Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log Help


  • Please log in to reply
10 replies to this topic

#1 princesseyes2000

princesseyes2000

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:NY
  • Local time:09:16 PM

Posted 02 July 2007 - 07:03 AM

I am having a problem with my mother's computer. It is very slow. After turning the computer on it takes about 10 to 15 minutes for it to completely startup. Then after connecting to the internet it takes about another ten minutes for Internet Explorer to open up before you can start using it. I scanned the computer with AVG Antivirus, Ad-Aware SE, McAfee Stinger, Spybot S&D, and Bitdefender. Spybot detected a couple things on the first scan but has since come back clean. The computer is old so maybe that is the only problem with it. I was hoping you could take a look the Hijackthis log, maybe there is something there that the programs couldn't detect. Thank you for your help.

Logfile of HijackThis v1.99.1
Scan saved at 7:47:52 AM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\freecell.exe
C:\WINDOWS\system32\slrundll.exe
C:\WINDOWS\system32\CMMON32.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.localnet.com/
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37610.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AFDD6DB-CDF5-46B2-8564-391560C859AA}: NameServer = 64.80.0.167 64.80.0.162
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

BC AdBot (Login to Remove)

 


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:08:16 PM

Posted 12 July 2007 - 11:42 AM

Hi princesseyes2000,

Our apologiies for the delay. If you still need help, please post a new log so I can see if anything has changed.

A new version of HijackThis has now been released, so before you repost your log please download and install the new version by following the instructions in Step 9 of the Preparation Guide For Use Before Posting A Hijackthis Log. Note that it is unnecessary to uninstall the old version because the new one will be copied to a different folder.

Before doing that, please read thru Slow Computer/browser? Check Here First; It May Not Be Malware as I don't see an obvious indication of an infection in the log. For sure do a defrag and check the hard drive for errors as that alone will significantly increase speed if it has never been done before. Things like disabling unused services you can hold off on as that is more for gamers who want to squeeze out all the speed they can. If you are still having issues after that then we will look closer to see if there is something hidden to HijackThis.

The thing about people

is they change

when they walk away.--Mipso


#3 princesseyes2000

princesseyes2000
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:NY
  • Local time:09:16 PM

Posted 13 July 2007 - 07:25 AM

I cleaned out the inside of the computer and it is still just as slow. If you can't find anything hidden in the log file, my mother may just have to upgrade to a newer computer,lol. Here is the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:58 AM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\slrundll.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\CMMON32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.localnet.com/
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37610.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AFDD6DB-CDF5-46B2-8564-391560C859AA}: NameServer = 64.80.0.167 64.80.0.162
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8145 bytes

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:08:16 PM

Posted 13 July 2007 - 10:14 AM

Well, a new computer would be nice. Before I did that tho I would try reinstalling windows if everything else fails. I am still not seeing any obvious malware but want to do some more checks, but I think I think there are probably just some problematic programs and configurations that you may be able to troubleshoot. I'll try to get into that more after your next post, but one thing I would like to ask you about is whether or not this is a laptop/notebook and how is it set up to access the internet?

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.
You don't quite have the latest version of Sun's Java installed. For some reason Sun will also leave older versions of Java behind, which is a security risk, because they are unpatched and still can be called on to run. Try this, and please note that clearing Java's cache can show marked improvement in performance in some cases and CCleaner is one of the few applications that will delete index.dat files that have been known to corrupt Internet Explorer cache:

Download and install CCleaner.
(Starting with v1.27.260, the standard build installs the Yahoo Toolbar as an option which is checkmarked by default during the installation. IF you do NOT want it, remove the checkmark when provided with the option OR download the toolbarfree Basic version instead.)

*After installation, see the Using and Understanding CCleaner Tutorial. Don't run it just yet.

-Go to Start > Control Panel double-click on the Software icon > add/remove programs.
-Search in the list for ALL installed versions of Java. (J2SE Runtime Environment.... )
It should have this icon next to it: Posted Image
Select each and click Remove.

Run CCleaner to clear out your Java cache and other junk files--I don't trust the issues function, so suggest you leave that button alone for now.

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

1. Read the Requirements and Privacy statement, then select "Accept"

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. When the scan is complete choose save the results by clicking "Save Report As HTML" Give the Report a name and save it to your desktop. If you have any problem saving the report, copy its text to the clipboard, then paste it into an empty Notepad and save it to your desktop.
9. Post the Kaspersky scan results in your next reply.

