Author Topic: ThinkPoint has my computer at a standstill  (Read 1141 times)


Offline Alisande

  • Newbie
  • Posts: 7
ThinkPoint has my computer at a standstill
« on: October 24, 2010, 12:42:43 AM »
This afternoon Firefox suddenly closed and a window popped up with the message from "Microsoft" saying it had detected the Trojan virus on my computer. Thinking it was Microsoft, I clicked on the window. Then got a message about downloading ThinkPoint. That aroused my suspicions. Without agreeing to anything, I went upstairs to Google it. Found out that it's a fake.

I restarted my first computer, and the ThinkPoint "Safe Startup" screen appeared. Back to my upstairs computer, where I printed out instructions for removing ThinkPoint. However, I can't follow them. When I hit Ctrl-Alt-Del, I get the screen with a menu that includes Start Task Manager. But when I click on it, the screen goes immediately back to ThinkPoint Safe Startup.

I'm running Windows 7 and don't have any anti-malware installed on that computer.

What can I do now? I appreciate your help!

Offline Alisande

Re: ThinkPoint has my computer at a standstill
« Reply #1 on: October 24, 2010, 02:24:05 AM »
I think I'm cured. Please tell me if I need to do anything further.

I came upon instructions from the University of Delaware for dealing with an infected computer. Following them, I restarted in Safe Mode With Networking. I was then able to open the Task Manager and end the hotfix.exe process. Then I created a New Task and opened explorer.exe. From there I was able to download and run Malwarebytes, which found three infected files. As part of the removal process, it requested a restart. When the computer started up again, the normal desktop appeared. Everything seems fine.

I'm relieved! Should I be?

Thanks!

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: ThinkPoint has my computer at a standstill
« Reply #2 on: October 24, 2010, 01:54:55 PM »
Hi, Alisande. Welcome to LandzDown Forum.

Please post an RSIT log so we can see if there is anything else that needs to be done.

Please download random's system information tool (RSIT):
  • Download RSIT by random/random from here and save it to your desktop.
    Note:  If you have a 64-bit machine, download this version from here
  • Double-click RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Alisande

Re: ThinkPoint has my computer at a standstill
« Reply #3 on: October 24, 2010, 06:43:37 PM »
Thanks, Corrine. Log.txt looks awfully long. Do you want me to copy and paste the whole thing?

Online Corrine

Re: ThinkPoint has my computer at a standstill
« Reply #4 on: October 24, 2010, 07:29:01 PM »
Hi, Alisande.

Yes, I want you to post both the log.txt and info.txt. Since they appear long, it may be best if you post the logs in two separate replies -- one for each of the logs.

Offline Alisande

Re: ThinkPoint has my computer at a standstill
« Reply #5 on: October 24, 2010, 08:35:24 PM »
Okay, thanks. Here's log.txt:

Logfile of random's system information tool 1.08 (written by random/random)
Run by Susan at 2010-10-24 14:37:53
Microsoft Windows 7 Professional 
System drive C: has 61 GB (54%) free of 112 GB
Total RAM: 8190 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:38:11 PM, on 10/24/2010
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\UPSMON\UPSMON.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Adobe\Photoshop Elements 8.0\PhotoshopElementsEditor.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\trend micro\Susan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UPSMON] C:\Program Files (x86)\UPSMON\UPSMON.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: UPSMONService - Unknown owner - C:\Program Files (x86)\UPSMON\UPSMON_Service.Exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8741 bytes

======Listing Processes======

\SystemRoot\System32\smss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
wininit.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
winlogon.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
atieclxx
"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe"
C:\Windows\system32\svchost.exe -k NetworkService
"C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
"C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe"
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe"
"C:\Program Files (x86)\UPSMON\UPSMON_Service.Exe"
"taskhost.exe"
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
 \\.\pipe\SygateSecurityAgentR41T38719 \\.\pipe\SygateSecurityAgentW18467T38719
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
"C:\Program Files (x86)\UPSMON\UPSInt.exe"
\??\C:\Windows\system32\conhost.exe
"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe" {EE68EAFC-BF28-4017-8A92-D17DACF0B459} -Embedding
"C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
"C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM"
"C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
"C:\Program Files (x86)\UPSMON\UPSMON.exe"
"C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe"  -osboot
"C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe"
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
"C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe" 0
C:\Windows\System32\svchost.exe -k secsvcs
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
"C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe" -auto
"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel=748.787f1a0.960661623 "C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll" 748 plugin \\.\pipe\gecko-crash-server-pipe.748
"C:\Program Files (x86)\Adobe\Photoshop Elements 8.0\PhotoshopElementsEditor.exe" -specifier pseeditor-8.0 -nostartupscreen -nostartupscreen
"C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"
"C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE"
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE"
C:\Windows\splwow64.exe 2
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe82_ Global\UsGthrCtrlFltPipeMssGthrPipe82 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
"C:\Users\Susan\Downloads\RSITx64.exe"
C:\Windows\system32\wbem\wmiprvse.exe

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2010-05-03 341600]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2010-02-15 41760]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe [2008-06-24 1840424]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"=C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-08-13 98304]
"GrooveMonitor"=C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"ccApp"=C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe [2009-07-08 115560]
"SunJavaUpdateSched"=C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"QuickTime Task"=C:\Program Files (x86)\QuickTime\QTTask.exe [2010-02-15 417792]
"UPSMON"=C:\Program Files (x86)\UPSMON\UPSMON.exe [2003-12-22 428032]
"TkBellExe"=C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe [2010-05-03 202256]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccEvtMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccSetMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SmcService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antivirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antvirus]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-10-24 14:37:53 ----D---- C:\rsit
2010-10-24 14:37:53 ----D---- C:\Program Files\trend micro
2010-10-23 21:35:42 ----D---- C:\Users\Susan\AppData\Roaming\Malwarebytes
2010-10-23 21:35:28 ----A---- C:\Windows\SYSWOW64\drivers\mbamswissarmy.sys
2010-10-23 21:35:27 ----D---- C:\ProgramData\Malwarebytes
2010-10-23 21:35:27 ----D---- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-10-23 21:35:27 ----A---- C:\Windows\system32\drivers\mbam.sys
2010-10-23 21:27:57 ----A---- C:\Windows\ntbtlog.txt
2010-10-23 16:24:04 ----A---- C:\Users\Susan\AppData\Roaming\34798.bat
2010-10-13 09:56:36 ----A---- C:\Windows\system32\mshtml.dll
2010-10-13 09:56:36 ----A---- C:\Windows\system32\ieframe.dll
2010-10-13 09:56:35 ----A---- C:\Windows\SYSWOW64\mshtml.dll
2010-10-13 09:56:35 ----A---- C:\Windows\SYSWOW64\iertutil.dll
2010-10-13 09:56:35 ----A---- C:\Windows\SYSWOW64\ieframe.dll
2010-10-13 09:56:35 ----A---- C:\Windows\system32\iertutil.dll
2010-10-13 09:56:34 ----A---- C:\Windows\SYSWOW64\wininet.dll
2010-10-13 09:56:34 ----A---- C:\Windows\SYSWOW64\urlmon.dll
2010-10-13 09:56:34 ----A---- C:\Windows\SYSWOW64\msfeeds.dll
2010-10-13 09:56:34 ----A---- C:\Windows\SYSWOW64\licmgr10.dll
2010-10-13 09:56:34 ----A---- C:\Windows\system32\urlmon.dll
2010-10-13 09:56:34 ----A---- C:\Windows\system32\mshtmled.dll
2010-10-13 09:56:34 ----A---- C:\Windows\system32\msfeeds.dll
2010-10-13 09:56:34 ----A---- C:\Windows\system32\licmgr10.dll
2010-10-13 09:56:33 ----A---- C:\Windows\SYSWOW64\mstime.dll
2010-10-13 09:56:33 ----A---- C:\Windows\SYSWOW64\mshtmled.dll
2010-10-13 09:56:33 ----A---- C:\Windows\SYSWOW64\msfeedssync.exe
2010-10-13 09:56:33 ----A---- C:\Windows\SYSWOW64\msfeedsbs.dll
2010-10-13 09:56:33 ----A---- C:\Windows\SYSWOW64\jsproxy.dll
2010-10-13 09:56:33 ----A---- C:\Windows\SYSWOW64\ieui.dll
2010-10-13 09:56:33 ----A---- C:\Windows\SYSWOW64\iepeers.dll
2010-10-13 09:56:33 ----A---- C:\Windows\SYSWOW64\iedkcs32.dll
2010-10-13 09:56:33 ----A---- C:\Windows\system32\wininet.dll
2010-10-13 09:56:33 ----A---- C:\Windows\system32\mstime.dll
2010-10-13 09:56:33 ----A---- C:\Windows\system32\msfeedssync.exe
2010-10-13 09:56:33 ----A---- C:\Windows\system32\msfeedsbs.dll
2010-10-13 09:56:33 ----A---- C:\Windows\system32\jsproxy.dll
2010-10-13 09:56:33 ----A---- C:\Windows\system32\ieui.dll
2010-10-13 09:56:33 ----A---- C:\Windows\system32\iepeers.dll
2010-10-13 09:56:33 ----A---- C:\Windows\system32\iedkcs32.dll
2010-10-13 09:56:16 ----A---- C:\Windows\system32\wmp.dll
2010-10-13 09:56:15 ----A---- C:\Windows\SYSWOW64\wmp.dll
2010-10-13 09:56:14 ----A---- C:\Windows\SYSWOW64\wmploc.DLL
2010-10-13 09:56:13 ----A---- C:\Windows\system32\wmploc.DLL
2010-10-13 09:56:12 ----A---- C:\Windows\SYSWOW64\ole32.dll
2010-10-13 09:56:12 ----A---- C:\Windows\system32\ole32.dll
2010-10-13 09:56:10 ----A---- C:\Windows\SYSWOW64\comctl32.dll
2010-10-13 09:56:10 ----A---- C:\Windows\system32\comctl32.dll
2010-10-13 09:56:09 ----A---- C:\Windows\SYSWOW64\wmpmde.dll
2010-10-13 09:56:09 ----A---- C:\Windows\system32\wmpmde.dll
2010-10-13 09:56:08 ----A---- C:\Windows\SYSWOW64\StructuredQuery.dll
2010-10-13 09:56:08 ----A---- C:\Windows\system32\StructuredQuery.dll
2010-10-13 09:55:51 ----A---- C:\Windows\SYSWOW64\mfc40u.dll
2010-10-13 09:55:51 ----A---- C:\Windows\SYSWOW64\mfc40.dll
2010-10-13 09:55:50 ----A---- C:\Windows\SYSWOW64\t2embed.dll
2010-10-13 09:55:50 ----A---- C:\Windows\system32\t2embed.dll
2010-10-13 09:55:49 ----A---- C:\Windows\SYSWOW64\sscore.dll
2010-10-13 09:55:49 ----A---- C:\Windows\system32\srvsvc.dll
2010-10-13 09:55:49 ----A---- C:\Windows\system32\drivers\srvnet.sys
2010-10-13 09:55:49 ----A---- C:\Windows\system32\drivers\srv2.sys
2010-10-13 09:55:49 ----A---- C:\Windows\system32\drivers\srv.sys
2010-10-13 09:55:48 ----A---- C:\Windows\SYSWOW64\schannel.dll
2010-10-13 09:55:48 ----A---- C:\Windows\system32\schannel.dll
2010-10-13 09:55:32 ----A---- C:\Windows\system32\win32k.sys
2010-09-29 23:27:58 ----A---- C:\Windows\system32\drivers\ks.sys
2010-09-29 23:27:37 ----A---- C:\Windows\SYSWOW64\tzres.dll
2010-09-29 23:27:37 ----A---- C:\Windows\system32\tzres.dll

======List of files/folders modified in the last 1 months======

2010-10-24 14:38:05 ----D---- C:\Windows\Prefetch
2010-10-24 14:37:55 ----D---- C:\Windows\Temp
2010-10-24 14:37:53 ----RD---- C:\Program Files
2010-10-23 23:37:46 ----D---- C:\Windows\System32
2010-10-23 23:37:46 ----D---- C:\Windows\inf
2010-10-23 23:37:46 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-10-23 21:59:16 ----D---- C:\Windows\system32\config
2010-10-23 21:55:50 ----D---- C:\Program Files (x86)\Mozilla Firefox
2010-10-23 21:43:01 ----D---- C:\Program Files (x86)\UPSMON
2010-10-23 21:35:28 ----D---- C:\Windows\SYSWOW64\drivers
2010-10-23 21:35:27 ----RD---- C:\Program Files (x86)
2010-10-23 21:35:27 ----HD---- C:\ProgramData
2010-10-23 21:35:27 ----D---- C:\Windows\system32\drivers
2010-10-23 21:27:57 ----D---- C:\Windows
2010-10-23 02:34:18 ----SHD---- C:\System Volume Information
2010-10-18 23:04:27 ----D---- C:\Windows\system32\Tasks
2010-10-16 16:43:20 ----SHD---- C:\Windows\Installer
2010-10-13 10:19:12 ----RSD---- C:\Windows\assembly
2010-10-13 10:19:12 ----D---- C:\Windows\Microsoft.NET
2010-10-13 10:08:49 ----D---- C:\Windows\winsxs
2010-10-13 10:06:36 ----D---- C:\Windows\SysWOW64
2010-10-13 10:06:35 ----D---- C:\Windows\SYSWOW64\migration
2010-10-13 10:06:35 ----D---- C:\Windows\system32\migration
2010-10-13 10:06:35 ----D---- C:\Program Files\Internet Explorer
2010-10-13 10:06:35 ----D---- C:\Program Files (x86)\Internet Explorer
2010-10-13 10:06:34 ----D---- C:\Program Files\Windows Media Player
2010-10-13 10:06:34 ----D---- C:\Program Files (x86)\Windows Media Player
2010-10-13 10:01:49 ----D---- C:\ProgramData\Microsoft Help
2010-10-13 09:57:16 ----A---- C:\Windows\system32\MRT.exe
2010-10-13 09:56:01 ----D---- C:\Windows\system32\catroot
2010-10-13 09:56:00 ----D---- C:\Windows\system32\catroot2
2010-10-12 08:05:49 ----A---- C:\Windows\NeroDigital.ini
2010-09-30 23:59:53 ----D---- C:\Windows\rescache
2010-09-30 22:05:10 ----D---- C:\Program Files (x86)\Microsoft Silverlight
2010-09-30 22:04:00 ----D---- C:\Windows\SYSWOW64\en-US
2010-09-30 22:04:00 ----D---- C:\Windows\system32\en-US
2010-09-30 22:03:59 ----D---- C:\Windows\system32\DriverStore

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-13 12352]
R0 PxHlpa64;PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [2008-06-16 55024]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-13 214096]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [2009-07-13 514048]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [2010-05-27 475696]
R1 SRTSP;SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [2009-08-25 443952]
R1 SRTSPX;SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [2009-08-25 32304]
R1 WPS;WPS; \??\C:\Windows\system32\drivers\wpsdrvnt.sys [2009-09-17 52784]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2009-08-14 6201856]
R3 dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2009-07-13 145920]
R3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2009-07-13 19968]
R3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2009-07-13 43008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 132656]
R3 L1E;NDIS Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller(NDIS6.20); C:\Windows\system32\DRIVERS\L1E62x64.sys [2009-06-19 54272]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys [2005-03-29 8192]
R3 NAVENG;NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20101023.004\ENG64.SYS [2010-09-28 117808]
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20101023.004\EX64.SYS [2010-09-28 1804336]
R3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [2009-07-13 165376]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [2010-01-16 172592]
R3 Teefer2;Teefer2 Miniport; C:\Windows\system32\DRIVERS\teefer2.sys [2009-05-27 62512]
R3 WpsHelper;WpsHelper; \??\C:\Windows\system32\drivers\WpsHelper.sys [2010-09-10 225328]
S3 s3cap;s3cap; C:\Windows\system32\DRIVERS\vms3cap.sys [2009-07-13 6656]
S3 SRTSPL;SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [2009-08-25 481840]
S3 storvsc;storvsc; C:\Windows\system32\DRIVERS\storvsc.sys [2009-07-13 34896]
S3 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\DRIVERS\vmbus.sys [2009-07-13 200272]
S3 VMBusHID;VMBusHID; C:\Windows\system32\DRIVERS\VMBusHID.sys [2009-07-13 21760]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8; C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-06 169312]
R2 AMD External Events Utility;AMD External Events Utility; C:\Windows\system32\atiesrxx.exe [2009-08-13 202752]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [2009-07-08 108392]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [2009-07-08 108392]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 27136]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2009-07-13 27136]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2009-07-13 27136]
R2 SmcService;Symantec Management Client; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe [2009-09-17 3197256]
R2 Symantec AntiVirus;Symantec Endpoint Protection; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2009-09-17 2477304]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2010-01-16 867080]
R3 NMIndexingService;NMIndexingService; C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe [2008-06-24 537896]
R3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-13 27136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 gupdate;Google Update Service (gupdate); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-08-07 136176]
S2 UPSMONService;UPSMONService; C:\Program Files (x86)\UPSMON\UPSMON_Service.Exe [2003-12-26 361984]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-13 27136]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE [2009-07-13 3093880]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-13 27136]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-13 27136]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2010-07-06 1255736]
S4 SNAC;Symantec Network Access Control; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE [2009-09-17 411976]

-----------------EOF-----------------

Offline Alisande

  • Newbie
  • *
  • Posts: 7
Re: ThinkPoint has my computer at a standstill
« Reply #6 on: October 24, 2010, 08:38:33 PM »
And here's info.txt. I didn't look over the whole thing (far from it), but I noticed the word Twitter. Why would it mention Twitter if I don't Tweet?

Thanks so much for your help!

info.txt logfile of random's system information tool 1.08 2010-10-24 14:38:13

======Uninstall list======

-->C:\Program Files (x86)\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Windows\UNNeroMediaHome.exe /UNINSTALL
-->C:\Windows\UNNeroShowTime.exe /UNINSTALL
-->C:\Windows\UNNeroVision.exe /UNINSTALL
-->C:\Windows\UNRecode.exe /UNINSTALL
64 Bit HP CIO Components Installer-->MsiExec.exe /I{BE930E38-7BB3-45B6-85B2-5251F374F844}
Adobe AIR-->C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10k_Plugin.exe -maintain plugin
Adobe Photoshop Elements 2.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files (x86)\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files (x86)\Adobe\Photoshop Elements 2\Uninst.dll"
Adobe Photoshop Elements 8.0-->msiexec /i {17DFE37C-064E-4834-AD8F-A4B2B4DF68F8}
Adobe Photoshop.com Inspiration Browser-->msiexec /qb /x {395A57A6-E0E1-C599-3A28-19A96682B4C6}
Adobe Photoshop.com Inspiration Browser-->MsiExec.exe /I{395A57A6-E0E1-C599-3A28-19A96682B4C6}
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Catalyst Control Center - Branding-->MsiExec.exe /I{CF929EEB-CE39-4F06-B1BF-F51FC617A2B2}
DVDFab Ghosthunter release 5.2.2.2-->"C:\Program Files (x86)\DVDFab 5\unins000.exe"
Foxit Reader-->C:\Program Files (x86)\Foxit Software\Foxit Reader\Uninstall.exe
Google Earth Plug-in-->MsiExec.exe /X{171E6C1E-B5FC-11DF-B115-005056C00008}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Java(TM) 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
LiveUpdate 3.3 (Symantec Corporation)-->"C:\Program Files (x86)\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware-->"C:\Program Files (x86)\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /x64 /parameterfolder Client
Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-002A-0000-1000-0000000FF1CE} /uninstall {E64BA721-2310-4B55-BE5A-2925F9706192}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-002A-0409-1000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0116-0409-1000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Office 64-bit Components 2007-->MsiExec.exe /X{90120000-002A-0000-1000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared 64-bit MUI (English) 2007-->MsiExec.exe /X{90120000-002A-0409-1000-0000000FF1CE}
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0116-0409-1000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053-->MsiExec.exe /X{B6E3757B-5E77-3915-866A-CCFC4B8D194C}
Microsoft Visual C++ 2005 Redistributable (x64)-->MsiExec.exe /X{071c9b48-7c32-4621-a0ac-3f809523288f}
Mozilla Firefox (3.6.10)-->C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
Nero 8 Essentials-->MsiExec.exe /X{7E8FF4A8-10EE-4C95-83B2-73856BFE1033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
PhotoME-->"C:\Program Files (x86)\PhotoME\unins000.exe"
QuickTime-->MsiExec.exe /I{8B7917E0-AF55-4E8A-9473-017F0AA03AC8}
RealPlayer-->C:\Program Files (x86)\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
RealUpgrade 1.0-->MsiExec.exe /I{F4F4F84E-804F-4E9A-84D7-C34283F0088F}
Security Update for 2007 Microsoft Office System (KB2288621)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5C497F0B-2061-4CC9-A61C-6B45B867354D}
Security Update for 2007 Microsoft Office System (KB2344875)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6FC5C4C1-D7AE-44C3-94B7-6424FC3E752F}
Security Update for 2007 Microsoft Office System (KB2345043)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {536FB502-775F-4494-BACE-C02CC90B7A5B}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Security Update for 2007 Microsoft Office System (KB982312)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B0EC5722-241F-4CDA-83B4-AA5846B6F9F4}
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {FD8D7C9A-E56A-3E7B-BA6D-FE68F13296E3} /parameterfolder Client
Security Update for Microsoft Office Access 2007 (KB979440)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1142CCEC-ACA9-484B-BA90-C3A5CA1988C5}
Security Update for Microsoft Office Access 2007 (KB979440)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5A4E43D5-858F-49BD-BA72-8F30E1793060}
Security Update for Microsoft Office Excel 2007 (KB2345035)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B23002DD-34EC-4988-B810-A5E2A0BF04F1}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1109D0B3-EFA3-4553-AAED-4C3E9AD130E8}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}
Security Update for Microsoft Office Outlook 2007 (KB2288953)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8B772E1C-7C05-42D2-839D-3EC2D39EFF22}
Security Update for Microsoft Office PowerPoint 2007 (KB982158)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F5B70033-E79C-4569-90BF-BC9B4E4F3F46}
Security Update for Microsoft Office Publisher 2007 (KB982124)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {289FA8BC-6A8E-4341-B194-EB26B49E9F5D}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB2344993)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7A5B74FA-7A92-4FC9-821A-2DD5D4E73E48}
Symantec Endpoint Protection-->MsiExec.exe /I{530992D4-DDBA-4F68-8B0D-FF50AC57531B}
The Journal 4-->"C:\Program Files (x86)\DavidRM Software\The Journal 4\unins000.exe"
Update for 2007 Microsoft Office System (KB2284654)-->msiexec /package {90120000-002A-0000-1000-0000000FF1CE} /uninstall {FB166E7C-8AA6-48C8-B726-1F25BEE7825A}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Access 2007 Help (KB963663)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office Infopath 2007 Help (KB963662)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {716B81B8-B13C-41DF-8EAC-7A2F656CAB63}
Update for Microsoft Office OneNote 2007 (KB980729)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {329050A9-EF80-40F9-B633-74508F54C1FF}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {0451F231-E3E3-4943-AB9F-58EB96171784}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Publisher 2007 Help (KB963667)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2E40DE55-B289-4C8B-8901-5D369B16814F}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Update for Outlook 2007 Junk Email Filter (kb2410711)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BB5A2EB0-4515-4C6B-A618-A6F6B0AB7BAA}
UPSMON Plus for Windows-->C:\Windows\GPInstall.exe "/UNINST=C:\Program Files (x86)\UPSMON\UnInst.log" "/APPNAME=UPSMON Plus for Windows"
VCRedistSetup-->MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}

======System event log======

Computer Name: Susan-PC
Event Code: 7030
Message: The Symantec Management Client service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
Record Number: 1444
Source Name: Service Control Manager
Time Written: 20100116204458.150806-000
Event Type: Error
User:

Computer Name: Susan-PC
Event Code: 1014
Message: Name resolution for the name twitter.com timed out after none of the configured DNS servers responded.
Record Number: 1065
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100116133845.278614-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: Susan-PC
Event Code: 1014
Message: Name resolution for the name isatap.socantel.net timed out after none of the configured DNS servers responded.
Record Number: 1046
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100116131753.531628-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: Susan-PC
Event Code: 1014
Message: Name resolution for the name isatap.socantel.net timed out after none of the configured DNS servers responded.
Record Number: 1042
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100116131741.504007-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: Susan-PC
Event Code: 1014
Message: Name resolution for the name idcs.interclick.com timed out after none of the configured DNS servers responded.
Record Number: 583
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100115213035.443438-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE

=====Application event log=====

Computer Name: Susan-PC
Event Code: 63
Message: A provider, OffProv12, has been registered in the Windows Management Instrumentation namespace Root\MSAPPS12 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Record Number: 576
Source Name: Microsoft-Windows-WMI
Time Written: 20100116201030.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Susan-PC
Event Code: 63
Message: A provider, OffProv12, has been registered in the Windows Management Instrumentation namespace Root\MSAPPS12 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Record Number: 575
Source Name: Microsoft-Windows-WMI
Time Written: 20100116201030.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Susan-PC
Event Code: 4107
Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain could not be built to a trusted root authority.
.
Record Number: 455
Source Name: Microsoft-Windows-CAPI2
Time Written: 20100116005027.952682-000
Event Type: Error
User:

Computer Name: Susan-PC
Event Code: 11
Message: Possible Memory Leak.  Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 288) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)].  [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked.  The call originated on the interface with UUID ({3F31C91E-2545-4B7B-9311-9529E8BFFEF6}), Method number (20).  User Action: Contact your application vendor for an updated version of the application.
Record Number: 218
Source Name: Microsoft-Windows-RPC-Events
Time Written: 20100115212658.394833-000
Event Type: Warning
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: Susan-PC
Event Code: 1008
Message: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.

Record Number: 135
Source Name: Microsoft-Windows-Search
Time Written: 20100116024546.000000-000
Event Type: Warning
User:

=====Security event log=====

Computer Name: Susan-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
   Security ID:      S-1-0-0
   Account Name:      -
   Account Domain:      -
   Logon ID:      0x0

Logon Type:         3

New Logon:
   Security ID:      S-1-5-7
   Account Name:      ANONYMOUS LOGON
   Account Domain:      NT AUTHORITY
   Logon ID:      0x96d43372
   Logon GUID:      {00000000-0000-0000-0000-000000000000}

Process Information:
   Process ID:      0x0
   Process Name:      -

Network Information:
   Workstation Name:   N3PKC-SHACK
   Source Network Address:   192.168.1.29
   Source Port:      2108

Detailed Authentication Information:
   Logon Process:      NtLmSsp
   Authentication Package:   NTLM
   Transited Services:   -
   Package Name (NTLM only):   NTLM V1
   Key Length:      0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
   - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
   - Transited services indicate which intermediate services have participated in this logon request.
   - Package name indicates which sub-protocol was used among the NTLM protocols.
   - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 28414
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100501085859.072965-000
Event Type: Audit Success
User:

Computer Name: Susan-PC
Event Code: 4634
Message: An account was logged off.

Subject:
   Security ID:      S-1-5-7
   Account Name:      ANONYMOUS LOGON
   Account Domain:      NT AUTHORITY
   Logon ID:      0x96ce09fe

Logon Type:         3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Record Number: 28413
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100501085153.765639-000
Event Type: Audit Success
User:

Computer Name: Susan-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
   Security ID:      S-1-0-0
   Account Name:      -
   Account Domain:      -
   Logon ID:      0x0

Logon Type:         3

New Logon:
   Security ID:      S-1-5-7
   Account Name:      ANONYMOUS LOGON
   Account Domain:      NT AUTHORITY
   Logon ID:      0x96ce09fe
   Logon GUID:      {00000000-0000-0000-0000-000000000000}

Process Information:
   Process ID:      0x0
   Process Name:      -

Network Information:
   Workstation Name:   N3PKC-HP2
   Source Network Address:   192.168.1.35
   Source Port:      2503

Detailed Authentication Information:
   Logon Process:      NtLmSsp
   Authentication Package:   NTLM
   Transited Services:   -
   Package Name (NTLM only):   NTLM V1
   Key Length:      128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
   - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
   - Transited services indicate which intermediate services have participated in this logon request.
   - Package name indicates which sub-protocol was used among the NTLM protocols.
   - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 28412
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100501085153.760639-000
Event Type: Audit Success
User:

Computer Name: Susan-PC
Event Code: 4634
Message: An account was logged off.

Subject:
   Security ID:      S-1-5-7
   Account Name:      ANONYMOUS LOGON
   Account Domain:      NT AUTHORITY
   Logon ID:      0x96ce09eb

Logon Type:         3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Record Number: 28411
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100501085153.754638-000
Event Type: Audit Success
User:

Computer Name: Susan-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
   Security ID:      S-1-0-0
   Account Name:      -
   Account Domain:      -
   Logon ID:      0x0

Logon Type:         3

New Logon:
   Security ID:      S-1-5-7
   Account Name:      ANONYMOUS LOGON
   Account Domain:      NT AUTHORITY
   Logon ID:      0x96ce09eb
   Logon GUID:      {00000000-0000-0000-0000-000000000000}

Process Information:
   Process ID:      0x0
   Process Name:      -

Network Information:
   Workstation Name:   N3PKC-HP2
   Source Network Address:   192.168.1.35
   Source Port:      2503

Detailed Authentication Information:
   Logon Process:      NtLmSsp
   Authentication Package:   NTLM
   Transited Services:   -
   Package Name (NTLM only):   NTLM V1
   Key Length:      128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
   - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
   - Transited services indicate which intermediate services have participated in this logon request.
   - Package name indicates which sub-protocol was used among the NTLM protocols.
   - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 28410
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100501085153.748638-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files (x86)\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
"NUMBER_OF_PROCESSORS"=4
"PROCESSOR_LEVEL"=16
"PROCESSOR_IDENTIFIER"=AMD64 Family 16 Model 4 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=0402
"CLASSPATH"=.;C:\Program Files (x86)\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files (x86)\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------
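The info.txt above is read by eye for entries such as the twitter.com time-out. As an added example that is neither part of the thread nor of RSIT, the Python below parses the "Computer Name: / Event Code: / Message:" record layout of the event-log sections, runs over a constructed sample in the same shape (names and addresses made up), and lists the entries worth a second look with their timestamps: DNS time-outs, the CAPI2 root-list failure and anonymous NTLMv1 network logons.

```python
# Added example for this thread; not part of RSIT (random's system information tool)
# or of the original post. Parses the event-log records of an info.txt and flags the
# entries a helper would look at first.
import re
from datetime import datetime

FIELD_KEYS = ("Computer Name", "Event Code", "Message", "Record Number",
              "Source Name", "Time Written", "Event Type", "User")
SECTION_RE = re.compile(r"^=+(.+?)=+$")
FIELD_RE = re.compile(r"^(" + "|".join(map(re.escape, FIELD_KEYS)) + r"):\s?(.*)$")
DNS_TIMEOUT_RE = re.compile(r"Name resolution for the name (\S+) timed out")
SOURCE_ADDR_RE = re.compile(r"Source Network Address:\s*(\S+)")

# Constructed sample in the layout of the posted log (machine names and addresses are made up).
SAMPLE_LOG = r"""
======System event log======
Computer Name: EXAMPLE-PC
Event Code: 1014
Message: Name resolution for the name twitter.com timed out after none of the configured DNS servers responded.
Record Number: 1065
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100116133845.278614-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE

=====Application event log=====
Computer Name: EXAMPLE-PC
Event Code: 4107
Message: Failed extract of third-party root list from auto update cab with error: A certificate chain could not be built to a trusted root authority.
.
Record Number: 455
Source Name: Microsoft-Windows-CAPI2
Time Written: 20100116005027.952682-000
Event Type: Error
User:

=====Security event log=====
Computer Name: EXAMPLE-PC
Event Code: 4624
Message: An account was successfully logged on.
New Logon:
   Account Name:      ANONYMOUS LOGON
Network Information:
   Source Network Address:   192.168.1.29
Detailed Authentication Information:
   Package Name (NTLM only):   NTLM V1
Record Number: 28414
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100501085859.072965-000
Event Type: Audit Success
User:
"""


def parse_wmi_time(value):
    """'20100116133845.278614-000' -> datetime(2010, 1, 16, 13, 38, 45); the offset is ignored."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S")


def parse_event_sections(text):
    """Return {section name: [record dict, ...]} for every '=====X event log=====' section."""
    sections, current, record, in_message = {}, None, None, False
    for line in text.splitlines():
        head = SECTION_RE.match(line.strip())
        if head:
            current = head.group(1).strip()
            sections[current] = []
            record, in_message = None, False
            continue
        field = FIELD_RE.match(line) if current else None
        if field:
            key, value = field.groups()
            if key == "Computer Name":           # first line of every record
                record = {"Message": ""}
                sections[current].append(record)
            if record is not None:
                record[key] = value
                in_message = key == "Message"
        elif in_message and record is not None:  # continuation of a multi-line message
            record["Message"] += "\n" + line.rstrip()
    return sections


def triage(sections):
    """Return [(level, time, summary), ...] sorted with the entries to check first."""
    findings = []
    for records in sections.values():
        for r in records:
            src, code, msg = r.get("Source Name", ""), r.get("Event Code", ""), r["Message"]
            when = parse_wmi_time(r["Time Written"]).isoformat(sep=" ")
            if src == "Microsoft-Windows-DNS-Client" and code == "1014":
                host = DNS_TIMEOUT_RE.search(msg)
                findings.append(("info", when, f"DNS time-out resolving {host.group(1) if host else '?'}"))
            elif src == "Microsoft-Windows-CAPI2" and code == "4107":
                findings.append(("check", when, "root certificate list update failed (CAPI2 4107)"))
            elif (src == "Microsoft-Windows-Security-Auditing" and code == "4624"
                  and "ANONYMOUS LOGON" in msg and "NTLM V1" in msg):
                addr = SOURCE_ADDR_RE.search(msg)
                findings.append(("review", when, f"anonymous NTLMv1 network logon from {addr.group(1) if addr else '?'}"))
    findings.sort(key=lambda f: ("check", "review", "info").index(f[0]))
    return findings


if __name__ == "__main__":
    for level, when, text in triage(parse_event_sections(SAMPLE_LOG)):
        print(f"[{level:6}] {when}  {text}")
```

Run against a real info.txt, the timestamps make it obvious that the DNS time-outs in the posted log date from January, months before the infection.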

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: ThinkPoint has my computer at a standstill
« Reply #7 on: October 24, 2010, 10:34:57 PM »
Hi, Alisande.

Quote
And here's info.txt. I didn't look over the whole thing (far from it), but I noticed the word Twitter. Why would it mention Twitter if I don't Tweet?

There was a time-out attempting to reach twitter.com.  Perhaps you were following a link posted somewhere.  There was a similar time-out when going to socantel.net.  Since you are getting time-outs, let's flush your DNS cache and restore the HOSTS file:

Please copy/paste the lines in bold below to Notepad:

@Echo on
REM Reset the HOSTS file to the single default entry
pushd %SystemRoot%\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
REM Renew the DHCP lease and flush the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM Reset the Winsock catalog and the TCP/IP stack, then reboot
netsh winsock reset
netsh int ip reset
shutdown -r -t 1
REM Remove this batch file after it has run
del %0


Save as flush.bat to your desktop.
Double-click flush.bat file to run it. Your computer will reboot.

Note:  For Windows Vista or Windows 7, right-click flush.bat and select "Run as Administrator".

I am not seeing signs of malware remaining, however, you have a vulnerable version of Java on the computer.  Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.  (Windows Vista users Right-click JavaRa.exe > Select Run as Administrator)
  • Click on Remove Older Versions to remove older versions of Java.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java SE Runtime Environment (JRE) 6 Update 22.   

Download Link: Java SE Runtime Environment 6u21

Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.   

Please let me know if Symantec is a trial or licensed version installed on your computer.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
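Before overwriting HOSTS with the single default line, it is worth seeing what is in it. The Python below is an added example (not from the post or from any tool it names) that parses a HOSTS file, skips the legitimate localhost mappings and reports names that have been blocked or redirected, run over a constructed sample with reserved .test names.

```python
# Added example for this thread, not code from the original post: inspect a Windows
# HOSTS file and report what the one-line reset in flush.bat would be undoing.
import ipaddress

# Exactly what "echo 127.0.0.1 localhost>HOSTS" in flush.bat leaves behind.
DEFAULT_HOSTS = "127.0.0.1 localhost\n"
# Names that legitimately point at the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# Constructed sample: the Windows 7 header plus two entries of the kind rogue
# security software adds (names are reserved .test names, not real sites).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
::1 localhost
0.0.0.0 update.example-av.test      # pins an update server to nowhere
10.0.0.5 www.example-bank.test      # sends a site to another host
"""


def parse_hosts(text):
    """Return [(ip, hostname), ...]; comments, blank lines and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first column is not an address
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def classify(entries):
    """Return [(kind, ip, name), ...] for entries that are not plain local-name mappings.

    kind is "blocked" when a name is pinned to a loopback/unspecified address
    (the name becomes unreachable) and "redirected" when it is sent elsewhere.
    """
    findings = []
    for ip_s, name in entries:
        ip = ipaddress.ip_address(ip_s)
        local_addr = ip.is_loopback or ip.is_unspecified
        if name in LOCAL_NAMES and local_addr:
            continue
        findings.append(("blocked" if local_addr else "redirected", ip_s, name))
    return findings


def is_clean(text):
    """True when the file holds nothing beyond local-name mappings (as after flush.bat)."""
    return not classify(parse_hosts(text))


if __name__ == "__main__":
    for kind, ip, name in classify(parse_hosts(SAMPLE_HOSTS)):
        print(f"{kind:10} {name} -> {ip}")
    print("default file clean:", is_clean(DEFAULT_HOSTS))
```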

Offline Alisande

  • Newbie
  • *
  • Posts: 7
Re: ThinkPoint has my computer at a standstill
« Reply #8 on: October 25, 2010, 01:10:10 AM »
Mission accomplished--thank you!

The Symantec program is Endpoint Protection, which I didn't know I have. I know I didn't pay for it, and I doubt my son did, unless he did so when he bought the license for Windows 7. Could they have been bundled together? I can ask him tomorrow what he knows about it.

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: ThinkPoint has my computer at a standstill
« Reply #9 on: October 25, 2010, 01:34:10 AM »
No, Symantec wouldn't have been bundled with the Windows 7 license, although it is often included as a trial on new computers.  I asked because trial versions are available and because of this notation in the log:

Quote
The Symantec Management Client service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Information about Symantec Endpoint:  http://www.symantec.com/business/endpoint-protection

When you ask your son about it, if there is not a current license, I suggest Microsoft Security Essentials (MSE).  It works extremely well with Windows 7.  In the event you go that route, you will need to remove the Symantec software.  I note that Add/Remove programs shows two entries:

LiveUpdate 3.3 (Symantec Corporation)
Symantec Endpoint Protection


After removing the Symantec product, make sure the Windows Firewall is on:

   1. Open Windows Firewall by clicking the Start button, clicking Control Panel, clicking Security, and then clicking Windows Firewall.
   2. Click Turn Windows Firewall on or off. (Administrator permission required.) If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
   3. Click On (recommended), and then click OK.

Then download Microsoft Security Essentials (MSE).  Although this was put together when MSE was first released, this tutorial at my blog may be of assistance: Microsoft Security Essentials.

Now that you have Malwarebytes' Antimalware installed on the computer, I suggest you update and run a quick scan at least weekly.

Please let me know how you make out.

Offline Alisande

  • Newbie
  • *
  • Posts: 7
Re: ThinkPoint has my computer at a standstill
« Reply #10 on: October 25, 2010, 05:42:14 PM »
Firewall is on. My son said "feel free to uninstall the Symantec," so I did. And then I downloaded MSE. I also bookmarked your blog.

Thanks so much for your help! I feel more secure now. (And I'm not kidding.)

Susan

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: ThinkPoint has my computer at a standstill
« Reply #11 on: October 25, 2010, 06:32:51 PM »
Hi, Susan.

Thank you for bookmarking my blog.  That was very kind of you.  :rose:

I am glad we were able to give you peace of mind and help get your computer updated.  Don't hesitate to look around the rest of the forum and if you have questions, we'll certainly do our best to help.

You may be interested in my favorite security program, WinPatrol which includes the features described at http://www.winpatrol.com/features.html
