Safemode, Norton Hijackthis Blocked, Computer crashes with blue screen etc

By jameswesleycheng
Thank you very much in advance for helping me out. I'm currently on an internship in Vietnam and don't exactly speak the language here, which translates into "damnit I can't get techies to do all the work for me". I'd really appreciate it if someone could shed some light on how to save my poor laptop or at least stall the problem until I get back to Hong Kong in August. So without further ado:

Main symptoms:
- Cannot enter safemode and crashes with blue screen
- Computer crashes with blue screen (photo:
- It used to crash once in a while and I thought it was because of overheating, but today it crashed 7 times and blocked Norton, and I guessed something fishy is going on
- Norton Internet Security cannot be opened
- All Microtrend software including Hijackthis cannot be run
- Any weblink that contains the term "antivirus" will be closed upon opening (sounds really like a worm) - tried Opera, IE, Firefox, Safari
- Unknown file xgsslm.exe reopens after force-closing. It says it's from system32 but I can't find it even though I have hidden files on. Couldn't find anything about this file from google search.
- MS Config can be opened but cannot be closed
- Computer overheats

History: (
- 3 weeks of CPU and GPU overheating despite the Laptop fan running at 3400 rpm (see link:
- Symptom subsided after disabling winblinds and updating computer through the Lenovo support center
- Relapsed after 2 days, in the form of Norton incapable of updating itself (definitions stuck on 26th June)

IBM Lenovo T60 Laptop
ATI Radeon Mobility X1400
IBM Thinkpad T60 Dual core 2.0 GHz 1GB RAM
80 GB Harddisk with 12% freespace
Windows XP Home SP 3

- I ran Uniblue Spyeraser and it showed no results, Registry Mechanic showed nothing wrong.
- Browsers run fine until I click on a link that has the term "antivirus" in the url and it just closes. If I'm quick enough to close the tab upon restarting the browser then it stops closing down by itself.
- Connected to the network in office through WiFi. I know one of the computers in the office is in deep crap, so it could be some contagious infection.

Since I couldn't run Hijackthis, I installed X-RayPc and generated a log through that:

Logfile of X-RayPc Build 39029 (Installed 1215655216)
Scan saved at 10/7/2008 2:00:32

Registry Settings:
IE Start Page (User) :
IE Start Page (Global) :
IE Blank Page : C:\WINDOWS\system32\blank.htm
IE Default Page :
IE Search Page (User) :
IE Search Page (Global) :
IE Default Search :
HOSTS Directory : %SystemRoot%\System32\drivers\etc

C:\WINDOWS\system32\services.exe (108544 0e776ed5f7cc9f94299e70461b7b8185)
C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
C:\WINDOWS\system32\ibmpmsvc.exe (36136 35d08de36eb85f66731b7808768d512c)
C:\WINDOWS\system32\Ati2evxx.exe (495616 46e2dac60303e69e1884daf20c9d027c)
C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (114753 44a95584057c2cfda9dff328232e123
C:\WINDOWS\system32\Ati2evxx.exe (495616 46e2dac60303e69e1884daf20c9d027c)
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (540745 4dc83ba53b8c42839a32b108b9e8c145)
C:\WINDOWS\system32\spoolsv.exe (57856 d8e14a61acc1d4a6cd0d38aebac7fa3b)
C:\WINDOWS\system32\IPSSVC.EXE (108080 00d8e9daebe72a5df3986fd418a995eb)
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (86016 5ef5625e1e5a2c2503e0a9c8b83cdb2b)
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (110592 3a4982df893f198a2dfbccd4ce10f93a)
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (243064 7c813eb232c7aefa627a12a104dda221)
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe (258103 0ab7a2e4ec1a207f1caa1507552aed9b)
C:\Program Files\MozyHome\mozybackup.exe (87344 4ad0f23c07847894dbb13314e318ea4
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (217164 99ba5c9e9e59db26180fecfc1efe7b47)
C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (644408 9626746a9b120d2ed537dd8d76278405)
C:\WINDOWS\System32\TPHDEXLG.exe (37424 3663c0f611711dac453636af562f0831)
C:\WINDOWS\system32\TpKmpSVC.exe (32768 dfb268ff0a6dcb9280015ff527f892ff)
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe (1384448 495516af335599927bcbf446fbcb4be4)
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (1122304 e9ea448f1174be4052416b62263ea4ee)
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe (188416 7e9fde9e2a36137839e12bc8331a8fef)
c:\program files\lenovo\system update\suservice.exe (32768 f08e3e3a22e170b1e4f77add1d1cd171)
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe (118784 64d1f2a20efa778f1a1fdcc72c53f66f)
C:\WINDOWS\system32\wscntfy.exe (13824 f92e1076c42fcd6db3d72d8cfe9816d5)
C:\WINDOWS\system32\ctfmon.exe (15360 5f1d5f88303d4a4dbc8e5f97ba967cc3)
C:\WINDOWS\Explorer.EXE (1033728 12896823fb95bfb3dc9b46bcaedc9923)
C:\WINDOWS\system32\dlxdyc.exe (38502 35ba35dec433e42bd3a495911762ab32)
C:\WINDOWS\system32\xgsslm.exe (38502 35ba35dec433e42bd3a495911762ab32)
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (122880 125481afa36d3e3ab44e3d745dba05eb)
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (524288 65eb543efeb395ddf4e0bb764de089d0)
C:\WINDOWS\system32\TpShocks.exe (181536 686cd234bf4b816291a858782c71269b)
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe (243248 3280a362fec14ebc0791f6af548c88e3)
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (66928 31ccbe6b693b9dfdd914c3e20be25374)
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe (144728 7146df9479dc9f98770dd5ba69e3e679)
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe (75040 c017c4a30f1783284207b5654898ace3)
C:\WINDOWS\System32\DLA\DLACTRLW.EXE (122940 3c2d6a88715f7426102b2ac2b1f9cbcb)
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe (1996336 6902f7c3cf78150d7900cb5c13015a06)
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe (49152 c997e2accd65259e49875f4d4ba80733)
C:\Program Files\Lenovo\Zoom\TpScrex.exe (111904 b8c77332394d978dd23c3687a459ec67)
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (425984 de17c87e63b4a542a21114167c780e2e)
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe (124248 33d95edeef56ec73abd6a8bf76426f04)
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (126976 cf897e774d1af68528c8995335fddc76)
C:\WINDOWS\system32\rundll32.exe (33280 037b1e7798960e0420003d05bb577ee6)
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (31016 38d198a2dd54a67120040566a38103ba)
C:\WINDOWS\system32\conime.exe (27648 abc9002269e569538901109441660dd2)
C:\Program Files\Common Files\Real\Update_OB\realsched.exe (185896 89d583fc41d48328128a974c25afaeb7)
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (487424 58c27ebbbeb67a26484a1c50909c002c)
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe (124248 33d95edeef56ec73abd6a8bf76426f04)
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (59680 7a777a863431ed9a32d980448be9382a)
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE (49152 e681281d9bfc9d45d3b72532717e5880)
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (91688 78374c795b65347220250f15186b5c67)
C:\Program Files\Analog Devices\Core\smax4pnp.exe (925696 115332a83ac2726fa974d30db4bfd8de)
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe (1289000 5515eb5e3a8b073f66cfc697eb0d4b55)
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe (9442584 23d7b8c29b86861e9dcba0cbbc5da4d1)
C:\Program Files\Messenger\msmsgs.exe (1695232 3e930c641079443d4de036167a69caa2)
C:\Program Files\Windows Media Player\WMPNSCFG.exe (204288 7eaed08ccca4ddde61a388c82598cfa9)
C:\PROGRA~1\MICROS~3\rapimgr.exe (199464 7d4a768dea3dc643cbb65222d5b1377b)
C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (581693 7f37e078e3b80f33921946880c9cef7e)
C:\Program Files\Digital Line Detect\DLG.exe (50688 f03ffc962e18f36a922e61f96be09925)
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe (2074360 e471429971566a7da7b123a8cd2e504
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe (49152 25ca1677aaa3cdc99cd4fcf940886f3c)
C:\WINDOWS\system32\msiexec.exe (78848 5879d691e842574a20fe63817cb76df9)
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe (397381 3ac4e603c4f070c039c29edbc45d7de6)
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe (118336 7fa0aa2f3daba5beb2c4ac1eec054efa)
C:\Program Files\PCDR5\pcdr5cuiw32.exe (11949856 f835804a059a3ae6979a6fe8ed7eb990)
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe (71288 6c37ad8c2212d3ddc456bb48a3aa398e)
C:\Program Files\Opera\opera.exe (98816 56765388a6fa93c76128af9ef679ac0d)
C:\Program Files\PCDR5\pcdrsmart.p5x (40448 b376dac5b653fb57bcf62f7b46ed4b64)
C:\Documents and Settings\James Wesly Cheng\Desktop\x-raypc.exe (348928 df5ba440e4384adcd1a0bf653da84387)

Service: AcPrfMgrSvc C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe (86016 5ef5625e1e5a2c2503e0a9c8b83cdb2b)
Service: AcSvc C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe (188416 7e9fde9e2a36137839e12bc8331a8fef)
Service: ALG C:\WINDOWS\System32\alg.exe (44544 8c515081584a38aa007909cd02020b3d)
Service: Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (110592 3a4982df893f198a2dfbccd4ce10f93a)
Service: Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe (495616 46e2dac60303e69e1884daf20c9d027c)
Service: AudioSrv C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Automatic LiveUpdate Scheduler C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (243064 7c813eb232c7aefa627a12a104dda221)
Service: BITS C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Browser C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: btwdins C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe (258103 0ab7a2e4ec1a207f1caa1507552aed9b)
Service: CryptSvc C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: DcomLaunch C:\WINDOWS\system32\svchost -k DcomLaunch
Service: Dhcp C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Dnscache C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: ERSvc C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Eventlog C:\WINDOWS\system32\services.exe (108544 0e776ed5f7cc9f94299e70461b7b8185)
Service: EventSystem C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: EvtEng C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (114753 44a95584057c2cfda9dff328232e123
Service: HTTPFilter C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: IBMPMSVC C:\WINDOWS\system32\ibmpmsvc.exe (36136 35d08de36eb85f66731b7808768d512c)
Service: IPSSVC C:\WINDOWS\system32\IPSSVC.EXE (108080 00d8e9daebe72a5df3986fd418a995eb)
Service: Irmon C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: lanmanserver C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: lanmanworkstation C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: LmHosts C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: mozybackup C:\Program Files\MozyHome\mozybackup.exe (87344 4ad0f23c07847894dbb13314e318ea4
Service: MSIServer C:\WINDOWS\system32\msiexec.exe (78848 5879d691e842574a20fe63817cb76df9)
Service: Netman C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Nla C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: PlugPlay C:\WINDOWS\system32\services.exe (108544 0e776ed5f7cc9f94299e70461b7b8185)
Service: PolicyAgent C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
Service: ProtectedStorage C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
Service: RasAuto C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: RasMan C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: RegSrvc C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (217164 99ba5c9e9e59db26180fecfc1efe7b47)
Service: RpcSs C:\WINDOWS\system32\svchost -k rpcss
Service: S24EventMonitor C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (540745 4dc83ba53b8c42839a32b108b9e8c145)
Service: SamSs C:\WINDOWS\system32\lsass.exe (13312 bf2466b3e18e970d8a976fb95fc1ca85)
Service: Schedule C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: seclogon C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: SENS C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: SharedAccess C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: ShellHWDetection C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: Spooler C:\WINDOWS\system32\spoolsv.exe (57856 d8e14a61acc1d4a6cd0d38aebac7fa3b)
Service: SSDPSRV C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: stisvc C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: SUService c:\program files\lenovo\system update\suservice.exe (32768 f08e3e3a22e170b1e4f77add1d1cd171)
Service: TapiSrv C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: TermService C:\WINDOWS\System32\svchost -k DComLaunch
Service: Themes C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: ThinkVantage Registry Monitor Service C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (644408 9626746a9b120d2ed537dd8d76278405)
Service: TPHDEXLGSVC System32\TPHDEXLG.exe
Service: TpKmpSVC C:\WINDOWS\system32\TpKmpSVC.exe (32768 dfb268ff0a6dcb9280015ff527f892ff)
Service: TrkWks C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: TSSCoreService C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe (722480 1f7ccced8d0e539dc80fcd8db2ca0b0c)
Service: TVT Backup Service C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe (1384448 495516af335599927bcbf446fbcb4be4)
Service: TVT Scheduler C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (1122304 e9ea448f1174be4052416b62263ea4ee)
Service: upnphost C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: W32Time C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: WebClient C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: winmgmt C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe (913408 f74e3d9a7fa9556c3bbb14d4e5e63d3b)
Service: wscsvc C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: wuauserv C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
Service: WZCSVC C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1

O2 - BHO: (IE7Pro BHO) - {00011268-e188-40df-a514-835fcd78b1bf} - C:\Program Files\IEPro\iepro.dll (736360 80b3c5494cfd157996886da629cfa2f9)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (59032 4ea3a6cd9d20584ffafdb1e47dbf0e20)
O2 - BHO: (DriveLetterAccess) - {5ca3d70e-1895-11cf-8e15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (110652 d730dff2df12cd1a30a4186a12c60322)
O2 - BHO: (CoIEPlg.CoIEPlgObj) - {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll (316784 6bc066fcc66bb0ee33a618ebc65683d5)
O2 - BHO: (Symantec Intrusion Prevention) - {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (116088 fa3e00177b57d5b2bf058d560931d750)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL (2210608 786dd1892b553efe5a004ac39775c851)
O2 - BHO: (no name) - {7e853d72-626a-48ec-a868-ba8d5e23e045} -
O2 - BHO: (Windows Live 登入小幫手) - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (328752 59cf5bf6684afcf906cadad39b4214de)
O2 - BHO: (Mouse Gestures) - {a6a49249-57ae-4295-8d4d-18a9502c7d8e} - C:\Program Files\Internet Explorer\Plugins\Drowse\MouseGestures.dll (376832 f9e933c8dd36c849543a3ad870a5fa03)
O2 - BHO: (Windows Live Toolbar Helper) - {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files\Windows Live Toolbar\msntb.dll (546320 cee1be1da21300208d07fbeae9ea2b51)

O3 - Toolbar: Windows Live Toolbar {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files\Windows Live Toolbar\msntb.dll (546320 cee1be1da21300208d07fbeae9ea2b51)
O3 - Toolbar: 顯示 Norton 工具列 {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (316784 6bc066fcc66bb0ee33a618ebc65683d5)

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (122880 125481afa36d3e3ab44e3d745dba05eb)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (524288 65eb543efeb395ddf4e0bb764de089d0)
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (868352 ac4dbf4b495bd25f6c9b9f55da640420)
O4 - HKLM\..\Run: [TpShocks] C:\WINDOWS\system32\TpShocks.exe (181536 686cd234bf4b816291a858782c71269b)
O4 - HKLM\..\Run: [TP4EX] C:\WINDOWS\system32\tp4ex.exe (65536 38f143a10a8e723026499041501b9563)
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe (243248 3280a362fec14ebc0791f6af548c88e3)
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (66928 31ccbe6b693b9dfdd914c3e20be25374)
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (716800 81a5a2ca780340784969d2edcab0800f)
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe (144728 7146df9479dc9f98770dd5ba69e3e679)
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE (122940 3c2d6a88715f7426102b2ac2b1f9cbcb)
O4 - HKLM\..\Run: [cssauth] C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe (1996336 6902f7c3cf78150d7900cb5c13015a06)
O4 - HKLM\..\Run: [PDService.exe] C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe (49152 c997e2accd65259e49875f4d4ba80733)
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (425984 de17c87e63b4a542a21114167c780e2e)
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (126976 cf897e774d1af68528c8995335fddc76)
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [IBM Warranty Notification] C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe (106496 da1dc95523484ae608853ac282b85265)
O4 - HKLM\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (31016 38d198a2dd54a67120040566a38103ba)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (51048 e67200b6ef51bbf60c14c64d60fad482)
O4 - HKLM\..\Run: [osCheck] C:\Program Files\Norton Internet Security\osCheck.exe (714608 91535a86f6bd48baccc3d58e6653456a)
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (185896 89d583fc41d48328128a974c25afaeb7)
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (487424 58c27ebbbeb67a26484a1c50909c002c)
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe (124248 33d95edeef56ec73abd6a8bf76426f04)
O4 - HKLM\..\Run: []
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (90112 033ff248550305ed52ed2d2844a8a11b)
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (59680 7a777a863431ed9a32d980448be9382a)
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (91688 78374c795b65347220250f15186b5c67)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (925696 115332a83ac2726fa974d30db4bfd8de)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (15360 5f1d5f88303d4a4dbc8e5f97ba967cc3)
O4 - HKCU\..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\Wcescomm.exe (1289000 5515eb5e3a8b073f66cfc697eb0d4b55)
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe (9442584 23d7b8c29b86861e9dcba0cbbc5da4d1)
O4 - HKCU\..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (5724184 bbfba2c7d867d11669ff6ae775f0dd09)
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (1695232 3e930c641079443d4de036167a69caa2)
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (204288 7eaed08ccca4ddde61a388c82598cfa9)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [PostBootReminder] C:\WINDOWS\system32\SHELL32.dll (8461312 0cf50b1f45dab08430c1dbb79fe2ca5b)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [CDBurn] C:\WINDOWS\system32\SHELL32.dll (8461312 0cf50b1f45dab08430c1dbb79fe2ca5b)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [WebCheck] C:\WINDOWS\system32\webcheck.dll (233472 963362c552a52bf5a9885e8f68703c07)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [SysTray] C:\WINDOWS\system32\stobject.dll (121856 50512fc9b7878e3c2c147bc17326a7db)
O4 - HKLM\..\ShellServiceObjectDelayLoad: [WPDShServiceObj] C:\WINDOWS\system32\WPDShServiceObj.dll (133632 045e228f71c31901084b64be59093499)
O4 - HKLM\..\Run: [dlxdyc.exe] C:\WINDOWS\system32\dlxdyc.exe (38502 35ba35dec433e42bd3a495911762ab32)
O4 - HKLM\..\Run: [xgsslm.exe] C:\WINDOWS\system32\xgsslm.exe (38502 35ba35dec433e42bd3a495911762ab32)

O16 - DPF: (Microsoft XML Parser for Java)- file://C:\WINDOWS\Java\classes\
O16 - DPF: {08b0e5c0-4fcb-11cf-aaa5-00401c608500} (Microsoft VM)-
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class)- - C:\WINDOWS\Downloaded Program Files\as2stubie.inf (289 111437964545dc8e4bd0585ba7bc06ed)
O16 - DPF: {2dad3559-2923-4935-ad49-b673d2539944} (IASRunner Class)-
O16 - DPF: {3ac7f64e-6154-47b0-82b5-764ed4077f77} (DataStorage Class)-
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class)-
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Plug-in 1.4.2)- - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll (77824 31cfe610fd747b4515213db2409d6c9f)
O16 - DPF: {8ffbe65d-2c9c-4669-84bd-5829dc0b603c} -
O16 - DPF: {cafeefac-0014-0002-0000-abcdeffedcba} (Java Plug-in 1.4.2)- - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll (77824 31cfe610fd747b4515213db2409d6c9f)
O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object)-
O16 - DPF: {d91afab8-165a-11d6-b481-00b0d03f6d12} (rtf.rtfControl)-

020 - HKLM\..\Notify: [ACNotify] C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll (32768 210da66ca4d2579e9220b1a8e57f8681)
020 - HKLM\..\Notify: [AtiExtEvent] C:\WINDOWS\system32\Ati2evxx.dll (122880 d74301954d86528a08d65c98c8017939)
020 - HKLM\..\Notify: [crypt32chain] C:\WINDOWS\system32\crypt32.dll (599040 bdaaf79dd63f194434d31a74b9bb8b77)
020 - HKLM\..\Notify: [cryptnet] C:\WINDOWS\system32\cryptnet.dll (64512 c14350fc0d47d806699c4f907fc6785b)
020 - HKLM\..\Notify: [cscdll] C:\WINDOWS\system32\cscdll.dll (101888 515a7fae2070c2b0242b2353443e2f11)
020 - HKLM\..\Notify: [dimsntfy] C:\WINDOWS\System32\dimsntfy.dll (19456 e2092f0a1d7abc243f9c2362483d150d)
020 - HKLM\..\Notify: [NavLogon]
020 - HKLM\..\Notify: [ScCertProp] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e12649196)
020 - HKLM\..\Notify: [Schedule] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e12649196)
020 - HKLM\..\Notify: [sclgntfy] C:\WINDOWS\system32\sclgntfy.dll (20480 63ff9068e5bda0bc9ecd38fbbb216e24)
020 - HKLM\..\Notify: [SensLogn] C:\WINDOWS\system32\WlNotify.dll (92672 2cc34e8bb667eef78899546e12649196)
020 - HKLM\..\Notify: [termsrv] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e12649196)
020 - HKLM\..\Notify: [tpfnf2] C:\Program Files\Lenovo\HOTKEY\notifyf2.dll (34344 0c3e484bf4aec2749a9f4d0a91870780)
020 - HKLM\..\Notify: [tphotkey] C:\Program Files\Lenovo\HOTKEY\tphklock.dll (28672 451cd42b003ab6a04346db4abc624717)
020 - HKLM\..\Notify: [WB] C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll (24576 9f884c45f10aaee442d4370ba90a1f89)
020 - HKLM\..\Notify: [WgaLogon] C:\WINDOWS\system32\WgaLogon.dll (236928 d7dcfb4d0c58ffb569de93e1681fd37a)
020 - HKLM\..\Notify: [wlballoon] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e12649196)

I've also posted this in Techsupportforum and I'll update you all if I receive any updates from there. Once again, thank you in advance.
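
An added example, not part of the original post and not X-RayPc's own code: a small triage script for a log in this format. It reports executables that sit under different file names but share the same size and MD5, and notes which of them are also started from a Run key. The sample lines are copied from the log above; the function names are this example's own, and hashes that lost their last character in the posted log are counted but not compared.

```python
import re
from collections import defaultdict

# A subset of lines copied from the X-RayPc log in the post above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
C:\WINDOWS\System32\svchost.exe (14336 27c6d03bcdb8cfeb96b716f3d8be3e1
C:\WINDOWS\system32\ctfmon.exe (15360 5f1d5f88303d4a4dbc8e5f97ba967cc3)
C:\WINDOWS\system32\dlxdyc.exe (38502 35ba35dec433e42bd3a495911762ab32)
C:\WINDOWS\system32\xgsslm.exe (38502 35ba35dec433e42bd3a495911762ab32)
Service: Spooler C:\WINDOWS\system32\spoolsv.exe (57856 d8e14a61acc1d4a6cd0d38aebac7fa3b)
O4 - HKLM\..\Run: [TpShocks] C:\WINDOWS\system32\TpShocks.exe (181536 686cd234bf4b816291a858782c71269b)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (15360 5f1d5f88303d4a4dbc8e5f97ba967cc3)
O4 - HKLM\..\Run: [dlxdyc.exe] C:\WINDOWS\system32\dlxdyc.exe (38502 35ba35dec433e42bd3a495911762ab32)
O4 - HKLM\..\Run: [xgsslm.exe] C:\WINDOWS\system32\xgsslm.exe (38502 35ba35dec433e42bd3a495911762ab32)
020 - HKLM\..\Notify: [Schedule] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e12649196)
020 - HKLM\..\Notify: [termsrv] C:\WINDOWS\system32\wlnotify.dll (92672 2cc34e8bb667eef78899546e12649196)
"""

# "<optional section prefix> <drive path> (<size> <md5>)". The closing
# parenthesis and the last hex digit are optional because some hashes in the
# posted log are cut short.
ENTRY = re.compile(
    r"^(?P<prefix>.*?)(?P<path>[A-Za-z]:\\.+?)\s+\((?P<size>\d+)\s+"
    r"(?P<md5>[0-9a-fA-F]{31,32})\)?\s*$"
)


def parse_entries(log_text):
    """Return one dict per log line that carries a path, size and MD5."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # headers, blank lines, entries without a hash
        md5 = m.group("md5").lower()
        entries.append({
            # Windows paths are case-insensitive, so compare in lower case.
            "path": m.group("path").lower(),
            "size": int(m.group("size")),
            "md5": md5,
            "truncated": len(md5) < 32,
            "autorun": "\\run:" in m.group("prefix").lower(),
        })
    return entries


def find_shared_hashes(entries):
    """Report (size, md5) pairs that appear under more than one distinct path."""
    by_hash = defaultdict(set)
    autorun_paths = set()
    for e in entries:
        if e["autorun"]:
            autorun_paths.add(e["path"])
        if e["truncated"]:
            continue  # an incomplete hash is not evidence of identity
        by_hash[(e["size"], e["md5"])].add(e["path"])

    findings = []
    for (size, md5), paths in sorted(by_hash.items()):
        if len(paths) > 1:
            findings.append({
                "md5": md5,
                "size": size,
                "paths": sorted(paths),
                "autorun": sorted(p for p in paths if p in autorun_paths),
            })
    return findings


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    skipped = sum(1 for e in parsed if e["truncated"])
    print(f"{len(parsed)} entries parsed, {skipped} with truncated hashes")
    for f in find_shared_hashes(parsed):
        print(f"same content ({f['size']} bytes, md5 {f['md5']}) under:")
        for p in f["paths"]:
            tag = "  [Run key]" if p in f["autorun"] else ""
            print(f"  {p}{tag}")
```

The same file listed several times under one path (svchost.exe, wlnotify.dll) is not reported; only identical content under different names is.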

You didn't last long :)

by Jacky Howe In reply to Safemode, Norton Hijackth ...

Download an emergency copy of SAV32CLI. Install it and extract the IDE files to the SAV32CLI folder then copy it to a medium that can be write-protected. EG: CD/ROM or Flash Stick.
Restart the computer in Safe Mode. Go to Start|Shut Down. Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu, select the third option 'Safe Mode with Command Prompt'.
At the affected computer, place the CD in the CD drive ( in this example). At the command prompt type

to access the CD drive. Type: CD SAV32CLI
Then type: SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
to remove the file.
Before leaving Safe Mode, check the Log File to make sure that everything has been removed, this should give you the Name of the Virus.

Download Spybot - Search & Destroy 1.5.2 and install it. Update it.
Run it after Sophos in Safe Mode and check to make sure that it can remove everything.

If you can't get the others to work use this as a last resort.
avast! Virus Cleaner - free virus removal tool:

Let us know how you get on.
< add a bit >
Start, run and type in msconfig and press Enter
Click on the Boot.ini Tab and tick SafeBoot
This should get you into Safe Mode.

While not related to the above fix

by OH Smeg In reply to You didn't last long :)

You should purchase a Cool Pad for the NB as well to keep things cool and clean on the air intakes and CPU and other Heat sinks that are cooled by the Systems Fan/s.

Something like this

Will help the NB to keep working but will do nothing to prevent infections. You should be able to pickup a cheap no name copy where you are that will do the job.


He just smiled :)

by Jacky Howe In reply to While not related to the ...

and gave me a vegemite sandwich.

Yehh... 'twas naught but false hope

by jameswesleycheng In reply to You didn't last long :)

Hehe.. thanks. Trying as you speak.

The *thing* tried closing my winzip self-extractor for the sophos AV but I kept on competing with it speedwise and overcame it by having a sticky enter key

So far:
Could not open boot.ini.
Could not open a certain message_id in opera\mail\indexer

Seems to have progress though, because at least the program runs unlike PCTools and Norton and Trend Micro and every AV that I tried...

Found virus.. yay

by jameswesleycheng In reply to Yehh... 'twas naught but ...


All in Temp Internet Files\IE5

And to think that I'm safe by not using IE... hehe

Turn off

by Jacky Howe In reply to Yehh... 'twas naught but ...

System Restore as it could be lurking in there too.
Can you run regedt32?
Start, Run and type in regedt32 and press Enter. Navigate to Run.
and delete these two files.

oh no...

by jameswesleycheng In reply to Turn off

Cannot uncheck boot.ini /safeboot. MSConfig crashes immediately

Sophos Antivirus was closed the moment it finished scanning. Not that I should have run it in normal mode anyway.

Cannot open registry through Run or by 3rd party software like registry booster.

Not looking good.


by jameswesleycheng In reply to oh no...

Blocked bootsafe as well.

Also blocks update modes of spyeraser and spybot.

Tried Avant Antivirus before, it just closes the installation program since the program has the word antivirus on it. Basically it tries to close ANYTHING that has the word Virus in the title. Even if I search Virus on Wiki.

Did an experiment by downloading an HTML page and renaming it without the word Virus in the title and it works fine.

This thing does have some class

OK then you need something that can run off a boot Disc

by OH Smeg In reply to Wow..

So that Windows and the Infection/s are not loaded. Do you have access to a Live Linux CD? Here I would use Knoppix myself and try an On Line Scan and removal.

But to be quite honest when I run into things like this I just save the data on the drive and then **** away the entire thing wipe the drive so everything is destroyed and then do a clean install. It's faster easier and better that way and cheaper for the customer as well.

The T60 should have a Recovery Partition on the HDD so you should be able to format the drive and rebuild the original Factory Software install from there. Of course if the writers of this piece of junk took that into account it may reappear on the new install and put you right back into this position again.

This happens because when you Format a Drive only every third Sector is accessed by the Windows Format Utility so there are two thirds of the drive left untouched which can allow infections to carry on unaffected.

Not much help but that's how things happen.


I agree with Col

by Dumphrey In reply to OK then you need somethin ...

Even with good cd-rom media (knoppix, UBCD4WIN, AV rescue disk, etc) it can take 2-5 hours to clean out a deeply rooted virus, and even then you never really know...
Use a live cd to copy your data to a cd/usb stick and reload the OS from scratch. I would format the system partition et all. Personally, I would delete all partitions before starting install from a clean disk, though the OEM restore partition should be safe.
Are both good tools if you cannot wipe out a disk. Process Monitor will allow you to "sleep" several virus/trojan/worm processes and delete them as a group to get around the issue of a process watching and restarting an infection process.

