Svchost Lugging Down System


42 replies to this topic

#1 Arbriel


  • Members
  • 42 posts
  • Location:Portland, Oregon

Posted 05 September 2006 - 11:20 AM

Hi, Here is my information:
System: MS Windows XP Home edition Version 2002, service pack 2
Gateway
Pentium® 4 CPU 1.50GHz
256 MB of Ram (yes, I WILL BE getting more--college student got his computer to the shop first...)
ACPI Uniprocessor PC

***The problem I have been having is that svchost has been running on start-up & during times of the computer just sitting and it lugs down my computer opening programs or processing anything.***

Logfile of HijackThis v1.99.1
Scan saved at 9:15:05 AM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Updater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mmc.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143772936140
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Thanks for all your help!
Arbriel


#2 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 13 September 2006 - 01:53 PM

Hello Arbriel,

Welcome to BC. Helpers are all volunteers and the forum is very busy. Sorry about the delay in response.
The following are not malware, but either clutter or not necessary to load up at the start, and can be fixed with HijackThis if you like:
  • Close all open Explorer windows and browsers/email, etc
  • Run HijackThis
  • Click on the Scan button and when complete
  • Put a check beside all of the items listed below
  • Click on the "Fix Checked" button
  • When completed, close the application.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Each instance of the Svchost process [you see in Task Manager] launches a list of services. Multiple instances of Svchost.exe can run at the same time. That's normal. Not having an adequate amount of RAM could be the cause of your complaints. Although there is some malware using the same name as svchost.exe, I don't see any sign of it in your log. The legit svchost.exes (four of them) are running from the System32 folder, where they should be.

You can run the following online virus scan just to make sure.

Run an online scan at Panda's ActiveScan
  • Please go here and perform a full system scan. (use Internet Explorer)
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your Valid Email and click send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • Click on Local Disks to start the scan.
  • Once finished, click see report, then click Save report and save it to your desktop.
NOTE: Please ignore any entry it finds and the offer to buy the program to remove the entry.

Post back a fresh HijackThis log and the Panda scan results please.

Edited by amateur, 13 September 2006 - 01:54 PM.
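An added example, not from the thread or its posters: a PowerShell check for the point amateur makes above, that legitimate svchost.exe instances run from System32 and that each instance hosts a group of services. It assumes PowerShell 3.0 or later in an elevated (Administrator) session; the column and variable names are the example's own.

```powershell
# Added example, not part of the thread. Lists every running svchost.exe,
# checks that it runs from %SystemRoot%\System32 (the only legitimate location
# for the svchost instances that services.exe launches), and shows which
# services each instance hosts plus its CPU time and memory, so a "heavy"
# instance can be tied to the services inside it.
# Assumes PowerShell 3.0 or later and an elevated (Administrator) session, so
# ExecutablePath is readable for system-owned processes.

$system32 = Join-Path $env:SystemRoot 'System32'

# Win32_Service exposes the PID of the process hosting each service, so group
# running services by PID to find what lives inside each svchost instance.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$report = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $path   = $_.ExecutablePath
    $hosted = $servicesByPid["$($_.ProcessId)"]

    # Kernel/user times are reported in 100-nanosecond units.
    $cpuSeconds = [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1)

    [PSCustomObject]@{
        PID          = $_.ProcessId
        Path         = $path
        # -like is case-insensitive and the pattern has no wildcards, so this is
        # an exact, case-insensitive path comparison.
        FromSystem32 = [bool]($path -and ($path -like (Join-Path $system32 'svchost.exe')))
        CpuSeconds   = $cpuSeconds
        WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
        # An svchost that hosts no service at all is as suspicious as a wrong path.
        Services     = if ($hosted) { ($hosted.Name | Sort-Object) -join ', ' } else { '(none)' }
    }
}

# Heaviest instance first: the one "lugging down" the machine is at the top.
$report | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize -Wrap

# Flag anything not loaded from System32 for a closer look.
$suspect = $report | Where-Object { -not $_.FromSystem32 }
if ($suspect) {
    Write-Warning "svchost.exe instance(s) not running from $system32 :"
    $suspect | Format-List PID, Path, Services
} else {
    Write-Host "All $($report.Count) svchost.exe instances run from $system32."
}
```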


#3 Arbriel

  • Topic Starter

  • Members
  • 42 posts
  • Location:Portland, Oregon

Posted 15 September 2006 - 01:13 PM

Hi,
Thanks for your response.
Here are my HijackThis and Panda log files. It looks like I still have some stuff left over from my trouble with SurfSideKick.

Logfile of HijackThis v1.99.1
Scan saved at 11:07:34 AM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wiaacmgr.exe
C:\Program Files\Adobe\Reader\AcroRd32Info.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143772936140
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Elizabeth\Local Settings\Temporary Internet Files\Ssk.log
Spyware:spyware/clipgenie Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Elizabeth\.jpi_cache\file\1.0\Counter.class-762d722b-17fa26f6.class
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.realmedia.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.casalemedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.adrevolver.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.statcounter.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.burstnet.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.maxserving.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.atwola.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/hc/89451406]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.bravenet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[www.burstbeacon.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.apmebf.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.revenue.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/hc/42607328]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.ct.360i.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.com.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.as-us.falkag.net/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.go.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/hc/42435556]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.serving-sys.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.target.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.zedo.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/hc/55566091]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.fortunecity.com/]
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.peel.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/hc/78221172]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.did-it.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[landing.domainsponsor.com/]
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[www47.buydomains.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[www48.seeq.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.com.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.go.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.did-it.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.target.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.zedo.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/hc/42435556]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/hc/42607328]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/hc/55566091]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/hc/78221172]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/hc/89451406]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@azjmp[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@gostats[1].txt

Thanks again for your help. As for RAM, I will be getting more soon. The college student got his first...
Arbriel

#4 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 15 September 2006 - 04:26 PM

Hi,

Panda is reporting mostly some tracking cookies and possible leftovers here and there. Let's see if we can get them all cleaned. I don't see any signs of it in the log, but in case you may have selectively removed some items in the past from the startup procedure, which can hide malware from us when we are performing a fix, I would like you to re-enable those startup entries by doing the following:

Please click on Start, then Run, type msconfig and then press Enter. When the window opens you should be on the General tab. Click on the Normal Startup item. Then press OK until you are out of the program. It will ask you to reboot, so reboot normally.

Deleting the .jpi_cache directory is absolutely harmless. If you have the Java plug-in, the cache for all the webpages you visit that contain Java applets will be stored in the .jpi_cache directory. It's basically like the Temporary Internet Files in this manner. It will just recreate itself when you visit a page that contains any applets. Windows XP stores them in the "C:\Documents and Settings\username (Elizabeth in your case)\.jpi_cache" directory. Go ahead and delete it.

Please download CCleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "CCleaner Yahoo Toolbar" unless you want it.

Download, update, configure these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware SE is 1.06 and Spybot 1.4. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

Download and install Ewido Antimalware 4.0.
  • Open Ewido AntiMalware
  • Go to Status menu
  • Under "Your computer's Security", click change status on Resident shield to inactive
Update Ewido but Do not scan with it yet.

Reboot your computer in Safe Mode using the F8 method below.

a. If the computer is running, shut down Windows, and then turn off the power.
b. Wait 30 seconds, and then turn the computer on.
c. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
d. Ensure that the Safe Mode option is selected.
e. Press Enter. The computer then begins to start in Safe mode.

From Safe Mode, run CCleaner
  • Click on Options
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block. It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run CCleaner for every user.

Still in Safe Mode, run Ewido AntiMalware
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete click Recommended Action and change it to Quarantine
  • Then click Apply all actions
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop
NOTE: Ewido scan may need an hour.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel

Your Java needs to be updated. You have a slightly older version.

Click Start>Run, type in appwiz.cpl and hit Enter. From the list
  • Remove all entries J2SE or J2SE Runtime Environment that are listed.
Reboot in Normal Mode.

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.
Please scan with Panda again and post back the results along with a fresh HijackThis log.

P.S. Does your antivirus program have a firewall? If not, I would recommend that you install one. Here are some good and free ones available. Check them out but install only one. Having more than one firewall would cause problems:

ZoneAlarm here
Kerio Personal Firewall here
Outpost here
Important: (Windows XP only) If you install a firewall, be sure to turn off the WinXP-firewall!

#5 Arbriel

  • Topic Starter

  • Members
  • 42 posts
  • Location:Portland, Oregon

Posted 16 September 2006 - 11:12 PM

Hi
Thanks for all the info. I have not yet installed a new firewall, I did everything else and I am planning to get more RAM. Now, here are my logfiles. What do I do next, if anything?

Active scan first---

Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Elizabeth\Local Settings\Temporary Internet Files\Ssk.log
Spyware:spyware/clipgenie Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:Adware/CWS Not disinfected C:\Documents and Settings\Elizabeth\.jpi_cache\file\1.0\Counter.class-762d722b-17fa26f6.class
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.realmedia.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.casalemedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.adrevolver.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.statcounter.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.burstnet.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.maxserving.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.atwola.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/hc/89451406]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.bravenet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[www.burstbeacon.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.apmebf.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.revenue.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/hc/42607328]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.ct.360i.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.com.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.as-us.falkag.net/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.go.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/hc/42435556]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.serving-sys.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.target.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.zedo.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/hc/55566091]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.fortunecity.com/]
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.peel.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[server.iad.liveperson.net/hc/78221172]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[.did-it.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[landing.domainsponsor.com/]
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[www47.buydomains.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies-1.txt[www48.seeq.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.com.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.go.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.did-it.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.target.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[.zedo.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/hc/42435556]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/hc/42607328]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/hc/55566091]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/hc/78221172]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt[server.iad.liveperson.net/hc/89451406]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@azjmp[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Elizabeth\Cookies\elizabeth@gostats[1].txt

Logfile of HijackThis v1.99.1
Scan saved at 9:06:50 PM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Documents and Settings\Elizabeth\My Documents\Picasa2\PicasaMediaDetector.exe
C:\WINNT\System32\hphmon05.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
C:\WINNT\FSScrCtl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Documents and Settings\Elizabeth\My Documents\Picasa2\PicasaMediaDetector
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143772936140
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Thanks again,
Arbriel

#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:28 AM

Posted 17 September 2006 - 07:17 AM

Hi Arbriel,

The active scan results you've posted are exactly the same as the first one. I am afraid you posted the wrong log. Please post the latest taken after the fixes and scans. I would also like to see the log from the Ewido.

Thanks. :thumbsup:

Edited by amateur, 17 September 2006 - 07:18 AM.


#7 Arbriel

Arbriel
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Location:Portland, Oregon
  • Local time:12:28 AM

Posted 20 September 2006 - 10:22 AM

Hi,
I thought I was sending the new one.
I am having a lot of trouble getting Panda to finish before something happens to shut it down or freeze it. This log was in ewido from the last time:

//==<ewido anti-spyware 4.0>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 00000001 <pages range base not found>
Exception Date: 09/16/2006 10:10:23
File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172

MiniDump Information Saved to C:\Program Files\ewido anti-spyware 4.0\ewido.dmp

Registers:
EAX:00000001
EBX:00000000
ECX:00000000
EDX:7C97C3C0
ESI:00432B17
EDI:00F48E48
CS:EIP:001B:00000001
SS:ESP:0023:045DFE8C EBP:045DFED8
DS:0023 ES:0023 FS:003B GS:0000
Flags:00010202
//==<ewido anti-spyware 4.0>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 00000001 <pages range base not found>
Exception Date: 09/20/2006 08:05:33
File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172

MiniDump Information Saved to C:\Program Files\ewido anti-spyware 4.0\ewido.dmp

Registers:
EAX:00000001
EBX:00000000
ECX:00000000
EDX:7C97C3C0
ESI:00432B17
EDI:00F48EC0
CS:EIP:001B:00000001
SS:ESP:0023:03ADFE8C EBP:03ADFED8
DS:0023 ES:0023 FS:003B GS:0000
Flags:00010202

Intel specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module
00000001 03ADFED8 00432B17 00F48EC0 00000001 00000000 <pages range base not found>
7C927DF7 03ADFEF8 00197750 7C97C3A0 001A9178 00000000 0001:00026DF7 C:\WINNT\system32\ntdll.dll
7C927545 03ADFF40 7C927DDB 00197750 00000000 00000000 0001:00026545 C:\WINNT\system32\ntdll.dll
7C927583 03ADFF60 00000000 00197750 001A9178 03ADFFB4 0001:00026583 C:\WINNT\system32\ntdll.dll
7C927645 03ADFF74 7C927569 00000000 00197750 001A9178 0001:00026645 C:\WINNT\system32\ntdll.dll
7C92761C 03ADFFB4 00000000 00000000 00000000 00000000 0001:0002661C C:\WINNT\system32\ntdll.dll
7C80B683 03ADFFEC <frame 03ADFFEC not readable>

ImageHelp specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address
00000001 03ADFE88 7C927911 00F48EC0 00000001 00197750 <pages range base not found>
00432B42 03ADFED8 00432B17 00F48EC0 00000001 00000000 0001:00031B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
7C927DF7 03ADFEF8 00197750 7C97C3A0 001A9178 00000000 RtlQueueWorkItem+71F
7C927545 03ADFF40 7C927DDB 00197750 00000000 00000000 RtlUpcaseUnicodeString+159
7C927583 03ADFF60 00000000 00197750 001A9178 03ADFFB4 RtlUpcaseUnicodeString+197
7C927645 03ADFF74 7C927569 00000000 00197750 001A9178 RtlUpcaseUnicodeString+259
7C92761C 03ADFFB4 00000000 00000000 00000000 00000000 RtlUpcaseUnicodeString+230
7C80B683 03ADFFEC 7C910760 00000000 00000000 04940688 GetModuleFileNameA+1B4

Loaded Modules:
Base Size Module
00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
7C900000 0B0000 5.01.2600.2180 C:\WINNT\system32\ntdll.dll
7C800000 0F4000 5.01.2600.2945 C:\WINNT\system32\kernel32.dll
76BF0000 00B000 5.01.2600.2180 C:\WINNT\system32\PSAPI.DLL
10000000 0E3000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\engine.dll
77F60000 076000 6.00.2900.2937 C:\WINNT\system32\SHLWAPI.dll
77DD0000 09B000 5.01.2600.2180 C:\WINNT\system32\ADVAPI32.dll
77E70000 091000 5.01.2600.2180 C:\WINNT\system32\RPCRT4.dll
77F10000 047000 5.01.2600.2818 C:\WINNT\system32\GDI32.dll
77D40000 090000 5.01.2600.2622 C:\WINNT\system32\USER32.dll
77C10000 058000 7.00.2600.2180 C:\WINNT\system32\msvcrt.dll
71AB0000 017000 5.01.2600.2180 C:\WINNT\system32\WS2_32.dll
71AA0000 008000 5.01.2600.2180 C:\WINNT\system32\WS2HELP.dll
76B40000 02D000 5.01.2600.2180 C:\WINNT\system32\WINMM.dll
7C9C0000 815000 6.00.2900.2951 C:\WINNT\system32\SHELL32.dll
76380000 005000 5.01.2600.2180 C:\WINNT\system32\MSIMG32.dll
763B0000 049000 6.00.2900.2180 C:\WINNT\system32\comdlg32.dll
773D0000 102000 6.00.2900.2180 C:\WINNT\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.dll
774E0000 13D000 5.01.2600.2726 C:\WINNT\system32\ole32.dll
71AD0000 009000 5.01.2600.2180 C:\WINNT\system32\WSOCK32.dll
76D60000 019000 5.01.2600.2912 C:\WINNT\system32\iphlpapi.dll
77C00000 008000 5.01.2600.2180 C:\WINNT\system32\VERSION.dll
5CD70000 007000 5.01.2600.0000 C:\WINNT\system32\serwvdrv.dll
5B0A0000 007000 5.01.2600.0000 C:\WINNT\system32\umdmxfrm.dll
5AD70000 038000 6.00.2900.2180 C:\WINNT\system32\UxTheme.dll
77B40000 022000 5.01.2600.2180 C:\WINNT\system32\appHelp.dll
76FD0000 07F000 2001.12.4414.0308 C:\WINNT\system32\CLBCATQ.DLL
77050000 0C5000 2001.12.4414.0258 C:\WINNT\system32\COMRes.dll
77120000 08C000 5.01.2600.2180 C:\WINNT\system32\OLEAUT32.dll
77A20000 054000 5.01.2600.2180 C:\WINNT\System32\cscui.dll
76600000 01D000 5.01.2600.2180 C:\WINNT\System32\CSCDLL.dll
77920000 0F3000 5.01.2600.2180 C:\WINNT\system32\SETUPAPI.dll
76980000 008000 5.01.2600.2751 C:\WINNT\system32\LINKINFO.dll
76990000 025000 5.01.2600.2180 C:\WINNT\system32\ntshrui.dll
76B20000 011000 3.05.2284.0000 C:\WINNT\system32\ATL.DLL
5B860000 054000 5.01.2600.2952 C:\WINNT\system32\NETAPI32.dll
769C0000 0B3000 5.01.2600.2180 C:\WINNT\system32\USERENV.dll
59A60000 0A1000 5.01.2600.2180 C:\WINNT\system32\DBGHELP.DLL

Also, here is HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 8:14:28 AM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Documents and Settings\Elizabeth\My Documents\Picasa2\PicasaMediaDetector.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINNT\System32\hphmon05.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
C:\WINNT\FSScrCtl.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Microsoft Office\Office\MSPUB.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Documents and Settings\Elizabeth\My Documents\Picasa2\PicasaMediaDetector
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143772936140
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


Also - here is the Ad-Aware log from the last day I did it:



Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, September 15, 2006 8:54:20 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R123 14.09.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
None
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R121 28.08.2006
Internal build : 147
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 752587 Bytes
Total size : 2438973 Bytes
Signature data size : 2390418 Bytes
Reference data size : 48043 Bytes
Signatures total : 66289
CSI Fingerprints total : 3549
CSI data size : 138366 Bytes
Target categories : 15
Target families : 959

9-15-2006 8:50:10 PM Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R123 14.09.2006
Internal build : 151
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 780435 Bytes
Total size : 2528428 Bytes
Signature data size : 2479665 Bytes
Reference data size : 48251 Bytes
Signatures total : 68293
CSI Fingerprints total : 3774
CSI data size : 152723 Bytes
Target categories : 15
Target families : 971


9-15-2006 8:50:25 PM Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:17 %
Total physical memory:261424 kb
Available physical memory:42168 kb
Total page file size:630976 kb
Available on page file:445928 kb
Total virtual memory:2097024 kb
Available virtual memory:2038780 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Don't log streams smaller than 0 Bytes
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Use permanent archive caching
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Disable manual quarantine if auto-quarantine is selected
Set : Reanalyze results after scanning before displaying results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Create log file for removal operations
Set : Include alternate data stream details in log file
Set : Dump details about unhandled exceptions to disk
Set : Play sound at scan completion if scan locates critical objects


9-15-2006 8:54:20 PM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 412
ThreadCreationTime : 9-16-2006 3:38:21 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 528
ThreadCreationTime : 9-16-2006 3:38:27 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 552
ThreadCreationTime : 9-16-2006 3:38:29 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 596
ThreadCreationTime : 9-16-2006 3:38:30 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 608
ThreadCreationTime : 9-16-2006 3:38:30 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 764
ThreadCreationTime : 9-16-2006 3:38:33 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 816
ThreadCreationTime : 9-16-2006 3:38:34 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [msmpeng.exe]
FilePath : C:\Program Files\Windows Defender\
ProcessID : 916
ThreadCreationTime : 9-16-2006 3:38:34 AM
BasePriority : Normal
FileVersion : 1.1.1347.0
ProductVersion : 1.1.1347.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Service Executable
InternalName : MsMpEng.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MsMpEng.exe

#:9 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1008
ThreadCreationTime : 9-16-2006 3:38:35 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1148
ThreadCreationTime : 9-16-2006 3:38:36 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1296
ThreadCreationTime : 9-16-2006 3:38:38 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [cdantsrv.exe]
FilePath : C:\WINNT\System32\DRIVERS\
ProcessID : 1448
ThreadCreationTime : 9-16-2006 3:38:45 AM
BasePriority : Normal
FileVersion : 3.25.010
ProductVersion : 3.25.010 Windows NT 2002/01/07
ProductName : CD-Secure/CD-Compress Windows NT
CompanyName : C-Dilla Ltd
FileDescription : C-Dilla RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright © Macrovision 1993-2002
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:13 [sagent2.exe]
FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
ProcessID : 1468
ThreadCreationTime : 9-16-2006 3:38:45 AM
BasePriority : Normal
FileVersion : 2, 1, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : EPSON Bidirectional Printer
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
LegalCopyright : Copyright © SEIKO EPSON CORP. 2000-2001
OriginalFilename : SAgent2.exe

#:14 [nvsvc32.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1508
ThreadCreationTime : 9-16-2006 3:38:45 AM
BasePriority : Normal
FileVersion : 5.13.01.1520
ProductVersion : 5.13.01.1520
ProductName : NVIDIA Driver Helper Service, Version 15.20
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 15.20
InternalName : NVSVC
LegalCopyright : Copyright © 1998-2001 NVIDIA Corporation
OriginalFilename : nvsvc32.exe

#:15 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1580
ThreadCreationTime : 9-16-2006 3:38:45 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:16 [wdfmgr.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1596
ThreadCreationTime : 9-16-2006 3:38:45 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:17 [vrmonsvc.exe]
FilePath : C:\Program Files\PCSecurityShield\ShieldAntivirus\
ProcessID : 1612
ThreadCreationTime : 9-16-2006 3:38:46 AM
BasePriority : Normal
FileVersion : 2006, 1, 5, 1
ProductVersion : 2006, 1, 5, 1
ProductName : HAURI ViRobot Vrmonsvc
CompanyName : HAURI
FileDescription : ViRobot Monitoring Service
InternalName : Vrmonsvc
LegalCopyright : Copyright 1998, 2001
OriginalFilename : vrmonsvc.exe
Comments : ViRobot Monitoring Service

#:18 [wanmpsvc.exe]
FilePath : C:\WINNT\
ProcessID : 1704
ThreadCreationTime : 9-16-2006 3:38:46 AM
BasePriority : Normal
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
LegalCopyright : Copyright © 2001 America Online, Inc.
OriginalFilename : WanMPSvc.exe

#:19 [alg.exe]
FilePath : C:\WINNT\System32\
ProcessID : 212
ThreadCreationTime : 9-16-2006 3:38:53 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:20 [wuauclt.exe]
FilePath : C:\WINNT\system32\
ProcessID : 532
ThreadCreationTime : 9-16-2006 3:39:35 AM
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:21 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1996
ThreadCreationTime : 9-16-2006 3:47:00 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:22 [taskmgr.exe]
FilePath : C:\WINNT\system32\
ProcessID : 900
ThreadCreationTime : 9-16-2006 3:48:29 AM
BasePriority : High
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskmgr.exe

#:23 [msascui.exe]
FilePath : C:\Program Files\Windows Defender\
ProcessID : 400
ThreadCreationTime : 9-16-2006 3:48:54 AM
BasePriority : Normal
FileVersion : 1.1.1347.0
ProductVersion : 1.1.1347.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Windows Defender User Interface
InternalName : MSASCUI
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MSASCUI.exe

#:24 [vrres.exe]
FilePath : C:\Program Files\PCSecurityShield\ShieldAntivirus\
ProcessID : 316
ThreadCreationTime : 9-16-2006 3:48:55 AM
BasePriority : Normal
FileVersion : 2002, 10, 5, 1
ProductVersion : 2002, 10, 5, 1
ProductName : VrRes Application.
CompanyName : ©HAURI
InternalName : VrRes
LegalCopyright : Copyright © 1998 - 2000
OriginalFilename : VrRes.EXE

#:25 [vrmonnt.exe]
FilePath : C:\Program Files\PCSecurityShield\ShieldAntivirus\
ProcessID : 588
ThreadCreationTime : 9-16-2006 3:48:55 AM
BasePriority : Normal
FileVersion : 2006, 1, 18, 1
ProductVersion : 2006, 1, 18, 1
ProductName : vrmonnt application
CompanyName : HAURI
FileDescription : vrmonnt application
InternalName : vrsvcexe
LegalCopyright : Copyright © 1998, 2002
OriginalFilename : vrmonnt application
Comments : Sunny Kim

#:26 [tgcmd.exe]
FilePath : C:\Program Files\support.com\bin\
ProcessID : 344
ThreadCreationTime : 9-16-2006 3:48:56 AM
BasePriority : Normal
FileVersion : 5,5,402,0
ProductVersion : 5,5,402,0
ProductName : Support.com Scheduler and Command Dispatcher
CompanyName : Support.com, Inc.
FileDescription : Support.com Scheduler and Command Dispatcher
InternalName : TGCMD
LegalCopyright : Copyright 1997-2069 Support.com
OriginalFilename : TGCMD.EXE

#:27 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_07\bin\
ProcessID : 1352
ThreadCreationTime : 9-16-2006 3:48:57 AM
BasePriority : Normal


#:28 [picasamediadetector.exe]
FilePath : C:\Documents and Settings\Elizabeth\My Documents\Picasa2\
ProcessID : 1052
ThreadCreationTime : 9-16-2006 3:48:59 AM
BasePriority : Normal
FileVersion : 2.1.0
ProductVersion : 2.1.0
ProductName : Picasa
CompanyName : Google Inc.
FileDescription : Picasa
InternalName : Picasa
LegalCopyright : © 2004- 2005 Google Inc.
OriginalFilename : Picasa2.exe

#:29 [hphmon05.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1180
ThreadCreationTime : 9-16-2006 3:49:04 AM
BasePriority : Normal
FileVersion : 5,0,84
ProductVersion : 5,0,84
ProductName : HP Photosmart
CompanyName : Hewlett-Packard
FileDescription : HPHmon05
InternalName : HPHmon05
LegalCopyright : Copyright © 2003
OriginalFilename : HPHmon05.exe

#:30 [hpztsb09.exe]
FilePath : C:\WINNT\system32\spool\drivers\w32x86\3\
ProcessID : 1904
ThreadCreationTime : 9-16-2006 3:49:06 AM
BasePriority : Normal
FileVersion : 2.229.1.0
ProductVersion : 2.229.1.0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2003

#:31 [googledesktop.exe]
FilePath : C:\Program Files\Google\Google Desktop Search\
ProcessID : 1756
ThreadCreationTime : 9-16-2006 3:49:08 AM
BasePriority : Normal


#:32 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1496
ThreadCreationTime : 9-16-2006 3:49:17 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:33 [googledesktopindex.exe]
FilePath : C:\Program Files\Google\Google Desktop Search\
ProcessID : 1828
ThreadCreationTime : 9-16-2006 3:49:19 AM
BasePriority : Normal


#:34 [hpzipm12.exe]
FilePath : C:\WINNT\System32\
ProcessID : 336
ThreadCreationTime : 9-16-2006 3:49:21 AM
BasePriority : Normal
FileVersion : 7, 0, 0, 0
ProductVersion : 7, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:35 [googleupdater.exe]
FilePath : C:\Program Files\Google\Google Updater\1.1.514.27546\
ProcessID : 880
ThreadCreationTime : 9-16-2006 3:49:24 AM
BasePriority : Normal


#:36 [fsscrctl.exe]
FilePath : C:\WINNT\
ProcessID : 992
ThreadCreationTime : 9-16-2006 3:49:27 AM
BasePriority : Normal
FileVersion : 2, 1, 0, 46
ProductVersion : 2, 1, 0, 46
ProductName : Stardust Screen Saver Toolkit 2.1
CompanyName : Stardust Software
FileDescription : Screen Saver Control applet
InternalName : FSScrCtl
LegalCopyright : Copyright © 1998-1999 Stardust Software.
LegalTrademarks : Stardust and Screen Saver Toolkit are trademarks of Stardust Software.
OriginalFilename : FSSCRCTL.EXE
Comments : www.stardustsoftware.com

#:37 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1028
ThreadCreationTime : 9-16-2006 3:49:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:38 [googledesktopcrawl.exe]
FilePath : C:\Program Files\Google\Google Desktop Search\
ProcessID : 1488
ThreadCreationTime : 9-16-2006 3:49:30 AM
BasePriority : Normal


Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Disk Scan Result for C:\WINNT\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Disk Scan Result for C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 0


8:59:00 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:39.984
Objects scanned:94758
Objects identified:0
Objects ignored:0
New critical objects:0


I will send the panda if I can get it to finish.
Arbriel

#8 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:04:28 AM

Posted 20 September 2006 - 02:00 PM

Hi Arbriel,

I cannot see any sign of malware in your log. However, that may not always mean that your computer is free of malware. That's the reason I would like to see the Ewido results and the online virus scan results. For the online virus scan, let's try a different scan and see how that goes.

Please download Dr.Web CureIt to the desktop.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: (image)
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
    (image)
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log, in your next reply.
===================================

Download and install Process Explorer from here: http://www.sysinternals.com/Utilities/ProcessExplorer.html. This will show us which svchost is running and at what %.
Expand the tree just like Windows Explorer.
Locate the svchost.exes that are running
Right click on each svchost.exe, click Properties, select Services tab
Note the Service, Display Name and Path
Post those in your next reply please.

====================================

The log file I need from Ewido is not the one you've posted. Did you have any problems while running Ewido? You've posted the Ewido dump file. Please try running Ewido again, and save the log as instructed in my previous post. I need the logfile.txt

====================================

Post back the results from Dr.Web CureIt and the Ewido logfile.txt, along with the information about the svchost.exes. Thanks.

Edited by amateur, 20 September 2006 - 02:01 PM.
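The svchost-to-service mapping that the Process Explorer steps above produce by hand, as an added example that is not from this thread or its participants: a PowerShell script (assumes PowerShell 3.0 or later for Get-CimInstance, run from an elevated prompt) that lists every svchost.exe with the services it hosts, their display names and start path, sorted by CPU time, and then checks whether the busiest instance is the genuine system image and actually hosts a service.

```powershell
# Added example, not from the thread: build the same view Process Explorer's
# Services tab gives for one svchost.exe, but for every instance at once.
# Assumes PowerShell 3.0+ (Get-CimInstance) and an elevated prompt, since a
# non-admin session cannot read the image path of processes it does not own.

function Get-SvchostServiceMap {
    [CmdletBinding()]
    param()

    # Win32_Service carries the PID of the process hosting each service, so
    # grouping services by ProcessId reproduces the "Services" tab per PID.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 }
    $byPid = $services | Group-Object -Property ProcessId -AsHashTable -AsString

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $hosted = @()
        if ($byPid -and $byPid.ContainsKey([string]$_.Id)) {
            $hosted = @($byPid[[string]$_.Id])
        }
        # The service PathName shows the "-k" group the instance was started with.
        $pathName = if ($hosted.Count -gt 0) { $hosted[0].PathName } else { '' }

        [PSCustomObject]@{
            PID          = $_.Id
            CpuSeconds   = [math]::Round([double]$_.CPU, 1)   # total processor time
            WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
            Services     = ($hosted | ForEach-Object Name) -join ', '
            DisplayNames = ($hosted | ForEach-Object DisplayName) -join '; '
            Path         = $pathName
        }
    } | Sort-Object -Property CpuSeconds -Descending
}

# A process merely named svchost.exe is not necessarily the Windows one:
# compare the loaded image with %SystemRoot%\System32\svchost.exe, and treat
# an instance that hosts no service at all as worth a closer look as well.
function Test-SvchostInstance {
    param([Parameter(Mandatory)][int]$ProcessId)

    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    try { $image = $proc.MainModule.FileName } catch { $image = '<access denied>' }
    $hostsServices = @(Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -eq $ProcessId }).Count -gt 0

    [PSCustomObject]@{
        PID           = $ProcessId
        Image         = $image
        ExpectedImage = ($image -ieq $expected)
        HostsServices = $hostsServices
    }
}

# The top row is the instance to investigate first; then check its image.
$map = @(Get-SvchostServiceMap)
$map | Format-Table -AutoSize
if ($map.Count -gt 0) { Test-SvchostInstance -ProcessId $map[0].PID | Format-List }
```

The Services column for each PID corresponds to the Service names the reply asks for, and Path shows the command line (including the "-k" group) that started that instance.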


#9 Arbriel

Arbriel
  • Topic Starter

  • Members
  • 42 posts
  • Location:Portland, Oregon
  • Local time:12:28 AM

Posted 20 September 2006 - 02:50 PM

Hi,
I got your email and I will try to do the other scan. I ran Panda for an hour and it got stuck again. Here is the partial report. I will report back once I run the other.
Arbriel


Incident Status Location

Spyware:spyware/clipgenie Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/popupsearches Not disinfected Windows Registry
Spyware:spyware/safesurf Not disinfected Windows Registry
Spyware:spyware/new.net Not disinfected Windows Registry

Edited by Arbriel, 20 September 2006 - 08:16 PM.


#10 Arbriel

Arbriel
  • Topic Starter

  • Members
  • 42 posts
  • Location:Portland, Oregon
  • Local time:12:28 AM

Posted 20 September 2006 - 08:29 PM

Okay,
I was trying to run the ewido Resident Shield, but it keeps giving error messages, so it is inactive.
So, I ran the scan properly this time, and here it is:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:13:02 PM 9/20/2006

+ Scan result:



HKU\S-1-5-21-101265881-222395546-2225589205-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : No action taken.
:mozilla.180:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.181:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.73:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.74:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.75:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.76:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.77:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.79:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.81:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.82:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.83:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.84:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.85:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.86:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.175:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Kmpads : No action taken.
:mozilla.176:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Kmpads : No action taken.
:mozilla.177:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Kmpads : No action taken.
:mozilla.179:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.45:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.46:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.47:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.48:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.49:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\ikjhmeop.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end

*****And here are the results of the Dr.Web scan:

It took 2.5 hours



tgcmd.exe;C:\Program Files\support.com\bin;Probably DLOADER.Trojan;Will be deleted after reboot.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.7.1;Probably BACKDOOR.Trojan;Deleted.;
GWMDMPI.EXE;C:\OEMDRVRS;Probably BACKDOOR.Trojan;Deleted.;
sdcmon.dll;C:\Program Files\support.com\bin;Probably DLOADER.Trojan;Will be deleted after reboot.;
tgcmd.exe;C:\Program Files\support.com\bin;Probably DLOADER.Trojan;Will be deleted after reboot.;
tgupdate.exe;C:\Program Files\support.com\bin;Probably DLOADER.Trojan;Deleted.;
A0314456.exe;C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1756;Adware.VMN;Deleted.;



And finally, here is a current HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 6:22:46 PM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Documents and Settings\Elizabeth\My Documents\Picasa2\PicasaMediaDetector.exe
C:\WINNT\System32\hphmon05.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\FSScrCtl.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Documents and Settings\Elizabeth\My Documents\Picasa2\PicasaMediaDetector
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINNT\FSScrCtl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143772936140
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

The Process Explorer report will come next. I am still running it.
Arbriel

#11 Arbriel

Arbriel
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Location:Portland, Oregon
  • Local time:12:28 AM

Posted 20 September 2006 - 11:18 PM

Hi again,
I finally got Process Explorer to settle down & give me a report. It never really stops, does it?
Oh, well. Here is a report:


Process                 | PID  | CPU | Description                                 | Company Name
System Idle Process     | 0    | 97  |                                             |
Interrupts              | n/a  |     | Hardware Interrupts                         |
DPCs                    | n/a  | 2   | Deferred Procedure Calls                    |
System                  | 4    |     |                                             |
smss.exe                | 476  |     | Windows NT Session Manager                  | Microsoft Corporation
csrss.exe               | 532  |     | Client Server Runtime Process               | Microsoft Corporation
winlogon.exe            | 556  |     | Windows NT Logon Application                | Microsoft Corporation
services.exe            | 600  | 2   | Services and Controller app                 | Microsoft Corporation
svchost.exe             | 764  |     | Generic Host Process for Win32 Services     | Microsoft Corporation
svchost.exe             | 808  |     | Generic Host Process for Win32 Services     | Microsoft Corporation
MsMpEng.exe             | 908  |     | Service Executable                          | Microsoft Corporation
svchost.exe             | 1088 |     | Generic Host Process for Win32 Services     | Microsoft Corporation
svchost.exe             | 1156 |     | Generic Host Process for Win32 Services     | Microsoft Corporation
spoolsv.exe             | 1304 |     | Spooler SubSystem App                       | Microsoft Corporation
CDANTSRV.EXE            | 1432 |     | C-Dilla RTS Service                         | C-Dilla Ltd
SAgent2.exe             | 1448 |     | EPSON Printer Status Agent                  | SEIKO EPSON CORPORATION
guard.exe               | 1484 |     | ewido anti-spyware guard                    | Anti-Malware Development a.s.
nvsvc32.exe             | 1556 |     | NVIDIA Driver Helper Service, Version 15.20 | NVIDIA Corporation
svchost.exe             | 1620 |     | Generic Host Process for Win32 Services     | Microsoft Corporation
wdfmgr.exe              | 1640 |     | Windows User Mode Driver Manager            | Microsoft Corporation
vrmonsvc.exe            | 1724 |     | ViRobot Monitoring Service                  | HAURI
wanmpsvc.exe            | 1760 |     | Wan Miniport (ATW) Service                  | America Online, Inc.
alg.exe                 | 196  |     | Application Layer Gateway Service           | Microsoft Corporation
HPZipm12.exe            | 2392 |     | PML Driver                                  | HP
svchost.exe             | 3100 |     | Generic Host Process for Win32 Services     | Microsoft Corporation
lsass.exe               | 612  |     | LSA Shell (Export Version)                  | Microsoft Corporation
explorer.exe            | 1044 |     | Windows Explorer                            | Microsoft Corporation
MSASCui.exe             | 220  |     | Windows Defender User Interface             | Microsoft Corporation
VrRes.exe               | 320  |     |                                             | ©HAURI
vrmonnt.exe             | 340  |     | vrmonnt application                         | HAURI
PicasaMediaDetector.exe | 444  |     | Picasa                                      | Google Inc.
hphmon05.exe            | 492  |     | HPHmon05                                    | Hewlett-Packard
hpztsb09.exe            | 524  |     |                                             | HP
jusched.exe             | 1240 |     | Java™ 2 Platform Standard Edition binary    | Sun Microsystems, Inc.
FSScrCtl.exe            | 2476 |     | Screen Saver Control applet                 | Stardust Software
ewido.exe               | 3200 |     | ewido anti-spyware                          | Anti-Malware Development a.s.
procexp.exe             | 952  |     | Sysinternals Process Explorer               | Sysinternals

Thanks for all your help
Arbriel

#12 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:28 AM

Posted 21 September 2006 - 12:40 PM

Hi Arbriel,

I cannot see anything unusual or any malware among your running processes or in the HijackThis log. Did you notice any excessive use (high %) by any of the processes?

You have some background processes, such as Stardust Screen Saver, Picasa Media Detector and Ewido, which are known to use a lot of resources. Are you using AOL? Let me know if you are not using it. That's another resource hogger. Let's configure Ewido so that it will not use any resources and will be available only when you need to scan with it. The automatic updates and the guard will cease to function at the end of the trial period anyway.

  • Locate the icon on the desktop and double-click it to launch the set-up program.
  • Select "Change status" to inactive for 'Resident Shield' and 'Automatic Updates'.
  • Right-click on Ewido in the system tray and uncheck "Start with Windows".
  • Go to Start > Run and type: services.msc
  • Press "OK".
  • In Services, click the "Extended" tab and scroll down the list to find ewido anti-spyware 4.0 guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
You will need to run Ewido and update the definition files before scanning with it.

For the other processes which are not needed at the startup, you can download Startup Inspector from here
This program will help you to decide exactly what programs you disable from running at startup.
The Readme.txt file included has instructions on how to use it.

The following is needed if what you have is a Gateway 450 portable computer. You can go to the C:\Documents and Settings\<User Name>\DoctorWeb\Quarantine folder and restore that file if that's the case:

C:\OEMDRVRS\GWMDMPI.EXE


Run CCleaner again first to shorten the scanning time, and then try running this online scanner, since you were not having good luck with Panda.

Kaspersky Online Scanner
1. Click on Kaspersky Online Scanner
2. A new smaller window will pop up. Press on Accept (after reading the contents).
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on Next>Scan Settings, and make sure the database is set to "extended". And check both the scan options. Then click OK.
5. Then click on "My Computer". And the scan will start.
6. Once finished, save a log as ".txt" to the desktop. And restart.

For Kaspersky's WebScan you may need to set 'Download Unsigned ActiveX' to Prompt in order to get it to run.

In Internet Explorer, go to Tools > Internet Options > Security tab and select Custom Level. Scroll down and set Download unsigned ActiveX to Prompt. That should allow the Kaspersky scan to download the ActiveX control after prompting you.

Please post back the results from Kaspersky and let me know if you notice any improvement.

#13 Arbriel

Arbriel
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Location:Portland, Oregon
  • Local time:12:28 AM

Posted 24 September 2006 - 02:36 PM

Hi, here is my report. As for whether or not I get any improvement, I have not really tried working with the computer today as yet. If you think I will, then I will look for it. I am planning on taking the device in for some more RAM this week. Thanks for your help.
Arbriel




KASPERSKY ONLINE SCANNER REPORT
Sunday, September 24, 2006 9:29:20 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/09/2006
Kaspersky Anti-Virus database records: 226001


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 174792
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 01:47:31

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-07072006-194510.log Object is locked skipped

C:\Documents and Settings\Elizabeth\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Elizabeth\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Elizabeth\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Elizabeth\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Elizabeth\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Elizabeth\ntuser.dat Object is locked skipped

C:\Documents and Settings\Elizabeth\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP1766\change.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\Sti_Trace.log Object is locked skipped

C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped

C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\DEFAULT Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\SOFTWARE Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SYSTEM Object is locked skipped

C:\WINNT\system32\config\system.LOG Object is locked skipped

C:\WINNT\system32\drivers\fidbox.dat Object is locked skipped

C:\WINNT\system32\drivers\fidbox.idx Object is locked skipped

C:\WINNT\system32\drivers\fidbox2.dat Object is locked skipped

C:\WINNT\system32\drivers\fidbox2.idx Object is locked skipped

C:\WINNT\system32\h323log.txt Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINNT\Temp\~DFEF6C.tmp Object is locked skipped

C:\WINNT\wiadebug.log Object is locked skipped

C:\WINNT\wiaservc.log Object is locked skipped

Scan process completed.

#14 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:28 AM

Posted 24 September 2006 - 02:56 PM

Hi Arbriel,

The Kaspersky report is clean. I am glad that you're going to get some more memory. I am sure that's going to help a lot. In the meantime, we can do one more thing to improve the performance of the computer.



Have you ever defragmented the disk? Over time, the disk gets fragmented. Go to Start > All Programs > Accessories > System Tools > Disk Defragmenter and click on Analyze. It will let you know whether you need to defragment the hard disk or not. Do so if it says it's needed. Let me know how that went and post a fresh HijackThis log, please.

#15 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:28 AM

Posted 27 September 2006 - 12:40 PM

As per PM, the topic is re-opened.




Logfile of HijackThis v1.99.1
Scan saved at 12:08:58 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Palm\Hotsync.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - Startup: Palm Registration.lnk = C:\Palm\register.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143772936140
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B93A7E-70C7-4136-9FED-04E85BA72E2E}: NameServer = 192.168.1.1
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

What continues to happen is that the start-up is lugged down, software sometimes doesn't work after start-up, & icons are constantly reappearing after I have put them into "hide always" on the task bar. Things I adjust keep getting undone. My start-up is clogged with all kinds of things; I do not know what I need and what I do not need. svchost seems to run large amounts at start-up for things that, I think, are unnecessary, because if I run start-up as diagnostic only it does not happen, but then things like my internet connection do not come on.

The reason it took me so long to respond was that I went to get memory before I finished sending all the info, so we could see whether it solved things. It didn't.
Thanks again
Arbriel


Edited by amateur, 27 September 2006 - 02:29 PM.
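Two questions in this thread, which start-up entries and services a machine actually carries (Arbriel's "I do not know what I need and what I do not need") and which service names to look up in services.msc when following amateur's instructions for the ewido guard, both come down to pulling an inventory out of the HijackThis log. The script below is an added example for readers of this thread; it is not a HijackThis or BleepingComputer tool and was not posted by anyone in the thread. It parses a log in HijackThis v1.99.1 format, lists the O4 start-up entries by source (HKLM Run, HKCU Run, Startup folders), the O23 services, and every entry tagged "(file missing)", and counts how many svchost.exe instances appear in the running-process list. The sample log embedded in it is constructed from the kinds of lines posted above, so it runs offline; all function and variable names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v1.99.1 log format. The lines mirror the
# kinds of entries posted in this thread; they are embedded here so the
# script runs offline without a real log file.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:08:58 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
"""

# Every HijackThis entry starts with a section code such as R0, O4, O23.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 registry Run entries: "HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 Startup-folder entries: "Global Startup: name.lnk = command"
STARTUP_RE = re.compile(r"^(?P<where>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# O23 services: "Service: display name - company - image path"
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")
# First executable/library/cab path in a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|cab))"?(?:\s|$)', re.IGNORECASE)


def executable_of(command):
    """Strip quotes and arguments, returning just the program path."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else command.strip()


def parse_hjt(text):
    """Split a HijackThis log into processes, start-up entries, services and
    entries HijackThis marked '(file missing)'."""
    procs, startup, services, missing = [], [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            procs.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                  # header lines such as "Platform: ..."
        kind, body = m.group("kind"), m.group("body")
        if body.endswith("(file missing)"):
            missing.append((kind, body))
        if kind == "O4":
            r = RUN_RE.match(body)
            if r:
                startup.append({"source": r.group("hive") + "\\Run",
                                "name": r.group("name"), "command": r.group("cmd")})
                continue
            s = STARTUP_RE.match(body)
            if s:
                startup.append({"source": s.group("where"),
                                "name": s.group("name"), "command": s.group("cmd")})
        elif kind == "O23":
            s = SERVICE_RE.match(body)
            if s:
                services.append({"name": s.group("name"),
                                 "company": s.group("company"), "path": s.group("path")})
    return {"processes": procs, "startup": startup,
            "services": services, "missing": missing}


def triage(text):
    """Summarise what a reader would review: svchost count, start-up entries
    grouped by where they are registered, service display names, and the
    section codes of entries whose file is missing."""
    data = parse_hjt(text)
    svchost = sum(1 for p in data["processes"] if p.lower().endswith("\\svchost.exe"))
    return {
        "svchost_instances": svchost,
        "startup_by_source": dict(Counter(e["source"] for e in data["startup"])),
        "startup_executables": sorted(executable_of(e["command"]) for e in data["startup"]),
        "service_names": [s["name"] for s in data["services"]],
        "file_missing": [kind for kind, _ in data["missing"]],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The service names it prints are the display names shown in the services.msc list, so they can be matched directly when changing a Startup Type to Manual as described above. Several svchost.exe instances are normal on XP (each hosts a group of services), so the count on its own is not a finding; the "(file missing)" entries are references left behind by removed software, which in this thread's logs point at Panda and Webroot components that are no longer installed.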




