Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Slow Startup and More [RESOLVED]


  • This topic is locked This topic is locked

#1
catnapper

catnapper

    Member

  • Member
  • PipPip
  • 12 posts
Hi…

I have several problems which may or may not be related.

The first has to do with the length of time from Welcome screen, through desktop blue, to icon loading.

About 1/3 of the icons appear in generic form, and slowly, each will appear properly.

After this extended period, the drive light remained on or flashing for several minutes.
(Presently, this isn’t true, but it still takes awhile for the drive light to stay off).

I kept a Download folder for all downloaded program installers. It contained over 600 MB, and recently, it loaded one file at a time. I transferred the files in the folder to a CD, but that didn’t help the startup problem. (If I access the CD, the slow loading still holds).

There are other folders for which this holds as well.

I have the impression that some programs are slow to open and/or close.

Sometimes, Web pages are also slow to load.

“Sent” items in OE don’t show up in the “Sent” folder; they just disappear.

I installed Thunderbird, and sent items appear in the “Sent” folder OK, but after a couple of uses, the incoming messages info contained the time only, instead of date and time. The next time I sent a message in Thunderbird, the same was true in the Sent folder.

Secunia PSI opened a balloon saying one of my utilities had been deleted, but I hadn’t done it. I found it in the Recycle bin.

I tried reducing the amount of used space by deleting some entries in My Documents. When I opened each one to see if I could live without it, several documents had some info “erased.” One of them was a letter, and after the Addressee and “Dear So-and-So” the entire body of the letter was missing.

Since this is the first time I did this, I’m not certain that these results belong with my present problems.

Each time I turn my computer on, the first thing I do is update all my anti-malware programs.

Several days ago, when I updated TrojanHunter, apparently all the Trojan entries were wiped out, because the update was dated from 2006, and took perhaps 10 minutes, instead of the usual 10 seconds or less.

Last time I updated, it was OK.

Once a week, before doing a backup, I run all my anti-malware programs, and once a month I add two online scanners: Ewido and BitDefenter.

These are my anti-malware programs:

AVG Free AV, ZoneAlarm Pro, Ad-Aware Plus, SpyBot S&D, and TrojanHunter, plus SpywareBlaster.

Recently, AVG updated their program, and since then it has a separate list of suspicious Registry entries. They all relate to \Internet Explorer\ActiveX\ , and some of them include named Trojans. The last time I ran the program, there were 197 entries, which I was able to delete, as has been true with previous scans. But they don’t stay away.

I mostly use Firefox, except for Microsoft Updates and online scanners, which require IE. Otherwise, I rarely use IE, so I don’t understand the ActiveX entries.

For purposes of this post, I’ll follow the forum’s instructions for preparation.

[Incidentally, when I tried using your download link for Malwarebytes Anti-Malware, I received an error message—Connection problem (ARM 1054,12031). I Googled MBAM, but the install program from the first site resulted in an error message, saying that the file was corrupted. The next site’s download worked OK]

Here’s the MBAM log:

Malwarebytes' Anti-Malware 1.15
Database version: 834

4:41:51 PM 6/6/2008
mbam-log-6-6-2008 (16-41-51).txt

Scan type: Quick Scan
Objects scanned: 41756
Time elapsed: 7 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected).

-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

All of the above was composed earlier today.

Since then, I’ve had the following problems:

During the time I was trying to download ActiveScan, my home page was hijacked to www.msn.com.

1. All references in Internet Options to Home Page selections are grayed out, and the address line reads (I think):

||?prd=ie&clcid=0x4098&pver=6.0&ar=home

At least 2 of my programs are supposed to prevent my home page from being changed—Ad-Aware and now SuperAntiSpyware. (I use “about:blank”).

2. The ActiveScan installation routine is different from your instructions, but I got it installed OK. When I ran the program, it “scanned” for about 2 seconds, and then told me I had no infections!

I left a message with Panda, but I suspect the reason lies with my machine.

I took the liberty of running BitDefender instead, and it showed no infections.

Before I run HJT, I’m going to reboot.

The next thing you’ll see will be my HJT log.

I sure hope you find something.

P.S. Tomorrow, June 7, is my day for running my anti-malware programs, but I’ll postpone it for a couple of days, in the hopes I’ll be hearing from you.

P.P.S. Although it wasn’t necessary, I defragged the C:\ drive.

Many thanks.

