
HijackThis Log

  • This topic is locked
2 replies to this topic

#1 cobra5000


  • Members
  • 39 posts
  • Gender:Male
  • Location:pittsburgh, pa
  • Local time:11:40 AM

Posted 19 August 2008 - 12:56 PM

I have noticed my Core 2 Win XP Media laptop running slower and graphics not performing as usual. I use Ad-Aware and Spybot as well as SUPERAntiSpyware and they all come back clean. Using Kaspersky AV also. So I used DSS to clean it up and generate a HJT log. Hoping someone sees something I don't.
Much appreciated.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-19 13:42:58
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
145: 2008-08-19 17:43:13 UTC - RP312 - Deckard's System Scanner Restore Point
144: 2008-08-19 12:32:57 UTC - RP311 - System Checkpoint
143: 2008-08-18 06:23:55 UTC - RP310 - System Checkpoint
142: 2008-08-13 15:42:08 UTC - RP309 - System Checkpoint
141: 2008-08-12 15:31:38 UTC - RP308 - System Checkpoint

-- First Restore Point --
1: 2008-05-26 02:06:37 UTC - RP168 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:29 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\Owner.Laptop\Desktop\dss.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6960
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - Startup: Check for ContinuumClient Updates.lnk.disabled
O4 - Startup: Check for TWS Updates.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193359500953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211857640000
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...322/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\PrevxCSI\prevxcsi.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: TRANSFLO Client Agent Service (TRANSFLOClientAgentService) - Pegasus TransTech Corp. - c:\program files\pegasus transtech\transflo now\transflo.client.agent.exe

End of file - 8307 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BootScreen - c:\windows\\systemroot\system32\drivers\vidstub.sys (file missing)
R0 pxark - c:\windows\system32\drivers\pxark.sys <Not Verified; Prevx; Prevx CSI>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.5.3.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>

S2 CSIScanner - "c:\program files\prevxcsi\prevxcsi.exe" /service (file missing)
S3 TRANSFLOClientAgentService (TRANSFLO Client Agent Service) - c:\program files\pegasus transtech\transflo now\transflo.client.agent.exe <Not Verified; Pegasus TransTech Corp.; TRANSFLO®>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-05-14 18:22:53 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job

-- Files created between 2008-07-19 and 2008-08-19 -----------------------------

2008-08-19 13:45:19 0 d-------- C:\Program Files\Trend Micro
2008-08-05 10:23:25 0 d-------- C:\Program Files\MktDelta
2008-07-29 23:34:21 0 d-------- C:\cyf
2008-07-27 13:13:58 0 d-------- C:\iowagrain

-- Find3M Report ---------------------------------------------------------------

2008-08-04 21:19:51 0 d-------- C:\Program Files\PowerArchiver
2008-07-27 14:45:52 0 d-------- C:\Program Files\FMS
2008-07-17 11:23:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-11 00:40:56 0 d-------- C:\Documents and Settings\Owner.Laptop\Application Data\Mozilla
2008-07-11 00:40:37 0 d-------- C:\Program Files\TomTom HOME 2
2008-07-10 21:03:53 0 d-------- C:\Program Files\Delftship
2008-07-10 13:16:33 0 d-------- C:\Documents and Settings\Owner.Laptop\Application Data\uTorrent
2008-07-09 21:39:15 36412 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-08 16:52:46 0 d-------- C:\Documents and Settings\Owner.Laptop\Application Data\Apple Computer
2008-07-08 16:52:33 0 d-------- C:\Program Files\Safari
2008-07-08 16:51:56 0 d-------- C:\Program Files\Bonjour
2008-07-08 16:51:48 0 d-------- C:\Program Files\Apple Software Update
2008-07-06 15:24:23 0 d-------- C:\Documents and Settings\Owner.Laptop\Application Data\TrueCrypt
2008-07-06 12:59:09 0 d-------- C:\Program Files\TrueCrypt
2008-07-05 23:03:31 0 d-------- C:\Program Files\RealFlightG4
2008-07-05 22:10:34 0 d-------- C:\Program Files\Common Files\knifeedge
2008-07-05 22:01:42 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-07-05 21:53:49 0 d-------- C:\Documents and Settings\Owner.Laptop\Application Data\DAEMON Tools
2008-07-05 20:59:22 0 d-------- C:\Program Files\PhoenixRC
2008-07-04 23:44:39 0 d-------- C:\Program Files\RealFlight G4 Demo
2008-07-03 20:16:26 0 d-------- C:\Program Files\PhoenixRC Demo
2008-07-03 14:36:13 0 d-------- C:\Documents and Settings\Owner.Laptop\Application Data\Uniblue
2008-07-03 14:36:07 0 d-------- C:\Program Files\Uniblue
2008-07-03 14:29:20 0 d-------- C:\Program Files\Common Files
2008-06-29 10:32:09 0 d-------- C:\Program Files\HeliSim
2008-06-27 09:29:28 0 d-------- C:\Documents and Settings\Owner.Laptop\Application Data\GTek
2008-06-01 05:03:21 50688 --a------ C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2008-06-01 04:18:26 214528 --a------ C:\VundoFix.exe <Not Verified; Atribune.org; VundoFix>
2008-05-26 22:45:53 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-05-26 22:43:16 800 --ahs---- C:\WINDOWS\system32\xwvyyGgh.ini2
2008-05-26 09:14:40 67561 --a------ C:\WINDOWS\lfn.exe
2008-05-25 21:25:02 902587 --ahs---- C:\WINDOWS\system32\sDKjkSBc.ini2
2008-05-25 15:04:32 910725 --ahs---- C:\WINDOWS\system32\wGQXHkkj.ini2

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 01:47 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 01:47 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [10/12/2005 04:30 PM]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [05/23/2006 09:22 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [03/23/2006 02:17 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [03/23/2006 02:13 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [03/23/2006 02:17 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [08/02/2006 04:38 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [08/02/2006 04:32 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [01/29/2007 11:02 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/19/2008 10:48 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/26/2007 11:27 AM]

"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [05/06/2008 04:42 AM]

C:\Documents and Settings\Owner.Laptop\Start Menu\Programs\Startup\
Check for ContinuumClient Updates.lnk.disabled [3/18/2008 12:57:03 PM]
Check for TWS Updates.lnk.disabled [3/27/2008 3:54:19 PM]


"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGyyvwx

"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
"Transflo Notify"=C:\Program Files\Pegasus TransTech\TRANSFLO Now\Transflo.Notify.exe
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
"TotalRecorderScheduler"="C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

AutoRun\command- H:\InstallTomTomHOME.exe

-- End of Deckard's System Scanner: finished at 2008-08-19 13:46:20 ------------
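A small triage helper for logs in this format, added here as an example and not part of the thread or of any tool mentioned in it: it parses HijackThis entries and DSS Find3M lines, flags orphaned entries ("(file missing)", "(no file)"), non-default LSA Authentication Packages and hidden+system files in system32, and reports when a hidden file's name is the reverse of a flagged package name, which is the relationship between hgGyyvwx and xwvyyGgh.ini2 in the log above. The sample lines are constructed and the heuristics are assumptions for illustration, not the HJT Team's procedure.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in HijackThis / DSS format, modelled on entry types in the log
# above (Run keys, services, the LSA "Authentication Packages" value, Find3M file lines).
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\PrevxCSI\prevxcsi.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGyyvwx
2008-05-26 22:43:16 800 --ahs---- C:\WINDOWS\system32\xwvyyGgh.ini2
2008-07-09 21:39:15 36412 --ah----- C:\WINDOWS\system32\mlfcache.dat
'''

HJT_ENTRY = re.compile(r"^([ROF]\d+)\s+-\s+(.*)$")          # e.g. "O23 - Service: ..."
FIND3M = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+([-a-z]{9})\s+(.+)$")
LSA_DEFAULT = {"msv1_0"}   # the only Authentication Package on a stock Windows XP install


def parse_hjt(line: str) -> Optional[Tuple[str, str]]:
    """Split a HijackThis line into (entry type, body); None for non-entry lines."""
    m = HJT_ENTRY.match(line)
    return (m.group(1), m.group(2)) if m else None


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (tag, reason) findings a reviewer would look at first.
    The heuristics are assumptions for illustration, not an authoritative rule set."""
    findings: List[Tuple[str, str]] = []
    lsa_names: List[str] = []      # non-default LSA package names seen
    hidden_sys: List[str] = []     # hidden+system files under system32
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_hjt(line)
        if entry and entry[1].endswith(("(file missing)", "(no file)")):
            findings.append((entry[0], "orphaned entry, target is gone: " + entry[1]))
        elif line.startswith('"Authentication Packages"'):
            for token in line.split("=", 1)[1].split():
                name = token.rsplit("\\", 1)[-1]
                if name not in LSA_DEFAULT:
                    lsa_names.append(name)
                    findings.append(("LSA", "non-default Authentication Package: " + token))
        else:
            m = FIND3M.match(line)
            if m and {"h", "s"} <= set(m.group(1)) and "\\system32\\" in m.group(2).lower():
                hidden_sys.append(m.group(2))
                findings.append(("FILE", "hidden+system file in system32: " + m.group(2)))
    # Relationship visible in the thread's log: a hidden system32 file whose name,
    # reversed, equals a non-default LSA package name (hgGyyvwx <-> xwvyyGgh.ini2).
    for path in hidden_sys:
        stem = path.rsplit("\\", 1)[-1].split(".")[0]
        if stem[::-1] in lsa_names:
            findings.append(("LINK", path + " reverses LSA package name " + stem[::-1]))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the tagged findings; entries such as the AVP Run key and the Bonjour service pass through unflagged.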



#2 SifuMike


    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:40 AM

Posted 23 August 2008 - 09:59 PM

Hello cobra5000,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click Ignore for mbamext.dll.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike


    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:40 AM

Posted 29 August 2008 - 06:07 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.