.
  • Please download Malwarebytes Anti-Malware (MBAM). Alternate download link
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing scan. If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from the Malware Bytes Web site. Scroll down the page until you see Latest Database; click Download from GT500.org
  • Double-click on mbam-rules.exe to install.
  • On the Scanner tab, make sure the Perform Quick Scan option is selected.
  • Click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete; please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully.
  • At the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Step 7
  • Please download SUPERAntiSpyware (SAS) - SUPERAntiSpyware Free Version For Home Users
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options, make sure the following are checked:
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information, please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose Copy.
    • Click Close and Close again to exit the program.
  • Please post that information with a new HijackThis log.
Step 8

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Slow Computer/browser? Check Here First; It May Not Be Malware
What to do if your Computer is running slowly
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 9

Check your computer with anti-rootkit applications. I recommend avast! antirootkit or Trend Micro RootkitBuster.

Step 10

Check to see if you have insecure applications with
Secunia Software Inspector. Secunia Software Inspector:
  • Detects insecure versions of common/popular programs installed on your computer.
  • Verifies that all Microsoft patches are applied.
  • Assists you in updating, patching, and protecting your computer.
  • Activates additional security features in Sun Java.
  • Runs through your browser. No installation or download is required.
Step 11

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post:
  • the list of file names and locations for any files that cannot be cleaned / deleted that were reported after you completed the online scans.
  • the log from MalwareBytes
  • the log from SUPERAntiSpyware
  • a new HijackThis log
Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#7 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:05:20 AM

Posted 19 April 2009 - 05:51 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users