Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

No Specific Malware - BUT ... see text [RESOLVED]

Started by 911pchelp , Oct 02 2008 03:19 PM

  • This topic is locked This topic is locked

#1
911pchelp
Posted 02 October 2008 - 03:19 PM

911pchelp

    Member

  • Member
  • PipPipPip
  • 290 posts
Lately (last 3 months) my system initial response is slow ... suspect malware (but?). By initial response being slow I mean: 1) takes a several seconds to display contents of C: (or other hdfiles ... have 6 logical drives - 2 physical drives; 2) takes several seconds to display contents of folders; 3) in Firefox 3, takes approx 10 seconds to display the Options after selecting Tools->Options (for clearing cache when working on website updates). This is not a huge problem but the slowness wasn't there a few months ago and am concerned something has snuck into my PC.

Have religiously run AVG (weekly), Spybot/Adaware (every 2-3 weeks), Erunt (whenever necessary), CCleaner (file clean-daily, registry clean whenever think it's necessary... usually weekly), and ZoneAlarm constantly. (Went to AVG 8 a few months ago ... cause of problem? - suspect not ... but avgrsx does seem to run a lot more .)

Anyway, here is the HIJACK log when you have a chance:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:24 PM, on 10/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\LogMeIn\x86\RaMaint.exe
E:\Program Files\LogMeIn\x86\LogMeIn.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Clipomatic\Clipomatic.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Documents and Settings\Alan\Local Settings\Application
Data\Google\Update\GoogleUpdate.exe
E:\Program Files\pita210\Pitaschio.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\processes\nwProcessExplorer\procexp.exe
C:\Program Files\SpamPal\spampal.exe
E:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
E:\Program Files\Password Safe\pwsafe.exe
E:\Program Files\ProcessLibrary\qaccess.exe
C:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.webshots.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.c...ttp://www.yahoo.
com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program
Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection -
{53707962-6F74-2D53-2644-206D7942484F} -
E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper -
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO -
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program
Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper -
{DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program
Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl -
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program
Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EPSON Stylus C88 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON
Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "E:\Program
Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Clipomatic] E:\Program
Files\Clipomatic\Clipomatic.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager
Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alan\Local
Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Shortcut to Pitaschio.exe.lnk = E:\Program
Files\pita210\Pitaschio.exe
O4 - Startup: Shortcut to procexp.exe.lnk =
E:\processes\nwProcessExplorer\procexp.exe
O4 - Startup: SpamPl.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} -
http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft
SmartIssue) - http://supportcenter...oad/tgctlsi.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft....k/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} -
http://community.web...wsaxcontrol.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.micros.../en/x86/client/
muweb_site.cab?1139291678343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) -
http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft -
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ,
s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. -
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDD Temperature (HDDTService) - PalickSoft - H:\Program
Files\PalickSoft\HDD Temperature\HDDTSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun
Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. -
E:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - E:\Program
Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7362 bytes

Edited by eddie5659, 30 October 2008 - 01:10 PM.

  • 0

Advertisements

#2
eddie5659
Posted 07 October 2008 - 12:48 PM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Hiya

Are you still having this problem? If so, can you post a fresh HijackThis log please :)

Regards

eddie
  • 0

#3
911pchelp
Posted 07 October 2008 - 04:54 PM

911pchelp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
Yes still having problem ... you could say it's more sluggish than slow. E.G. 1) when copying files, it's slow to initially display the directory - but the actual copy is normal speed 2) as described, when clearing the Firefox cache, accessing the Options is slow, displaying the Advanced tab is slow the first time (if FF is not reloaded, subsequent displays of the Advance screen are quick) then actually clearing cache takes several seconds (only have 50 Mb cache).

Anyway, here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:00 PM, on 10/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\LogMeIn\x86\RaMaint.exe
E:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Clipomatic\Clipomatic.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Documents and Settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\Program Files\pita210\Pitaschio.exe
E:\processes\nwProcessExplorer\procexp.exe
C:\Program Files\SpamPal\spampal.exe
C:\WINDOWS\system32\wuauclt.exe
E:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webshots.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "E:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Clipomatic] E:\Program Files\Clipomatic\Clipomatic.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Shortcut to Pitaschio.exe.lnk = E:\Program Files\pita210\Pitaschio.exe
O4 - Startup: Shortcut to procexp.exe.lnk = E:\processes\nwProcessExplorer\procexp.exe
O4 - Startup: SpamPl.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://supportcenter...oad/tgctlsi.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - http://community.web...wsaxcontrol.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139291678343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDD Temperature (HDDTService) - PalickSoft - H:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7274 bytes
  • 0

#4
eddie5659
Posted 08 October 2008 - 01:33 PM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Also, post a fresh HijackThis log as well :)

eddie
  • 0

#5
911pchelp
Posted 08 October 2008 - 02:53 PM

911pchelp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
Had just installed and run Malwarebytes' Anti-Malware before your response .... so scanned again just in case something was 'hiding' during the 1st scan ... BOTH scan logs are below.

