Win32 Virus/malware? How To Fix, Htl Post


  • This topic is locked
18 replies to this topic

#1 mnm495

  • Members
  • 20 posts

Posted 02 May 2008 - 11:26 AM

Hi, trying to help fix a friend's laptop. I'm pretty sure it has some kind of virus or spyware problem. It takes a very long time to boot up. Bought this laptop used, have only been online a couple of times, so pretty sure it was already infected. When I tried to go online, Internet Explorer would keep shutting itself off, and pop-ups keep coming up before you even try to open Internet Explorer. It had Norton Antivirus, which had expired, and AVG. Right before I ran HijackThis, I removed Norton. I tried to update AVG and it gave an error saying to check the update server (I think), so it wouldn't even get updates. I know there are a lot of things at startup that I don't recognize, but since it kicks me offline so fast, I thought I should start here to try to remove whatever I need to, and hopefully someone might know how it got on the computer or how to prevent it again.
I ran HijackThis and shut it off to wait for someone to help me.
Thank you in advance!
md

I'm sorry if I post these logs in the wrong order; I can't remember which one was the main and which was the extra.


Deckard's System Scanner v20071014.68
Run by louis on 2008-05-01 13:08:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-05-01 18:09:25 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2008-05-01 17:13:27 UTC - RP4 - Software Distribution Service 3.0
3: 2008-05-01 16:32:54 UTC - RP3 - Software Distribution Service 3.0
2: 2008-05-01 16:31:54 UTC - RP2 - Installed Windows Media Player 11
1: 2008-04-23 16:52:25 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as louis.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:26 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\WINDOWS\System32\sexkrlst.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\mrofinu1000106.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\kjdsrngk.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\iexp1ore.exe
C:\WINDOWS\system32\qwinkldt.exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\louis\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\louis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.presario.net/scripts/redirec...c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: (no name) - H@3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {3BBF5411-FD1C-46A3-9405-72D6CF3BA6ED} - C:\WINDOWS\system32\mllii.dll (file missing)
O2 - BHO: (no name) - {3F04BED6-FDE8-4E51-BAF5-348F092701AE} - C:\Program Files\xerox\menoruz83122.dll
O2 - BHO: (no name) - {5D6D08C2-67D3-4D79-B5B4-3C449DE56762} - C:\WINDOWS\system32\wvutr.dll (file missing)
O2 - BHO: 0 - {72F49FA0-C83E-4700-DFB5-F1DE9C22A7DD} - C:\Program Files\NetMeeting\quzalebuq14.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: gooochi browser optimizer - {82d40578-73a0-ce95-bfc0-72ffbbc52090} - C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll
O2 - BHO: (no name) - {8FA652BD-74D2-4BE4-AC08-3DF18FD66250} - C:\WINDOWS\system32\rqoli.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AC81AC11-45BE-41C7-A8D7-6DDFB8F0312F} - C:\Program Files\xerox\menoruz4444.dll
O2 - BHO: (no name) - {C299948D-9231-405C-ADF5-DF73013E429F} - C:\Program Files\NetMeeting\hyjemityc777444.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\System32\jgphdsff.dll (file missing)
O2 - BHO: (no name) - {D24FD13A-3E0C-45E4-BD98-E2EDF88B1D07} - C:\WINDOWS\system32\urssp.dll (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\System32\awttroo.dll (file missing)
O2 - BHO: (no name) - ?01e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - ?38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D2907D4E66914B5C1E9E689DB6FC45715ED96D1223AD51A6C3832212339B3E4827B144
O4 - HKLM\..\Run: [{06-68-89-99-ZN}] C:\WINDOWS\system32\kjdsrngk.exe CHD003
O4 - HKLM\..\Run: [USDR6cw] C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe -c
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ijqldgjh.dll",sitypnow
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [pas_check] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
O4 - HKLM\..\Run: [InternetExplorer] C:\\iexp1ore.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qwinkldt.exe CHD003
O4 - HKLM\..\Run: [dc6_check] C:\Program Files\SystemDoctor 2006 Free\dcmon.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll" DllInit
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\qwinkldt.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kjdsrngk.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {4AAC555D-352C-4029-ABE8-F06ED9BC532D} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O20 - Winlogon Notify: awttroo - awttroo.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\sexkrlst.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9136 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ClntMgmt.sys - c:\windows\system32\drivers\clntmgmt.sys <Not Verified; Compaq Computer Corp; Compaq Client Management Driver>
R2 cpqdfw (Compaq Diagnostics Driver) - c:\windows\system32\drivers\cpqdfw.sys
R2 cq_mem (Compaq Diagnostics Memory Driver) - c:\windows\system32\drivers\cq_mem.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 cqcpu (Compaq Diagnostics CPU Driver) - c:\windows\system32\drivers\cqcpu.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 FFSLDVRF - c:\windows\system32\ffsldvrf.rup

S3 ApiMon - c:\windows\system32\drivers\apimon.sys (file missing)
S3 SymEvent - c:\program files\symantec\symevent.sys (file missing)
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20070925.001\symidsco.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CpqDfwWebAgent (Compaq Remote Diagnostics Enabling Agent) - c:\windows\cpqdiag\cpqdfwag.exe <Not Verified; Compaq Computer Corporation; Compaq Remote Diagnostics Enabling Agent>
R2 DomainService - c:\windows\system32\sexkrlst.exe /service <Not Verified; ; DDC>

S3 Compaq_RBA (Compaq Advisor) - c:\program files\compaq\compaq advisor\bin\compaq-rba.exe <Not Verified; NeoPlanet; NeoPlanet RBA>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-01 and 2008-05-01 -----------------------------

2008-05-01 13:11:59 0 d-------- C:\Program Files\Trend Micro
2008-05-01 12:47:40 200768 --a------ C:\WINDOWS\system32\qwinkldn.exe
2008-05-01 12:47:39 399520 --a------ C:\Documents and Settings\louis\g39.exe
2008-05-01 12:12:38 0 d-------- C:\WINDOWS\LastGood
2008-04-22 08:03:22 0 d-------- C:\WINDOWS\VirtualEar
2008-04-22 07:39:59 109218 -r-hs---- C:\AVG7DB_F.DAT
2008-04-22 07:39:48 12296433 -----n--- C:\AVG7QT.DAT
2008-04-21 02:58:20 2846720 --a------ C:\Documents and Settings\louis\ntuser.dat
2008-04-21 02:58:19 241664 --a------ C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-14 22:54:20 0 d-------- C:\Documents and Settings\Guest.HOME\Application Data\InterVideo
2008-04-14 22:38:50 0 d-------- C:\Documents and Settings\Guest.HOME\Application Data\CyberLink
2008-04-14 22:26:33 0 d-------- C:\Documents and Settings\Guest.HOME\Application Data\AVG7
2008-04-14 06:36:52 0 d-------- C:\Program Files\WinAble
2008-04-14 05:54:30 0 d--hs---- C:\FOUND.005
2008-04-14 04:39:56 0 d-------- C:\Documents and Settings\louis\Application Data\AVG7
2008-04-14 04:39:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-14 04:33:04 0 d-------- C:\Program Files\Insider
2008-04-13 02:19:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-13 02:19:48 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-13 02:19:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-13 02:19:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-04-13 02:19:48 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-13 02:19:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-13 02:19:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-13 02:19:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-13 02:19:47 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-13 02:19:46 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-13 02:19:46 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-13 02:19:46 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-13 02:19:46 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-13 02:19:46 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-13 02:19:46 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-13 02:19:46 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-13 02:19:46 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-13 02:19:45 704512 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-09 17:30:18 0 d-------- C:\Program Files\USMT2.UNC
2008-04-08 23:09:16 0 d-------- C:\Documents and Settings\louis\Application Data\Sun
2008-04-08 08:09:48 0 d-------- C:\Program Files\Microsoft Reference
2008-04-07 11:21:38 328192 --a------ C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll
2008-04-04 09:13:40 0 d-------- C:\Documents and Settings\kaylie\Application Data\Real
2008-04-04 09:13:40 0 d-------- C:\Documents and Settings\kaylie\Application Data\Microsoft
2008-04-04 09:13:39 0 d-------- C:\Documents and Settings\kaylie\Cookies
2008-04-04 09:13:39 0 d-------- C:\Documents and Settings\kaylie\Application Data
2008-04-04 09:13:39 0 d-------- C:\Documents and Settings\kaylie\Application Data\Adobe
2008-04-04 09:13:37 0 d-------- C:\Documents and Settings\kaylie\Favorites
2008-04-04 09:13:32 0 d-------- C:\Documents and Settings\kaylie\Local Settings
2008-04-04 09:13:27 0 d-------- C:\Documents and Settings\kaylie\My Documents
2008-04-04 09:13:25 0 d-------- C:\Documents and Settings\kaylie\Templates
2008-04-04 09:13:21 786432 --ah----- C:\Documents and Settings\kaylie\ntuser.dat
2008-04-03 22:38:20 0 d-------- C:\Documents and Settings\louis\Application Data\LimeWire
2008-04-02 04:46:04 0 d-------- C:\Documents and Settings\louis\Application Data\Help
2008-04-02 01:27:32 0 d-------- C:\WINDOWS\system32\NtmsData
2008-04-01 19:57:49 136627 --a------ C:\WINDOWS\POTA777444.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-01 11:40:24 3836 --ahs---- C:\WINDOWS\system32\rtuvw.ini2
2008-04-15 01:37:42 64260 --a------ C:\WINDOWS\compaq.reg
2008-04-01 19:58:06 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2008-03-31 01:33:30 0 d-------- C:\Documents and Settings\louis\Application Data\WinAntiSpyware 2007 Free
2008-03-28 20:53:16 0 d-------- C:\Documents and Settings\louis\Application Data\Mozilla
2008-03-28 08:26:32 0 d-------- C:\Documents and Settings\louis\Application Data\Ahead
2008-03-15 21:17:46 335 --a------ C:\WINDOWS\inet.reg
2008-03-12 13:54:22 37376 -ra------ C:\WINDOWS\mrofinu1000106.exe
2008-03-07 20:43:58 0 d-------- C:\Documents and Settings\louis\Application Data\Apple Computer
2008-03-07 18:28:58 75328 --a------ C:\WINDOWS\system32\sffqhggp.exe <Not Verified; ; DDC>
2008-03-07 18:27:14 75328 --a------ C:\WINDOWS\system32\qptduypp.exe <Not Verified; ; DDC>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BBF5411-FD1C-46A3-9405-72D6CF3BA6ED}]
C:\WINDOWS\system32\mllii.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F04BED6-FDE8-4E51-BAF5-348F092701AE}]
08/02/2007 08:44 AM 282624 --a------ C:\Program Files\xerox\menoruz83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D6D08C2-67D3-4D79-B5B4-3C449DE56762}]
C:\WINDOWS\system32\wvutr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72F49FA0-C83E-4700-DFB5-F1DE9C22A7DD}]
09/30/2007 05:15 PM 70144 --a------ C:\Program Files\NetMeeting\quzalebuq14.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82d40578-73a0-ce95-bfc0-72ffbbc52090}]
04/07/2008 11:21 AM 328192 --a------ C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FA652BD-74D2-4BE4-AC08-3DF18FD66250}]
C:\WINDOWS\system32\rqoli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC81AC11-45BE-41C7-A8D7-6DDFB8F0312F}]
08/02/2007 08:44 AM 282624 --a------ C:\Program Files\xerox\menoruz4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C299948D-9231-405C-ADF5-DF73013E429F}]
02/27/2008 08:54 PM 217088 --a------ C:\Program Files\NetMeeting\hyjemityc777444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
C:\WINDOWS\System32\jgphdsff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D24FD13A-3E0C-45E4-BD98-E2EDF88B1D07}]
C:\WINDOWS\system32\urssp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}]
C:\WINDOWS\System32\awttroo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
"runner1"="C:\WINDOWS\mrofinu1000106.exe" [03/12/2008 01:54 PM]
"{06-68-89-99-ZN}"="C:\WINDOWS\system32\kjdsrngk.exe" [09/15/2007 01:01 AM]
"USDR6cw"="C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe" []
"SystemDoctor 2006 Free"="C:\Program Files\SystemDoctor 2006 Free\sd2006.exe" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/25/2002 05:15 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/25/2002 05:14 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [07/24/2001 02:34 PM]
"SearchIndexer"="C:\WINDOWS\system32\ijqldgjh.dll" []
"Salestart"="C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe" [06/06/2007 10:35 AM]
"pas_check"="C:\Program Files\SystemDoctor 2006 Free\pasmon.exe" []
"NWEReboot"="" []
"InternetExplorer"="C:\\iexp1ore.exe" [09/15/2007 12:17 AM]
"ExploreUpdSched"="C:\WINDOWS\system32\qwinkldt.exe" [09/15/2007 12:13 AM]
"dc6_check"="C:\Program Files\SystemDoctor 2006 Free\dcmon.exe" []
"Cpqset"="c:\compaq\cpqsetup\cpqset.exe" [04/30/2002 03:41 PM]
"cmonitor"="" []
"spa_start"="C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll" [04/07/2008 11:21 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAble"="C:\Program Files\WinAble\winable.exe" [04/14/2008 06:36 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"=C:\WINDOWS\Cpqdiag\CpqDfwAg.exe

C:\Documents and Settings\louis\Start Menu\Programs\Startup\
Think-Adz.lnk - C:\WINDOWS\system32\qwinkldt.exe [9/15/2007 12:13:30 AM]
TA_Start.lnk - C:\WINDOWS\system32\kjdsrngk.exe [9/15/2007 1:01:32 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"= C:\WINDOWS\System32\awttroo.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttroo]
awttroo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvutr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\Compaq\EAB\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
C:\Program Files\Insider\Insider.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\InterVideo\DVD Check\DVDCheck.exe




-- End of Deckard's System Scanner: finished at 2008-05-01 13:15:22 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 511.36 MiB / 219.61 MiB
Pagefile Memory (total/avail): 1248.46 MiB / 972.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.89 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 37.25 GiB total, 27.97 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N040ATCS04-0 - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\WINDOWS\\System32\\sexkrlst.exe"="C:\\WINDOWS\\System32\\sex"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\louis\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\louis
LOGONSERVER=\\HOME
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\louis\LOCALS~1\Temp
TMP=C:\DOCUME~1\louis\LOCALS~1\Temp
USERDOMAIN=HOME
USERNAME=louis
USERPROFILE=C:\Documents and Settings\louis
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
louis (admin)
Administrator (new local, admin)
Guest.HOME (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{854A5F01-D692-11D4-A984-009027EC0A9C}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{945E2519-C2B9-11D3-9D56-0060B0A4823E}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CD47EFC1-D692-11D4-A984-009027EC0A9C}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7E518B2-B174-11D3-9D4E-0060B0A4823E}\setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
America Online --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Compaq Advisor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4C1AFCD-2C72-48B4-AE2E-A7354A525E87}\Setup.exe" UNINSTALL
Compaq Diagnostics for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1881AE03-2BD4-11D4-86BF-00508B10AA88}\setup.exe"
Compaq Easy Access Buttons 3.00 B3 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Compaq\EAB\Uninst.isu" -c"C:\Program Files\Compaq\EAB\EABINST.DLL"
Compaq Remote Diagnostics Enabling Agent --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71A470E1-27E7-424E-803A-F9C0D41968D3}\SETUP.EXE" -l0x9
Deewoo Network Manager removal --> C:\WINDOWS\system32\qwinkldn.exe -UPop
Encarta Online --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\setup.exe" -l0x9 -uninst
Enhancement Browser Tools Gooochi --> C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll-uninst.exe
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HP Integrated Module with Bluetooth wireless technology --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
Insider --> C:\Program Files\Insider\UnInstall.exe
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo DVD Check --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D97A4A7-C274-4B63-86D9-07A33435F505}\setup.exe" REMOVEALL
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE20E2F5-1903-4AAE-B1AF-2046E586C925}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
LimeWire 4.14.8 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft AntiSpyware --> MsiExec.exe /I{536F7C74-844B-4683-B0C5-EA39E19A6FE3}
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Setup Compaq Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\COMPAQ\Setup Compaq Software\Uninst.isu" -c"C:\Program Files\COMPAQ\Setup Compaq Software\CPQUNST.DLL"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Synaptics TouchPad --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe -u
WinAble --> "C:\Program Files\WinAble\winable.exe" -uninstall
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\WINDOWS\DOWNLO~1\ymmapi.dll


-- Application Event Log -------------------------------------------------------

Event Record #/Type1685 / Error
Event Submitted/Written: 05/01/2008 01:08:06 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module mshtml.dll, version 7.0.6000.16640, fault address 0x000fb558.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1684 / Error
Event Submitted/Written: 05/01/2008 01:04:41 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module mshtml.dll, version 7.0.6000.16640, fault address 0x0008c45f.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1683 / Error
Event Submitted/Written: 05/01/2008 00:57:19 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 745694174.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type1682 / Error
Event Submitted/Written: 05/01/2008 00:57:16 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module menoruz83122.dll, version 0.0.0.0, fault address 0x00006845.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1679 / Warning
Event Submitted/Written: 05/01/2008 00:28:43 PM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7815 / Error
Event Submitted/Written: 05/01/2008 00:55:54 PM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 VE Network Connection: Adapter Link Down

Event Record #/Type7812 / Error
Event Submitted/Written: 05/01/2008 00:55:42 PM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 VE Network Connection: Adapter Link Down

Event Record #/Type7809 / Error
Event Submitted/Written: 05/01/2008 00:54:44 PM
Event ID/Source: 4 / E100B
Event Description:
Adapter Intel® PRO/100 VE Network Connection: Adapter Link Down

Event Record #/Type7780 / Error
Event Submitted/Written: 05/01/2008 00:31:36 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
SYMTDI

Event Record #/Type7769 / Warning
Event Submitted/Written: 05/01/2008 00:22:56 PM
Event ID/Source: 1073 / USER32
Event Description:
The attempt to reboot HOME failed



-- End of Deckard's System Scanner: finished at 2008-05-01 13:15:22 ------------


Deckard's System Scanner v20071014.68
Run by louis on 2008-05-01 13:08:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-05-01 18:09:25 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2008-05-01 17:13:27 UTC - RP4 - Software Distribution Service 3.0
3: 2008-05-01 16:32:54 UTC - RP3 - Software Distribution Service 3.0
2: 2008-05-01 16:31:54 UTC - RP2 - Installed Windows Media Player 11
1: 2008-04-23 16:52:25 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as louis.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:26 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\WINDOWS\System32\sexkrlst.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\mrofinu1000106.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\kjdsrngk.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\iexp1ore.exe
C:\WINDOWS\system32\qwinkldt.exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\louis\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\louis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.presario.net/scripts/redirec...c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: (no name) - H@3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {3BBF5411-FD1C-46A3-9405-72D6CF3BA6ED} - C:\WINDOWS\system32\mllii.dll (file missing)
O2 - BHO: (no name) - {3F04BED6-FDE8-4E51-BAF5-348F092701AE} - C:\Program Files\xerox\menoruz83122.dll
O2 - BHO: (no name) - {5D6D08C2-67D3-4D79-B5B4-3C449DE56762} - C:\WINDOWS\system32\wvutr.dll (file missing)
O2 - BHO: 0 - {72F49FA0-C83E-4700-DFB5-F1DE9C22A7DD} - C:\Program Files\NetMeeting\quzalebuq14.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: gooochi browser optimizer - {82d40578-73a0-ce95-bfc0-72ffbbc52090} - C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll
O2 - BHO: (no name) - {8FA652BD-74D2-4BE4-AC08-3DF18FD66250} - C:\WINDOWS\system32\rqoli.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AC81AC11-45BE-41C7-A8D7-6DDFB8F0312F} - C:\Program Files\xerox\menoruz4444.dll
O2 - BHO: (no name) - {C299948D-9231-405C-ADF5-DF73013E429F} - C:\Program Files\NetMeeting\hyjemityc777444.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\System32\jgphdsff.dll (file missing)
O2 - BHO: (no name) - {D24FD13A-3E0C-45E4-BD98-E2EDF88B1D07} - C:\WINDOWS\system32\urssp.dll (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\System32\awttroo.dll (file missing)
O2 - BHO: (no name) - ?01e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - ?38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D2907D4E66914B5C1E9E689DB6FC45715ED96D1223AD51A6C3832212339B3E4827B144
O4 - HKLM\..\Run: [{06-68-89-99-ZN}] C:\WINDOWS\system32\kjdsrngk.exe CHD003
O4 - HKLM\..\Run: [USDR6cw] C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe -c
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ijqldgjh.dll",sitypnow
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [pas_check] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
O4 - HKLM\..\Run: [InternetExplorer] C:\\iexp1ore.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qwinkldt.exe CHD003
O4 - HKLM\..\Run: [dc6_check] C:\Program Files\SystemDoctor 2006 Free\dcmon.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll" DllInit
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\qwinkldt.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kjdsrngk.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {4AAC555D-352C-4029-ABE8-F06ED9BC532D} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O20 - Winlogon Notify: awttroo - awttroo.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\sexkrlst.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9136 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ClntMgmt.sys - c:\windows\system32\drivers\clntmgmt.sys <Not Verified; Compaq Computer Corp; Compaq Client Management Driver>
R2 cpqdfw (Compaq Diagnostics Driver) - c:\windows\system32\drivers\cpqdfw.sys
R2 cq_mem (Compaq Diagnostics Memory Driver) - c:\windows\system32\drivers\cq_mem.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 cqcpu (Compaq Diagnostics CPU Driver) - c:\windows\system32\drivers\cqcpu.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 FFSLDVRF - c:\windows\system32\ffsldvrf.rup

S3 ApiMon - c:\windows\system32\drivers\apimon.sys (file missing)
S3 SymEvent - c:\program files\symantec\symevent.sys (file missing)
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20070925.001\symidsco.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CpqDfwWebAgent (Compaq Remote Diagnostics Enabling Agent) - c:\windows\cpqdiag\cpqdfwag.exe <Not Verified; Compaq Computer Corporation; Compaq Remote Diagnostics Enabling Agent>
R2 DomainService - c:\windows\system32\sexkrlst.exe /service <Not Verified; ; DDC>

S3 Compaq_RBA (Compaq Advisor) - c:\program files\compaq\compaq advisor\bin\compaq-rba.exe <Not Verified; NeoPlanet; NeoPlanet RBA>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-01 and 2008-05-01 -----------------------------

2008-05-01 13:11:59 0 d-------- C:\Program Files\Trend Micro
2008-05-01 12:47:40 200768 --a------ C:\WINDOWS\system32\qwinkldn.exe
2008-05-01 12:47:39 399520 --a------ C:\Documents and Settings\louis\g39.exe
2008-05-01 12:12:38 0 d-------- C:\WINDOWS\LastGood
2008-04-22 08:03:22 0 d-------- C:\WINDOWS\VirtualEar
2008-04-22 07:39:59 109218 -r-hs---- C:\AVG7DB_F.DAT
2008-04-22 07:39:48 12296433 -----n--- C:\AVG7QT.DAT
2008-04-21 02:58:20 2846720 --a------ C:\Documents and Settings\louis\ntuser.dat
2008-04-21 02:58:19 241664 --a------ C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-14 22:54:20 0 d-------- C:\Documents and Settings\Guest.HOME\Application Data\InterVideo
2008-04-14 22:38:50 0 d-------- C:\Documents and Settings\Guest.HOME\Application Data\CyberLink
2008-04-14 22:26:33 0 d-------- C:\Documents and Settings\Guest.HOME\Application Data\AVG7
2008-04-14 06:36:52 0 d-------- C:\Program Files\WinAble
2008-04-14 05:54:30 0 d--hs---- C:\FOUND.005
2008-04-14 04:39:56 0 d-------- C:\Documents and Settings\louis\Application Data\AVG7
2008-04-14 04:39:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-14 04:33:04 0 d-------- C:\Program Files\Insider
2008-04-13 02:19:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-13 02:19:48 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-13 02:19:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-13 02:19:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-04-13 02:19:48 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-13 02:19:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-13 02:19:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-13 02:19:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-13 02:19:47 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-13 02:19:46 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-13 02:19:46 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-13 02:19:46 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-13 02:19:46 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-13 02:19:46 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-13 02:19:46 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-13 02:19:46 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-13 02:19:46 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-13 02:19:45 704512 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-09 17:30:18 0 d-------- C:\Program Files\USMT2.UNC
2008-04-08 23:09:16 0 d-------- C:\Documents and Settings\louis\Application Data\Sun
2008-04-08 08:09:48 0 d-------- C:\Program Files\Microsoft Reference
2008-04-07 11:21:38 328192 --a------ C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll
2008-04-04 09:13:40 0 d-------- C:\Documents and Settings\kaylie\Application Data\Real
2008-04-04 09:13:40 0 d-------- C:\Documents and Settings\kaylie\Application Data\Microsoft
2008-04-04 09:13:39 0 d-------- C:\Documents and Settings\kaylie\Cookies
2008-04-04 09:13:39 0 d-------- C:\Documents and Settings\kaylie\Application Data
2008-04-04 09:13:39 0 d-------- C:\Documents and Settings\kaylie\Application Data\Adobe
2008-04-04 09:13:37 0 d-------- C:\Documents and Settings\kaylie\Favorites
2008-04-04 09:13:32 0 d-------- C:\Documents and Settings\kaylie\Local Settings
2008-04-04 09:13:27 0 d-------- C:\Documents and Settings\kaylie\My Documents
2008-04-04 09:13:25 0 d-------- C:\Documents and Settings\kaylie\Templates
2008-04-04 09:13:21 786432 --ah----- C:\Documents and Settings\kaylie\ntuser.dat
2008-04-03 22:38:20 0 d-------- C:\Documents and Settings\louis\Application Data\LimeWire
2008-04-02 04:46:04 0 d-------- C:\Documents and Settings\louis\Application Data\Help
2008-04-02 01:27:32 0 d-------- C:\WINDOWS\system32\NtmsData
2008-04-01 19:57:49 136627 --a------ C:\WINDOWS\POTA777444.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-01 11:40:24 3836 --ahs---- C:\WINDOWS\system32\rtuvw.ini2
2008-04-15 01:37:42 64260 --a------ C:\WINDOWS\compaq.reg
2008-04-01 19:58:06 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2008-03-31 01:33:30 0 d-------- C:\Documents and Settings\louis\Application Data\WinAntiSpyware 2007 Free
2008-03-28 20:53:16 0 d-------- C:\Documents and Settings\louis\Application Data\Mozilla
2008-03-28 08:26:32 0 d-------- C:\Documents and Settings\louis\Application Data\Ahead
2008-03-15 21:17:46 335 --a------ C:\WINDOWS\inet.reg
2008-03-12 13:54:22 37376 -ra------ C:\WINDOWS\mrofinu1000106.exe
2008-03-07 20:43:58 0 d-------- C:\Documents and Settings\louis\Application Data\Apple Computer
2008-03-07 18:28:58 75328 --a------ C:\WINDOWS\system32\sffqhggp.exe <Not Verified; ; DDC>
2008-03-07 18:27:14 75328 --a------ C:\WINDOWS\system32\qptduypp.exe <Not Verified; ; DDC>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BBF5411-FD1C-46A3-9405-72D6CF3BA6ED}]
C:\WINDOWS\system32\mllii.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F04BED6-FDE8-4E51-BAF5-348F092701AE}]
08/02/2007 08:44 AM 282624 --a------ C:\Program Files\xerox\menoruz83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D6D08C2-67D3-4D79-B5B4-3C449DE56762}]
C:\WINDOWS\system32\wvutr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72F49FA0-C83E-4700-DFB5-F1DE9C22A7DD}]
09/30/2007 05:15 PM 70144 --a------ C:\Program Files\NetMeeting\quzalebuq14.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82d40578-73a0-ce95-bfc0-72ffbbc52090}]
04/07/2008 11:21 AM 328192 --a------ C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FA652BD-74D2-4BE4-AC08-3DF18FD66250}]
C:\WINDOWS\system32\rqoli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC81AC11-45BE-41C7-A8D7-6DDFB8F0312F}]
08/02/2007 08:44 AM 282624 --a------ C:\Program Files\xerox\menoruz4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C299948D-9231-405C-ADF5-DF73013E429F}]
02/27/2008 08:54 PM 217088 --a------ C:\Program Files\NetMeeting\hyjemityc777444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
C:\WINDOWS\System32\jgphdsff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D24FD13A-3E0C-45E4-BD98-E2EDF88B1D07}]
C:\WINDOWS\system32\urssp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}]
C:\WINDOWS\System32\awttroo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
"runner1"="C:\WINDOWS\mrofinu1000106.exe" [03/12/2008 01:54 PM]
"{06-68-89-99-ZN}"="C:\WINDOWS\system32\kjdsrngk.exe" [09/15/2007 01:01 AM]
"USDR6cw"="C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe" []
"SystemDoctor 2006 Free"="C:\Program Files\SystemDoctor 2006 Free\sd2006.exe" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/25/2002 05:15 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/25/2002 05:14 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [07/24/2001 02:34 PM]
"SearchIndexer"="C:\WINDOWS\system32\ijqldgjh.dll" []
"Salestart"="C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe" [06/06/2007 10:35 AM]
"pas_check"="C:\Program Files\SystemDoctor 2006 Free\pasmon.exe" []
"NWEReboot"="" []
"InternetExplorer"="C:\\iexp1ore.exe" [09/15/2007 12:17 AM]
"ExploreUpdSched"="C:\WINDOWS\system32\qwinkldt.exe" [09/15/2007 12:13 AM]
"dc6_check"="C:\Program Files\SystemDoctor 2006 Free\dcmon.exe" []
"Cpqset"="c:\compaq\cpqsetup\cpqset.exe" [04/30/2002 03:41 PM]
"cmonitor"="" []
"spa_start"="C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll" [04/07/2008 11:21 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAble"="C:\Program Files\WinAble\winable.exe" [04/14/2008 06:36 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"=C:\WINDOWS\Cpqdiag\CpqDfwAg.exe

C:\Documents and Settings\louis\Start Menu\Programs\Startup\
Think-Adz.lnk - C:\WINDOWS\system32\qwinkldt.exe [9/15/2007 12:13:30 AM]
TA_Start.lnk - C:\WINDOWS\system32\kjdsrngk.exe [9/15/2007 1:01:32 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"= C:\WINDOWS\System32\awttroo.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttroo]
awttroo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvutr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\Compaq\EAB\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
C:\Program Files\Insider\Insider.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\InterVideo\DVD Check\DVDCheck.exe




-- End of Deckard's System Scanner: finished at 2008-05-01 13:15:22 ------------
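The HijackThis and DSS output above is a catalogue of the persistence points an analyst checks first: Run keys pointing at the drive root or the Windows directory (C:\iexp1ore.exe, C:\WINDOWS\mrofinu1000106.exe), random-looking eight-letter names in system32 (kjdsrngk.exe, qwinkldt.exe, sexkrlst.exe), unnamed BHOs, a Winlogon Notify hook, an LSA authentication package and a service with no publisher. The following triage script is an added example, not part of the original post and not code from HijackThis, DSS or ComboFix: it parses O2/O4/O20/O23 lines in the format shown in the log and scores those patterns. The sample lines are copied from the posted log with three legitimate entries (Java, Synaptics, Broadcom) kept as controls; the point values, the consonant-run threshold and the IMITATED_NAMES list are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: lines copied from the posted HijackThis log, plus
# three legitimate entries (Java SSV, Synaptics, Broadcom) as controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3BBF5411-FD1C-46A3-9405-72D6CF3BA6ED} - C:\WINDOWS\system32\mllii.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {3F04BED6-FDE8-4E51-BAF5-348F092701AE} - C:\Program Files\xerox\menoruz83122.dll
O4 - HKLM\..\Run: [{06-68-89-99-ZN}] C:\WINDOWS\system32\kjdsrngk.exe CHD003
O4 - HKLM\..\Run: [InternetExplorer] C:\\iexp1ore.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ijqldgjh.dll",sitypnow
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - Winlogon Notify: awttroo - awttroo.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\System32\sexkrlst.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
"""

VOWELS = set("aeiouy")
# Windows binaries that malware likes to imitate (assumed list for this example).
IMITATED_NAMES = {"iexplore", "explorer", "svchost", "lsass", "csrss", "winlogon", "services"}
# Entry types that load code into winlogon or Explorer; anything non-default
# there deserves a hard look regardless of how the file is named.
PRIVILEGED_PREFIXES = ("O20 - Winlogon Notify", "O20 - AppInit_DLLs", "O21 - SSODL")
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)
BARE_FILE_RE = re.compile(r"\b[\w-]+\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)
# "Name - - C:\path": an O23 service line whose company field is empty.
NO_PUBLISHER_RE = re.compile(r"\s-\s*-\s+[a-z]:\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)
    score: int = 0

    def add(self, reason: str, points: int) -> None:
        self.reasons.append(reason)
        self.score += points


def extract_path(line: str) -> Optional[str]:
    """Return the first executable path on the line, or a bare file name."""
    m = PATH_RE.search(line)
    if m:
        return m.group(0).replace("\\\\", "\\")  # collapse the doubled slash in C:\\iexp1ore.exe
    m = BARE_FILE_RE.search(line)
    return m.group(0) if m else None


def split_path(path: str):
    """(lower-cased directory with trailing slash, lower-cased file stem)."""
    name = path.rsplit("\\", 1)[-1]
    directory = path[: -len(name)].lower() if "\\" in path else ""
    return directory, name.rsplit(".", 1)[0].lower()


def longest_consonant_run(stem: str) -> int:
    """Keyboard-mash names (kjdsrngk) have long runs with no vowel; y counts as a vowel."""
    run = best = 0
    for ch in stem:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def looks_like_lookalike(stem: str) -> bool:
    """Digit-for-letter substitution (iexp1ore, svch0st) against IMITATED_NAMES."""
    mapped = stem.translate(str.maketrans("013", "ole"))
    return mapped != stem and mapped in IMITATED_NAMES


def triage_line(line: str) -> Finding:
    f = Finding(line=line, path=extract_path(line))
    if line.startswith(PRIVILEGED_PREFIXES):
        f.add("hook that loads into winlogon/Explorer", 3)
    if "(file missing)" in line or "(no file)" in line:
        f.add("orphaned entry: loader points at a file that is gone", 1)
    if line.startswith("O2 - BHO: (no name)"):
        f.add("browser helper object registered without a name", 1)
    if line.startswith("O23 - Service:") and NO_PUBLISHER_RE.search(line):
        f.add("service with an empty publisher field", 2)
    if f.path:
        directory, stem = split_path(f.path)
        if directory in ("c:\\", "c:\\windows\\") or directory.startswith("c:\\documents and settings\\"):
            f.add("executable in an unusual location: " + directory, 2)
        if looks_like_lookalike(stem):
            f.add("name imitates a Windows binary: " + stem, 3)
        if len(stem) >= 6 and longest_consonant_run(stem) >= 5:
            f.add("random-looking file name: " + stem, 2)
    return f


def triage(log_text: str) -> List[Finding]:
    """Score every non-empty line and return the flagged ones, worst first."""
    findings = [triage_line(l.strip()) for l in log_text.splitlines() if l.strip()]
    return sorted((f for f in findings if f.score > 0), key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.path}")
        for r in f.reasons:
            print("     -", r)
```

On the sample lines this ranks C:\iexp1ore.exe first (root-of-drive location plus a digit-for-letter imitation of iexplore.exe), then the Winlogon Notify hook and the publisher-less DomainService, and leaves the Java, Synaptics and Broadcom entries unflagged. The name-entropy rule is a hint rather than a verdict (legitimate names such as wscntfy.exe trip it), which is why it only adds points instead of deciding on its own.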

#2 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 05 May 2008 - 07:57 PM

Welcome to Bleeping Computer. Please be sure you have read and followed the Preparation Guide For Use Before Posting A Hijackthis Log (instructions for receiving help in cleaning your computer): http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

Hi md, first thing you need to know is this is a very infected computer and cleaning it up is not going to be fast or easy. The junk will download more so it is important to stay offline unless you are troubleshooting. So we are communicating: I still see Symantec on the computer and do not see AVG? Decide what you are going to run for an antivirus program and let me know. If you need a free one I can provide links to several. If you need help removing Symantec, I can provide that also.
Let me know what you wish to do. Let's start like this.

1) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log using Add Reply.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If you have resolved these issues, post to let me know so I can close the topic.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 12 May 2008 - 06:38 AM

There has been no response to this topic in a week
This topic is closed

Thanks...pskelley
BleepingComputer

#4 mnm495
  • Topic Starter
  • Members
  • 20 posts

Posted 12 May 2008 - 10:49 AM

I will need help removing Norton if it is still on there. Here are the 2 logs.

ComboFix 08-05-11.1 - louis 2008-05-12 10:32:11.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.288 [GMT -5:00]
Running from: E:\computer\ComboFix.exe
Command switches used :: C:\Documents and Settings\louis\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\All Users\Application Data\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\evie\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\evie\Start Menu\Programs\Startup\think-adz.lnk
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\think-adz.lnk
C:\Documents and Settings\louis\Application Data\SystemDoctor 2006 Free
C:\Documents and Settings\louis\Application Data\SystemDoctor 2006 Free\Logs\update.log
C:\Documents and Settings\louis\Application Data\WinAntiSpyware 2007 Free
C:\Documents and Settings\louis\Application Data\WinAntiSpyware 2007 Free\DownloadUWAS7.url
C:\Documents and Settings\louis\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\louis\Application Data\WinAntiSpyware 2007\Logs\update.log
C:\Documents and Settings\louis\err.log
C:\Documents and Settings\louis\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\louis\Start Menu\Programs\Startup\think-adz.lnk
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\inetget2
C:\Program Files\inetget2\Installeur.exe
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\NetMeeting\hyjemityc777444.dll
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\WinAble
C:\Program Files\WinAble\winable.exe
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\UnInstall.exe
C:\Program Files\Words\Words.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\b122.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\A1\mid2dll.exe
C:\WINDOWS\system32\awvsq.dll
C:\WINDOWS\system32\bdxqoewg.dll
C:\WINDOWS\system32\byvww.dll
C:\WINDOWS\system32\byxuuus.dll
C:\WINDOWS\system32\cddgh.bak1
C:\WINDOWS\system32\cddgh.ini
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\dyiqjvfr.ini
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\gcagpbqp.ini
C:\WINDOWS\system32\gweoqxdb.ini
C:\WINDOWS\system32\hgddc.dll
C:\WINDOWS\system32\hjgdlqji.ini
C:\WINDOWS\system32\hjjjl.bak1
C:\WINDOWS\system32\hjjjl.bak2
C:\WINDOWS\system32\hjjjl.ini
C:\WINDOWS\system32\ihejkycn.ini
C:\WINDOWS\system32\iloqr.bak1
C:\WINDOWS\system32\iloqr.ini
C:\WINDOWS\system32\iwvgpdin.dll
C:\WINDOWS\system32\kiiafnor.ini
C:\WINDOWS\system32\ljjiijh.dll
C:\WINDOWS\system32\ljjjh.dll
C:\WINDOWS\system32\ljjkhfd.dll
C:\WINDOWS\system32\lpxnaxum.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgdef.dll
C:\WINDOWS\system32\modmdvhy.ini
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nidpgvwi.ini
C:\WINDOWS\system32\opsru.bak2
C:\WINDOWS\system32\opsru.ini
C:\WINDOWS\system32\ovriowgr.ini
C:\WINDOWS\system32\parad.raw.exe
C:\WINDOWS\system32\prmfjtvs.ini
C:\WINDOWS\system32\prtss.bak1
C:\WINDOWS\system32\prtss.ini
C:\WINDOWS\system32\pssru.bak1
C:\WINDOWS\system32\pssru.ini
C:\WINDOWS\system32\qptduypp.exe
C:\WINDOWS\system32\qrstv.bak1
C:\WINDOWS\system32\qrstv.ini
C:\WINDOWS\system32\qsvwa.bak1
C:\WINDOWS\system32\qsvwa.ini
C:\WINDOWS\system32\raorcfdc.ini
C:\WINDOWS\system32\rbdtcrej.ini
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\rtsru.ini
C:\WINDOWS\system32\rtsru.ini2
C:\WINDOWS\system32\rtuvw.ini
C:\WINDOWS\system32\rtuvw.ini2
C:\WINDOWS\system32\sffqhggp.exe
C:\WINDOWS\system32\sroydjfr.ini
C:\WINDOWS\system32\sstrp.dll
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\svtjfmrp.dll
C:\WINDOWS\system32\urstr.dll
C:\WINDOWS\system32\vtsrq.dll
C:\WINDOWS\system32\vtutstr.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wwvyb.bak1
C:\WINDOWS\system32\wwvyb.bak2
C:\WINDOWS\system32\wwvyb.ini
C:\WINDOWS\system32\wwvyb.ini2
C:\WINDOWS\system32\xnbsdayc.ini
C:\WINDOWS\system32\yfgnmwqy.ini
C:\WINDOWS\system32\yhvdmdom.dll
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\Documents and Settings\Guest.HOME\Start Menu\Programs\Startup\TA_Start.lnk . . . . failed to delete
C:\Documents and Settings\Guest.HOME\Start Menu\Programs\Startup\think-adz.lnk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_DOMAINSERVICE
-------\Legacy_FOPN
-------\Legacy_NETWORK_MONITOR
-------\Service_ApiMon
-------\Service_DomainService


((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 10:38 . 2008-05-12 10:38 52,788 --------- C:\WINDOWS\system32\dwdsrngt.exe
2008-05-01 13:11 . 2008-05-01 13:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-01 13:08 . 2008-05-01 13:08 <DIR> d-------- C:\Deckard
2008-05-01 12:47 . 2008-05-01 12:47 399,520 --a------ C:\Documents and Settings\louis\g39.exe
2008-05-01 12:47 . 2008-05-01 12:47 200,768 --a------ C:\WINDOWS\system32\qwinkldn.exe
2008-05-01 12:47 . 2008-05-01 12:47 63,893 --a------ C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll-uninst.exe
2008-04-22 08:03 . 2008-04-22 08:03 <DIR> d-------- C:\WINDOWS\VirtualEar
2008-04-22 07:39 . 2008-04-22 07:39 12,296,433 --------- C:\AVG7QT.DAT
2008-04-22 07:39 . 2008-04-22 07:43 109,218 -r-hs---- C:\AVG7DB_F.DAT
2008-04-14 22:54 . 2008-04-14 22:54 <DIR> d-------- C:\Documents and Settings\Guest.HOME\Application Data\InterVideo
2008-04-14 22:38 . 2008-04-14 22:38 <DIR> d-------- C:\Documents and Settings\Guest.HOME\Application Data\CyberLink
2008-04-14 22:26 . 2008-04-14 22:26 <DIR> d-------- C:\Documents and Settings\Guest.HOME\Application Data\AVG7
2008-04-14 21:15 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-14 21:15 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-14 21:14 . 2001-08-18 06:00 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-14 21:14 . 2001-08-18 06:00 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-14 05:54 . 2008-04-14 05:54 <DIR> d--hs---- C:\FOUND.005
2008-04-14 04:39 . 2008-04-14 04:39 <DIR> d-------- C:\Documents and Settings\louis\Application Data\AVG7
2008-04-14 04:39 . 2008-04-14 04:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-13 02:19 . 2002-07-01 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-13 02:19 . 2008-04-13 02:19 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-13 02:19 . 2008-05-12 10:31 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 06:37 64,260 ----a-w C:\WINDOWS\compaq.reg
2008-04-09 22:30 --------- d-----w C:\Program Files\USMT2.UNC
2008-04-08 13:09 --------- d-----w C:\Program Files\Microsoft Reference
2008-04-04 03:38 --------- d-----w C:\Documents and Settings\louis\Application Data\LimeWire
2008-04-02 00:57 136,627 ----a-w C:\WINDOWS\POTA777444.exe
2008-04-02 00:57 130 ----a-w C:\Documents and Settings\louis\update.bat
2008-03-28 13:26 --------- d-----w C:\Documents and Settings\louis\Application Data\Ahead
2008-03-27 13:39 --------- d-----w C:\Documents and Settings\Guest\Application Data\InterVideo
2008-03-27 10:27 --------- d-----w C:\Documents and Settings\evie\Application Data\LimeWire
2008-03-26 18:03 --------- d-----w C:\Documents and Settings\evie\Application Data\CyberLink
2008-03-25 18:56 --------- d-----w C:\Documents and Settings\evie\Application Data\InterVideo
2008-03-25 18:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-25 18:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BBF5411-FD1C-46A3-9405-72D6CF3BA6ED}]
C:\WINDOWS\system32\mllii.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F04BED6-FDE8-4E51-BAF5-348F092701AE}]
2007-08-02 08:44 282624 --a------ C:\Program Files\xerox\menoruz83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D6D08C2-67D3-4D79-B5B4-3C449DE56762}]
C:\WINDOWS\system32\wvutr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72F49FA0-C83E-4700-DFB5-F1DE9C22A7DD}]
2007-09-30 17:15 70144 --a------ C:\Program Files\NetMeeting\quzalebuq14.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82d40578-73a0-ce95-bfc0-72ffbbc52090}]
2008-04-07 11:21 328192 --a------ C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FA652BD-74D2-4BE4-AC08-3DF18FD66250}]
C:\WINDOWS\system32\rqoli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC81AC11-45BE-41C7-A8D7-6DDFB8F0312F}]
2007-08-02 08:44 282624 --a------ C:\Program Files\xerox\menoruz4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D24FD13A-3E0C-45E4-BD98-E2EDF88B1D07}]
C:\WINDOWS\system32\urssp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"{06-68-89-99-ZN}"="c:\windows\system32\dwdsrngt.exe" [2008-05-12 10:38 52788]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-04-25 17:15 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-04-25 17:14 540672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 14:34 36864]
"NWEReboot"="" []
"InternetExplorer"="C:\\iexp1ore.exe" [2007-09-15 00:17 81920]
"Cpqset"="c:\compaq\cpqsetup\cpqset.exe" [2002-04-30 15:41 163909]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2001-11-19 08:12 212992]

C:\Documents and Settings\Guest.HOME\Start Menu\Programs\Startup\
TA_Start.lnk - C:\WINDOWS\system32\kjdsrngk.exe [2007-09-15 01:01:32 52769]
Think-Adz.lnk - C:\WINDOWS\system32\qwinkldt.exe [2007-09-15 00:13:30 192577]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttroo]
awttroo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2002-04-09 11:49 69632 C:\Program Files\Compaq\EAB\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-07-12 15:35 473928 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
C:\Program Files\Insider\Insider.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-10-13 16:04 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2000-07-13 12:00 311350 C:\Program Files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2000-07-13 12:00 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\PROGRA~1\MSNMES~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-28 06:55 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-17 19:19 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-17 19:18 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--a------ 2004-12-08 18:44 184320 C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\WINDOWS\System32\sexkrlst.exe"= C:\WINDOWS\System32\sex
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"39564:TCP"= 39564:TCP:PORT_39564
"63348:TCP"= 63348:TCP:PORT_63348
"42387:TCP"= 42387:TCP:PORT_42387
"37110:TCP"= 37110:TCP:PORT_37110
"51497:TCP"= 51497:TCP:PORT_51497
"13467:TCP"= 13467:TCP:PORT_13467
"37713:TCP"= 37713:TCP:PORT_37713
"59382:TCP"= 59382:TCP:PORT_59382
"26310:TCP"= 26310:TCP:PORT_26310
"23849:TCP"= 23849:TCP:PORT_23849
"46024:TCP"= 46024:TCP:PORT_46024
"43923:TCP"= 43923:TCP:PORT_43923

R2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;C:\WINDOWS\Cpqdiag\Cpqdfwag.exe [2001-11-19 08:12]
R2 FFSLDVRF;FFSLDVRF;C:\WINDOWS\System32\ffsldvrf.rup [2001-08-18 06:00]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 10:38:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FFSLDVRF]
"ImagePath"="\??\C:\WINDOWS\System32\ffsldvrf.rup"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
C:\PROGRAM FILES\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\IEXP1ORE.EXE
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-12 10:41:04 - machine was rebooted [louis]
ComboFix-quarantined-files.txt 2008-05-12 15:41:00

Pre-Run: 29,913,251,840 bytes free
Post-Run: 29,977,247,744 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

313 --- E O F --- 2008-05-11 10:28:43



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:03 AM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\iexp1ore.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\dwdsrngt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.presario.net/scripts/redirec...c02&lc=0409
O2 - BHO: (no name) - H@3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {3BBF5411-FD1C-46A3-9405-72D6CF3BA6ED} - C:\WINDOWS\system32\mllii.dll (file missing)
O2 - BHO: (no name) - {3F04BED6-FDE8-4E51-BAF5-348F092701AE} - C:\Program Files\xerox\menoruz83122.dll
O2 - BHO: (no name) - {5D6D08C2-67D3-4D79-B5B4-3C449DE56762} - C:\WINDOWS\system32\wvutr.dll (file missing)
O2 - BHO: 0 - {72F49FA0-C83E-4700-DFB5-F1DE9C22A7DD} - C:\Program Files\NetMeeting\quzalebuq14.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: gooochi browser optimizer - {82d40578-73a0-ce95-bfc0-72ffbbc52090} - C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll
O2 - BHO: (no name) - {8FA652BD-74D2-4BE4-AC08-3DF18FD66250} - C:\WINDOWS\system32\rqoli.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AC81AC11-45BE-41C7-A8D7-6DDFB8F0312F} - C:\Program Files\xerox\menoruz4444.dll
O2 - BHO: (no name) - {D24FD13A-3E0C-45E4-BD98-E2EDF88B1D07} - C:\WINDOWS\system32\urssp.dll (file missing)
O2 - BHO: (no name) - ?01e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - ?38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [{06-68-89-99-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [InternetExplorer] C:\\iexp1ore.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {4AAC555D-352C-4029-ABE8-F06ED9BC532D} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O20 - Winlogon Notify: awttroo - awttroo.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6975 bytes

#5 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:00 AM

Posted 12 May 2008 - 11:43 AM

Thanks for returning your information; proceed like this, in the numbered order.

I will need help removing Norton if it is still on there. Here are the 2 logs.

Norton/Symantec is the only antivirus program you have running on the computer. Why do you want to remove it? What do you intend to run for virus protection? If you wish to install something else, remove Norton/Symantec in Add/Remove Programs.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - H@3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {3BBF5411-FD1C-46A3-9405-72D6CF3BA6ED} - C:\WINDOWS\system32\mllii.dll (file missing)
O2 - BHO: (no name) - {3F04BED6-FDE8-4E51-BAF5-348F092701AE} - C:\Program Files\xerox\menoruz83122.dll
O2 - BHO: (no name) - {5D6D08C2-67D3-4D79-B5B4-3C449DE56762} - C:\WINDOWS\system32\wvutr.dll (file missing)
O2 - BHO: 0 - {72F49FA0-C83E-4700-DFB5-F1DE9C22A7DD} - C:\Program Files\NetMeeting\quzalebuq14.dll
O2 - BHO: gooochi browser optimizer - {82d40578-73a0-ce95-bfc0-72ffbbc52090} - C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll
O2 - BHO: (no name) - {8FA652BD-74D2-4BE4-AC08-3DF18FD66250} - C:\WINDOWS\system32\rqoli.dll (file missing)
O2 - BHO: (no name) - {AC81AC11-45BE-41C7-A8D7-6DDFB8F0312F} - C:\Program Files\xerox\menoruz4444.dll
O2 - BHO: (no name) - {D24FD13A-3E0C-45E4-BD98-E2EDF88B1D07} - C:\WINDOWS\system32\urssp.dll (file missing)
O2 - BHO: (no name) - ?01e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - ?38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O4 - HKLM\..\Run: [{06-68-89-99-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [InternetExplorer] C:\\iexp1ore.exe
O20 - Winlogon Notify: awttroo - awttroo.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\iexp1ore.exe <<< delete that file

c:\windows\system32\dwdsrngt.exe <<< delete that file

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log, provide the information I requested and tell me how the computer is running now.

Thanks

Edited by pskelley, 12 May 2008 - 11:44 AM.
adjust information

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
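As an added example that is not part of this thread or of HijackThis, the Python script below encodes the triage the helper did by hand on the HJT log above (orphaned or unnamed BHOs, Run entries launching from odd places or under a lookalike name such as iexp1ore.exe, a missing Winlogon Notify DLL) and diffs a before/after log to confirm the fix took. The sample log lines are a constructed subset of the two logs in this thread, and the trusted-directory list assumes a default XP install on C:.

```python
"""Triage helper for HijackThis (HJT) log lines like the ones posted in this thread.

Added example, not HijackThis, ComboFix or BleepingComputer code. The rules are
heuristics built from what the helper asked to be fixed: O2 BHO entries with no
name, a malformed CLSID, a missing DLL or a GUID-named DLL; O4 Run entries that
launch from an unusual location, imitate a system binary or carry a bracketed
token as their name; O20 Winlogon Notify entries whose DLL is missing.
"""
import re

# Constructed subset of the first HJT log in the thread (before "Fix Checked").
BEFORE_LOG = r"""
O2 - BHO: (no name) - H@3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {3BBF5411-FD1C-46A3-9405-72D6CF3BA6ED} - C:\WINDOWS\system32\mllii.dll (file missing)
O2 - BHO: 0 - {72F49FA0-C83E-4700-DFB5-F1DE9C22A7DD} - C:\Program Files\NetMeeting\quzalebuq14.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: gooochi browser optimizer - {82d40578-73a0-ce95-bfc0-72ffbbc52090} - C:\WINDOWS\system32\{746321e6-e4e5-e861-8f60-981e6455300c}.dll
O4 - HKLM\..\Run: [{06-68-89-99-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [InternetExplorer] C:\\iexp1ore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: awttroo - awttroo.dll (file missing)
"""

# Constructed subset of the HJT log posted after the fix.
AFTER_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

HEX = r"[0-9A-Fa-f]"
GUID_RE = re.compile(r"^%s{8}(-%s{4}){3}-%s{12}$" % (HEX, HEX, HEX))
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\S+) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*?)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")

# Where an installed autostart normally lives (assumption: default XP install on C:).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
# System binaries whose names get imitated; iexp1ore.exe in this thread is one case.
SYSTEM_NAMES = {"iexplore", "explorer", "svchost", "lsass", "winlogon", "services", "csrss"}
HOMOGLYPHS = str.maketrans("1035", "loes")  # digits commonly swapped in for letters


def is_clsid(token):
    """True for a well-formed, brace-enclosed GUID such as {3BBF5411-...}."""
    return token.startswith("{") and token.endswith("}") and bool(GUID_RE.match(token[1:-1]))


def exe_path(cmd):
    """Lower-cased path of the executable in an O4 command line (quotes and arguments dropped)."""
    m = re.match(r'^"?(?P<path>.*?\.exe)', cmd, re.IGNORECASE)
    path = m.group("path") if m else cmd
    return path.strip('"').replace("\\\\", "\\").lower()


def check_o2(m):
    name, clsid, target = m.group("name"), m.group("clsid"), m.group("target")
    reasons = []
    if name == "(no name)" or not re.search(r"[A-Za-z]", name):
        reasons.append("BHO has no descriptive name")
    if not is_clsid(clsid):
        reasons.append("malformed CLSID " + clsid)
    if "(no file)" in target or "(file missing)" in target:
        reasons.append("registered DLL is missing (orphaned registration)")
    else:
        stem = re.sub(r"\.dll$", "", target.rsplit("\\", 1)[-1], flags=re.IGNORECASE)
        if is_clsid(stem):
            reasons.append("DLL file is named as a GUID")
    return reasons


def check_o4(m):
    name, path = m.group("name"), exe_path(m.group("cmd"))
    stem = re.sub(r"\.exe$", "", path.rsplit("\\", 1)[-1])
    reasons = []
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("launches from outside Windows/Program Files: " + path)
    if stem not in SYSTEM_NAMES and stem.translate(HOMOGLYPHS) in SYSTEM_NAMES:
        reasons.append("executable name imitates %s.exe" % stem.translate(HOMOGLYPHS))
    if name.startswith("{"):
        reasons.append("autostart value named with a bracketed token, not a product name")
    return reasons


def check_o20(m):
    target = m.group("target")
    reasons = []
    if "(file missing)" in target:
        reasons.append("Winlogon Notify DLL is missing (orphaned registration)")
    if "\\" not in target:
        reasons.append("Winlogon Notify DLL given without a full path")
    return reasons


CHECKS = ((O2_RE, check_o2), (O4_RE, check_o4), (O20_RE, check_o20))


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for every suspicious O2/O4/O20 entry."""
    findings = []
    for line in log_text.strip().splitlines():
        for pattern, check in CHECKS:
            m = pattern.match(line)
            if m:
                reasons = check(m)
                if reasons:
                    findings.append({"line": line, "reasons": reasons})
                break
    return findings


def removed_entries(before, after):
    """Entries present in the earlier log but gone from the later one, in original order."""
    remaining = set(after.strip().splitlines())
    return [line for line in before.strip().splitlines() if line not in remaining]
```

On the constructed logs every entry the script flags in BEFORE_LOG is exactly the set that is gone from AFTER_LOG, which is the check a helper wants before declaring the "Fix Checked" step done.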

#6 mnm495

mnm495
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:00 AM

Posted 12 May 2008 - 02:31 PM

Hi,

The Norton had expired. I had AVG, but it stopped working from all the virus stuff. I have to reinstall it. The computer is still extremely slow. It may have other problems as well, but I thought I needed to fix this first. Every time I turn it on, there is a message saying found new hardware; it tries to install a printer, but there is nothing plugged in. The startup menu looks much better, I think; before, there were a lot of things I didn't recognize. It is slow to even open folders.
Here is the log.
thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:57 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.presario.net/scripts/redirec...c02&lc=0409
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {4AAC555D-352C-4029-ABE8-F06ED9BC532D} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5509 bytes

#7 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:00 AM

Posted 12 May 2008 - 03:32 PM

Thanks for returning your information and the feedback. It looks like we have our work cut out for us; I will do what I can, and we have excellent forums that are not malware related if we need them. I don't know if things have improved at all, but ComboFix removed a load of malware from the computer. I suggest we take this a step or two at a time, and once again I also suggest that unless you are troubleshooting, you stay offline.

Let's tackle a few issues at a time.

1) The printer issue, I can see printer software:
C:\WINDOWS\system32\spoolsv.exe
spoolsv.exe - spoolsv process information: Process name: Microsoft Printer Spooler Service
If you are not using a printer, look in Add Remove programs for one and uninstall it if there.

2) You still have Symantec/Norton. Have you tried to uninstall it in Add/Remove Programs? If so, then look at this information:
http://basconotw.mvps.org/SymRem.htm

You may want to download AVG free 7.5 to your Desktop so all you have to do is install it once Symantec is gone.
http://free.grisoft.com/

3) Post an uninstall list also:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list.)

If you can get that far, post a new HJT log.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#8 mnm495 (Topic Starter)

Posted 13 May 2008 - 12:32 AM

Thank you so much! It seems a little bit faster restarting, but it is still really slow. I looked in Add/Remove prog. and didn't find the printer or Norton or Symantec. I uninstalled the printer & a couple of Symantec things from hardware manager. Let me know if there is still more Norton. I did download the AVG but forgot to add it to the desktop, I will next time.

Just let me know if it sounds like I need to just reformat. Every time the computer starts up, it tries to run the Check Disk utility & it doesn't complete it; it freezes right at the beginning. I have been just skipping it.

It has a CD/DVD/RW drive, but when I put in a music CD, it won't even show anything in the drive, like it's empty. But it will play a DVD; I didn't think that was possible.

And, the screen resolution keeps flickering to an old, horrible setting, then it will flip back to correct resolution.

Here are the logs.

Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
America Online
ATI Display Driver
Compaq Advisor
Compaq Diagnostics for Windows
Compaq Easy Access Buttons 3.00 B3
Compaq Remote Diagnostics Enabling Agent
Encarta Online
Enhancement Browser Tools Gooochi
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
HP Integrated Module with Bluetooth wireless technology
Intel® PRO Ethernet Adapter and Software
InterActual Player
InterVideo DVD Check
InterVideo WinDVD
iTunes
Java™ 6 Update 2
LimeWire 4.14.8
LiveUpdate Notice (Symantec Corporation)
Microsoft AntiSpyware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Works 6.0
PowerDVD
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Setup Compaq Software
SoundMAX
Symantec KB-DocID:2003093015493306
SymNet
Synaptics TouchPad
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Media Player (Remove Only)
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Yahoo! Internet Mail


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:27 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.presario.net/scripts/redirec...c02&lc=0409
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {4AAC555D-352C-4029-ABE8-F06ED9BC532D} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5750 bytes

#9 pskelley

Posted 13 May 2008 - 07:35 AM

Thanks for returning your information and the feedback. You asked:

Just let me know if it sounds like I need to just reformat.

This is a decision you will have to make. Understand it is not a bad thing; it generally restores the computer to like new. Here is information if you wish to look:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/inst...ns/reformat.htm

These infections are hard on a computer, and you can see from what combofix removed that you were badly infected. When ChkDsk tries to run, it needs (and should be telling you this) to run when the computer first starts.
http://www.google.com/search?hl=en&q=h...G=Google+Search
When it is trying to run like that, the utility knows there are problems on the hard drive that need attention. I suggest you start it yourself and when you are told it needs to run without anything else, schedule it for the next day and make sure you check to tell it to repair any issues it locates. When you boot the next day, it will run as soon as you start, before anything else starts and it will take a couple of hours or more. When it is trying to start like that, it is a sign you may have hard drive issues that you may or may not be able to fix.
http://home.earthlink.net/~lreynol929/ruXP...ools/chkdsk.htm

How old is this computer? I see Compaq programs.

Uninstall list: uninstall these

Symantec KB-DocID:2003093015493306
Viewpoint Media Player (Remove Only)

I posted a link that Symantec provides to remove it: http://basconotw.mvps.org/SymRem.htm
You said this:

Let me know if there is still more norton

Look at your HijackThis log; everywhere you look you see Symantec. Symantec and Norton are the same thing.

Use that tool and get Symantec/Norton off the computer, then install a new antivirus program. When this is done, post a new HJT log.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#10 mnm495 (Topic Starter)

Posted 13 May 2008 - 11:25 PM

Hi, thanks for all the help. OK, when I clicked on the link for the Norton removal tool, it said to pick which version you had. I had absolutely no idea; it was out of date when we got this computer & I just removed it. I removed another part of it, the LiveUpdate Symantec; that was the only thing that showed in Add/Remove programs.
This laptop is old, I think 2002, yes, a Compaq Presario 1500. I put AVG on the desktop, so it's ready.
Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:34 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.presario.net/scripts/redirec...c02&lc=0409
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {4AAC555D-352C-4029-ABE8-F06ED9BC532D} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5192 bytes

#11 pskelley

Posted 14 May 2008 - 07:43 AM

Not a lot I can do about finding the correct version from where I am sitting. You are in front of the computer. Here is what is in the HJT log.

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

If you can not figure out the version from that, look for the program and open it, click Help at the top of the console and click About. The version number should be in the next window to open. The only other way I can think of is to ask Symantec what version you have:
http://www.symantec.com/enterprise/support/index.jsp

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
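The log reading pskelley does by hand in this thread (pulling every Symantec-related line out of a HijackThis log, then comparing one log with the next to confirm the entries are gone) can be scripted. The Python below is an added example, not code from this thread or from HijackThis itself; the two sample logs are constructed from a handful of entries posted above, and the section names, the `PROC` pseudo-section and the helper function names are my own.

```python
"""Minimal HijackThis (HJT) log parser: group entries by section code, find
entries tied to a vendor string, and diff two log snapshots. The sample logs
are constructed excerpts of the logs posted in this thread."""
import re
from collections import defaultdict

# One HJT entry looks like "O23 - Service: ..." or "R0 - HKCU\...".
# Running-process paths have no code, so they are handled separately.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")

# Constructed excerpt of the log in post #8 (Symantec services still present).
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5750 bytes
"""

# Constructed excerpt of the log in post #12 (after the Norton removal tool).
AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4764 bytes
"""


def parse_hjt(text):
    """Return a list of (section_code, body) tuples. Running-process paths are
    filed under the pseudo-section 'PROC' (my own label); header and footer
    lines ("Logfile of ...", "End of file ...") are skipped."""
    entries = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                     # blank line ends the process block
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            entries.append(("PROC", line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def by_section(entries):
    """Group entry bodies by their HJT section code (R0, O4, O23, PROC, ...)."""
    groups = defaultdict(list)
    for code, body in entries:
        groups[code].append(body)
    return dict(groups)


def vendor_entries(entries, vendor):
    """Case-insensitive match of a vendor string anywhere in an entry: the same
    check a helper does by eye to spot leftover services after an uninstall."""
    needle = vendor.lower()
    return [(code, body) for code, body in entries if needle in body.lower()]


def diff_logs(before_text, after_text):
    """Entries only in the earlier log ('removed') and only in the later one
    ('added'). Order-insensitive, since HJT lists processes in start order."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return {"removed": sorted(before - after), "added": sorted(after - before)}


if __name__ == "__main__":
    for code, body in vendor_entries(parse_hjt(BEFORE_LOG), "Symantec"):
        print(f"[{code}] {body}")
    delta = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"removed {len(delta['removed'])}, added {len(delta['added'])}")
```

Point a real log at `parse_hjt` by reading the saved `hijackthis.log` into a string; `vendor_entries` then answers "is there still more Norton?" mechanically, and `diff_logs` on two consecutive logs shows exactly which services and processes a removal step took away (and what new ones, such as `wuauclt.exe` here, appeared).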

#12 mnm495 (Topic Starter)

Posted 14 May 2008 - 09:54 PM

Hi, I used the Norton removal tool, so it should be gone now. Also, chkdsk ran all the way & fixed things; it starts up much better now & opens folders quicker too. Slowly getting better! Here is a new log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:17 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.presario.net/scripts/redirec...c02&lc=0409
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {4AAC555D-352C-4029-ABE8-F06ED9BC532D} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4764 bytes

#13 pskelley

Posted 15 May 2008 - 05:56 AM

Thanks for returning your HJT log...

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
This is the Java update scheduler and since it is out of date, probably not working. The tool has a history of being buggy. I turn it off since it does not work and wastes resources. Java does need to be updated now though, see this:
http://forums.spybot.info/showpost.php?p=1...amp;postcount=2

I do not see an antivirus program running, so please get one installed. Once installed, open the Security Center in Start > Control Panel and make sure all three areas are on.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next, click on Launch Kaspersky Online Scanner.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here along with a new HJT log so I can see that the antivirus program installed OK.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#14 mnm495 (Topic Starter)

Posted 17 May 2008 - 02:04 AM

OK, thanks! Since I'm going online to do the scan, do I also turn on the firewall that has been shut off, or leave it off?

#15 pskelley

Posted 17 May 2008 - 06:00 AM

I don't recall asking you to turn off your firewall. Try it with the firewall on; Kaspersky Online Scan should run fine with it on.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006