If you have any problem running the scan to completion, disable your Antivirus temporarily, just be sure to re-enable when done.

Please post the two DSS logs and the KAV log when done and note that there is no need to run HJT again as a log from it will be included in main.txt.

The thing about people

is they change

when they walk away.--Mipso


#5 princesseyes2000

princesseyes2000
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:NY
  • Local time:09:16 PM

Posted 13 July 2007 - 07:56 PM

Here are the logs you wanted. Thanks for your help.

Deckard's System Scanner v20070711.54
Run by Sheila Lamb on 2007-07-13 at 17:35:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
17: 2007-07-13 21:35:41 UTC - RP639 - Deckard's System Scanner Restore Point
16: 2007-07-13 10:32:19 UTC - RP638 - Software Distribution Service 3.0
15: 2007-07-12 10:39:32 UTC - RP637 - Software Distribution Service 3.0
14: 2007-07-11 14:47:39 UTC - RP636 - Software Distribution Service 3.0
13: 2007-07-10 20:07:48 UTC - RP635 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-06-28 14:39:54 UTC - RP623 - Software Distribution Service 3.0


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Sheila Lamb.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:58 AM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\slrundll.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\CMMON32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.localnet.com/
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37610.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AFDD6DB-CDF5-46B2-8564-391560C859AA}: NameServer = 64.80.0.167 64.80.0.162
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8145 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 RecAgent - c:\windows\system32\drivers\recagent.sys <Not Verified; Smart Link; Soft Modem>
R3 ac97intc (Intel® 82801 Audio Driver Install Service (WDM)) - c:\windows\system32\drivers\ac97intc.sys <Not Verified; Intel Corporation; Intel® Integrated Controller Hub Audio Driver>
R3 i81x - c:\windows\system32\drivers\i81xnt5.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
R3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 Mtlmnt5 - c:\windows\system32\drivers\mtlmnt5.sys <Not Verified; Smart Link; Soft Modem>
R3 Slntamr (Smart Link 56K Modem Driver) - c:\windows\system32\drivers\slntamr.sys <Not Verified; Smart Link; Soft Modem>
R3 SlWdmSup - c:\windows\system32\drivers\slwdmsup.sys <Not Verified; Smart Link; Soft Modem>

S0 szkg - c:\windows\system32\drivers\szkg.sys (file missing)
S3 BCMModem (BCM V.90 56K Modem) - c:\windows\system32\drivers\bcmdm.sys <Not Verified; BCM; BCM Modem Driver>
S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; Microsoft® Windows NT® Operating System>
S3 iAimFP0 - c:\windows\system32\drivers\wadv01nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP1 - c:\windows\system32\drivers\wadv02nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP2 - c:\windows\system32\drivers\wadv05nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP3 - c:\windows\system32\drivers\wsiintxx.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP4 - c:\windows\system32\drivers\wvchntxx.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP5 - c:\windows\system32\drivers\wadv07nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP6 - c:\windows\system32\drivers\wadv08nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP7 - c:\windows\system32\drivers\wadv09nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP8 - c:\windows\system32\drivers\wadv11nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV0 - c:\windows\system32\drivers\watv01nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV1 - c:\windows\system32\drivers\watv02nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 iAimTV3 - c:\windows\system32\drivers\watv04nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV4 - c:\windows\system32\drivers\wch7xxnt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV5 - c:\windows\system32\drivers\watv10nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV6 - c:\windows\system32\drivers\watv06nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iscFlash - c:\windows\system32\drivers\iscflash.sys (file missing)
S3 Mtlstrm - c:\windows\system32\drivers\mtlstrm.sys <Not Verified; Smart Link; Soft Modem>
S3 NtMtlFax - c:\windows\system32\drivers\ntmtlfax.sys <Not Verified; Smart Link; Soft Modem>
S3 pepifilter (Volume Adapter) - c:\windows\system32\drivers\lv302af.sys <Not Verified; Labtec Inc.; Labtec WebCam>
S3 PID_08A0 (Labtec WebCam Pro(PID_08A0)) - c:\windows\system32\drivers\lv302av.sys <Not Verified; Labtec Inc.; Labtec WebCam>
S3 SlNtHal - c:\windows\system32\drivers\slnthal.sys <Not Verified; Smart Link; Soft Modem>
S3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
S3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 SLService (SmartLinkService) - slserv.exe <Not Verified; Smart Link; Soft Modem>