First scan found (and fixed) two problems - 2nd scan was clean.

Unfortunately, problem still exists ... a new HT log follows the scan logs.

BTW - Thank you for the help

SCAN LOGS:
1
Malwarebytes' Anti-Malware 1.28
Database version: 1244
Windows 5.1.2600 Service Pack 2

10/8/2008 3:47:49 PM
mbam-log-2008-10-08 (15-47-49).txt

Scan type: Quick Scan
Objects scanned: 48859
Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss
(Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\export1.bat (Trojan.Agent) -> Quarantined and deleted successfully.

2
Malwarebytes' Anti-Malware 1.28
Database version: 1244
Windows 5.1.2600 Service Pack 2

10/8/2008 4:35:01 PM
mbam-log-2008-10-08 (16-35-01).txt

Scan type: Quick Scan
Objects scanned: 49083
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Hijack This LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:07 PM, on 10/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\LogMeIn\x86\RaMaint.exe
E:\Program Files\LogMeIn\x86\LogMeIn.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Clipomatic\Clipomatic.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Documents and Settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\pita210\Pitaschio.exe
E:\processes\nwProcessExplorer\procexp.exe
C:\Program Files\SpamPal\spampal.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Password Safe\pwsafe.exe
H:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webshots.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "E:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Clipomatic] E:\Program Files\Clipomatic\Clipomatic.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Shortcut to Pitaschio.exe.lnk = E:\Program Files\pita210\Pitaschio.exe
O4 - Startup: Shortcut to procexp.exe.lnk = E:\processes\nwProcessExplorer\procexp.exe
O4 - Startup: SpamPl.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://supportcenter...oad/tgctlsi.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - http://community.web...wsaxcontrol.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139291678343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDD Temperature (HDDTService) - PalickSoft - H:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7317 bytes
  • 0

#6
eddie5659
Posted 09 October 2008 - 01:49 PM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Oki doki :)

Do you know what this program is:

nwProcessExplorer\procexp.exe

eddie
  • 0

#7
911pchelp
Posted 09 October 2008 - 03:33 PM

911pchelp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts

Oki doki :)

Do you know what this program is:

nwProcessExplorer\procexp.exe

eddie


Have version 11.13 installed and running in 'tray' so I can watch CPU usage.
  • 0

#8
eddie5659
Posted 12 October 2008 - 11:12 AM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Re-open HiJackThis and choose do a system scan only. Check the boxes of all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -

Now close all windows other than HiJackThis, then click Fix Checked. Reboot and post a fresh HijackThis log.

eddie
  • 0

#9
911pchelp
Posted 12 October 2008 - 07:47 PM

911pchelp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
DONE - but system still sluggish

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:58 PM, on 10/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\LogMeIn\x86\LogMeIn.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Clipomatic\Clipomatic.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Documents and Settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\pita210\Pitaschio.exe
E:\processes\nwProcessExplorer\procexp.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\SpamPal\spampal.exe
E:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
H:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "E:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Clipomatic] E:\Program Files\Clipomatic\Clipomatic.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Shortcut to Pitaschio.exe.lnk = E:\Program Files\pita210\Pitaschio.exe
O4 - Startup: Shortcut to procexp.exe.lnk = E:\processes\nwProcessExplorer\procexp.exe
O4 - Startup: SpamPl.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://supportcenter...oad/tgctlsi.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - http://community.web...wsaxcontrol.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139291678343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDD Temperature (HDDTService) - PalickSoft - H:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6809 bytes
  • 0

#10
eddie5659
Posted 13 October 2008 - 04:42 PM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Okay, lets see if this picks up anything :)

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.




Note: You must be logged on to the system with an account that has Administrator privileges to run this program.




  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:

    • Reg - BotCheck

      File - Additional Folder Scans

  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.

