Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Could someone help me review my HJT log?


  • This topic is locked This topic is locked
15 replies to this topic

#1 Kuk1

Kuk1

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 08 December 2010 - 09:18 PM

Lately my computer has been slow. I have read few topics around this and ran Spybot Search and Destroy. I found some Cookies and threads which I have removed. As a second step as suggested I have ran HJT and am posting the log here. I hope someone can help me figure out if there is anything wrong with the file.

Let me know if I should have run any other tools before running HJT.

Thanks


-----------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:09:28 PM, on 12/8/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\vVX6000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\Dwm.exe
C:\Users\Owner\Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\Windows\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.turnertalk.com/icaclient10/icaweb.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9cec7f199c4d0) (gupdate1c9cec7f199c4d0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11456 bytes

I have reviewed the instructions and ran the additional tools that was mentioned as part of the instructions.

Below you can find the DDS log. Also attached you can find the other files.

Unfortunately, I cannot provide much information regarding my problem. In short, my computer was very slow. In particular the computer seemed to ber very slow when I run Internet Explorer or Firefox. The processor seemed to be working too much but I could not see any bogus processes in the task manager.

Thank you very much in advance for your help.


DDS (Ver_10-12-05.01) - NTFSx86
Run by Owner at 20:49:03.47 on Thu 12/09/2010
Internet Explorer: 8.0.6001.18975
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3002.1095 [GMT -5:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\vVX6000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: MRI_DISABLED - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [EasyDVDMon]
uRun: [Google Update] "c:\users\owner\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [NoteZilla]
uRun: [QNPlus]
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://www.turnertalk.com/icaclient10/icaweb.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\q3yyqeqt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\q3yyqeqt.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: vShare: vshare@toolbar - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\q3yyqeqt.default\extensions\vshare@toolbar

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-24 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-6-28 361808]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-12-8 1153368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-15 24652]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-28 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-4 113664]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9cec7f199c4d0;Google Update Service (gupdate1c9cec7f199c4d0);c:\program files\google\update\GoogleUpdate.exe [2009-5-6 133104]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-25 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2009-4-10 2077840]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-12-08 06:21:19 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-08 06:21:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-08 03:40:20 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlcBE8F.tmp
2010-12-08 03:31:12 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{6c03f5de-4a7b-4ba4-a428-0bea1838c34d}\mpengine.dll
2010-12-08 00:15:06 -------- d-----w- c:\windows\system32\EventProviders
2010-11-24 12:44:34 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-11-10 13:52:27 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

==================== Find3M ====================

2010-10-24 19:00:45 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-12 01:43:52 4608 ----a-w- c:\windows\system32\w95inf32.dll
2010-10-12 01:43:52 2272 ----a-w- c:\windows\system32\w95inf16.dll
2010-09-20 09:25:01 231936 ----a-w- c:\windows\system32\msshsq.dll

============= FINISH: 20:49:19.57 ===============

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 10 December 2010 - 09:01 PM.


BC AdBot (Login to Remove)

 


#2 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Around the world
  • Local time:02:15 PM

Posted 16 December 2010 - 06:07 AM

Hello and welcome to Bleeping Computer

I'm judicandus and I'll be helping you out.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

When the computer is slow, please run the following:

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

We also need a log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.

Also,


I see Viewpoint installed.
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folders
C:\Program Files\Viewpoint

Edited by Judicandus, 16 December 2010 - 06:14 AM.


#3 Kuk1

Kuk1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 19 December 2010 - 12:12 PM

Thank you very much for your response. Attached you can find the logs associated with the tools that you recommended me to run.

The computer has been acting strange. At times it is very slow but other times it is normal. This makes me believe that there is something wrong and a hidden file that gets active from time to time. In particular something associated with Internet Explorer.

Let me know if you see anything wrong or if I should be running other programs and tools.

Thanks again for your help.

Attached Files



#4 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Around the world
  • Local time:02:15 PM

Posted 19 December 2010 - 12:46 PM

Hi kuk1,

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent some things from being fixed.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

* Open Spybot Search & Destroy.
* In the Mode menu click "Advanced mode" if not already selected.
* Choose "Yes" at the Warning prompt.
* Expand the "Tools" menu.
* Click "Resident".
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* In the File menu click "Exit" to exit Spybot Search & Destroy.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

#5 Kuk1

Kuk1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 20 December 2010 - 08:54 PM

Attached you can find the ComboFix log.

Thanks for your help. Should I now enable the security tools?

Also the log created after the tool has finished is included.

ComboFix 10-12-20.01 - Owner 12/20/2010 20:42:34.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3002.1837 [GMT -5:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Microsoft Security Essentials *Disabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-11-21 to 2010-12-21 )))))))))))))))))))))))))))))))
.

2010-12-21 01:49 . 2010-12-21 01:50 -------- d-----w- c:\users\Owner\AppData\Local\temp
2010-12-21 01:49 . 2010-12-21 01:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-21 01:14 . 2010-11-10 01:33 6273872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F083198E-5FE4-4FC8-9948-2F9717D1DA80}\mpengine.dll
2010-12-19 15:00 . 2010-12-19 15:00 -------- d-----w- C:\rsit
2010-12-19 15:00 . 2010-12-19 15:00 -------- d-----w- c:\program files\trend micro
2010-12-15 15:41 . 2010-11-02 06:03 638232 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2010-12-14 14:08 . 2010-11-10 01:33 6273872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-12-13 05:27 . 2010-12-13 05:27 -------- d-----w- c:\users\Owner\AppData\Local\Windows Live Writer
2010-12-13 05:27 . 2010-12-13 05:27 -------- d-----w- c:\users\Owner\AppData\Roaming\Windows Live Writer
2010-12-13 05:21 . 2010-12-13 05:21 -------- d-----w- c:\users\Owner\New Folder
2010-12-13 04:02 . 2010-12-13 04:02 -------- d-----w- c:\windows\en
2010-12-13 04:02 . 2010-09-23 05:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-12-13 03:58 . 2010-12-13 03:58 -------- d-----w- c:\program files\MSN Toolbar
2010-12-13 03:57 . 2010-12-13 03:58 -------- d-----w- c:\program files\Bing Bar Installer
2010-12-13 03:57 . 2009-09-04 22:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-12-13 03:57 . 2009-09-04 22:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-12-13 03:57 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-12-13 03:56 . 2010-12-13 03:56 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\b256ec091cb9a792b\InstallManager_WLE_WLE.exe
2010-12-13 03:55 . 2010-12-13 03:55 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\a1df21d91cb9a791f\MeshBetaRemover.exe
2010-12-13 03:55 . 2010-12-13 03:55 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\9257e9991cb9a7918\DSETUP.dll
2010-12-13 03:55 . 2010-12-13 03:55 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\9257e9991cb9a7918\DXSETUP.exe
2010-12-13 03:55 . 2010-12-13 03:55 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\9257e9991cb9a7918\dsetup32.dll
2010-12-13 03:55 . 2010-12-13 03:55 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\905f46191cb9a7917\DSETUP.dll
2010-12-13 03:55 . 2010-12-13 03:55 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\905f46191cb9a7917\DXSETUP.exe
2010-12-13 03:55 . 2010-12-13 03:55 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\905f46191cb9a7917\dsetup32.dll
2010-12-13 03:53 . 2010-12-20 13:29 -------- d-----w- c:\users\Owner\AppData\Local\Windows Live
2010-12-13 03:52 . 2009-08-04 08:02 754688 ----a-w- c:\windows\system32\webservices.dll
2010-12-13 03:51 . 2010-12-13 03:52 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-13 03:40 . 2010-12-13 03:40 -------- d-----w- c:\program files\Windows Portable Devices
2010-12-13 03:25 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-12-13 03:25 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-12-13 03:25 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-12-13 03:23 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-12-13 03:22 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-12-13 03:22 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-12-13 03:22 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-12-13 00:28 . 2010-12-13 00:28 -------- d-----w- c:\program files\iPod
2010-12-12 04:20 . 2010-12-12 04:21 -------- d-----w- c:\windows\system32\ca-ES
2010-12-12 04:20 . 2010-12-12 04:21 -------- d-----w- c:\windows\system32\eu-ES
2010-12-12 04:20 . 2010-12-12 04:21 -------- d-----w- c:\windows\system32\vi-VN
2010-12-10 15:13 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4CBA751C-8576-499E-A7D0-391EF8C9E697}\mpengine.dll
2010-12-08 06:21 . 2010-12-08 06:55 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-08 06:21 . 2010-12-19 17:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-08 00:15 . 2010-12-08 00:15 -------- d-----w- c:\windows\system32\EventProviders
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-24 12:44 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-13 03:58 . 2009-08-18 15:24 17816 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2010-10-24 19:00 . 2010-05-09 03:25 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-24 19:00 . 2010-10-24 19:01 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-19 20:51 . 2009-10-03 13:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-12 01:43 . 2010-10-12 01:43 4608 ----a-w- c:\windows\system32\w95inf32.dll
2010-10-12 01:43 . 2010-10-12 01:43 2272 ----a-w- c:\windows\system32\w95inf16.dll
2010-09-28 20:44 . 2010-09-28 20:44 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-09-28 20:44 . 2010-09-28 20:44 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-23 05:47 . 2010-09-23 05:47 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-23 05:32 . 2010-09-23 05:32 301936 ----a-w- c:\windows\WLXPGSS.SCR
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-07 39408]
"Google Update"="c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-25 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-23 4240760]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 145944]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-12 202032]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"VX6000"="c:\windows\vVX6000.exe" [2009-04-10 713744]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-04-10 145760]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2008-04-15 21:51 488752 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 11:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9cec7f199c4d0;Google Update Service (gupdate1c9cec7f199c4d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-07 133104]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-10-24 1352832]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [2009-04-10 2077840]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-10-24 64288]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-04 113664]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-07 03:57]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-07 03:57]

2010-12-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3644912152-2813303598-1054554250-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-25 18:37]

2010-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3644912152-2813303598-1054554250-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-25 18:37]

2010-11-29 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-06-28 03:03]

2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{24627AA6-55C1-4115-B091-852729E25578}.job
- c:\windows\system32\msfeedssync.exe [2010-12-15 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.tr/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\q3yyqeqt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EasyDVDMon - (no file)
HKCU-Run-NoteZilla - (no file)
HKCU-Run-QNPlus - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-20 20:50
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
NoteZilla = ?
QNPlus = ?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-20 20:52:05
ComboFix-quarantined-files.txt 2010-12-21 01:51

Pre-Run: 170,960,510,976 bytes free
Post-Run: 172,120,399,872 bytes free

- - End Of File - - 76F863413537E2FD479DC3C9DE2ABB1E

Attached Files


Edited by Kuk1, 20 December 2010 - 08:58 PM.


#6 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Around the world
  • Local time:02:15 PM

Posted 21 December 2010 - 07:13 AM

Hi kuk1,

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


#7 Kuk1

Kuk1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 22 December 2010 - 09:52 PM

Attached you can find the activescan results.

Thanks in advance...

Merry Christmas and Happy New Yearrr

Attached Files



#8 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Around the world
  • Local time:02:15 PM

Posted 23 December 2010 - 03:52 AM

Hi kuk1,


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\users\owner\appdata\locallow\sun\java\deployment\cache\6.0\54\72928336-52f18a31


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#9 Kuk1

Kuk1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 23 December 2010 - 11:37 PM

Combofix log attached...

Attached Files



#10 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Around the world
  • Local time:02:15 PM

Posted 24 December 2010 - 05:38 AM

Hi kuk,

If you can find a file or folder with this name:
c:\users\owner\appdata\locallow\sun\java\deployment\cache\6.0\54\72928336-52f18a31
please delete it.

Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

    Posted Image
  • The following will implement some very important cleanup procedures as well as reset System Restore points.

You can now enable Security tools as well as teatimer.

How is your computer running?

Please post a fresh DDS log.

#11 Kuk1

Kuk1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 24 December 2010 - 01:43 PM

Attached you can find the DDS logs created.

My computer was very slow this morning in particular. It feels like something was wrong with IE. Even simple stuff would take very long. IE would stop responding and then crawl to open up google.com or while performing a search on google. Btw I was getting a superfetch error this morning as well. When I got it somehow my internet stopped working as well. I did a search on google and came across articles saying that I should delete the content of the prefetch directory.I did it and am hoping it is resolved as folks seemed to have success with it.

Anyway having deleted the file you suggested seems to have helped my computer.

Things are better much compared to morning but I will have to keep testing my computer.

Thanks a lot for all your help. Merry Christmas and Happy new year.

Attached Files



#12 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Around the world
  • Local time:02:15 PM

Posted 25 December 2010 - 08:05 AM

Hi kuk1,

Merry Christmas to you too ;)

Let's check your java version:

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

#13 Kuk1

Kuk1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 27 December 2010 - 12:42 AM

I ran yet another tool that you suggested :) below you can find the log created.

Results of screen317's Security Check version 0.99.8
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
Microsoft Security Essentials successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Spybot - Search & Destroy
Java™ 6 Update 5
Out of date Java installed!
Adobe Flash Player 10.1.85.3
Adobe Reader 8.1.5
Japanese Fonts Support For Adobe Reader 8
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
Spybot Teatimer.exe is disabled!
Microsoft Security Essentials msseces.exe
``````````End of Log````````````

#14 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Around the world
  • Local time:02:15 PM

Posted 27 December 2010 - 06:47 AM

Hi kuk1,

As confirmed by this log we need to update your java:

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Microsoft: ‘Unprecedented Wave of Java Exploitation’
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt UsersPlease follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

While you at it you might want to update your adobe reader as well. You can download the latest version of Adobe reader from: http://www.adobe.com

Let's also clean all temp files to see if the prefetch error will go away:

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

#15 Kuk1

Kuk1
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 28 December 2010 - 10:52 PM

I have done everything you asked me to. Hopefully going forward I won't experience any problems. At this point things look good. My laptop is much faster. I am keeping my fingers crossed :)

Thank you very much for all your help. I really appreciate it.

Happy New Year again thanks a lot for all your help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users