S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-07-13 16:07:44 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-07-03 18:21:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2006-05-17 11:14:46 252 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2007-06-13 and 2007-07-13 -----------------------------

2007-07-13 07:22:54 0 d-------- C:\Program Files\Trend Micro
2007-07-13 06:45:12 812344 --a------ C:\HJTInstall.exe <Not Verified; Trend Micro Inc.; HijackThis>
2007-07-12 06:58:38 0 dr-h----- C:\Documents and Settings\Sheila Lamb\Recent
2007-07-12 06:45:06 0 d-------- C:\ie-spyad
2007-06-28 07:13:26 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-06-26 08:04:25 0 d-------- C:\Documents and Settings\Sheila Lamb\.housecall6.6
2007-06-20 13:57:15 0 d-------- C:\Documents and Settings\Sheila Lamb\Application Data\Comodo
2007-06-20 13:56:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-06-20 13:50:16 0 d-------- C:\Program Files\Comodo
2007-06-20 10:18:05 0 d-------- C:\Documents and Settings\Sheila Lamb\Application Data\AVG7
2007-06-20 10:17:12 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-06-20 10:15:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-06-20 10:15:28 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7


-- Find3M Report ---------------------------------------------------------------

2007-05-16 11:12:02 683520 --a------ C:\WINDOWS\system32\inetcomm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-25 10:21:16 144896 --a------ C:\WINDOWS\system32\schannel.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-18 12:12:24 2854400 --a------ C:\WINDOWS\system32\msi.dll <Not Verified; Microsoft Corporation; Windows Installer - Unicode>
2007-04-16 22:47:36 33624 --a------ C:\WINDOWS\system32\wups.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-16 22:45:54 1710936 --a------ C:\WINDOWS\system32\wuaueng.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-16 22:45:48 549720 --a------ C:\WINDOWS\system32\wuapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-16 22:45:42 325976 --a------ C:\WINDOWS\system32\wucltui.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-16 22:45:36 203096 --a------ C:\WINDOWS\system32\wuweb.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-16 22:45:28 92504 --a------ C:\WINDOWS\system32\cdm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-16 22:45:20 43352 --a------ C:\WINDOWS\system32\wups2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-04-16 22:45:20 53080 --a------ C:\WINDOWS\system32\wuauclt.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"AdaptecDirectCD"="C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PopUpStopperFreeEdition"="\"C:\\Program Files\\Panicware\\Pop-Up Stopper Free Edition\\PSFree.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\Shell]

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="napster"
"hkey"="HKLM"
"command"="C:\\Program Files\\Napster\\napster.exe /systray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost #***Inserted By STOPzilla***
127.0.0.1 600pics.com # ***Inserted By STOPzilla***
127.0.0.1 a1.interclick.com # ***Inserted By STOPzilla***
127.0.0.1 absolutepics.net # ***Inserted By STOPzilla***
127.0.0.1 all-tgp.org # ***Inserted By STOPzilla***
127.0.0.1 all-websearch.com # ***Inserted By STOPzilla***
127.0.0.1 bailefunk.com # ***Inserted By STOPzilla***
127.0.0.1 best4all.net # ***Inserted By STOPzilla***
127.0.0.1 besthardcore.net # ***Inserted By STOPzilla***
127.0.0.1 bundleware.com # ***Inserted By STOPzilla***

71 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-07-13 at 17:43:06 ---------


KASPERSKY ONLINE SCANNER REPORT
Friday, July 13, 2007 8:34:10 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 14/07/2007
Kaspersky Anti-Virus database records: 362110


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 38945
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 01:18:33

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\ModemLog_Smart Link 56K Voice Modem.txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12062006-111642.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Sheila Lamb\ntuser.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temp\LocalNet.log Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temp\~DF1402.tmp Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temp\~DF1447.tmp Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temp\~DFF2C1.tmp Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temp\~DF2DE3.tmp Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temp\~DF447E.tmp Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EE30EBA2-B27D-4736-8531-080EE4FC4D02} Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\_restore{81D7B38C-25F6-4524-8F35-D9473BCD6439}\RP645\change.log Object is locked skipped

Scan process completed.

