Computer problems for the past 10 days; GoogleUpdate.exe related?


  • This topic is locked
8 replies to this topic

#1 Lanimilbus (Members, 59 posts)

Posted 25 April 2009 - 08:27 PM

I made a thread on here when I first had this problem 10 days ago but apparently I made it in the wrong section so it was overlooked. The original thread contains all the details of what problems I was having:
www.bleepingcomputer.com/forums/index.php?showtopic=220017

To summarize, I was getting constant GoogleUpdate.exe errors, I couldn't open any internet browser without it immediately closing, and my computer froze every time I turned it on after only minutes of use; I ran Malwarebytes' Anti-Malware (which I had to rename to "fluffy.exe" in order for the computer to let me open it) in Safe Mode and it found two results:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


I ran it again and the entries were gone. I also ran full scans with Webroot Spysweeper and Norton Anti-Virus (neither one of which found anything other than a few tracking cookies). The problem with the constant GoogleUpdate.exe errors was fixed after that, as was the browser issue and the computer freezing after only minutes of use.

But apparently it's not all fixed yet; I'm still having issues with the computer freezing up when I try to access my desktop or open folders and occasionally freezing on startup when the desktop is loading. I'll have to manually shut it down after that, and oftentimes when it starts up again it will freeze on "Windows is starting up..." and I'll have to manually shut the tower down yet again and then turn it back on for it to load. I've seen some suspicious entries in my HJT logs but I haven't wanted to mess with them until I get advice from a professional.

Also noteworthy:
About a week and a half ago, around the time this started, I've been getting a "Windows Genuine Advantage Notifications" window on start up that asks me to check to see if my software is pirated or something...I've just been clicking "cancel" every time I see it but I don't know if it might have an effect on this.

Additionally, towards the end of March I followed the advice of an online forum (you can read the thread here) to add a .reg file to my computer that would enable .FLV, .MOV and .M4A video files to be displayed in thumbnail preview format in my computer's folders like .AVI or .MPG files are. I had success with this and haven't had any problems with it since making the .reg file, but it should be noted that oftentimes my computer will freeze as a result of opening one of the folders containing any .FLV, .MOV or .M4A files in it.

Hope this is enough info to go on, and as always, thanks much in advance for any and all help.

Here is my most recent HijackThis log:

=====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:41 PM, on 4/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\ifxtcs.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [PTHOSTTR] "c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" /Start
O4 - HKLM\..\Run: [IFXSPMGT] "C:\WINDOWS\system32\ifxspmgt.exe" /NotifyLogon
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [SetRefresh] "C:\Program Files\Compaq\SetRefresh\SetRefresh.exe"
O4 - HKLM\..\Run: [CognizanceTS] "C:\WINDOWS\system32\rundll32.exe" c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\Sminst\Recguard.exe"
O4 - HKLM\..\Run: [Reminder] "C:\WINDOWS\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Scheduler] "C:\WINDOWS\SMINST\Scheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: SpectraView II Gamma Loader.lnk = C:\Program Files\NEC DISPLAY SOLUTIONS\SpectraView II\SpectraView.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c96bcebbcaef66) (gupdate1c96bcebbcaef66) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\ifxtcs.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10564 bytes
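Reading a HijackThis log by hand gets error-prone once it runs to a few hundred lines, so here is an added example (not part of the original post, and not a tool used anywhere in this thread) that parses HJT-style entries and flags the kinds a helper usually checks first: O2 BHOs whose DLL is missing, O4 Run/RunOnce entries that pass a URL on the command line, O20 AppInit_DLLs entries, and O23 services with no publisher string. The sample lines are constructed from entries in the logs posted in this thread, with the long Shockwave Updater URL shortened. Every hit is a prompt to verify, not a malware verdict; several of the entries it flags in this thread's own logs are named after HP and Symantec components that are installed on the machine.

```python
"""Triage a HijackThis (HJT) log: parse the numbered sections and flag the
entries a forum helper usually checks first. Added example; heuristics only."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the logs posted in this thread. The
# Shockwave Updater URL has been shortened to keep the line readable.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/5.0" -"http://privatelabelresources.fornicator.xamo.net/html/popup.php?sid=..."
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry starts with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str
    body: str


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    entry: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the section/body pairs; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(text: str) -> list[Finding]:
    """Apply the checks a helper applies first. Each hit means 'verify this',
    not 'malware': legitimate software trips several of them."""
    findings = []
    for e in parse_hjt(text):
        line = f"{e.section} - {e.body}"
        if e.section == "O2" and e.body.endswith("(no file)"):
            findings.append(Finding(e.section,
                "BHO CLSID registered but its DLL is missing (orphan entry)", line))
        elif e.section == "O4" and URL_RE.search(e.body):
            findings.append(Finding(e.section,
                "Run/RunOnce entry passes a URL on the command line; check the host", line))
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            findings.append(Finding(e.section,
                "AppInit_DLLs is loaded into every process that links user32; verify the DLL", line))
        elif e.section == "O23" and " - Unknown owner - " in e.body:
            findings.append(Finding(e.section,
                "service binary carries no publisher string; check its signature and path", line))
    return findings


def section_counts(text: str) -> dict[str, int]:
    """Per-section tally, handy for spotting a log padded with many O4/O23 lines."""
    counts: dict[str, int] = {}
    for e in parse_hjt(text):
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file's contents; the "(no file)" orphan and the RunOnce line carrying a URL are the two entries from this thread's logs that the script would surface first.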

#2 KoanYorel, Bleepin' Conundrum (Members, 19,461 posts; Location: 65 miles due East of the "Logic Free Zone", in Md, USA)

Posted 07 May 2009 - 09:18 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Lanimilbus, Topic Starter (Members, 59 posts)

Posted 12 May 2009 - 09:57 PM

Note: I have made several threads on this forum about my computer problems that I've been experiencing over the last month but haven't gotten anything other than automated responses. My most recent thread was locked literally as I was typing my newest reply to it; it can still be viewed here: Mod. edit. Link removed as I have merged this topic to the previous one mentioned here. ~ OB

It and the first thread I created (linked in the above thread) go over the problems I've been having in detail.

To sum them up in a paragraph, a month ago I began getting GoogleUpdate.exe errors that froze my computer every time I started up; I ran MBAM in safe mode (I was unable to open it in regular mode without it freezing a couple minutes into the scan) and it found and removed two suspicious items. After that I no longer got the GoogleUpdate.exe errors and my computer stopped freezing due to them but then I began having problems with Explorer; it would often freeze when I opened folders and it made it so that I couldn't access my desktop or any other folders. Usually a window would come up after this saying "(Folder Name) is not responding" and it gives me an option to "End Now" which I do, which makes the taskbar disappear for a few seconds and then come back with the programs open in a different order but with the folders and desktop working and unfrozen again. (I believe this may be as a result of installing a .reg file a month or two ago that allows .flv, .mp4 and .mov video files to be viewed as thumbnails like .avi files are in windows explorer. I could be wrong though.) I also noticed that upon restarting after this happens it will often freeze on the "Windows is starting up..." screen and never loads past that to the login screen so I'll have to manually shut it down and try again until it loads past it. My computer has still been having these symptoms but as of today I can no longer start up at all because of them. Explorer froze for me again today but didn't give me the End Now window option so I clicked Ctrl Alt Delete and manually ended it, which got rid of everything on my screen so that it was just my wallpaper and stayed that way. I shut it down after that happened and upon turning it back on got stuck on the "Windows is starting up..." screen once more so I shut it down again and turned it on again just to have it freeze on that screen yet again. 
Since then I've tried turning it on and off about 15-20 times and it has always stuck on that screen and hasn't loaded past it. When starting up, if I press F8 I can successfully get it to load in Safe Mode and get past that screen and to the login window but it's now impossible for me to get my computer to start up regularly (i.e. not in safe mode). EDIT: I forgot to mention when originally posting this that I ran a full system scan with MBAM in Safe Mode tonight and after nearly 400,000 items scanned and 2 hours it came up with zero results.

As requested, here are my HJT and DDS logs. They were both run in Safe Mode just now (10:00-10:45PM Eastern on Tuesday May 12th) on the problematic computer and then transferred back over to the borrowed laptop I am typing this with since I am unable to get online and post this in safe mode.

The HijackThis log:
-------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:18 PM, on 5/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [PTHOSTTR] "c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" /Start
O4 - HKLM\..\Run: [IFXSPMGT] "C:\WINDOWS\system32\ifxspmgt.exe" /NotifyLogon
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [SetRefresh] "C:\Program Files\Compaq\SetRefresh\SetRefresh.exe"
O4 - HKLM\..\Run: [CognizanceTS] "C:\WINDOWS\system32\rundll32.exe" c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\Sminst\Recguard.exe"
O4 - HKLM\..\Run: [Reminder] "C:\WINDOWS\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Scheduler] "C:\WINDOWS\SMINST\Scheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1" -"http://privatelabelresources.fornicator.xamo.net/html/popup.php?sid=%2A%03Z%40%06%1A%04%3CSS-%0A%06%3C%09W%1F%11%20%15%02%1BP%3D%0C%08%7D%05K%5B%40gtC%03%0EI_RcN%03xVMtJ%0DGSzPA%05%09aSN%7F%03%19%24%1B.3%1D_WH%5BO%60%12%19%1F%0F%1A%3D%15O%19Xc%25J%15d%3B%0F%10%24D%16I%3AzD%1D%07%5CN%04%3E%1Fd%1B%5DT%2B%0C%02%5BMz%5EA%1B%02%7BA3.P%0E%06%5BfjA%0B%06P%5ES%60%0A%11%0E%0F%06%3C%1CW%12Lp%5EA%1B%02.R%08%7E%05S%15%1C%20.%01%09%19H%19%16%27%1CA%3A%0F%028%0E%5D%06%02%21%15%1DGV%21%0E%019P%1AZ75%1C%1C_%09%0A%04%28mF%29%14%1Aw%0AP%1A%1Fq%40H"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: SpectraView II Gamma Loader.lnk = C:\Program Files\NEC DISPLAY SOLUTIONS\SpectraView II\SpectraView.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: En&queue current page with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidqueue.htm
O8 - Extra context menu item: Enqueue link tar&get with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
O8 - Extra context menu item: Open &link target with BID - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlink.htm
O8 - Extra context menu item: Open current page with BI&D - file://C:\Program Files\Bulk Image Downloader\iemenu\iebid.htm
O8 - Extra context menu item: Open current page with BID Link E&xplorer - file://C:\Program Files\Bulk Image Downloader\iemenu\iebidlinkexplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c96bcebbcaef66) (gupdate1c96bcebbcaef66) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\ifxtcs.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10373 bytes

------
The DDS log:
------

DDS (Ver_09-03-16.01) - NTFSx86 MINIMAL
Run by Administrator at 22:25:36.71 on Tue 05/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2012.1701 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton AntiVirus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\NN\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.19.0\gears.dll
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1" -"http://privatelabelresources.fornicator.xamo.net/html/popup.php?sid=%2A%03Z%40%06%1A%04%3CSS-%0A%06%3C%09W%1F%11%20%15%02%1BP%3D%0C%08%7D%05K%5B%40gtC%03%0EI_RcN%03xVMtJ%0DGSzPA%05%09aSN%7F%03%19%24%1B.3%1D_WH%5BO%60%12%19%1F%0F%1A%3D%15O%19Xc%25J%15d%3B%0F%10%24D%16I%3AzD%1D%07%5CN%04%3E%1Fd%1B%5DT%2B%0C%02%5BMz%5EA%1B%02%7BA3.P%0E%06%5BfjA%0B%06P%5ES%60%0A%11%0E%0F%06%3C%1CW%12Lp%5EA%1B%02.R%08%7E%05S%15%1C%20.%01%09%19H%19%16%27%1CA%3A%0F%028%0E%5D%06%02%21%15%1DGV%21%0E%019P%1AZ75%1C%1C_%09%0A%04%28mF%29%14%1Aw%0AP%1A%1Fq%40H"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [PTHOSTTR] "c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE" /Start
mRun: [IFXSPMGT] "c:\windows\system32\ifxspmgt.exe" /NotifyLogon
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [SetRefresh] "c:\program files\compaq\setrefresh\SetRefresh.exe"
mRun: [CognizanceTS] "c:\windows\system32\rundll32.exe" c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [Recguard] "c:\windows\sminst\Recguard.exe"
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [Scheduler] "c:\windows\sminst\Scheduler.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\vidalia bundle\privoxy\privoxy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spectr~1.lnk - c:\program files\nec display solutions\spectraview ii\SpectraView.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: En&queue current page with BID - file://c:\program files\bulk image downloader\iemenu\iebidqueue.htm
IE: Enqueue link tar&get with BID - file://c:\program files\bulk image downloader\iemenu\iebidlinkqueue.htm
IE: Open &link target with BID - file://c:\program files\bulk image downloader\iemenu\iebidlink.htm
IE: Open current page with BI&D - file://c:\program files\bulk image downloader\iemenu\iebid.htm
IE: Open current page with BID Link E&xplorer - file://c:\program files\bulk image downloader\iemenu\iebidlinkexplorer.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.19.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll
LSA: Notification Packages = SbHpNp scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\swkmmpxn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-6-13 101167]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-6-14 13184]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-4-18 39080]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-8-9 3585384]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-1-23 41216]
S1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-6-13 5808]
S2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]
S2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
S2 gupdate1c96bcebbcaef66;Google Update Service (gupdate1c96bcebbcaef66);c:\program files\google\update\GoogleUpdate.exe [2009-1-1 133104]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-7-9 221184]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
S2 NDSPCIIO;NEC Display Solutions, Ltd. DDC/CI PCIIO;c:\windows\system32\drivers\NDSPCIIO.sys [2005-7-26 23568]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2008-1-4 540184]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-9-16 1373480]
S2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-1-4 2521880]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
S3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [2008-7-2 44344]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090512.003\NAVENG.SYS [2009-5-12 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090512.003\NAVEX15.SYS [2009-5-12 876144]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-9-1 1245064]

=============== Created Last 30 ================

2009-05-07 20:08 <DIR> --d----- c:\docume~1\admini~1\applic~1\BID
2009-05-07 20:08 <DIR> --d----- c:\program files\Bulk Image Downloader
2009-05-03 03:04 118,784 a------- c:\windows\system32\chg.exe
2009-04-16 22:55 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-04-16 22:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-16 22:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 22:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-16 22:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-16 21:40 715,264 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:40 617,984 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:40 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:40 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:40 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:40 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 21:40 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 21:40 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-04-16 21:40 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-16 21:39 1,193,414 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 21:39 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:27 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 17:44 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-19 13:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 13:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-19 05:50 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2008-08-03 23:56 82 a------- c:\docume~1\alluse~1\applic~1\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat

============= FINISH: 22:25:58.15 ===============

And the "Attach.txt" DDS document is attached in this post.

I hope this gives enough information to help solve this problem. Prompt help would, as always, be much appreciated, since I am now without access to my computer and have some time-sensitive work that needs to be done on it, so I would appreciate any help I can get on how to get it back to normal.

Thanks in advance.

Edited by Orange Blossom, 13 May 2009 - 06:29 PM.
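The RunOnce entry that Farbar singles out for fixing in his first reply can be picked out of a DDS "Pseudo HJT Report" mechanically rather than by eye. The script below is an added example, not part of the original post and not code from DDS or HijackThis: it parses the uRun/mRun/uRunOnce lines, separates the executable from its arguments, and applies the heuristics a log reviewer uses in practice (a URL or browser User-Agent string passed as an argument, a RunOnce autostart, a binary placed in a vendor subfolder of system32). The three sample lines are constructed from the log above, with the long sid= parameter of the last one truncated; the heuristics are the editor's own and are a triage aid, not a verdict.

```python
import re

# Constructed sample input: three Run/RunOnce lines taken from the DDS log above
# (the long sid= parameter of the last one is truncated). Not a live scan.
SAMPLE_LINES = [
    'uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe',
    'mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"',
    'uRunOnce: [Shockwave Updater] c:\\windows\\system32\\adobe\\shockw~1\\SWHELP~2.EXE '
    '-Update -1103471 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) '
    'Gecko/2008070208 Firefox/3.0.1" '
    '-"http://privatelabelresources.fornicator.xamo.net/html/popup.php?sid=%2A%03Z%40"',
]

# DDS prefixes: u = HKCU (current user), m = HKLM (machine); Run vs RunOnce.
ENTRY_RE = re.compile(r'^(?P<hive>[um])Run(?P<once>Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
URL_RE = re.compile(r'https?://([^/\s"]+)', re.I)


def parse_entry(line):
    """Split one uRun/mRun/uRunOnce line into scope, name, executable and arguments.
    Returns None for lines that are not autostart entries (BHO:, DPF:, StartupFolder: ...)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd')
    if cmd.startswith('"'):
        # Quoted executable path (the usual form for paths containing spaces).
        end = cmd.find('"', 1)
        exe, args = cmd[1:end], cmd[end + 1:].strip()
    else:
        parts = cmd.split(None, 1)
        exe, args = parts[0], (parts[1] if len(parts) > 1 else '')
    return {
        'scope': 'HKCU' if m.group('hive') == 'u' else 'HKLM',
        'once': m.group('once') is not None,
        'name': m.group('name'),
        'exe': exe.lower(),
        'args': args,
    }


def triage(entry):
    """Return the reasons an entry deserves a closer look; an empty list means nothing odd."""
    reasons = []
    hosts = URL_RE.findall(entry['args'])
    if hosts:
        reasons.append('command line carries a URL to ' + ', '.join(hosts))
    if 'mozilla/' in entry['args'].lower():
        reasons.append('a browser User-Agent string is passed as an argument')
    if entry['once']:
        reasons.append('RunOnce entry (one-shot autostart; installers use it too, so check the target)')
    # Genuine system32 binaries sit directly in system32; a vendor-named subfolder
    # under it (system32\adobe\...) is an unusual install location worth checking.
    if entry['exe'].startswith('c:\\windows\\system32\\') and entry['exe'].count('\\') > 3:
        reasons.append('binary installed in a subfolder of system32 rather than Program Files')
    return reasons


def triage_report(lines):
    """Map entry name -> reasons, for every autostart line that raised at least one flag."""
    flagged = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                flagged[entry['name']] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in triage_report(SAMPLE_LINES).items():
        print(name)
        for r in reasons:
            print('  -', r)
```

Run against the three sample lines, only the Shockwave Updater entry is flagged, on all four heuristics; ctfmon.exe and the Symantec ccApp entry parse cleanly and raise nothing. Feeding it a whole DDS log works the same way, since non-autostart lines are skipped by the parser.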


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,963 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:25 PM

Posted 13 May 2009 - 06:27 PM

Hello Lanimilbus,

For the sake of continuity and to avoid further delay in assistance, I have merged your latest topic to your previously existing topic.

An HJT Team member should be with you soon.

Orange Blossom ~ forum moderator
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:25 AM

Posted 15 May 2009 - 02:27 PM

Hi Lanimilbus,

Welcome to the BC HijackThis forum. I am Farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1" -"http://privatelabelresources.fornicator.xamo.net/html/popup.php?sid=%2A%03Z%40%06%1A%04%3CSS-%0A%06%3C%09W%1F%11%20%15%02%1BP%3D%0C%08%7D%05K%5B%40gtC%03%0EI_RcN%03xVMtJ%0DGSzPA%05%09aSN%7F%03%19%24%1B.3%1D_WH%5BO%60%12%19%1F%0F%1A%3D%15O%19Xc%25J%15d%3B%0F%10%24D%16I%3AzD%1D%07%5CN%04%3E%1Fd%1B%5DT%2B%0C%02%5BMz%5EA%1B%02%7BA3.P%0E%06%5BfjA%0B%06P%5ES%60%0A%11%0E%0F%06%3C%1CW%12Lp%5EA%1B%02.R%08%7E%05S%15%1C%20.%01%09%19H%19%16%27%1CA%3A%0F%028%0E%5D%06%02%21%15%1DGV%21%0E%019P%1AZ75%1C%1C_%09%0A%04%28mF%29%14%1Aw%0AP%1A%1Fq%40H"

Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Now try to reboot to normal mode and tell me exactly what you see. Do you get past the logon screen, and how far does it go?

#6 Lanimilbus

Lanimilbus
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 15 May 2009 - 07:46 PM

I deleted that entry and restarted my computer and was able to get to the login screen; however, I had already restarted before removing that entry and was still able to get to the login screen, and that entry doesn't appear in my earlier HJT logs from when I was still having problems with it getting stuck on startup, so I'm not sure how much that entry has (or had) to do with the startup issue.

Here's my most recent HijackThis log (from just now):
http://textsnip.com/text/hjtlogmay09

I pasted it on textsnip to conserve space in the thread so that things wouldn't be as cluttered, hope that's okay.

A brief update: after finally getting my computer to load past the "Windows is starting up..." screen in normal boot mode I logged in and ran a Malwarebytes Anti-Malware full scan overnight. When I woke up this morning MBAM said it had found no malicious entries but Norton Anti-Virus Auto-Protect came up with a warning saying it had detected and removed three viruses while I was asleep with just the MBAM scan running: two "Backdoor.Tidserv" viruses and a "Packed.Generic.200" virus. I can give the locations and filenames of where it found the viruses if necessary.

Also, I'm not an expert in this stuff by any means, but I have three opinions and thoughts on this matter.

First, a few of the HJT entries kind of sent up a red flag for me:

First off, the running process
C:\Program Files\Google\Update\GoogleUpdate.exe

This seems to be what caused this whole mess in the first place and, after researching it, does not appear to be necessary for anything on my computer since I don't use Google Chrome. I have Google Gears but would not mind losing it.

Also, same deal with this entry:
O23 - Service: Google Update Service (gupdate1c96bcebbcaef66) (gupdate1c96bcebbcaef66) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

Now, I'm not going to remove these with HijackThis or anything else on my own, but I'd like to have anything "GoogleUpdate" related gone from my computer if at all possible.

Second, I believe I mentioned this in one of my earlier posts, but one of the things that's been happening since my computer started having problems has been this "Windows Genuine Advantage Notifications" message that I get every time I start up the computer. My version of XP is definitely legitimate, but I would rather not go along with this thing's prompts due to the vastly negative feedback I've found about it after searching for it online. Several sites, like this one, call it spyware, so I'd really rather not have it anywhere on my computer. I've seen several sets of instructions on how to remove it, mostly looking like this:

1. Launch Windows Task Manager.
2. End the wgatray.exe process in Task Manager.
3. Restart Windows XP in Safe Mode.
4. Delete WgaTray.exe from c:\Windows\System32.
5. Delete WgaTray.exe from c:\Windows\System32\dllcache.
6. Launch RegEdit.
7. Browse to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
8. Delete the folder 'WgaLogon' and all its contents.
9. Reboot Windows XP.


This video also demonstrates these steps and seems to be well rated and watched plenty of times, but again, I'd rather not do this until I get some kind of confirmation from someone here that this would be a good idea.

Third, I'd like to know how to undo the registry file (.reg) that I saved and applied, which made .FLV, .MOV and .M4A video files appear as thumbnails in my folders instead of just icons. I believe this may be what keeps crashing Explorer (explorer.exe), as every time I view one of the folders with .FLV, .MOV or .M4A files inside I have problems soon after, so I would like to reverse it back to the way it was before if at all possible. Here is the text I copied into Notepad, saved as a .reg file, then double-clicked to apply.

REGEDIT4

; {BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} is the IExtractImage interface ID. The
; default value under <extension>\ShellEx\{that IID} names the COM class Explorer
; loads to build thumbnails for files with that extension.

[HKEY_CLASSES_ROOT\.flv\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{c5a40261-cd64-4ccf-84cb-c394da41d590}"

[HKEY_CLASSES_ROOT\.mov\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{c5a40261-cd64-4ccf-84cb-c394da41d590}"

[HKEY_CLASSES_ROOT\.mp4\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{c5a40261-cd64-4ccf-84cb-c394da41d590}"

Again, I'm not an expert at this stuff, but it seems like these three things (GoogleUpdate, Windows Genuine Advantage Notifications and the .reg file to enable video thumbnails) are all contributing to the problems I've been having.

Thanks in advance for any and all help.
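The .reg file quoted in the post above can be reversed with the Registry Editor's key-deletion syntax: a key name prefixed with a minus sign inside the square brackets is deleted when the file is imported. The following is an added example, not part of the original post or of the thread's advice; it removes exactly the three IExtractImage (thumbnail handler) keys the posted file created, for the same three extensions the posted file lists (.flv, .mov and .mp4; the post's prose mentions .M4A, but the file as posted registers .mp4). It assumes those ShellEx subkeys did not exist before the import; if they did, their previous values are not recoverable from this file.

```reg
REGEDIT4

; A leading minus sign inside the brackets deletes the named key and everything
; under it on import. Only the per-extension IExtractImage handler subkeys go;
; the parent .flv/.mov/.mp4 keys and their other values are left alone.
[-HKEY_CLASSES_ROOT\.flv\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]

[-HKEY_CLASSES_ROOT\.mov\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]

[-HKEY_CLASSES_ROOT\.mp4\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
```

Save it with a .reg extension and double-click it (or run "regedit /s undo-thumbs.reg" for a silent import), then log off and back on so Explorer stops using the handler it already has loaded. Exporting the three keys with regedit before importing the undo file gives a copy to restore from if the thumbnails turn out not to be the cause of the Explorer crashes.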

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:25 AM

Posted 15 May 2009 - 08:24 PM

Hi Lanimilbus,

I would like to give my frank opinion on the style of posting:

1. I prefer copy and pasting the logs, if specifically needed attaching them here.
2. Long and unrelated posts just make it difficult for me to concentrate on the main issue. To be frank, I might not read them and miss the important part which I should know. So I prefer to get a direct answer to my question first. Then you may add anything, but make sure the addition is readable.
3. I frankly tell you I don't need you to analyze the log for me. I need you to tell me what I can't see, that is what you see when you are sitting there and watching things happen. The logs I can read for myself.
4. When I ask you to fix an entry I don't expect magic. I'm ruling out the possibilities. I need your feedback about what you see after that fix.

So please start again.
Copy and paste a fresh HijackThis log into your reply and, without any additions, give me feedback about the question I asked. I need to know what happens now and not what happened last night. We need to boot the computer to normal mode as soon as possible to run our fixes.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:25 AM

Posted 16 May 2009 - 07:35 AM

To add to my last post: My first priority is making sure the infection is removed. Then later on we can attend to the remaining issues and preferences. A clean log from MBAM and HijackThis is a good sign, but it by no means ensures the computer is clean as long as the boot problem is not resolved and Norton is detecting malware. We need to run in-depth tools, especially in normal mode.

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:25 AM

Posted 20 May 2009 - 02:39 PM

This topic is closed due to lack of activity.
