Hijack This Log


  • This topic is locked
10 replies to this topic

#1 KMF

Posted 20 September 2006 - 10:19 PM

Windows running very VERY slowly...sometimes takes a minute or more. Even drop down menus take their sweet time. Followed all the pre-log recommendations and did a few fixes with Adware SE and McAfee. Recently started using TDS DSL for IP (problem started prior to upgrade) but also have People PC for the moment (don't want to give up my e-addy).
Shut all my other windows and ran full scan with Norton just before running log and nothing...

Please check and let me know if anything can be done. Thank you.

KMF

Logfile of HijackThis v1.99.1
Scan saved at 10:12:23 PM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Karen\LOCALS~1\Temp\Temporary Directory 1 for HijackThis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://webmail.juno.com
O15 - Trusted Zone: http://zone.msn.com
O15 - Trusted Zone: http://*.peoplepc.com
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - http://www.peoplepc.com/ppcos/isp60/download/ppcwebi.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124501864218
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by KMF, 20 September 2006 - 10:22 PM.


#2 DaveM59

Posted 22 September 2006 - 04:46 PM

Hi KMF,

Welcome to Bleeping Computer. :thumbsup:

I will be helping you under the guidance of one of our expert coaches.

Please give me a little time to get back to you with instructions.

Cheers,
Dave

#3 DaveM59

Posted 23 September 2006 - 05:28 AM

Hi again KMF,

I need to see another HijackThis log, but you need to extract (unzip) HijackThis first. Otherwise the backups made when items are fixed won't be secure. The easiest way to accomplish this is to reinstall and delete any copies of HijackThis.zip you have saved.

Please download the self-extracting version of HijackThis from here:

HijackThis_sfx download

Save HijackThis_sfx to your desktop.

Double-click the file then click the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

Open your new HijackThis and run a scan. Save the new log and post it to a reply here.

In the same reply, please tell me about your computer -- make & model, Processor, RAM, and so on. You are running a lot of software and I'd like to get an idea of whether your machine is up to it. Also if you remember or can find in logfiles any specifics about what the Ad-Aware and other scans found and fixed. And finally -- last thing, I promise! -- any symptoms other than slow performance that you may have noticed -- popup ads, error messages, and so on.

Dave
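
The post above asks for a new scan because HijackThis was run from inside an unextracted zip, which the first log shows in its process list. The following Python is an added example, not part of the original thread or of HijackThis itself: it parses a log in the format shown in this topic, reports where HijackThis.exe was run from, and lists entries marked "(file missing)" or "(no file)". The function names `parse_hjt_log` and `triage` are hypothetical, and the sample is a few lines taken from the first log above.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the first log in this topic.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:12:23 PM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Karen\LOCALS~1\Temp\Temporary Directory 1 for HijackThis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
"""

# Section lines look like "O4 - HKLM\..\Run: [nwiz] nwiz.exe /install".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Markers seen in the log above when an entry's target file is absent.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_hjt_log(text):
    """Split a HijackThis text log into header fields, processes and section entries."""
    header, processes, entries = {}, [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries[match.group(1)].append(match.group(2))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif line.startswith("Logfile of HijackThis "):
            header["version"] = line.rsplit(" ", 1)[-1]
        elif line.startswith("Scan saved at "):
            header["saved"] = line[len("Scan saved at "):]
        elif line.startswith(("Platform:", "MSIE:")):
            key, _, value = line.partition(":")
            header[key.lower()] = value.strip()
    return {"header": header, "processes": processes, "entries": dict(entries)}


def triage(parsed):
    """Report where HijackThis ran from and which entries point at missing files."""
    hjt_path = next(
        (p for p in parsed["processes"] if p.lower().endswith("\\hijackthis.exe")),
        None,
    )
    low = (hjt_path or "").lower()
    # Running from an archive viewer's temp folder is what the post above asks to avoid.
    from_archive_or_temp = ".zip\\" in low or "\\temp\\" in low
    orphans = [
        (code, text)
        for code, items in parsed["entries"].items()
        for text in items
        if text.endswith(ORPHAN_MARKERS)
    ]
    return {
        "hijackthis_path": hjt_path,
        "run_from_archive_or_temp": from_archive_or_temp,
        "orphans": orphans,
    }


if __name__ == "__main__":
    report = triage(parse_hjt_log(SAMPLE_LOG))
    print("HijackThis path:", report["hijackthis_path"])
    print("Run from archive/temp:", report["run_from_archive_or_temp"])
    for code, text in report["orphans"]:
        print("Orphan entry:", code, "-", text)
```
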

#4 KMF

Posted 23 September 2006 - 04:12 PM

Hi Dave

Thanks much for the quick reply. I followed your instructions and deleted any old version of HJT and reinstalled the new one. Did my unzip and saved the log. I also added an addendum on to it with information from my scans of Adware SE (it's fairly long, though). I ran the McAfee Stinger, also, but don't recall if anything was found with that and there is no log saved under that program. I do get an error message nearly every time I close an IE window. Says "instruction at 0X01802bf2 referenced memory at 0X03296bb8. The memory could not be read". I can't be sure the string is the same every time (I added this on after initially posting so I wrote them down when I closed out the IE window). In addition, I get 2 "program not responding" boxes when I shut down that say "click ok to end program".

I have:
Hardware: Gateway Performance 1300, 256 Ram; 60g HD; HP All-in-One 4215; Diamondtron Monitor
Op. Syst: Windows XP sp1 & 2;
Computer history: Previously ran Windows ME; crashed it once (about 18 mos ago) complete with the Black Screen of Death and only a Dos prompt left, but (with the help of Bleeping Computer) got it back up and running with Windows XP :-) Had been running fine since about three mos ago.
Security Software: Norton Systemworks 2006; Windows Defender; Spybot; Adware SE; McAfee stinger
E-Mail: Microsoft Outlook
IP: TDS DSL (only since 8/06; previously used People PC and still have them for my e-addy)
Web Use: Not much...never use chat rooms; generally only download from Microsoft or other trusted sites; know enough not to open attachments from people I don't know (and even some from people I DO know); Check Snopes or Datafellows to follow up on viruses/hoaxes; do updates as frequently as possible.
My biggest downfall is photographs...I take a LOT of them and save as many as I can. If it's the photos causing the problem, I guess I can download them onto CD, but, according to my C: drive status, they aren't taking up that much room??
Other Software: Microsoft Office XP Professional; Kid stuff, mostly. Create-A-Card; Elmo; Disney, etc. I have a granddaughter......

So, here's the HJT log with addendum. Thank you, SO SO Much!!!!

Karen

Logfile of HijackThis v1.99.1
Scan saved at 4:18:09 PM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://webmail.juno.com
O15 - Trusted Zone: http://zone.msn.com
O15 - Trusted Zone: http://*.peoplepc.com
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - http://www.peoplepc.com/ppcos/isp60/download/ppcwebi.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124501864218
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


ADD ON FROM ADWARE SE SCANS

ArchiveData(auto-quarantine- 2006-09-13 23-12-41.bckp)
Referencefile : SE1R123 13.09.2006
======================================================

WINDOWS

obj[0]=RegData : scrfile\shell\open\command ""

TRACKING COOKIE

obj[1]=IECache Entry : Cookie:karen@overture.com/

COULOMB DIALER


ArchiveData(auto-quarantine- 2006-09-13 23-31-45.bckp)
Referencefile : SE1R123 13.09.2006
======================================================

MRU LIST

obj[0]=MRU FileReference : C:\Documents and Settings\Karen\Application Data\microsoft\office\recent\1033.LNK
obj[1]=MRU FileReference : C:\Documents and Settings\Karen\recent\100_FUJI.lnk
obj[2]=MRU FileReference : C:\Documents and Settings\Karen\recent\1033.lnk
obj[3]=MRU FileReference : C:\Documents and Settings\Karen\recent\2005State.lnk
obj[4]=MRU FileReference : C:\Documents and Settings\Karen\recent\2005_september_coloring_art.lnk
obj[5]=MRU FileReference : C:\Documents and Settings\Karen\recent\2006-01 (Jan).lnk
obj[6]=MRU FileReference : C:\Documents and Settings\Karen\recent\5-29-2006.lnk
obj[7]=MRU FileReference : C:\Documents and Settings\Karen\recent\AlfredVillage.lnk
obj[8]=MRU FileReference : C:\Documents and Settings\Karen\recent\aly.lnk
obj[9]=MRU FileReference : C:\Documents and Settings\Karen\recent\Alyse1.lnk
obj[10]=MRU FileReference : C:\Documents and Settings\Karen\recent\Alyse3.lnk
obj[11]=MRU FileReference : C:\Documents and Settings\Karen\recent\anisnoopydancing.lnk
obj[12]=MRU FileReference : C:\Documents and Settings\Karen\recent\Anniv2006.lnk
obj[13]=MRU FileReference : C:\Documents and Settings\Karen\recent\Aunty Rachael.lnk
obj[14]=MRU FileReference : C:\Documents and Settings\Karen\recent\autorun.lnk
obj[15]=MRU FileReference : C:\Documents and Settings\Karen\recent\Basket Labels.lnk
obj[16]=MRU FileReference : C:\Documents and Settings\Karen\recent\Bday Mix.lnk
obj[17]=MRU FileReference : C:\Documents and Settings\Karen\recent\Beka's Pictures 047.lnk
obj[18]=MRU FileReference : C:\Documents and Settings\Karen\recent\Beka's Pictures.lnk
obj[19]=MRU FileReference : C:\Documents and Settings\Karen\recent\Beka's Pictures2 149.lnk
obj[20]=MRU FileReference : C:\Documents and Settings\Karen\recent\Beka's Pictures2 161.lnk
obj[21]=MRU FileReference : C:\Documents and Settings\Karen\recent\Beka's Visit 049.lnk
obj[22]=MRU FileReference : C:\Documents and Settings\Karen\recent\Beka's Visit.lnk
obj[23]=MRU FileReference : C:\Documents and Settings\Karen\recent\Beka.lnk
obj[24]=MRU FileReference : C:\Documents and Settings\Karen\recent\BillChill.lnk
obj[25]=MRU FileReference : C:\Documents and Settings\Karen\recent\Birthday Label.lnk
obj[26]=MRU FileReference : C:\Documents and Settings\Karen\recent\Birthday Label2.lnk
obj[27]=MRU RegReference : S-1-5-21-839522115-1078145449-854245398-1003\software\microsoft\search assistant\acmru\5001
obj[28]=MRU RegReference : S-1-5-21-839522115-1078145449-854245398-1003\software\microsoft\search assistant\acmru\5603
obj[29]=MRU RegReference : S-1-5-21-839522115-1078145449-854245398-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*
obj[30]=MRU RegReference : S-1-5-21-839522115-1078145449-854245398-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.avi
obj[31]=MRU RegReference : S-1-5-21-839522115-1078145449-854245398-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.bmp
obj[32]=MRU RegReference : S-1-5-21-839522115-1078145449-854245398-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.brt

ArchiveData(auto-quarantine- 2006-09-13 23-36-08.bckp)
Referencefile : SE1R123 13.09.2006
======================================================

MRU LIST

obj[0]=MRU RegReference : S-1-5-21-839522115-1078145449-854245398-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

ArchiveData(auto-quarantine- 2006-09-14 00-10-42.bckp)
Referencefile : SE1R123 13.09.2006
======================================================

COULOMB DIALER

obj[0]=File : C:\RECYCLER\NPROTECT\00000901.EXE

Edited by KMF, 23 September 2006 - 04:33 PM.


#5 DaveM59

Posted 24 September 2006 - 06:23 PM

Hi again KMF,

Well, your Ad-Aware log only shows a dialer that Norton caught and quarantined. All those MRUs are of no concern either. I do see just a couple of items in your HijackThis log, though, so --

Please print out these instructions as you will need to do some steps in safe mode, with no internet access.


First download ewido anti-spyware from HERE and save that file to your desktop. This is a 30-day trial version of the full program; however, after the trial period it reverts to the free version, which is missing some features such as auto updating but is still fully functional as a scanner.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
After taking these steps, please close the program. Do not run it yet.


Next, open HijackThis and run a scan.

Place a check mark against the following lines:

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab


Make sure all other windows on your desktop are closed, then click Fix Checked.


Then, Boot into Safe Mode:

If you don't know how to do this, here are two ways:

F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a menu.
  • When you have the menu on the screen, use the arrow keys to move to the line that says Safe Mode.
  • Then press <Enter> on your keyboard to boot into Safe Mode.
Bootsafe utility

If the F8 method does not work, you can download this program: Bootsafe.exe. Download the .exe file (not the zip file) directly to your desktop, it requires no installation. To use it, double click the program icon, then select the radio button Safe Mode - Minimal and click on the Reboot button.



In Safe Mode, Run Ewido:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
  • Ewido will now begin the scanning process, be patient this may take a little time.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine--if not click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close ewido.
Now, Reboot back into normal mode:

If you used the F8 method, Windows should automatically reboot into normal mode when you restart it. If you used Bootsafe, open the program and select the Normal Mode radio button, then click Reboot.


Finally, run another HJT scan, and post the log, along with the Ewido report, in a reply to this topic. Let me know if your machine seems to be running any better. Also, could you please tell me why those websites listed in the O15 lines of your log have been placed in the Trusted Zone? They are all legitimate but I have not seen them there in any other log.

Cheers,
Dave

#6 illukka

Posted 29 September 2006 - 02:14 PM

KMF, still there ???
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#7 KMF

Posted 30 September 2006 - 04:07 PM

Hi Dave:

Sorry for the delay...have been doing the fixes when I have time. Followed the instructions as requested and am attaching final (I hope) HJT log and the ewido log, as well. As for the trusted sites you inquired about, Zone is on there b/c it's an MSN game I play. I was having trouble getting into it (pop ups blocked, java, etc) so I put it in my trusted sites to eliminate having to close three and four dialog boxes every time I go in. As for juno, I use it as an alternate e-mail addy and, I assume was having the same problem, so added it, as well. I tried the same thing to get into my work intra web, but discovered I have to keep clicking dialog boxes anyway, so took that one out. It's been so long, I'd actually forgotten they were in there.

Anyway, here are the logs. As for the windows, they seem to be opening faster. I still have to wait for a 1000 years to start any programs, but I think that's my 2006 Norton scanning every minuscule piece of data before it allows me to open anything. I guess I can live with that, it's just irritating.

Thanks much!!!

Logfile of HijackThis v1.99.1
Scan saved at 3:51:33 PM, on 9/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://webmail.juno.com
O15 - Trusted Zone: http://zone.msn.com
O15 - Trusted Zone: http://*.peoplepc.com
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - http://www.peoplepc.com/ppcos/isp60/download/ppcwebi.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124501864218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


wido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:48:25 PM 9/27/2006

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup (quarantined).
HKU\S-1-5-21-839522115-1078145449-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup (quarantined).
C:\Documents and Settings\Karen\Cookies\karen@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Karen\Cookies\karen@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\Karen\Cookies\karen@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Karen\Cookies\karen@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Karen\Cookies\karen@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).


::Report end

Edited by KMF, 30 September 2006 - 04:14 PM.


#8 DaveM59

Posted 01 October 2006 - 07:31 AM

Hi again KMF,

Glad you got back to me.

Your HijackThis log is clean. :thumbsup:

Interesting that Ewido was more aggressive than I was -- it tagged your PeoplePC toolbar as adware and quarantined it. Not to say I disagree, but it is a judgment call. When I saw PeoplePC in your Trusted zone, I thought perhaps you had put it there. From your answer here it would appear that you did not. So, my advice is, if you can live without it, do not reinstall the toolbar, and also get PeoplePC out of the trusted zone.

To do that, run a HJT scan and check that O15 line that refers to PeoplePC. Don't forget to close all windows before you click Fix Checked, and reboot afterwards.

As for those other O15s, my view is that I do not want to allow any website to put scripts (programs) on my hard drive and run them without asking my permission. That is what the Trusted Zone means. However, it is your decision whether the convenience is worth the risk.

I didn't really expect those HJT fixes you did to speed your machine up very much. I wouldn't expect this new one to, either.

Now that we have ruled out malware, I am fairly sure your speed problems are related to memory and possibly hard drive issues. Even with a basic setup, 256 megs is pretty marginal for running Windows XP. You are also running a large number of resident programs, each of which requires some memory. My coach Illukka tells me that Internet Explorer 7 also requires a lot of resources. Personally I haven't tried it; I use Firefox about 100 percent of the time. :flowers:

Bottom line, I'd recommend increasing your memory to 512 megs if that is possible. I don't want to go into the technicalities here, this is a malware forum and we have a hardware forum where you can get specific guidance from a number of experts. You should also ask them about checking your hard drive performance -- in particular, how to make sure DMA is enabled.

Another avenue to explore is the possibility of disabling some of your startups. You have a lot of programs that fall in the "optional" category, that is to say, they are perfectly legitimate, but they are not necessary for the basic function of your computer. By changing their settings so that they only run when you launch them, you can free up quite a bit of memory. I suggest you investigate your startups using the Bleeping Computer startup database. The database is located here:

http://www.bleepingcomputer.com/startups/

And there is a forum devoted to it here:

http://www.bleepingcomputer.com/forums/f/85/windows-startup-programs-database/

Start with the pinned topics at the top; the first one is Grinler's tutorial on using the database.

Good luck.

Dave
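
An added illustration, not part of the original posts and not HijackThis's own code: a short Python script that pulls the O15 (Trusted Zone) lines discussed in the reply above out of a saved HijackThis log, so each entry can be checked against what the owner deliberately trusted. The sample log lines, the host names and the `approved` set are constructed for the example.

```python
import re

# Constructed sample lines in the HijackThis 1.99.1 log layout; the hosts are
# reserved test names, not entries from the log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
O15 - Trusted Zone: *.isp-portal.example
O15 - Trusted Zone: http://games.example
O15 - Trusted Zone: https://bank.example (HKLM)
O15 - Trusted IP range: 192.0.2.10
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
"""

O15_RE = re.compile(r"^O15 - (Trusted Zone|Trusted IP range|ProtocolDefaults): (.+?)( \(HKLM\))?$")

def parse_o15(log_text):
    """Return one dict per O15 line: kind, value, scheme, wildcard, hklm."""
    entries = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if not m:
            continue
        kind, value, hklm = m.groups()
        scheme, sep, host = value.partition("://")
        if not sep:                      # no scheme given: entry covers every protocol
            scheme, host = "*", value
        entries.append({
            "kind": kind,
            "value": value,
            "scheme": scheme if kind == "Trusted Zone" else None,
            "wildcard": kind == "Trusted Zone" and host.startswith("*."),
            "hklm": hklm is not None,    # stored under HKLM rather than the user's hive
        })
    return entries

def review(entries, approved):
    """Split entries into (keep, to_review) against the owner's approved list."""
    keep, to_review = [], []
    for e in entries:
        # A ProtocolDefaults line means a protocol's default zone was changed: always review.
        ok = e["kind"] != "ProtocolDefaults" and e["value"] in approved
        (keep if ok else to_review).append(e)
    return keep, to_review

if __name__ == "__main__":
    keep, to_review = review(parse_o15(SAMPLE_LOG), approved={"https://bank.example"})
    for e in to_review:
        print("review:", e["kind"], "->", e["value"], "(HKLM)" if e["hklm"] else "")
```

Anything the script lists under "review" is an entry to look at in HijackThis itself before deciding whether to check it and click Fix Checked.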

#9 KMF

Posted 02 October 2006 - 11:14 AM

Thanks so much, Dave; and Illukka, as well. I will follow up on the start up and see what I can remove from there. As much as I enjoy the computer, I really don't have much time for it anymore, so I know I'm not using programs that are, apparently, running in the background there. Will see what I can do about that.
I'll also take the items out of my trusted sites. That wasn't too bright, I suppose. I never have time to play the games now anyway.

Glad the scans were clean and I'll be cancelling my subscription with People PC anyway, so I won't be using the toolbar; not that I ever did. I only recently started using IE7. Is IE6 just as much of an issue with memory? If not, I'll download the fix to remove 7 (it didn't leave an imprint in my add/remove in control panel...apparently that's an "issue" with the program....WTG Microsoft) and reload 6. If it doesn't matter which one, I'll leave it alone for now. A new computer is in the plan right behind the house fixes and cleaning up the credit cards......yea, maybe 2010!!! :-o. I'll stop by hardware forums and get some info then on size and speed.

Your help, as always, is much appreciated. Hopefully, I won't be needing it again REAL soon!!!

Take care
KMF

#10 DaveM59

Posted 02 October 2006 - 09:18 PM

Hi again KMF,

To answer your question, it is my understanding that IE7 requires more memory than IE6. Having no experience with it I can't really say how much speed you might pick up by reverting to IE 6.

I don't think you need a new computer to get reasonable performance from Windows XP. My "spare bedroom" computer is a 6-year-old machine with a 600 MHz Duron processor, a lot slower than your 1300 MHz Pentium 4, and it runs Windows XP fine. Not as fast as my newer machine, but perfectly acceptable. However, I did upgrade it to 384 megs of RAM, and I keep it well trimmed -- my HijackThis log on that computer will print on a single page. You will probably find when you get into it that you can pare your system down almost as much. If you have specific questions, the startup list forum is a great resource.

So, don't give up on your old Gateway. A memory upgrade should cost you a lot less than a new PC, probably under $100. As I advised before, start a topic with the good people at the BC Hardware forum, and don't forget to ask about possible hard drive issues.


Now that we have your computer clean, it's a good idea to flush your system restore points and set a new one. Please see this tutorial:

http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

This procedure will assure that you don't accidentally re-infect your computer if you ever have to do a system restore.


You should also take a look at this excellent overview of internet security:

http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/


Good luck --

Dave

#11 illukka

Posted 29 October 2006 - 11:11 AM

as the problem here seems to be resolved this topic is now closed
to get it reopened PM a staff member with the address of this thread.
this applies to the topic starter only, everyone else with similar problems start a new topic.

glad we could help :thumbsup:

thank you DaveM59 :flowers:
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor



