
Slowness, weirdness--unknown cause


This topic is locked
11 replies to this topic

#1 geomoo
  • Members
  • 8 posts

Posted 30 October 2009 - 12:47 AM

The symptoms are typical of what I think of as malware:

Internet is suddenly significantly slower.
Computer in general is occasionally very slow and slower to start up.
I often need to end a non-responding program (especially Firefox) when shutting down.
When I end a program using CTRL-Alt-Delete, the currently running programs window remains up with no Close icon available. I have to shift the annoying window around to keep it out of the way of what I am doing. This window doesn't go away until I Restart.
Last start-up, the keyboard didn't work. May have just been a loose connection, but with everything else going on, maybe not.
Occasionally Firefox says it must shut down because of "an illegal operation."

I run both NOD32 antivirus and Webroot antivirus with Spysweeper. I have been running them together before with no interaction problems, but that may be part of my problem. Also, I have responded to Webroot prompts saying not to allow changes such as a program attempting to be added on startup. Usually I don't know what is going on, but if I haven't made any changes, I just say no. I may have screwed that up somehow.

I bought and ran RegistryBooster per this site's recommendation. Four hundred something problems were fixed, but some 7 problems with the registry were not fixed.

I know I'm not giving you a specific problem, but I'm a good boy and take direction well. I will not be a pain in the butt, promise. Please help me. When I ran ComboFix on my other computer, the results were miraculous.


DDS (Ver_09-10-26.01) - NTFSx86
Run by George Moore at 22:02:51.20 on Thu 10/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.434 [GMT -7:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Uniblue\RegistryBooster 2010\registrybooster.exe
C:\Documents and Settings\George Moore\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com/
uWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\hp laserjet 1160_1320 series\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hewlett-packard\hp laserjet 1160_1320 series\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRunOnce: [UniblueRegistryBooster] "c:\program files\uniblue\registrybooster 2010\launcher.exe" delay 20000
mRun: [NeroFilterCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [NvMediaCenter] "c:\windows\system32\RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
mRun: [CHotkey] "c:\windows\mHotkey.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [THGuard] "c:\program files\trojanhunter 4.6\THGuard.exe"
mRun: [StatusClient 2.6] "c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe" /auto
mRun: [TomcatStartup 2.5] "c:\program files\hewlett-packard\toolbox\hpbpsttp.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [CTCheck] "c:\program files\creative\creative zen\zen media explorer\CTCheck.exe"
mRun: [AVFX Engine] "c:\program files\creative\creative live! cam\videofx\StartFX.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hewlett-packard\hp laserjet 1160_1320 series\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hewlett-packard\hp laserjet 1160_1320 series\smart web printing\hpswp_extensions.dll
LSP: c:\windows\system32\imon.dll
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15106/CTPID.cab
DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} - hxxp://h30299.www3.hp.com/ediags/hpnar/en/app/17/install/gtdownhp.cab?1,0,0,94
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\belygnql.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?auth=DQAAAG8AAADsEwOH19VfwRqk87iI8NiJd8ro0onDjHb-9ReLA-Jn4mxyk60bpymgxs1k-uybiPsDsRGLhd4bl1j7ozWEPZK-yDsyftn-C8aMcCZBHOHTpyIHbuPtq5alwEb0p3gMo-cQqKoXzHQFfQsi9pSJLIdh
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - plugin: c:\documents and settings\pat adler\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - );user_pref(yahoo.homepage.dontask, truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-3-22 15424]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-12-3 1201640]
R3 P1370Aud;Creative WebCam Audio Control;c:\windows\system32\drivers\P1370Aud.sys [2006-12-27 93056]
R3 P1370Aul;PD1370 Lower Filter Driver;c:\windows\system32\drivers\P1370Aul.sys [2006-12-27 4992]
R3 P1370VID;Live! Cam Voice;c:\windows\system32\drivers\P1370Vid.sys [2006-12-27 179328]
S2 gupdate1c9b1aa427fd3c0;Google Update Service (gupdate1c9b1aa427fd3c0);c:\program files\google\update\GoogleUpdate.exe [2009-3-30 133104]

=============== Created Last 30 ================

2009-10-30 04:19:16 0 d-----w- c:\docume~1\george~1\applic~1\Uniblue
2009-10-30 04:19:10 0 d-----w- c:\program files\Uniblue
2009-10-22 19:11:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-10-20 17:40:28 0 d-----w- c:\program files\Plaxo
2009-10-20 16:05:46 0 d-----w- c:\program files\Litsoft
2009-10-15 03:39:14 0 d-sh--w- c:\documents and settings\george moore\PrivacIE
2009-10-15 02:37:01 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-15 02:37:01 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-15 02:27:32 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-15 02:27:14 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2009-10-15 02:26:39 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-09-18 21:08:30 1563008 ----a-w- c:\windows\WRSetup.dll
2009-09-18 20:42:18 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-09-18 20:42:16 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-09-18 20:42:16 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 22:03:18.79 ===============
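The DDS output above is a fixed line format, so the parts a responder reads first can be pulled out mechanically: the AV lines with their on-access state, the Pseudo HJT entries (BHO, TB, Run keys, LSP, DPF), and the Java installer versions that remain as DPF entries. The Python script below is an added example, not part of the original post or of the DDS tool. Its sample input is a constructed excerpt built from a few lines of the log above, and the checks it performs (more than one real-time antivirus, Java installer entries older than the browser's current Java, LSP hooks present) are the editor's own triage heuristics, not rules DDS applies.

```python
import re

# Constructed excerpt in the shape of the DDS log posted above (a handful of
# its lines copied verbatim). Assumed to be representative of DDS's format.
SAMPLE_DDS = r"""DDS (Ver_09-10-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Pseudo HJT Report ===============

BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
LSP: c:\windows\system32\imon.dll
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

================= FIREFOX ===================
"""

# Line shapes as they appear in the DDS log above.
AV_RE = re.compile(r"^AV: (?P<name>.+?) \*On-access scanning (?P<state>enabled|disabled)\*")
HJT_RE = re.compile(r"^(?P<kind>BHO|TB|uRun|mRun|uRunOnce|LSP|DPF|IE|Handler|SSODL): ?(?P<body>.*)$")
JAVA_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-")
BROWSER_JAVA_RE = re.compile(r"BrowserJavaVersion: (\S+)")


def parse_dds(text):
    """Collect the browser Java version, AV lines and Pseudo HJT entries."""
    report = {"java": None, "av": [], "hjt": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := BROWSER_JAVA_RE.search(line):
            report["java"] = m.group(1)
        elif m := AV_RE.match(line):
            report["av"].append((m.group("name"), m.group("state") == "enabled"))
        elif m := HJT_RE.match(line):
            report["hjt"].append((m.group("kind"), m.group("body")))
    return report


def java_installer_versions(report):
    """Java versions named by DPF jinstall entries, e.g. '1.6.0_15'."""
    versions = set()
    for kind, body in report["hjt"]:
        if kind != "DPF":
            continue
        m = JAVA_RE.search(body)
        if m:
            a, b, c, d = m.groups()
            versions.add(f"{a}.{b}.{c}_{d}")
    return sorted(versions)


def triage(text):
    """Editor's own heuristics; returns a list of human-readable findings."""
    report = parse_dds(text)
    findings = []
    realtime = [name for name, on in report["av"] if on]
    if len(realtime) > 1:
        findings.append("multiple real-time AV: " + "; ".join(realtime))
    stale = [v for v in java_installer_versions(report) if v != report["java"]]
    if stale:
        findings.append("stale Java installer entries: " + ", ".join(stale))
    lsp = [body for kind, body in report["hjt"] if kind == "LSP"]
    if lsp:
        # LSPs sit in the Winsock path; each one should be tied to a known product.
        findings.append("LSP hooks present (verify each): " + ", ".join(lsp))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

Run as a script it prints the findings; on the log above it would flag both antivirus products as real-time, which is the point m0le raises later in the thread, and list the older Java installer versions still registered as DPF entries.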


#2 m0le
  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 06 November 2009 - 09:35 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#3 m0le
  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 09 November 2009 - 02:43 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

#4 m0le
  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 10 November 2009 - 08:27 AM

Reopened at user's request

---------------------------------------

Hi,

Please can you do a new DDS and RootRepeal scan and post the logs.

Thanks,

m0le

#5 geomoo
  • Topic Starter
  • Members
  • 8 posts

Posted 12 November 2009 - 04:29 PM

Thank you. Reposting DDS and RootRepeal. One minor anomaly: the DDS notepad window was also titled "Attach-notepad."

DDS (Ver_09-10-26.01) - NTFSx86
Run by George Moore at 13:09:15.51 on Thu 11/12/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.410 [GMT -8:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\George Moore\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com/
uWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\hp laserjet 1160_1320 series\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hewlett-packard\hp laserjet 1160_1320 series\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [NeroFilterCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [NvMediaCenter] "c:\windows\system32\RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
mRun: [CHotkey] "c:\windows\mHotkey.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [THGuard] "c:\program files\trojanhunter 4.6\THGuard.exe"
mRun: [StatusClient 2.6] "c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe" /auto
mRun: [TomcatStartup 2.5] "c:\program files\hewlett-packard\toolbox\hpbpsttp.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CTCheck] "c:\program files\creative\creative zen\zen media explorer\CTCheck.exe"
mRun: [AVFX Engine] "c:\program files\creative\creative live! cam\videofx\StartFX.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hewlett-packard\hp laserjet 1160_1320 series\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hewlett-packard\hp laserjet 1160_1320 series\smart web printing\hpswp_extensions.dll
LSP: c:\windows\system32\imon.dll
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15106/CTPID.cab
DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} - hxxp://h30299.www3.hp.com/ediags/hpnar/en/app/17/install/gtdownhp.cab?1,0,0,94
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\belygnql.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?auth=DQAAAG8AAADsEwOH19VfwRqk87iI8NiJd8ro0onDjHb-9ReLA-Jn4mxyk60bpymgxs1k-uybiPsDsRGLhd4bl1j7ozWEPZK-yDsyftn-C8aMcCZBHOHTpyIHbuPtq5alwEb0p3gMo-cQqKoXzHQFfQsi9pSJLIdh
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - plugin: c:\documents and settings\pat adler\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - );user_pref(yahoo.homepage.dontask, truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-3-22 15424]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-12-3 1201640]
R3 P1370Aud;Creative WebCam Audio Control;c:\windows\system32\drivers\P1370Aud.sys [2006-12-27 93056]
R3 P1370Aul;PD1370 Lower Filter Driver;c:\windows\system32\drivers\P1370Aul.sys [2006-12-27 4992]
R3 P1370VID;Live! Cam Voice;c:\windows\system32\drivers\P1370Vid.sys [2006-12-27 179328]
S2 gupdate1c9b1aa427fd3c0;Google Update Service (gupdate1c9b1aa427fd3c0);c:\program files\google\update\GoogleUpdate.exe [2009-3-30 133104]

=============== Created Last 30 ================

2009-10-30 04:19:16 0 d-----w- c:\docume~1\george~1\applic~1\Uniblue
2009-10-30 04:19:10 0 d-----w- c:\program files\Uniblue
2009-10-22 19:11:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-10-20 17:40:28 0 d-----w- c:\program files\Plaxo
2009-10-20 16:05:46 0 d-----w- c:\program files\Litsoft
2009-10-15 03:39:14 0 d-sh--w- c:\documents and settings\george moore\PrivacIE
2009-10-15 02:37:01 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-15 02:37:01 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-15 02:27:32 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-15 02:27:14 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2009-10-15 02:26:39 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-18 21:08:30 1563008 ----a-w- c:\windows\WRSetup.dll
2009-09-18 20:42:18 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-09-18 20:42:16 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-09-18 20:42:16 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 13:09:50.68 ===============




#6 m0le
  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 12 November 2009 - 06:34 PM

Hi Geomoo,

What kind of weirdness are you experiencing? Slowness could be down to the fact that you are running two antiviruses. Even if it isn't, I do not recommend that you have more than one antivirus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Webroot or NOD32.


However, some malware is very sneaky these days so let's take a look at the PC

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
Thanks :(
m0le is a proud member of UNITE

#7 geomoo (Topic Starter)

Posted 13 November 2009 - 03:04 AM

MBAM: no infections found

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/12/2009 9:25:37 PM
mbam-log-2009-11-12 (21-25-37).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 217360
Time elapsed: 1 hour(s), 0 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET scan: 1 infection found and quarantined:

C:\Documents and Settings\Pat Adler\Desktop\sspsetup4931_1.exe probably a variant of Win32/Agent trojan deleted - quarantined

#8 m0le (Malware Response Team)

Posted 13 November 2009 - 08:28 AM

Did you remove one of the antivirus programs?

Also, tell me what sort of symptoms you are actually getting.

#9 geomoo (Topic Starter)

Posted 13 November 2009 - 07:12 PM

Yes, I reluctantly removed Webroot. I like it because it alerts me to changes in the startup that NOD ignores, but I usually read of NOD as the best. Sigh.

Well, I feel a little bad because it looks like I wasted your time. The most suspicious behavior--freezing, programs refusing to close, suspicious delays when opening the browser--haven't appeared in over a week now, so perhaps the cleaning of the registry by Registry Booster got at it.

The computer is still very slow to start up, and Firefox takes much longer than I am accustomed to on initial start-up, but there are too many possibilities for that to want to take up more of your time. I am reassured that there is nothing dire going on as I had suspected.

Question: Can I run that on-line NOD scan anytime? Is it a more complete scan than I get from using the NOD installed on my computer?

Second question: Also, is it possible for a virus or malware to be cleared from one user's windows environment and still be present in another user's environment on the same computer?

Thanks so much. If you have any more ideas, I'm all ears. I'll send along a few bucks to the site. For you, here's a little joke by way of payment:

Doctor tells a man, "I have two pieces of bad news. First, you have AIDS."
"Oh no. How terrible. What's the other news?"
"You have Alzheimer's."
"Oh no. How awful." Thinking a moment. "Well, at least I don't have AIDS."

Thanks. I hope I didn't waste too much of your time.

#10 m0le (Malware Response Team)

Posted 13 November 2009 - 10:45 PM

Question: Can I run that on-line NOD scan anytime? Is it a more complete scan than I get from using the NOD installed on my computer?


Yes, you can run that any time. It isn't as complete as the NOD on the PC, insofar as it can only scan and remove, whereas the installed antivirus can actually prevent the infection in the first place. It's a useful scanner though, very powerful.

Second question: Also, is it possible for a virus or malware to be cleared from one user's windows environment and still be present in another user's environment on the same computer?


Yes it is. Where there are multiple users we recommend that all log in and produce the scans separately.

Thanks for the joke, and you didn't waste my time; that's why I (and the other BCers) are here.

One last thing, please update your Java.

Old versions of Java are big doors to malware. JavaRa removes them and updates your version to the most current.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Please make sure you turn on the Java Automatic Update Feature

    Then you will not have to remember to update it when Java introduces a new version.
    Java is updated very frequently, and the old versions are malware magnets.

    Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.
That's it, cheers

m0le

:(
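The answer above (log in as each user and scan separately) rests on the fact that some autostart entries live in each account's own registry hive: HKEY_CURRENT_USER is a different hive for every user, so a Run entry cleaned under one account can still be present under another, while HKEY_LOCAL_MACHINE entries apply to everyone. The script below is an added illustration, not part of m0le's instructions and not code from Malwarebytes or ESET. It lists the Run and RunOnce entries under HKLM and under every currently loaded user hive in HKEY_USERS, so a per-user difference is visible side by side. It assumes an elevated PowerShell 3.0 or later session; users who are not logged on have no loaded hive and will not be listed, which is exactly why the reply recommends logging in as each of them.

```powershell
# Added example (not m0le's instructions, not a Malwarebytes or ESET tool):
# enumerate Run/RunOnce autostart entries for the machine and for every
# loaded user hive, so per-user persistence is visible alongside the
# machine-wide entries. Run from an elevated PowerShell prompt.

# Map HKEY_USERS as a drive so the loaded user hives can be enumerated.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Subkeys that hold autostart commands (the same relative path exists under
# HKLM and under each user's hive).
$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry provider metadata properties that are not real values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntries {
    param(
        [string]$HivePath,   # e.g. 'HKLM:\' or 'HKU:\S-1-5-21-...\'
        [string]$Scope       # label shown in the output
    )
    foreach ($sub in $runSubKeys) {
        $key = Join-Path $HivePath $sub
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            [pscustomobject]@{
                Scope   = $Scope
                Key     = $sub
                Name    = $p.Name
                Command = $p.Value
            }
        }
    }
}

$entries = @()

# Machine-wide entries: these start for every account that logs on.
$entries += Get-RunEntries -HivePath 'HKLM:\' -Scope 'HKLM (all users)'

# Per-user entries: one loaded hive per logged-on user account SID.
# The pattern matches domain/local account SIDs and skips the "_Classes"
# hives and well-known system SIDs.
$userHives = Get-ChildItem -Path HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

foreach ($hive in $userHives) {
    $sid = $hive.PSChildName
    # Resolve the SID to an account name where possible; fall back to the SID.
    try {
        $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $acct = $sid
    }
    $entries += Get-RunEntries -HivePath "HKU:\$sid\" -Scope "HKCU of $acct"
}

# An entry that appears under one user's scope but not another's is the
# per-user case the reply describes: it needs checking in that account.
$entries | Sort-Object Scope, Key, Name | Format-Table -AutoSize
```

The output groups entries by scope, so an autostart command present under "HKCU of MACHINE\UserA" but absent under "HKCU of MACHINE\UserB" stands out at a glance. To inspect an account that is not logged on, either log in as that user and rerun the script, or load its NTUSER.DAT with `reg load` before running it.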

#11 geomoo (Topic Starter)

Posted 13 November 2009 - 11:22 PM

Will do on Java. This is a terrific service. Thanks again.

#12 m0le (Malware Response Team)

Posted 19 November 2009 - 07:16 PM

Thanks for the compliment, Geomoo :(

-------------------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.