Use the Add Reply button and attach the file in your next post.
  • 0

Advertisements

#11
911pchelp
Posted 14 October 2008 - 06:40 PM

911pchelp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
OTScanIt DONE ... results attached.

Two issues though:
1) Before scan completed got an AVG 8 threat error for ivhgldkr.dll - ignored the error.

2) Got an Address error when tried to access www.geekstogo.com (several times last night - then several times again 2 hours ago). Thought maybe was my browser (using FF 3.03) but other addresses/websites were ok.
  • 0

#12
eddie5659
Posted 15 October 2008 - 03:45 PM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> [Reg Error: Value  does not exist or could not be read.]
YN -> CmdMapping\\{A75C6120-9B36-11d4-A3F0-009027427750} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Modified Within 30 days]
NY -> ivhgldkrRAP.dll -> C:\Documents and Settings\Alan\Local Settings\Temp\ivhgldkrRAP.dll
NY -> 1 C:\Documents and Settings\Alan\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Alan\Local Settings\Temp\*.tmp
NY -> Perflib_Perfdata_ca0.dat -> C:\Documents and Settings\Alan\Local Settings\Temp\Perflib_Perfdata_ca0.dat
NY -> Perflib_Perfdata_4b8.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
NY -> Perflib_Perfdata_54c.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_54c.dat
NY -> Perflib_Perfdata_648.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_648.dat
NY -> 2 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp


The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the OK button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Also, post a fresh HijackThis log
  • 0

#13
911pchelp
Posted 15 October 2008 - 04:40 PM

911pchelp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
Thank you!!

Done - system response is faster ... firefox-> options response is still sluggish (or slower) {checked FF forum previously and others didn't report this problem} ... rarely use IE7 so can't judge response there.

OTScanIt results:

[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{A75C6120-9B36-11d4-A3F0-009027427750} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A75C6120-9B36-11d4-A3F0-009027427750}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}\ not found.
[Files/Folders - Modified Within 30 days]
File C:\Documents and Settings\Alan\Local Settings\Temp\ivhgldkrRAP.dll not found!
File C:\Documents and Settings\Alan\Local Settings\Temp\Perflib_Perfdata_ca0.dat not found!
File C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat not found!
File C:\WINDOWS\Temp\Perflib_Perfdata_54c.dat not found!
File C:\WINDOWS\Temp\Perflib_Perfdata_648.dat not found!
File delete failed. C:\WINDOWS\Temp\ZLT04384.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT0438a.TMP scheduled to be deleted on reboot.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 10152008_181739

Files moved on Reboot...
C:\WINDOWS\Temp\ZLT04384.TMP moved successfully.
C:\WINDOWS\Temp\ZLT0438a.TMP moved successfully.



HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:20 PM, on 10/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\LogMeIn\x86\LogMeIn.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Clipomatic\Clipomatic.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\Program Files\pita210\Pitaschio.exe
E:\processes\nwProcessExplorer\procexp.exe
C:\Program Files\SpamPal\spampal.exe
E:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Password Safe\pwsafe.exe
H:\Program Files\HijackThis\HijackThis.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 1782 bytes
  • 0

#14
eddie5659
Posted 16 October 2008 - 12:50 AM

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Er, looks like some of your HijackThis log is missing. Can you re-post it :)
  • 0

#15
911pchelp
Posted 16 October 2008 - 09:50 AM

911pchelp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
Sorry - don't know what happened

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:42 AM, on 10/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\LogMeIn\x86\LogMeIn.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Clipomatic\Clipomatic.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
E:\Program Files\LogMeIn\x86\LMIGuardian.exe
E:\Program Files\pita210\Pitaschio.exe
E:\processes\nwProcessExplorer\procexp.exe
C:\Program Files\SpamPal\spampal.exe
E:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\HijackThis\HijackThis.exe
H:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "E:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Clipomatic] E:\Program Files\Clipomatic\Clipomatic.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: Shortcut to Pitaschio.exe.lnk = E:\Program Files\pita210\Pitaschio.exe
O4 - Startup: Shortcut to procexp.exe.lnk = E:\processes\nwProcessExplorer\procexp.exe
O4 - Startup: SpamPl.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://supportcenter...oad/tgctlsi.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - http://community.web...wsaxcontrol.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139291678343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDD Temperature (HDDTService) - PalickSoft - H:\Program Files\PalickSoft\HDD Temperature\HDDTSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - E:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6853 bytes
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP