Unknown Virus Causing Internet Problems


23 replies to this topic

#1 Montana32 (Members, 17 posts)

Posted 23 June 2008 - 11:17 PM

I have done everything I know how to do to fix my problem, including following some advice from your website but I have had no luck. I hope someone here has a thought or two that may help out.

PROBLEM:
Either immediately upon starting Internet Explorer (or Mozilla Firefox), or after being online for hours, I will notice that all web pages take a long time to load. If I do a speed test on a site like Speakeasy.net, there is no decrease shown in either my upload or download speed. However, if I check on my Self-Healing Internet program from my IP, it tells me that I have anywhere from 19 to 67 active internet connections. I have confirmed this information to be accurate by following advice and typing in NETSTAT from the DOS prompt.

SYSTEM:
Acer Aspire AST660 Pentium 4, 1.5 GB memory, 160 GB hard disk. OS Windows XP Media Center Edition Version 2002 Service Pack 2. Internet is Rogers Cable Express Hi-Speed (7MBps down, 512 kBps up)

ACTIONS TAKEN/RESULTS:
1) First thing I did was contact Rogers, my Internet Service Provider, and ask for help to see if it was a problem on their end. It is not. They said the problem could be caused by running peer-to-peer services, running a server from home, or using newsgroups or newsreaders. I do none of those things.
2) Next thing I did was eliminate as many potential problems as possible. I turned off all extra toolbars, closed anything on the Taskbar that wasn't needed, used a program to see the start-up processes and, using the list on this website, shut off any that were not needed.
3) Then I used a few virus/spyware programs. I ran scans with the most up-to-date virus definitions using Ad-Aware 2007, Norton Antivirus (which runs 24/7 with a firewall on my computer), Spybot Search & Destroy, the housecall.trendmicro.com online scan and lastly Malwarebytes' Anti-Malware. Most of these programs just found tracking cookies. HouseCall found one adware from zedo.com that I deleted. The Anti-Malware program found 2 things and I only deleted one because of some conflicting advice on here about whether or not I should. This is the one I left alone:
C:\WINDOWS\system32\KCMDNIns.exe (Trojan.Inject)
and this is the one I removed:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\KCMDNIns.exe (Trojan.Inject)
One note: although it was recommended to me to run my programs in safe mode, the ones I had at that time could not be run in safe mode as they required an internet connection. I will try running the Anti-Malware in safe mode when I am done here. I have now run the Anti-Malware in safe mode and it found one problem, the same one I did not delete last time due to conflicting advice (or my misreading of the advice).
4) I also did a lot of cleaning up and rearranging. I deleted all the games my 5-year-old downloaded from nickjr.com. I ran a scandisk/checkdisk. I defragged my computer. I opened up the tower and cleaned out all the dust.

The list of things I have tried doesn't look that big once I type it up, but I have been trying very hard to fix this problem. I was told to post a HijackThis log after posting my problem in the "Am I infected?" section of this website.

Any help would be appreciated! I have no idea how all of these connections pop up but it sure is driving me crazy!!
___________________________________________________

Deckard's System Scanner v20071014.68
Run by Lisa on 2008-06-23 23:54:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
29: 2008-06-24 03:54:48 UTC - RP29 - Deckard's System Scanner Restore Point
28: 2008-06-23 04:10:47 UTC - RP28 - System Checkpoint
27: 2008-06-20 07:00:29 UTC - RP27 - Software Distribution Service 3.0
26: 2008-06-19 14:20:00 UTC - RP26 - System Checkpoint
25: 2008-06-18 13:39:35 UTC - RP25 - System Checkpoint


-- First Restore Point --
1: 2008-05-22 20:43:29 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-23 23:56:58
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Yahoo!\NAV\NAVAPSVC.EXE
C:\Program Files\Yahoo!\NAV\IWP\NPFMNTOR.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rogers\SelfHealing\RogersAgent.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lisa\Desktop\dss.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customi.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPre1.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Ticket Toolbar - {3d23aaa9-547c-4fb8-8c32-b00b932f8603} - C:\Program Files\Ticket\tbTic1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NAVSHEXT.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ticket Toolbar - {3d23aaa9-547c-4fb8-8c32-b00b932f8603} - C:\Program Files\Ticket\tbTic1.dll
O3 - Toolbar: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPre1.dll
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [Glary Memory Optimizer] C:\Program Files\Glary Utilities\memdefrag.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\NAVAPSVC.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMNTOR.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPcservice.exe
O24 - Desktop Component 0: - http://www.treehousetv.com/kids/games/miss...PB1280x1024.jpg

--
End of file - 12495 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R1 StarPortLite (StarPort Storage Controller (Lite)) - c:\windows\system32\drivers\starportlite.sys <Not Verified; Rocket Division Software; StarPort Storage Controller>
R3 int15.sys - c:\acer\empowering technology\erecovery\int15.sys
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 psdfilter - c:\windows\system32\drivers\psdfilter.sys <Not Verified; HiTRUST; >
R3 psdvdisk - c:\windows\system32\drivers\psdvdisk.sys <Not Verified; HiTRUST; >
R3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcerMemUsageCheckService (Memory Check Service) - c:\acer\empowering technology\eperformance\memcheck.exe <Not Verified; Acer Inc.; >
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&258F370F&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&258F370F&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-06-17 13:13:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-06-13 22:02:46 532 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Lisa.job


-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-23 18:46:32 0 d-------- C:\WINDOWS\LastGood
2008-06-13 10:08:48 0 d-------- C:\Documents and Settings\All Users\Application Data\CA-SupportBridge
2008-06-08 23:10:58 0 d-------- C:\Documents and Settings\Lisa\Application Data\Malwarebytes
2008-06-08 23:10:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-08 23:10:53 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 14:37:43 0 d-------- C:\Documents and Settings\Lisa\.housecall6.6


-- Find3M Report ---------------------------------------------------------------

2008-06-23 23:56:39 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-03 20:09:31 0 d-------- C:\Documents and Settings\Lisa\Application Data\Adobe
2008-06-01 01:14:57 0 d-------- C:\Program Files\TNT Screen Capture
2008-05-31 09:46:01 0 d-------- C:\Program Files\Symantec
2008-05-22 12:18:45 0 d-------- C:\Documents and Settings\Lisa\Application Data\GlarySoft
2008-05-22 09:44:28 33377 --a------ C:\logfile
2008-05-12 20:13:10 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-12 20:12:58 0 d-------- C:\Program Files\Common Files
2008-05-12 20:11:23 0 d-------- C:\Documents and Settings\Lisa\Application Data\AdobeUM
2008-05-07 12:43:23 0 d-------- C:\Documents and Settings\Lisa\Application Data\Opera
2008-05-07 12:43:18 0 d-------- C:\Program Files\Opera
2008-05-02 10:37:31 0 d-------- C:\Program Files\Java
2008-04-28 21:14:18 0 d-------- C:\Program Files\QuickTax 2007
2008-04-28 20:56:46 0 d-------- C:\Documents and Settings\Lisa\Application Data\Intuit Canada
2008-04-28 20:56:33 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-28 20:56:30 0 d-------- C:\Program Files\Common Files\Intuit
2008-04-10 21:46:10 499 --a------ C:\WINDOWS\EReg077.dat
2008-04-01 11:48:52 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{123b04bd-7c85-472a-a103-33eb44412d70}]
05/14/2008 01:57 AM 1470488 --a------ C:\Program Files\Presale\tbPre1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3d23aaa9-547c-4fb8-8c32-b00b932f8603}]
12/10/2007 02:27 AM 1502232 --a------ C:\Program Files\Ticket\tbTic1.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{3D23AAA9-547C-4FB8-8C32-B00B932F8603}"= C:\Program Files\Ticket\tbTic1.dll [12/10/2007 02:27 AM 1502232]
"{123B04BD-7C85-472A-A103-33EB44412D70}"= C:\Program Files\Presale\tbPre1.dll [05/14/2008 01:57 AM 1470488]

[-HKEY_CLASSES_ROOT\CLSID\{3D23AAA9-547C-4FB8-8C32-B00B932F8603}]

[-HKEY_CLASSES_ROOT\CLSID\{123B04BD-7C85-472A-A103-33EB44412D70}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [06/01/2006 06:40 PM]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [03/17/2006 07:00 PM]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 02:43 PM C:\WINDOWS\Alcmtr.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/11/2008 05:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [11/06/2006 03:15 PM]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [11/06/2006 12:41 PM]
"Glary Memory Optimizer"="C:\Program Files\Glary Utilities\memdefrag.exe" [05/22/2007 11:16 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"DJSNetCN"=C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2/1/2007 5:09:10 PM]
Acer WLAN 11g USB Dongle.lnk - C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe [11/16/2005 11:25:14 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"




-- End of Deckard's System Scanner: finished at 2008-06-23 23:57:38 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.06GHz
CPU 1: Intel® Pentium® 4 CPU 3.06GHz
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 767.29 MiB / 304.73 MiB
Pagefile Memory (total/avail): 1871.6 MiB / 1335 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907.53 MiB

C: is Fixed (NTFS) - 71.36 GiB total, 22.17 GiB free.
D: is Fixed (FAT32) - 71.82 GiB total, 28.58 GiB free.
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - HDT722516DLA380 - 153.38 GiB - 3 partitions
\PARTITION0 - Unknown - 5.85 GiB
\PARTITION1 (bootable) - Installable File System - 71.36 GiB - C:
\PARTITION2 - Unknown - 71.84 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Personal Firewall v2006 (Symantec Corporation)
AV: Norton AntiVirus v2005 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lisa\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ACER-B35562F4AB
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Lisa
LOGONSERVER=\\ACER-B35562F4AB
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
RNLOG_BASEKEY=Software\RealNetworks\RealPlayer\6.0\Preferences\BrowserRecordPluginLog
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Lisa\LOCALS~1\Temp
TMP=C:\DOCUME~1\Lisa\LOCALS~1\Temp
USERDOMAIN=ACER-B35562F4AB
USERNAME=Lisa
USERPROFILE=C:\Documents and Settings\Lisa
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Lisa (admin)
Steve (new local, admin)
Conor (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{3BD0196C-6553-460c-A0C4-90D8AE5D60D2}.exe" /X
--> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{C6F5B6CF-609C-428E-876F-CA83176C021B}.exe" /X
--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer eDataSecurity Management --> C:\Acer\Empowering Technology\eDataSecurity\eDStbmngr.exe UNINSTALL 1
Acer eDataSecurity Management 2.0.3077 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{4AD13F68-CADA-4C6B-9759-C33753F89908} /l1033
Acer Empowering Technology --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
Acer ePerformance Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7057702F-6D71-4F30-8000-9E72BC771887}\setup.exe" -l0x9 -removeonly
Acer WLAN 11g USB Dongle --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{0CB98AC0-D691-4B21-AD3D-95982517021D} /l1033
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AnalogX Atomic TimeSync --> C:\Program Files\AnalogX\Atomic TimeSync\atsu.exe
Apollo DVD Creator 4.5.1 --> "C:\Program Files\Apollo DVD Creator\unins000.exe"
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Canon iP1700 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1700\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1700 /L0x0009
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities Easy-PrintToolBox --> C:\WINDOWS\BJPSUNST.EXE
CC_ccProxyExt --> MsiExec.exe /I{2EBF25F1-F8A2-40EA-92BE-931C142A44E2}
ccCommon --> MsiExec.exe /I{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}
ccPxyCore --> MsiExec.exe /I{30738666-9805-4926-A78F-91DA33B6C437}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
comsummer-1024x768 --> MsiExec.exe /I{D27E6ABB-AF22-4618-838E-B4A3A1B02F98}
DeepBurner v1.8.0.224 --> "C:\Program Files\Astonsoft\DeepBurner\Uninstall.exe" "C:\Program Files\Astonsoft\DeepBurner\install.log"
Disney's Winnie the Pooh Kindergarten --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\WINNIE~1\DeIsL2.isu -c"C:\Program Files\Disney Interactive\Winnie the Pooh Kindergarten\Code\Saved Games\Uninst.dll
Disney's Winnie the Pooh Preschool --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\WINNIE~2\DeIsL1.isu -c"C:\Program Files\Disney Interactive\Winnie the Pooh Preschool\Scenes\Saved Games\Uninst.dll
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVDFab HD Decrypter 4.0.3.0 --> "C:\Program Files\DVDFab HD Decrypter 4\unins000.exe"
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
EC Software TNT Screen Capture 2.1 --> "C:\Program Files\TNT Screen Capture\unins000.exe"
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
FastStone Image Viewer 3.2 --> C:\Program Files\FastStone Image Viewer\uninst.exe
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Glary Utilities 2.2.2.66 --> "C:\Program Files\Glary Utilities\unins000.exe"
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
jv16 PowerTools 1.3 --> "C:\Program Files\jv16 PowerTools\unins000.exe"
K-Lite Codec Pack 2.70 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_2c3035c\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Leap Ahead Phonics Ages 4-7 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Leap Ahead Phonics Ages 4-7\Uninst.isu"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Publisher 2000 --> MsiExec.exe /I{00140409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Motorola SM56 Speakerphone Modem --> C:\WINDOWS\Motorola\SMSERIAL\sm56unst.exe
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
NAVShortcut --> MsiExec.exe /I{F325CF11-27CE-4872-8022-6E9EB27DF24F}
netbrdg --> MsiExec.exe /I{56AB063D-1450-4BDE-9F0D-E9C693429C51}
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4E9E-9B58-3014A5B4E519}
Norton AntiVirus 2006 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Personal Firewall --> MsiExec.exe /I{3BD0196C-6553-460c-A0C4-90D8AE5D60D2}
Norton Personal Firewall --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Personal Firewall --> MsiExec.exe /I{FFB4DD53-28B7-4981-BFF0-9BD801F61095}
Norton Protection Center --> MsiExec.exe /I{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}
Norton WMI Update --> MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
NTI Backup NOW! 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{385979FE-DC4F-4140-8EAD-A59625000D72} /l1033 BUN4
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
OCA Client history tool install --> "C:\WINDOWS\$UninstallOCA-X86Fre-ENU$\spuninst\spuninst.exe"
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
Opera 9.27 --> MsiExec.exe /X{503D6E3E-1A48-44F5-BB7C-EB3B593FAED0}
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
PCDADDIN --> MsiExec.exe /I{65D85050-5610-4A91-A3B1-D5C744291AD4}
PCDHELP --> MsiExec.exe /I{C99DCDA4-7407-4F72-A77E-C81C551D0C4E}
Picture Organiser --> MsiExec.exe /I{EA110D11-7F62-4FE9-91B4-57ED480C1C9F}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.EXE" -uninstall
Presale Toolbar --> C:\PROGRA~1\Presale\UNWISE.EXE C:\PROGRA~1\Presale\INSTALL.LOG
QuickTax 2007 --> MsiExec.exe /X{22EC35BD-F8F2-45EB-8DCB-1C7FB65D0A71}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Reader Rabbit's Reading Ages 4-6 --> C:\WINDOWS\IsUninst.exe -fC:\Tlcwin\Rrread46\Uninst\DeIsL1.isu
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Rogers Self Healing Software (remove only) --> "C:\Program Files\Rogers\SelfHealing\uninst.exe"
Rogers Yahoo! Applications --> C:\PROGRA~1\Yahoo!\Common\uninstall.exe
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SFR2 --> MsiExec.exe /I{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
StarBurn(GiveAwayOfTheDay) Version 9.5 (Build 0x20071220) --> "C:\Program Files\Give Away Of The Day\StarBurn\unins000.exe"
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Ticket Toolbar --> C:\PROGRA~1\Ticket\UNWISE.EXE C:\PROGRA~1\Ticket\INSTALL.LOG
tooltips --> MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
Topaz Moment --> MsiExec.exe /I{16A49E91-6EC2-453A-8B2C-889577AE5FC5}
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type26608 / Error
Event Submitted/Written: 06/23/2008 06:55:27 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type26585 / Error
Event Submitted/Written: 06/23/2008 01:56:58 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type26512 / Error
Event Submitted/Written: 06/19/2008 11:40:05 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application msimn.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type26509 / Error
Event Submitted/Written: 06/19/2008 11:26:13 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type26507 / Error
Event Submitted/Written: 06/19/2008 11:18:39 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type29482 / Error
Event Submitted/Written: 06/23/2008 11:55:15 AM
Event ID/Source: 6161 / Print
Event Description:
The document Flash owned by Lisa failed to print on printer Canon iP1600. Data type: NT EMF 1.008. Size of the spool file in bytes: 16973824. Number of bytes printed: 5566480. Total number of pages in the document: 4. Number of pages printed: 0. Client machine: \\ACER-B35562F4AB. Win32 error code returned by the print processor: Flash0. Flash1

Event Record #/Type29481 / Warning
Event Submitted/Written: 06/23/2008 11:30:07 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type29477 / Error
Event Submitted/Written: 06/23/2008 05:50:50 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {F3A614DC-ABE0-11D2-A441-00C04F795683} did not register with DCOM within the required timeout.

Event Record #/Type29442 / Error
Event Submitted/Written: 06/22/2008 09:52:16 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The COM+ System Application service failed to start due to the following error:
%%1053

Event Record #/Type29441 / Error
Event Submitted/Written: 06/22/2008 09:52:16 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect.



-- End of Deckard's System Scanner: finished at 2008-06-23 23:57:38 ------------



Thank you.



#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:12:55 AM

Posted 17 July 2008 - 02:56 PM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new Deckard's System Scanner which includes the HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 Montana32

Montana32
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 18 July 2008 - 11:12 PM

Thanks for following up on this. This scan is nothing like the first one, as the first time, by the time I tried to let my computer download HijackThis, DSS had already used an internal scanner. There was only one main Notepad this time, no extra Notepad to copy.
I look forward to your help.

__________________________________________________________________________________________________________________

Deckard's System Scanner v20071014.68
Run by Lisa on 2008-07-18 23:59:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Lisa.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:22 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lisa\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Lisa.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customi.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPre1.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Ticket Toolbar - {3d23aaa9-547c-4fb8-8c32-b00b932f8603} - C:\Program Files\Ticket\tbTic1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ticket Toolbar - {3d23aaa9-547c-4fb8-8c32-b00b932f8603} - C:\Program Files\Ticket\tbTic1.dll
O3 - Toolbar: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPre1.dll
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [Glary Memory Optimizer] C:\Program Files\Glary Utilities\memdefrag.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - http://www.treehousetv.com/kids/games/miss...PB1280x1024.jpg

--
End of file - 11568 bytes

-- Files created between 2008-06-18 and 2008-07-18 -----------------------------

2008-07-18 23:38:45 0 d-------- C:\Program Files\Trend Micro
2008-07-09 12:11:12 0 d-------- C:\Program Files\Adobe Media Player
2008-07-09 12:11:06 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-06-30 19:57:39 0 d-------- C:\Program Files\3DGroove


-- Find3M Report ---------------------------------------------------------------

2008-07-18 23:38:31 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-09 12:11:19 0 d-------- C:\Documents and Settings\Lisa\Application Data\Adobe
2008-07-09 12:11:06 0 d-------- C:\Program Files\Common Files
2008-06-08 23:10:58 0 d-------- C:\Documents and Settings\Lisa\Application Data\Malwarebytes
2008-06-08 23:10:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-01 01:14:57 0 d-------- C:\Program Files\TNT Screen Capture
2008-05-31 09:46:01 0 d-------- C:\Program Files\Symantec
2008-05-22 12:18:45 0 d-------- C:\Documents and Settings\Lisa\Application Data\GlarySoft
2008-05-22 09:44:28 33377 --a------ C:\logfile


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{123b04bd-7c85-472a-a103-33eb44412d70}]
05/14/2008 01:57 AM 1470488 --a------ C:\Program Files\Presale\tbPre1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3d23aaa9-547c-4fb8-8c32-b00b932f8603}]
12/10/2007 02:27 AM 1502232 --a------ C:\Program Files\Ticket\tbTic1.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{3D23AAA9-547C-4FB8-8C32-B00B932F8603}"= C:\Program Files\Ticket\tbTic1.dll [12/10/2007 02:27 AM 1502232]
"{123B04BD-7C85-472A-A103-33EB44412D70}"= C:\Program Files\Presale\tbPre1.dll [05/14/2008 01:57 AM 1470488]

[-HKEY_CLASSES_ROOT\CLSID\{3D23AAA9-547C-4FB8-8C32-B00B932F8603}]

[-HKEY_CLASSES_ROOT\CLSID\{123B04BD-7C85-472A-A103-33EB44412D70}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [06/01/2006 06:40 PM]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [03/17/2006 07:00 PM]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 02:43 PM C:\WINDOWS\Alcmtr.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/11/2008 05:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [11/06/2006 03:15 PM]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [11/06/2006 12:41 PM]
"Glary Memory Optimizer"="C:\Program Files\Glary Utilities\memdefrag.exe" [05/22/2007 11:16 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"DJSNetCN"=C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2/1/2007 5:09:10 PM]
Acer WLAN 11g USB Dongle.lnk - C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe [11/16/2005 11:25:14 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{376e1710-b237-11db-a81c-806d6172696f}]
AutoRun\command- E:\Hi5.exe




-- End of Deckard's System Scanner: finished at 2008-07-18 23:59:47 ------------


__________________________________________________________________________________________________________________________
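The installed-applications list in the first DSS log above shows four Java runtimes installed side by side (J2SE Runtime Environment 5.0 Update 6, Java 6 Update 2, Java 6 Update 3 and Java SE Runtime Environment 6 Update 1), which is exactly what the helper's Step 1 in the next reply asks to have removed before the current release goes on. The following Python script is an added example, not part of this thread or of Deckard's System Scanner: it parses that `Name --> uninstall command` line format, picks out every JRE entry, compares its version against the latest release named in the thread (6 Update 7, taken here as an assumed baseline rather than a live lookup) and reports the MSI product code each one registers, which is the identifier `MsiExec.exe /X{...}` takes for removal. The sample lines are constructed to mirror the log above.

```python
import re

# Constructed sample in the "Name --> uninstall command" shape of the
# Deckard's System Scanner installed-applications list shown in this thread.
SAMPLE_INSTALLED = """\
Glary Utilities 2.2.2.66 --> "C:\\Program Files\\Glary Utilities\\unins000.exe"
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Mozilla Firefox (2.0.0.14) --> C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe
"""

# Latest JRE named in this thread (6 Update 7); an assumed baseline, not a live lookup.
LATEST_JRE = (6, 7)

# "5.0 Update 6" -> (5, 6); "6 Update 2" -> (6, 2)
VERSION_RE = re.compile(r"(\d+)(?:\.\d+)?\s+Update\s+(\d+)")
# MSI product code as it appears in the MsiExec.exe /I{...} uninstall command
PRODUCT_CODE_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_installed(text):
    """Split each 'Name --> command' line into a (name, command) pair."""
    entries = []
    for line in text.splitlines():
        if " --> " not in line:
            continue  # header or blank lines carry no entry
        name, command = line.split(" --> ", 1)
        entries.append((name.strip(), command.strip()))
    return entries


def java_version(name):
    """Return (major, update) for a JRE/J2SE entry, or None for anything else."""
    if not name.startswith(("J2SE", "Java")):
        return None
    m = VERSION_RE.search(name)
    return (int(m.group(1)), int(m.group(2))) if m else None


def outdated_java(entries, latest=LATEST_JRE):
    """List every JRE older than `latest`, with the MSI product code it registers."""
    report = []
    for name, command in entries:
        version = java_version(name)
        if version is None or version >= latest:
            continue
        code = PRODUCT_CODE_RE.search(command)
        report.append({
            "name": name,
            "version": version,
            "product_code": code.group(0) if code else None,
        })
    return report


if __name__ == "__main__":
    for item in outdated_java(parse_installed(SAMPLE_INSTALLED)):
        print(f"{item['name']}: {item['version']} is older than {LATEST_JRE} "
              f"(product code {item['product_code']})")
```

Run against the real DSS output by reading the text of the "Installed Applications" section into `parse_installed`; every entry it reports is one that the Step 1 procedure would remove through Add/Remove Programs, and the product code lets the same removal be verified or scripted without guessing at display names.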

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:12:55 AM

Posted 20 July 2008 - 03:46 PM

You may want to print this page. Make sure to work through the fixes in the order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

I noticed that you have some programs that need to be updated.

Step 1

Your Java Runtime Environment is out of date. The latest version is Java Runtime Environment (JRE) 6 Update 7
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older versions of Java Runtime Environment.
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer after all Java components are removed.
Please download the latest Java Runtime Environment.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 7. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right. When a new window opens, you will see
    NOTE: This page offers files for different platforms - please be sure to download the proper file(s) for your platform.
    Required: You must accept the license agreement to download the product.
  • Click to place a check mark by Accept License Agreement.
  • Make the selection corresponding to your computer platform. For Windows, click on the Windows Offline Installation, Multi-language link to download. Save it to your desktop.
  • On your desktop, double-click on jre-6u7-windows-i586-p.exe to install the newest version.
After you have installed the Java software on your computer, you must restart your browser. You can verify that Java Runtime Environment (JRE) has been installed correctly by clicking on the Verify Installation button on the Welcome To Java and Verify Installation page.

Step 2

Your "Adobe Reader" is out of date.
You may want to download the latest version, Adobe® Reader® 8.

Step 3

In normal mode, run an online antivirus check from at least two and preferably three of the following sites:
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require ActiveX to run.
  • Detects and removes malware ( viruses, worms, trojans, etc. )
  • Detects and removes grayware and spyware
  • Restores damage caused by malware to your system.
  • Notifies about vulnerabilities in installed programs and connected network services.
  • Multi-platform support for: Windows, Linux, Solaris.
  • Easy to use with Microsoft Internet Explorer and Mozilla Firefox.
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 4

Please download Ad-Aware 2008.
Please check this link, Ad-Aware 2007/ 2008 for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 5

I recommend using Spyware Blaster.
Please download SpywareBlaster. SpywareBlaster helps to:
  • Prevent the installation of Active X-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
Please see Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware for instructions on how to download, install, and use SpywareBlaster.

Step 6

Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it is detected and minimizes interruptions and helps you stay productive.

Please download and install Windows Defender.
  • Confirm that your computer meets the minimum system requirements to install Windows Defender.
  • Visit the Windows Defender page in the Microsoft Download Center. Click the Continue button and follow the directions on the succeeding pages to download the program and start the Installation Wizard.
  • Follow the steps in the Installation Wizard. You will be asked if you want to participate in the Microsoft SpyNet online community. We suggest you choose the first option, Use recommended settings.
  • Click Next to continue.
  • Click Install to begin installing Windows Defender.
  • When installation is complete, click Finish. Windows Defender will begin to scan your computer.
  • For more information, see How to install and set up Windows Defender.

Step 7

ATF-Cleaner features include:
  • Cleaning of all user temp folders (only an administrator can use this feature).
  • Cleaning of the Java cache, which seems to be harboring more and more malware.
  • Cleaning the cache, cookies, history, download history, visited links and saved passwords. You have the option of checking no if you want to save your passwords.
Please download the ATF-Cleaner by Atribune.
Instructions:
  • Double-click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch (Windows XP only)
    • Java Cache
  • The rest are optional - if you want to remove them all, check Select All.
  • Click the Empty Selected button.
  • When you get the Done Cleaning message, click OK.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
  • When you get the Done Cleaning message, click OK.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
  • When you get the Done Cleaning message, click OK.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
If needed, Tutorial on ATF Cleaner with pictures.
Do not run it yet.

Step 8

Please disconnect from the Internet. Please close ALL browser windows (including this one).

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customi.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customi...//www.yahoo.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: Ticket Toolbar - {3d23aaa9-547c-4fb8-8c32-b00b932f8603} - C:\Program Files\Ticket\tbTic1.dll ??

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

Step 9

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if they apply to your computer problem with being slow to respond.
Slow Computer? Check here first, it may not be malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 10

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 11

Do you know what the Ticket program is and know that it is safe? Please locate the file in Windows Explorer. Right click on the file, tbTic1.dll, and click Properties. Please post any details that you found.

I found only a few or no details on the following entries.

O24 - Desktop Component 0: (no name) - http://www.treehousetv.com/kids/games/miss...PB1280x1024.jpg

O2 - BHO: Ticket Toolbar - {3d23aaa9-547c-4fb8-8c32-b00b932f8603} - C:\Program Files\Ticket\tbTic1.dll

Step 12

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 13

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post the list of file names and locations for any files that can’t be cleaned / deleted that were reported after you completed the online scans.

Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
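The HijackThis lines listed in Step 8 are triaged by eye. As an added example, not code from this thread or from HijackThis itself, here is a small Python parser that splits such lines into type, name, CLSID and target, and flags the registrations whose backing file is gone ("(file missing)" or "(no file)"), which are the low-risk removal candidates; the sample log is constructed from lines quoted in this thread, and the "bare_command" and "unnamed" heuristics are this example's own, not a HijackThis feature.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis entries quoted in this
# thread, with a non-entry header line and blank lines mixed in to exercise the parser.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customi.../search/ie.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O3 - Toolbar: Ticket Toolbar - {3d23aaa9-547c-4fb8-8c32-b00b932f8603} - C:\Program Files\Ticket\tbTic1.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O24 - Desktop Component 0: (no name) - http://www.treehousetv.com/kids/games/miss...PB1280x1024.jpg
"""

# "O23 - <body>": a type code, " - ", then a type-specific body.
LINE_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*\S)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body: "HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Entry:
    kind: str                    # R1, O2, O4, O23, ...
    raw: str
    name: str = ""               # display name, Run value name, or registry key
    clsid: str = ""              # COM class id, where the entry carries one
    target: str = ""             # file path, command line, or URL the entry points at
    flags: List[str] = field(default_factory=list)


def classify(e: Entry) -> List[str]:
    """Heuristics added by this example: mark registrations that deserve a second look."""
    flags = []
    t = e.target
    # Registration left behind after its DLL/EXE was deleted: low risk to remove.
    if t == "(no file)" or t.endswith("(file missing)"):
        flags.append("orphaned")
    # A hook with no display name hides what it is.
    if e.name == "(no name)":
        flags.append("unnamed")
    # A Run value with a bare file name resolves through the search path, so the
    # log alone does not say which file actually executes.
    if e.kind == "O4" and t and "\\" not in t and not t.startswith('"'):
        flags.append("bare_command")
    return flags


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                         # header, process list, blank line
    kind, body = m.group("kind"), m.group("body")
    e = Entry(kind=kind, raw=line.strip())
    if kind[0] in "RF":
        # R0/R1: "HKxx\...\Main,Search Bar = http://..." (the value may be empty)
        e.name, _, value = body.partition(" =")
        e.target = value.strip()
    elif kind == "O4":
        m4 = RUN_RE.match(body)
        if m4:
            e.name, e.target = m4.group("name"), m4.group("cmd").strip()
        else:
            e.target = body.partition(": ")[2]   # e.g. "Global Startup: foo.lnk = ?"
    else:
        # O2/O3/O9/O23/O24: "Label: name - {CLSID} - path"; O23 carries a vendor
        # field instead of a CLSID, O24 a URL instead of a path.
        _, _, rest = body.partition(": ")
        parts = [p.strip() for p in rest.split(" - ")]
        e.name = parts[0]
        e.target = parts[-1] if len(parts) > 1 else ""
        cm = CLSID_RE.search(rest)
        e.clsid = cm.group(0) if cm else ""
    e.flags = classify(e)
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def summarize(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


def removal_candidates(entries: List[Entry]) -> List[Entry]:
    """Entries whose backing file is gone; everything else still needs human review."""
    return [e for e in entries if "orphaned" in e.flags]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("entries by type:", summarize(entries))
    for e in entries:
        if e.flags:
            print(f"{e.kind:4} {','.join(e.flags):18} {e.name} -> {e.target}")
```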

#5 suebaby41
W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 28 July 2008 - 08:01 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

#6 suebaby41
W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 28 July 2008 - 08:28 PM

Opened at your request. Please post a new HijackThis log and let me know how your computer is behaving. Thanks.

#7 Montana32
  • Topic Starter
  • Members
  • 17 posts

Posted 28 July 2008 - 09:27 PM

I am posting everything here using the same Steps you asked me to follow. I hope that makes it easier to follow. There were problems found that it told me not to fix myself so I will definitely need some help here please.

Step 1: Update Java, Done
Step 2: Update Adobe, Done (updated from 7 to 9)
Step 3a: Run BitDefender, Done
I am attaching the log as it said "at least one of the infected files could not be disinfected or deleted".
LOG: BitDefender Online Scanner
Scan report generated at: Fri, Jul 25, 2008 - 13:51:12
Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;

Statistics
Time: 01:15:58
Files: 345672
Folders: 7677
Boot Sectors: 4
Archives: 36123
Packed Files: 16240

Results
Identified Viruses: 8
Infected Files: 17
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 19

Engines Info
Virus Definitions: 1389053
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 43
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FEA2230.htm=>(Quarantine-2)
Infected with: Generic.XPL.ADODB.AB1F7F6E

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FEA2230.htm=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FEA2230.htm=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\604863C8.htm=>(Quarantine-2)
Infected with: Exploit.HTML.Agent.AO

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\604863C8.htm=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\604863C8.htm=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>VaaaaaaaBaa.class
Infected with: Trojan.Java.Classloader.AO

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>VaaaaaaaBaa.class
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)
Updated

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>Dvnny.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>Dvnny.class
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>Dvnny.class
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)
Updated

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>Baaaaa.class
Infected with: Java.Trojan.Exploit.Bytverify.I

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>Baaaaa.class
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)
Updated

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>Dex.class
Infected with: Trojan.Classloader.G

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>Dex.class
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)
Updated

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>Dix.class
Infected with: Trojan.Java.ClassLoader.D

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>Dix.class
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)
Updated

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>Dux.class
Infected with: Trojan.Java.ClassLoader.D

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)=>Dux.class
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp=>(Quarantine-2)
Updated

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D617613.tmp
Update failed

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 103): [Bulk] How would You like to divert 1000s of fresh new visitors daily=>[Subject: [Bulk] How would You like to divert 10][Date: Thu, 17 Jul 2008 05:29:41 +1000]=>(MIME part)=>Full_Details.htm
Infected with: Trojan.Clicker.MQL

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 103): [Bulk] How would You like to divert 1000s of fresh new visitors daily=>[Subject: [Bulk] How would You like to divert 10][Date: Thu, 17 Jul 2008 05:29:41 +1000]=>(MIME part)=>Full_Details.htm
Deleted

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 103): [Bulk] How would You like to divert 1000s of fresh new visitors daily=>[Subject: [Bulk] How would You like to divert 10][Date: Thu, 17 Jul 2008 05:29:41 +1000]=>(MIME part)
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 103): [Bulk] How would You like to divert 1000s of fresh new visitors daily
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 188): [Bulk] Feed Blaster puts your ad right to the screens of millions in 15 Minutes !=>[Subject: [Bulk] Feed Blaster puts your ad right][Date: Tue, 15 Jul 2008 00:22:06 +0200]=>(MIME part)=>Full_Details.htm
Infected with: Trojan.Clicker.MQL

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 188): [Bulk] Feed Blaster puts your ad right to the screens of millions in 15 Minutes !=>[Subject: [Bulk] Feed Blaster puts your ad right][Date: Tue, 15 Jul 2008 00:22:06 +0200]=>(MIME part)=>Full_Details.htm
Deleted

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 188): [Bulk] Feed Blaster puts your ad right to the screens of millions in 15 Minutes !=>[Subject: [Bulk] Feed Blaster puts your ad right][Date: Tue, 15 Jul 2008 00:22:06 +0200]=>(MIME part)
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 188): [Bulk] Feed Blaster puts your ad right to the screens of millions in 15 Minutes !
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 296): [Bulk] "How would you like to have your ad on 2 Million Websites ?"=>[Subject: [Bulk] "How would you like to have you][Date: Sat, 12 Jul 2008 23:23:28 -0100]=>(MIME part)=>Full_Details.htm
Infected with: Trojan.Clicker.MQL

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 296): [Bulk] "How would you like to have your ad on 2 Million Websites ?"=>[Subject: [Bulk] "How would you like to have you][Date: Sat, 12 Jul 2008 23:23:28 -0100]=>(MIME part)=>Full_Details.htm
Deleted

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 296): [Bulk] "How would you like to have your ad on 2 Million Websites ?"=>[Subject: [Bulk] "How would you like to have you][Date: Sat, 12 Jul 2008 23:23:28 -0100]=>(MIME part)
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 296): [Bulk] "How would you like to have your ad on 2 Million Websites ?"
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 386): [Bulk] =>[Subject: [Bulk] ][Date: Fri, 11 Jul 2008 06:59:35 -0400]=>(MIME part)=>Full_Details.htm
Infected with: Trojan.Clicker.MQL

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 386): [Bulk] =>[Subject: [Bulk] ][Date: Fri, 11 Jul 2008 06:59:35 -0400]=>(MIME part)=>Full_Details.htm
Deleted

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 386): [Bulk] =>[Subject: [Bulk] ][Date: Fri, 11 Jul 2008 06:59:35 -0400]=>(MIME part)
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 386): [Bulk]
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 561): [Bulk] How would You like to divert 1000s of fresh new visitors daily=>[Subject: [Bulk] How would You like to divert 10][Date: Tue, 08 Jul 2008 17:06:56 -0500]=>(MIME part)=>Full_Details.htm
Infected with: Trojan.Clicker.MQL

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 561): [Bulk] How would You like to divert 1000s of fresh new visitors daily=>[Subject: [Bulk] How would You like to divert 10][Date: Tue, 08 Jul 2008 17:06:56 -0500]=>(MIME part)=>Full_Details.htm
Deleted

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 561): [Bulk] How would You like to divert 1000s of fresh new visitors daily=>[Subject: [Bulk] How would You like to divert 10][Date: Tue, 08 Jul 2008 17:06:56 -0500]=>(MIME part)
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 561): [Bulk] How would You like to divert 1000s of fresh new visitors daily
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 713): [Bulk] Make up to $500 per day, working less than one hour per day!=>[Subject: [Bulk] Make up to $500 per day, workin][Date: Sat, 05 Jul 2008 09:50:53 -0300]=>(MIME part)=>Full_Details.htm
Infected with: Trojan.Clicker.MQL

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 713): [Bulk] Make up to $500 per day, working less than one hour per day!=>[Subject: [Bulk] Make up to $500 per day, workin][Date: Sat, 05 Jul 2008 09:50:53 -0300]=>(MIME part)=>Full_Details.htm
Deleted

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 713): [Bulk] Make up to $500 per day, working less than one hour per day!=>[Subject: [Bulk] Make up to $500 per day, workin][Date: Sat, 05 Jul 2008 09:50:53 -0300]=>(MIME part)
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 713): [Bulk] Make up to $500 per day, working less than one hour per day!
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 852): [Bulk] Post your ads where people read them!=>[Subject: [Bulk] Post your ads where people read][Date: Thu, 03 Jul 2008 13:42:26 +1100]=>(MIME part)=>Full_Details.htm
Infected with: Trojan.Clicker.MQL

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 852): [Bulk] Post your ads where people read them!=>[Subject: [Bulk] Post your ads where people read][Date: Thu, 03 Jul 2008 13:42:26 +1100]=>(MIME part)=>Full_Details.htm
Deleted

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 852): [Bulk] Post your ads where people read them!=>[Subject: [Bulk] Post your ads where people read][Date: Thu, 03 Jul 2008 13:42:26 +1100]=>(MIME part)
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 852): [Bulk] Post your ads where people read them!
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 982): [Bulk] Take paid online surveys - $10-$100 per survey!=>[Subject: [Bulk] Take paid online surveys - $10-][Date: Tue, 01 Jul 2008 09:30:00 -0400]=>(MIME part)=>Full_Details.htm
Infected with: Trojan.Clicker.MQL

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 982): [Bulk] Take paid online surveys - $10-$100 per survey!=>[Subject: [Bulk] Take paid online surveys - $10-][Date: Tue, 01 Jul 2008 09:30:00 -0400]=>(MIME part)=>Full_Details.htm
Deleted

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 982): [Bulk] Take paid online surveys - $10-$100 per survey!=>[Subject: [Bulk] Take paid online surveys - $10-][Date: Tue, 01 Jul 2008 09:30:00 -0400]=>(MIME part)
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 982): [Bulk] Take paid online surveys - $10-$100 per survey!
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 1062): [Bulk] Post your ads where people read them!=>[Subject: [Bulk] Post your ads where people read][Date: Sun, 29 Jun 2008 13:32:17 -0700]=>(MIME part)=>Full_Details.htm
Infected with: Trojan.Clicker.MQL

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 1062): [Bulk] Post your ads where people read them!=>[Subject: [Bulk] Post your ads where people read][Date: Sun, 29 Jun 2008 13:32:17 -0700]=>(MIME part)=>Full_Details.htm
Deleted

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 1062): [Bulk] Post your ads where people read them!=>[Subject: [Bulk] Post your ads where people read][Date: Sun, 29 Jun 2008 13:32:17 -0700]=>(MIME part)
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak=>(message 1062): [Bulk] Post your ads where people read them!
Updated

C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005\Dc8.bak
Updated

Step 3b: Run Windows Live Safety Center Free Online Scan, Done
Found 3 severe protection issues, 1 not able to be cleaned
Found 217 registry items, 202 cleaned, 15 errors
Found 343.4 MB of temp files, all cleaned
Found C Drive to be 25% fragmented, fixed
- Both of these files were found in the Norton Antivirus quarantine:
"TrojanDownloader:Js/PSYme.gen 6bae25f1.htm and 6b912c12.htm"
It said "manual removal not recommended". Removed by byte.verifyDownloader.
Step 4: Download Ad Aware 2008, Done and Ran it
Deleted some tracking cookies
Step 5: Download SpywareBlaster, Done
Step 6: Download Windows Defender, Done
"No unwanted or harmful software detected."
Step 7: Download ATF-Cleaner, Done
899 MB cleaned, used it for all three browsers
Step 8: Disconnect from internet and run HijackThis and click Scan
Step 9: Optional Fixes, NOT Done
I would like to do this; when I did it before, I think I disabled some things I should not have, so I will need help please.
Step 10: Click Fix Checked on HijackThis, Checked and removed all but one.
I left O23 Service Ad-Aware because it did not say the same thing. I previously had Ad-Aware 2007, which was deleted when I updated in Step 4.
This line now says "O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:/ProgramFiles/Lavasoft/Ad-Aware/aawservice.exe".
Step 11: Ticket is a 1.43 MB Application Extension by Conduit Toolbar. I use it to find out what concerts are going on sale in my area. I do not know if it is safe; I can delete it if you think I should. The desktop component from Treehouse TV is from a Canadian television station and I believe it to be trustworthy.
Step 12: Run HijackThis and post log, Done
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:22 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPre1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Ticket Toolbar - {3d23aaa9-547c-4fb8-8c32-b00b932f8603} - C:\Program Files\Ticket\tbTic1.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPre1.dll
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [Glary Memory Optimizer] C:\Program Files\Glary Utilities\memdefrag.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; YPC 3.2.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - http://www.treehousetv.com/kids/games/miss...PB1280x1024.jpg

--
End of file - 12322 bytes


______________________________
So it looks like there are a few things I still need to fix, if you will tell me how I will do them. None of my other virus programs found any problems but both of the ones I ran that you suggested did so perhaps the solution to the problem has been found. I will keep an eye on my active connections and advise you as to what is going on after I have been online for a day or so. :thumbsup:

#8 suebaby41

suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 29 July 2008 - 03:13 PM

If you feel comfortable and would like to clean the Norton Quarantine folder and the Recycler folder, the instructions are below.
Step 1

- Both of these files were found in the Norton Antivirus quarantine
" TrojanDownloader:Js/PSYme.gen 6bae25f1.htm and 6b912c12.htm"
It said "manual removal not recommended" Removed by byte.verifyDownloader

At some point, you will need to visit the "Quarantine" folder of your Symantec and delete the infected file(s). The files in "C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine" can be deleted. Make sure you have no process from your antivirus program running.

To perform a Symantec Norton quarantine cleanup:
  • Disconnect your computer from the Internet (physically unplug the cable)
  • Boot to Safe Mode ( without networking support !). If you don’t know how to boot in Safe Mode, use this tutorial, How To Start Windows in Safe Mode.
  • Open the Symantec Norton AntiVirus program by double clicking on the yellow shield on the lower right hand corner of your desktop.
  • On the left panel, click the + sign to the left of View.
  • Click on Quarantine.
  • You should see the infected file(s) listed in the Quarantine window on the right side panel.
  • Click on the infected file(s).
  • To delete them, click on the Delete button represented by the Red X found on the top of the screen. Delete the items a few at a time.
  • After deleting, click on Backup Items and Repaired Items found on the left panel and perform steps 4-6 on these folders as well. If there are no infected files listed under "Backup or Repaired items", ignore the step above.
  • Turn off the computer, reconnect your Internet cable and restart your computer. Make sure you empty the Recycle Bin periodically.
Step 2

The files in C:\RECYCLER\S-1-5-21-287040438-4150434519-1452255736-1005 can be deleted.

To Delete Files From The Recycler (Not the Recycle Bin).
  • Start > Run. Type in: cmd.
  • In Command window, type: rd /s /q c:\recycler (Ensure that a space is between rd and /s and /q and c:\recycler.)
  • Press Enter (after pressing Enter, you will not get notification anything was done).
  • Type in: exit (this closes the Command window.)
  • Reboot/Restart computer
  • Note: explorer.exe may need to be ended in Windows Task Manager first.
After completing these two steps, please run the two online scanners, BitDefender
and Windows Live Safety Center Free Online Scan.

Edited by suebaby41, 29 July 2008 - 04:25 PM.
extra words

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#9 Montana32

Montana32
  • Topic Starter
  • Members
  • 17 posts

Posted 29 July 2008 - 05:16 PM

I need some help/advice before completing Step 1.

It seems I can not access Norton Antivirus if I am not connected to the Internet. My service provider gives me Norton free of charge as part of my service but I see it is Rogers Yahoo Norton AntiVirus online protection. Therefore when I boot in safe mode and am not connected to the internet, Norton is not on my computer, neither are the quarantined files.

So, is it okay to be connected to the internet and running in normal mode to do step 1??

I didn't know if it was important to do these two procedures in this order so I have not attempted to do Step 2 yet.

Thank you.

#10 suebaby41

suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 29 July 2008 - 05:41 PM

You can do it in Normal Mode. Just start with Step 3.

In this case, the order is not that important.

#11 Montana32

Montana32
  • Topic Starter
  • Members
  • 17 posts

Posted 29 July 2008 - 11:49 PM

Step 1: Norton cleanup in normal mode - done
Step 2: Delete files from Recycler - done
Run BitDefender - done ( no problems found )
Run Windows Live Safety Center scan - done ( no viruses or spyware found, 303 registry items, 60.1 MB temp files, Drive C: 24% fragmented - ( 284 cleaned, 19 errors, 0 skipped by user, 60.1 MB temp files cleaned or compressed, drive C: defragmented)

I have already noticed something different. Before when I opened my ISP program that checked number of active internet connections the bar was usually orange (many connections) or red (tons of connections) and sometimes green (6-12 connections). Since I have done what you asked me to do, the bar doesn't even show up any more and I have only seen 1 active connection. Looks like I am on the road to recovery finally!!

If your offer still stands to do the optional fixes for unnecessary programs that run during start up, I would like help with that. Previously, I have used your website to help determine (one running process at a time and checking all 53) which ones I could disable or get rid of altogether. I didn't do a very good job I guess, as every time I restarted the computer it wanted to undo the changes I made, and it did not seem to make a difference in speed at all.


Thanks for sharing your knowledge as I did a lot of things to fix this problem but nothing I did worked and I think this has!!!!

#12 suebaby41

suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 30 July 2008 - 08:19 AM

Step 1

Spybot - Search and Destroy TeaTimer
  • Please disable Spybot - Search and Destroy TeaTimer, as it will prevent HijackThis from fixing the infection. You can enable it after you're clean. To disable Spybot - Search and Destroy TeaTimer:
  • Open Spybot - Search and Destroy.
  • Click Mode in the toolbar.
  • Select Advanced Mode.
  • Click Tools.
  • Click Resident.
  • Uncheck the box next to Resident Tea-Timer.
  • Close Spybot - Search and Destroy.
  • Reboot your machine.

Step 2

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -


Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 3

Remember that you will be removing the program from your startup but you would not be removing the program itself.

Please run "HijackThis" and click "Scan". Place checks next to the following entries if you decide to do the Optional Fixes.

eRAgent.exe (Acer's eRecovery Management) process can be removed to free up resources without compromising system performance. Part of Acer's eRecovery Management program. This program allows you to create and restore backups of your computer. It also enables you to restore your computer back to the factory default installation. This is a valid program but it is not required to run on startup. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

You have QuickTime running at Startup. This is QuickTime's system tray icon and not necessary for the program to function properly. It is considered to be a resource hog. You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in QuickTime Player itself to keep it from resetting itself. Item(s) to fix in HijackThis:

O4 ‑ HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" ‑atboottime

There is a small program that will prevent QuickTime from resetting itself.
Please download Engraph-QuickTime-Killer. This is a free utility from EnGraph software. For more information about EnGraph, go to www.engraph.com. This application is intended for people that use or consume Sprint Video Mail, as Sprint uses QuickTime for viewing their movies (or anybody that hates QuickTime). Of course, as soon as QuickTime is run, it adds itself to startup, which is very annoying to me. This application will remove QuickTime from start up and kill any running QuickTime processes. This application runs silently at start up and closes itself as soon as it takes care of QuickTime.

You have jusched.exe running at Startup. It checks with Sun's Java updates site to see if newer Java versions are available. This program is not required to start automatically. You can do this manually by visiting http://java.sun.com or just run the Java Plug-In Control Panel. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

You have reader_sl.exe running at Startup. This is a process associated with the Adobe Reader. It is used to decrease the load time for the reader when a PDF document is selected. This is a non-essential process. You will still be able to start it manually if you need it. You can fix this with HijackThis. Item(s) to fix in HijackThis:

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

You have realsched.exe (RealPlayer's autoupdate program) running at Startup. This is RealPlayer's autoupdate program and is not necessary for the program to function properly. realsched.exe is a program which schedules for manual update checks for Real Networks products. This is a non-essential process. Disabling or enabling this is down to user preference however disabling may prevent notification of updates. It is considered to be a resource hog. You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in RealPlayer itself to keep it from resetting itself. Item(s) to fix in HijackThis:

O4 ‑ HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" ‑osboot

msmsgs.exe (MSN Messenger Internet chat tool) is the main process relating to the MSN Messenger Internet chat tool installed by default on most Windows computers. The Windows Messenger (IM, MSN Messenger) from Microsoft provides Online Chat and Instant Messaging. If you don't use Windows Messenger, you can
  • Rename the "Messenger" folder.
  • Uninstall, Stop, Disable or Remove "Windows Messenger (IM, MSN Messenger)".
A tray bar is also installed alongside this process for easy access to its features, which include Internet chat, file sharing and audio/video conferencing. This is a non-essential process. Disabling or enabling it is down to user preference. This process can be removed to free up resources without compromising system performance. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

AppleMobileDeviceService.exe (Apple Mobile Device) process can be removed to free up resources without compromising system performance. Used by iTunes to communicate with the Apple iPhone when it is connected to your computer. This is a valid program, but it is up to you whether or not you want it to run on startup. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. To change the service to Manual:
  • Right-click on My Computer and choose Manage.
  • Expand the Services and Applications section and click on Services.
  • On the right-side of the screen, find the entry for Apple Mobile Device and double-click on it.
  • Change the Startup Type: to Manual.
  • Hit the OK button and close the Computer Management screen.
It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

ati2evxx.exe is the ATI External Event Utility for your ATI display drivers. It manages the ATI Hotkey feature. This process can be removed to free up resources without compromising system performance. ati2evxx.exe is a process which provides optional features that the majority of us really do not use. The XT's overdrive feature uses this. If you have an XT you'll probably want to leave this on. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis.
To change the service to Manual:
  • Right-click on My Computer and choose Manage.
  • Expand the Services and Applications section and click on Services.
  • On the right-side of the screen, find the entry for Ati HotKey Poller and double-click on it.
  • Change the Startup Type: to Manual.
  • Hit the OK button and close the Computer Management screen.
Item(s) to fix in HijackThis:

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

IDriverT.exe (InstallShield- InstallDriver Table Manager) process can be removed to free up resources without compromising system performance. idrivert.exe is a process which belongs to the InstallShield product installation service which should only appear when you are installing a new piece of software. This program is not required to start automatically as you can start it manually if you need it. To change to Manual:
  • Right-click on My Computer and choose Manage.
  • Expand the Services and Applications section and click on Services.
  • On the right-side of the screen, find the entry for InstallDriver Table Manager and double-click on it.
  • Change the Startup Type: to Manual.
  • Hit the OK button and close the Computer Management screen.
Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

ipodservice.exe is a process belonging to Apple's iTunes peer-to-peer download tool. The ipodservice.exe process is a utility used to download mp3 files for your iPod. If you do not use it, or do not have an iPod, you can safely disable this process. This process can be removed to free up resources without compromising system performance. It is advised that you disable this program so that it does not take up necessary resources. To disable ipodservice, click Start > Settings > Control Panel > Performance and Maintenance > Administrative Tools > Services. Find the IpodService, Right-click and select Properties. Change the setting in StartUp type: to Disabled or click Start > Run. Type services.msc Find the IpodService, Right-click and select Properties. Change the setting in StartUp type to Disabled to disable the service. Item(s) to fix in HijackThis:

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Please post a new HijackThis Log.
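As an added example (not from this thread, and not part of HijackThis itself), a small parser for the log format posted above that groups entries the way the helper triages them: O4 autostart items, O16 ActiveX downloads, O23 services, and "dangling" entries whose target is blank or missing, such as the Java plug-in DPF lines fixed in Step 2. The sample log is a constructed subset of lines copied from this thread.

```python
"""Parse HijackThis v2.0.2 log lines and group them for triage.
Added example; the sample log below is a constructed subset of this thread's log."""
import re
from dataclasses import dataclass
from typing import Optional

# CLSID as HijackThis prints it, e.g. {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Every entry starts with a section tag: R0, O2, O4, O16, O23 ...
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# HijackThis markers for a registered component whose file is gone
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    section: str          # "O2", "O4", "O16", "O23", ...
    kind: str             # "BHO", "HKLM\..\Run", "Global Startup", "DPF", "Service"
    name: str             # display name, run-key value name, or shortcut name
    clsid: Optional[str]  # CLSID for O2/O3/O9/O16 entries, else None
    target: str           # file path or URL; "" when the log shows none


def parse_line(line: str) -> Optional[HjtEntry]:
    """Return a structured entry, or None for headers, process list lines and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]
    kind, sep, rest = body.partition(": ")
    if not sep:
        return None
    if section == "O4":
        if kind == "Global Startup":            # "Name.lnk = target" ("?" = unresolved shortcut)
            name, _, target = rest.partition(" = ")
            return HjtEntry(section, kind, name.strip(), None, target.strip())
        m4 = re.match(r"^\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$", rest)   # "[Name] command"
        return HjtEntry(section, kind, m4["name"], None, m4["target"].strip()) if m4 else None
    if section == "O23":
        # "Display Name (short) - Vendor - path"; maxsplit keeps any " - " inside the path
        parts = rest.split(" - ", 2)
        if len(parts) != 3:
            return None
        return HjtEntry(section, kind, parts[0].strip(), None, parts[2].strip())
    if section == "O16":
        # "{CLSID} (Friendly Name) - URL"; the name and the URL may both be absent
        g = GUID_RE.match(rest)
        if not g:
            return None
        tail, name = rest[g.end():].strip(), ""
        if tail.startswith("("):
            name, _, tail = tail[1:].partition(")")
            tail = tail.strip()
        target = tail[1:].strip() if tail.startswith("-") else ""
        return HjtEntry(section, kind, name, g.group(0), target)
    # O2 / O3 / O9 / O18: "Name - {CLSID} - target"; O8 / O24 carry no CLSID
    g = GUID_RE.search(rest)
    if not g:
        return HjtEntry(section, kind, rest.strip(), None, "")
    name = rest[:g.start()].rstrip(" -")
    target = rest[g.end():].lstrip(" -").strip()
    return HjtEntry(section, kind, name, g.group(0), target)


def triage(log_text: str) -> dict:
    """Group entries the way a helper reads a log: what autostarts, what ActiveX
    controls were downloaded, which services exist, and what no longer resolves."""
    report = {"autostart": [], "activex": [], "services": [], "dangling": []}
    for e in filter(None, map(parse_line, log_text.splitlines())):
        if e.section == "O4":
            report["autostart"].append((e.kind, e.name, e.target))
        elif e.section == "O16":
            report["activex"].append((e.name, e.target))
        elif e.section == "O23":
            report["services"].append((e.name, e.target))
        if e.target in ("", "?") or any(mk in e.target for mk in MISSING_MARKERS):
            report["dangling"].append(f"{e.section} {e.kind}: {e.name} {e.clsid or ''}".strip())
    return report


# Constructed sample: a subset of lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"""

if __name__ == "__main__":
    for group, items in triage(SAMPLE_LOG).items():
        print(f"== {group} ({len(items)})")
        for item in items:
            print("  ", item)
```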

#13 Montana32

Montana32
  • Topic Starter
  • Members
  • 17 posts

Posted 30 July 2008 - 02:46 PM

Step 1: - done
Step 2: - done
Step 3: check eRAgent - done
check Quicktime and download Quicktime Killer - done
check jusched - done
check reader_sl - not done, it was not there
check realsched - not done, it was not there
disable msmsgs - not done, already set to disable
check messenger - done
check messenger - done
change Apple to manual - done
check Apple - done
change ATI to manual - done
check ATI hotkey - done
change IDriverT to manual - not done, already set to manual
check IDriverT - done
disable iPod - done
check iPod - done
post a hijackthis log -done, posted below
___________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:59 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Rogers\SelfHealing\SHS.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPre1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Ticket Toolbar - {3d23aaa9-547c-4fb8-8c32-b00b932f8603} - C:\Program Files\Ticket\tbTic1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\Program Files\Presale\tbPre1.dll
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [EnGraph QuickTimeKiller] C:\Program Files\EnGraph\QuickTimeKiller\QuickTimeKiller.exe
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [Glary Memory Optimizer] C:\Program Files\Glary Utilities\memdefrag.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - http://www.treehousetv.com/kids/games/miss...PB1280x1024.jpg

--
End of file - 10892 bytes
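As an added example, not code from this thread or from HijackThis itself, here is a small Python parser for the `Oxx - ...` lines in a log like the one above. It groups entries by section, counts how many mention a given vendor, and flags entries that point at nothing (a `(no file)` target or a startup link resolving to `?`), which are the lines a reviewer checks first. The sample lines are a subset copied from the log above.

```python
import re
from collections import Counter

# Subset of lines copied from the HijackThis log above (constructed sample input).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\\Program Files\\Yahoo!\\NAV\\NavShExt.dll
O3 - Toolbar: Presale Toolbar - {123b04bd-7c85-472a-a103-33eb44412d70} - C:\\Program Files\\Presale\\tbPre1.dll
O4 - HKCU\\..\\Run: [SHS] "C:\\Program Files\\Rogers\\SelfHealing\\SHS.exe" /background
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
"""

# Every HijackThis entry starts with a section code such as O2, O4, O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Yield (section, body) for each 'Oxx - ...' line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def find_orphans(text):
    """Entries whose target does not exist: '(no file)' or a startup link '= ?'."""
    return [f"{sec} - {body}" for sec, body in parse_hjt(text)
            if "(no file)" in body or body.endswith("= ?")]


def count_sections(text):
    """How many entries each section (O2 BHOs, O4 autoruns, O23 services, ...) has."""
    return Counter(sec for sec, _ in parse_hjt(text))


def count_vendor_mentions(text, vendor):
    """Number of entries whose text mentions a vendor name, case-insensitively."""
    return sum(1 for _, body in parse_hjt(text) if vendor.lower() in body.lower())


if __name__ == "__main__":
    print("entries per section:", dict(count_sections(SAMPLE_LOG)))
    print("Symantec entries:", count_vendor_mentions(SAMPLE_LOG, "Symantec"))
    for entry in find_orphans(SAMPLE_LOG):
        print("orphan:", entry)
```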

#14 Montana32

Montana32
  • Topic Starter

  • Members
  • 17 posts
  • Local time:12:55 AM

Posted 30 July 2008 - 08:21 PM

I thought I should let you know that my computer seemed a little slow tonight so I checked and see I have 28 active internet connections. This is with Outlook Express open and Mozilla Firefox 2.0.0.16 with just the main window and no tabs and just the google toolbar and the normal buttons toolbar.

#15 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:12:55 AM

Posted 31 July 2008 - 09:02 PM

As you can see in your HijackThis log, there are a lot of entries for the Norton Internet Security program. Norton and McAfee Internet Security Programs are heavy programs. You may want to consider uninstalling the Norton Internet Security and installing the lighter free versions of an antivirus program and a firewall program. That is your decision. If you want to do so, let me know and I can give you a list of free antivirus programs and firewalls.

I noticed that you are using Firefox 2; you may want to update to Firefox 3 which seems to be faster.

You are using Internet Explorer 6; you may want to update to Internet Explorer 7.

You have Service Pack 2; you may want to update to Service Pack 3.

I have all of them on my computer and the updated versions are faster as well as being more secure. I know you have seen pros and cons of updating to Service Pack 3, but I have it on my computers and have not had any problems.

Let me know if you want to update the programs and want a list of the free antivirus and firewall programs.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