Attached Files



#6 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:08:16 PM

Posted 17 July 2007 - 01:41 PM

Sorry for the long delay.

This system appears to be malware free. Looks like there are several things causing slowness, some of which I don't know much about, but the first thing that jumps out at me is that there is not enough RAM installed.

Physical Memory (total/avail): 126.3 MiB / 24.32 MiB

Manufactuters are bad about selling machines low on RAM I suppose in order to get you to buy more from them. XP will run fine on 128 MB but the minute you start adding resource hungry programs and peripherals on there it will slow down significantly and freeze up--been there, done that. I wouldn't run XP on less than 512 MB of RAM--more would be better.

There are a few other things I can do to help you with the speed issues, then I think it would be best for you to post in the main forums for some more expert help.

DSS shows a problem with some file associations. To fix this please do the following:

Run DSS again, using these instructions:

Click START> Run - then copy the following bold blue text and paste it into the Run box & click OK.

"%userprofile%\desktop\dss.exe" /daft

Read the disclaimer and click OK.

Click on Scan.

Place a checkmark next to the entries displayed when the scan is finished then click on Fix.

Repeat the scan; you should get a message "All Associations OK!"

Next, click Save Log, and post this log in your next reply.


You don't quite have the latest version of Sun's Java installed. For some reason Sun will also leave older versions of Java behind, which is a security risk, because they are unpatched and still can be called on to run. Also clearing Java's cache, which may have been corrupted has been known to make significant improvements in speed, so try this:

Updating Java:
-Go to Start > Control Panel double-click on the Software icon > add/remove programs.
-Search in the list for ALL installed versions of Java. (J2SE Runtime Environment.... )
It should have this icon next to it: Posted Image
Select each of the following and click Remove--I also recommend you remove Viewpoint while there:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_01
Java 2 Runtime Environment, SE v1.4.2_03
Viewpoint Media Player

You have CCleaner installed--run it to clear out your Java cache and other junk files--I don't trust the issues function, so suggest you leave it alone for now. Do this in between the uninstall of old versions and the install of the new.

-Then Download and install the newest Java version from here: http://www.java.com/en/download/manual.jsp


It appears STOPzilla is no longer installed, but has left behind a custom hosts file. While this is added security, a large hosts file can slowness if the system is not properly configured. See The Hosts File and what it can do for you for more information. I suggest resetting your hosts file back to default for now to see if it makes any difference and if you want to add a custom one back later there are links to recommended ones in the tutorial.

Easiest way to reset the hosts file:

Download the HostsXpert 3.7 - Hosts File Manager.
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
Lastly, you have two registry guards enabled, SpywareGuard and Windows Defender. These two have been know to clash before so I would uninstall SpywareGuard.

Scan again with HijackThis and post a fresh log along with the DAFT log from DSS and let me know if anything has helped. I'll be looking around for more information on some other items that may be causing slowness, so I'll know which other forums to send you to and may be able to make some other recommendations as well.

Is this an Acer laptop? Let me know, as I asked earlier, what type of connection you are using as there seems to be a problem in that area.

The thing about people

is they change

when they walk away.--Mipso


#7 princesseyes2000

princesseyes2000
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:NY
  • Local time:09:16 PM

Posted 18 July 2007 - 03:29 PM

The computer that I have is a Gateway desktop and I connect to the Internet through Localnet dialup. Here are the logs that you wanted. The computer seems a little bit faster, there is still a little internet browser lock up, but I can deal with that. Thank you for all your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:27 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\system32\slrundll.exe
C:\WINDOWS\system32\CMMON32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.localnet.com/
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37610.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AFDD6DB-CDF5-46B2-8564-391560C859AA}: NameServer = 64.80.0.167 64.80.0.162
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7908 bytes

DAFT Log saved on 2007-07-18 13:48:20
-----------------------------------------------------------------------
All associations okay!

#8 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:08:16 PM

Posted 24 July 2007 - 03:43 PM

Sorry again for the long delay.

Doesn't look like there is much there, but let's do the following:

Please download Combofix to your desktop.

Doubleclick ComboFix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt. Note that some cleaning may require a reboot, so it won't be finished until that is done.

Post this log in your next reply.

Please perform this online scan: [b
]Kaspersky Webscan[/b]
Note that you need to run this scan with Internet Explorer for it to work correctly.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. When the scan is complete choose save the results by clicking "Save Report As HTML" Give the Report a name and save it to your desktop. If you have any problem saving the report, copy its text to the clipboard, then paste it into an empty Notepad and save it to your desktop.
9. Post the Kaspersky scan results in your next reply.

If you have any problem running the scan to completion, disable your Antivirus temporarily, just be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Set a side some time for Kaspersky as it can take quite a while to run.

The thing about people

is they change

when they walk away.--Mipso


#9 princesseyes2000

princesseyes2000
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:NY
  • Local time:09:16 PM

Posted 25 July 2007 - 10:36 AM

Don't worry about the delay, I understand that it's been busy. Anyway, here are the logs you asked for. If you can't find anything I will look into getting some more ram for the computer. That seems to be the biggest problem. I appreciate all the help you have given me.

"Sheila Lamb" - 2007-07-25 9:21:30 - ComboFix 07-07-23.6 - Service Pack 2 FAT32


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\SHEILA~1\Desktop\internet.lnk


((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))


2007-07-25 09:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 13:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-19 17:30 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\wsInspector
2007-07-19 17:26 <DIR> d-------- C:\Program Files\Startup Inspector for Windows
2007-07-19 11:28 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\acccore
2007-07-19 11:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-07-19 11:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-07-19 11:23 <DIR> d-------- C:\Program Files\Viewpoint
2007-07-19 11:21 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-07-19 11:11 <DIR> d-------- C:\Program Files\AIM6
2007-07-19 06:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-07-18 16:18 <DIR> d-------- C:\HostsXpert
2007-07-18 16:15 <DIR> d-------- C:\Program Files\CAM Development
2007-07-13 18:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-13 17:34 <DIR> d-------- C:\Deckard
2007-07-13 07:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-13 06:45 812,344 --a------ C:\HJTInstall.exe
2007-07-12 06:45 <DIR> d-------- C:\ie-spyad
2007-06-26 08:04 <DIR> d-------- C:\DOCUME~1\SHEILA~1\.housecall6.6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-19 15:10:10 335 ----a-w C:\WINDOWS\nsreg.dat
2007-06-20 17:57:16 -------- d-----w C:\DOCUME~1\SHEILA~1\APPLIC~1\Comodo
2007-06-20 17:50:18 -------- d-----w C:\Program Files\Comodo
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-03-01 17:55:06 59,904 ----a-w C:\DOCUME~1\SHEILA~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-20 10:15]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-20 13:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe" [2003-10-29 11:01]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

R0 Inspect;Comodo Network Engine;C:\WINDOWS\system32\DRIVERS\inspect.sys
R0 RecAgent;RecAgent;C:\WINDOWS\system32\DRIVERS\RecAgent.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_XP;cdudf_XP;C:\WINDOWS\system32\drivers\cdudf_XP.sys
R1 CmdMon;Comodo Application Engine;C:\WINDOWS\system32\DRIVERS\cmdmon.sys
R1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 Aspi32;Aspi32;C:\WINDOWS\system32\drivers\Aspi32.sys
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 Mtlmnt5;Mtlmnt5;C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys
R3 Mtlstrm;Mtlstrm;C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys
R3 Slntamr;Smart Link 56K Modem Driver;C:\WINDOWS\system32\DRIVERS\slntamr.sys
R3 SlNtHal;SlNtHal;C:\WINDOWS\system32\DRIVERS\Slnthal.sys
R3 SlWdmSup;SlWdmSup;C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S3 BCMModem;BCM V.90 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMDM.sys
S3 DCamUSBSQTECH;Dual-Mode DSC(2770);C:\WINDOWS\system32\Drivers\SQcaptur.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimFP5;iAimFP5;C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
S3 iAimFP6;iAimFP6;C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
S3 iAimFP7;iAimFP7;C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
S3 iAimFP8;iAimFP8;C:\WINDOWS\system32\DRIVERS\wADV11nt.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 iAimTV5;iAimTV5;C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
S3 iAimTV6;iAimTV6;C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
S3 iscFlash;iscFlash;\??\C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys
S3 NtMtlFax;NtMtlFax;C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys
S3 pepifilter;Volume Adapter;C:\WINDOWS\system32\DRIVERS\lv302af.sys
S3 PID_08A0;Labtec WebCam Pro(PID_08A0);C:\WINDOWS\system32\DRIVERS\LV302AV.SYS


Contents of the 'Scheduled Tasks' folder
2007-07-25 06:03:04 C:\WINDOWS\tasks\MP Scheduled Scan.job
2006-05-17 15:14:46 C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
2007-07-24 22:21:08 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 09:28:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-25 9:30:33
C:\ComboFix-quarantined-files.txt ... 2007-07-25 09:30

--- E O F ---



KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 25, 2007 11:27:21 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 25/07/2007
Kaspersky Anti-Virus database records: 367662


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 39615
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 01:35:55

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\ModemLog_Smart Link 56K Voice Modem.txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12062006-111642.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Comodo\Personal Firewall\Logs\logs.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Sheila Lamb\ntuser.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temp\LocalNet.log Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temp\~DF1105.tmp Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temp\~DF110E.tmp Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temp\~DF75C7.tmp Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\History\History.IE5\MSHist012007072520070726\index.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8010D37F-6941-4E54-BC86-98742254E89C} Object is locked skipped

C:\Documents and Settings\Sheila Lamb\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Sheila Lamb\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\_restore{81D7B38C-25F6-4524-8F35-D9473BCD6439}\RP662\change.log Object is locked skipped

Scan process completed.

#10 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:08:16 PM

Posted 29 July 2007 - 01:00 PM

OK, well, you have a service leftover from Stopzilla that we can clean up, but it is safe to say you don't have a malware problem.

Open notepad and copy/paste the text in the quotebox below into it:

Driver::
szkg


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


One thing revealed by the ComboFix log is that he file system is FAT32. In theory NTSF performs better along with being more stable and secure. You could convert to NTSF, but if it were me I would just reformat to NTSF and reinstall Windows if I really wanted to switch. A couple articles with more info:

http://support.microsoft.com/kb/307881/EN-US/
http://www.aumha.org/win5/a/ntfscvt.php

There are a few other things I'm looking at that may be causing slowness and when you post back to confirm the Stopzilla service is gone and get just a bit more information I'll suggest you ask about these in the other forum I linked to.

1. You have this in running processes:

C:\WINDOWS\system32\CMMON32.EXE


According to AnswersThatWork:
http://www.answersthatwork.com/Tasklist_pages/tasklist_c.htm

Microsoft Connection Manager Monitor. Little known Microsoft program on which there is no documentation. We have only ever seen it used in conjunction with the Internet dialler provided by some ISPs – we still do not know what it actually does.

Recommendation :
There seems to be a definite impact on the performance of the PC when this background task is running. We do not have a specific recommendation yet, but in our case, whenever we have terminated the task the PC’s performance has improved, the Internet connection has stayed up, and we have observed no consequences as a result of terminating CMMON32.

You might try opening Task Manager and under the Processes tab select CMMON32 and End Task. See if you get a performance increase. I'm not sure how that process gets started, so just out of curiosity, if you would, do the following:

Download Registry Search.

- Create a new folder on your desktop named Regsearch
- Extract regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following bold text to search for and click OK.

CMMON32

- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder as well).

Post this text in your next reply.

2. You have some Dr. Watson reports in cue as shown by these startups:

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

To be honest I'm not familiar with these, as they have just started to show up more often with the new version of HijackThis, but I do know they have to do with Dr. Watson debugger and indicate a problem of some kind, probably with third party software or hardware. I'm going to ask around, but I think you can fix these with HJT and you would have one less file running in the background. Once you are aware of he problem and that there is info about it. But let me get back with you on that.

3. It appears you may have drivers for or more than one modem, but I'm not a hardware guy. The reason I was asking about your connection type is because of that, the CMMON32 has to do with your connection and the Dr. Watson reports may as well. Now seeing that FAT32 file system is being used and you mention the computer being old, was it running an older OS before XP and perhaps some modem or hardware had to be added to be compatible for XP?

Anyway, post those logs I ask for and the BC Advisors and helpers should be able to figure all that out.

The thing about people

is they change

when they walk away.--Mipso


#11 princesseyes2000

princesseyes2000
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:NY
  • Local time:09:16 PM

Posted 30 July 2007 - 07:22 AM

The reason there are drivers for more than one modem is because during a thunderstorm, lighting struck the telephone cord connected to the computer and it fried the modem, so we had to replace it. Here are the log files that you wanted.

"Sheila Lamb" - 2007-07-30 7:39:50 - ComboFix 07-07-23.6 - Service Pack 2 FAT32
Command switches used :: C:\Documents and Settings\Sheila Lamb\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SZKG
-------\szkg


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))


2007-07-25 09:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 13:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-19 17:30 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\wsInspector
2007-07-19 17:26 <DIR> d-------- C:\Program Files\Startup Inspector for Windows
2007-07-19 11:28 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\acccore
2007-07-19 11:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-07-19 11:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-07-19 11:23 <DIR> d-------- C:\Program Files\Viewpoint
2007-07-19 11:21 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-07-19 11:11 <DIR> d-------- C:\Program Files\AIM6
2007-07-19 06:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-07-18 16:18 <DIR> d-------- C:\HostsXpert
2007-07-18 16:15 <DIR> d-------- C:\Program Files\CAM Development
2007-07-13 18:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-13 17:34 <DIR> d-------- C:\Deckard
2007-07-13 07:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-13 06:45 812,344 --a------ C:\HJTInstall.exe
2007-07-12 06:45 <DIR> d-------- C:\ie-spyad
2007-06-26 08:04 <DIR> d-------- C:\DOCUME~1\SHEILA~1\.housecall6.6
2007-06-20 13:57 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\Comodo
2007-06-20 13:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-06-20 13:50 <DIR> d-------- C:\Program Files\Comodo
2007-06-04 07:10 <DIR> d-------- C:\DOCUME~1\SHEILA~1\Contacts
2007-06-04 06:43 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-19 15:10:10 335 ----a-w C:\WINDOWS\nsreg.dat
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-03-01 17:55:06 59,904 ----a-w C:\DOCUME~1\SHEILA~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-20 10:15]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-20 13:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe" [2003-10-29 11:01]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

R0 Inspect;Comodo Network Engine;C:\WINDOWS\system32\DRIVERS\inspect.sys
R0 RecAgent;RecAgent;C:\WINDOWS\system32\DRIVERS\RecAgent.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_XP;cdudf_XP;C:\WINDOWS\system32\drivers\cdudf_XP.sys
R1 CmdMon;Comodo Application Engine;C:\WINDOWS\system32\DRIVERS\cmdmon.sys
R1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\system32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 Aspi32;Aspi32;C:\WINDOWS\system32\drivers\Aspi32.sys
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 Mtlmnt5;Mtlmnt5;C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys
R3 Slntamr;Smart Link 56K Modem Driver;C:\WINDOWS\system32\DRIVERS\slntamr.sys
R3 SlWdmSup;SlWdmSup;C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys
S3 BCMModem;BCM V.90 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMDM.sys
S3 DCamUSBSQTECH;Dual-Mode DSC(2770);C:\WINDOWS\system32\Drivers\SQcaptur.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimFP5;iAimFP5;C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
S3 iAimFP6;iAimFP6;C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
S3 iAimFP7;iAimFP7;C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
S3 iAimFP8;iAimFP8;C:\WINDOWS\system32\DRIVERS\wADV11nt.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 iAimTV5;iAimTV5;C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
S3 iAimTV6;iAimTV6;C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
S3 iscFlash;iscFlash;\??\C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys
S3 Mtlstrm;Mtlstrm;C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys
S3 NtMtlFax;NtMtlFax;C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys
S3 pepifilter;Volume Adapter;C:\WINDOWS\system32\DRIVERS\lv302af.sys
S3 PID_08A0;Labtec WebCam Pro(PID_08A0);C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
S3 SlNtHal;SlNtHal;C:\WINDOWS\system32\DRIVERS\Slnthal.sys


Contents of the 'Scheduled Tasks' folder
2007-07-30 11:53:06 C:\WINDOWS\tasks\MP Scheduled Scan.job
2006-05-17 15:14:46 C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
2007-07-24 22:21:08 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 07:52:14
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-30 7:58:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 07:58
C:\ComboFix2.txt ... 2007-07-25 09:30

--- E O F ---


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 7/30/2007 8:14:50 AM for strings:
; 'cmmon32'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\cmmon32.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Nls\MUILanguages\RCV2\cmmon32.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\Apps\5]
"ParentFilename"="C:\\WINDOWS\\system32\\CMMON32.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\cmmon32.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\CMMON32.EXE"="Microsoft Connection Manager Monitor"

; End Of The Log...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users