-o-o-o-o-o-o-o-o-o-o-o-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:21 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\program files\siteadvisor\6253\siteadv.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Secunia\PSI (RC1)\psi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\UTILITIES\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiteAdvisor] c:\program files\siteadvisor\6253\siteadv.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: www.bitdefender.com
O15 - Trusted Zone: http://www.ewido.net
O15 - Trusted Zone: usa.kaspersky.com
O15 - Trusted Zone: www.pandasecurity.com
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: *.vanguard.com
O15 - Trusted Zone: *.verizon.net
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/o...utodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety....lscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120085952027
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143236299578
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ent/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 9458 bytes

Edited by catnapper, 09 June 2008 - 03:46 PM.

  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello catnapper

Welcome to G2Go. :)
=====================

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
catnapper

catnapper

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hello, kahdah…

Thanks for your response.

I’ve had some additional symptoms since my first post, but I’ll get to them in a minute.

I tried downloading dss.exe through your link, but the “Save” button was grayed out.

I Googled it and tried from several other sites, with the same result.

Is there a substitute I could try, or can you send me the file as an attachment, somehow?

Regarding the more recent problems:

(The IE hijack I mentioned takes me to msn.com):

http://www.microsoft...p...6.0&ar=home

I sent myself a test message in OE, but I didn’t get it in OE, but found it in Thunderbird.

The next day, the sent message downloaded into OE, but all the text was missing.

On two occasions in Firefox, I got a message that my browser required Jave. I do have Java, and it’s activated in Firefox.

I tried the same sites using IE, and both worked OK.

In IE, some sites take a long time to load, and I can’t access links because they won’t complete loading.

“Something” replaced Firefox with IE as my default browser. I think I’ve resolved this.

A couple of programs have frozen my machine, and I’ve had to use the reset button.

I accessed ActiveScan, but it wouldn’t scan. It took me to another window which said I have no infections.

Instead, I ran BitDefender, which came up clean.

(I have the impression I mentioned this before, but it doesn’t seem to be in my Word file).

I hope that’s all for a while, and I look forward to hearing from you soon.

Incidentally, if I don’t show up again in a reasonable time, my machine might have gone that-a-way. :)
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hi that's not a hijack it is a default page set by Microsoft.
Maybe you installed Messenger or another program that by default set it to that.
Nothing to wory about there.
=============================
If you see the Run button when you download dss then you can choose that option.

As far as the Outlook Express problem try double checking your account settings.
Make sure they are correct.
Double check you password.

See if dss will run then post that back to me please.
  • 0

#5
catnapper

catnapper

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hello, again…

This wasn’t the first time I’ve been switched to msn.com, but it IS the first time I couldn’t switch back to a blank page; my preferred home page. I like it because I can open IE to work on menu options. without being online. Besides, if I were to choose an online home page, it wouldn’t be msn.com.

I’ve never seen the address bar and the other options grayed out before….something’s wrong, and I find this unacceptable.

If I did anything to cause the change, I don’t know what it is.

You mentioned Messenger…..I have a utility called “shootthemessenger” which turns off Windows Messenger. That’s the program I told you about that was deleted without any help from me.

I put it back and ran it again; it still says that Messenger is turned off.

Regarding Outlook Express, I found a couple of interesting items:

The box “Save copy of sent messages in Sent Items folder" was unchecked. The first time I checked and applied it, it didn’t take. The second time it was OK, so I hope it holds.

The box “My server requires authentication” was checked. I think that’s wrong, so I unchecked it. I’ll find out soon enough if I was right.

I don’t use a password.

Since I made no Options or Account changes, I have to believe “something” else did.

Thanks for the suggestion to check OE, though. You’ve certainly helped there

There may well be other changes that I haven’t found yet.

With respect to dss, I neglected to tell you that there wasn’t any “Run” choice at all; just “Save” (grayed out) and “Cancel”. This isn’t the first time I’ve seen this recently.

So, what now??

-o-o-o-o-o-o-o-

Son-of-a-gun!

While reviewing the thread, I tried dss again, and darned if Save wasn't a viable option!

I was able to download it, and when I install it and get the results, I'll post them next time.

Edited by catnapper, 13 June 2008 - 10:26 PM.

  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I don't believe that this is malware related.
I didn't see any malware sympoms in your log or description.

Just to double check before we rule it out see if you can do this scan below:

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#7
catnapper

catnapper

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Howdy…

I’m a day ahead of you regarding Kaspersky. :)

I installed and ran it yesterday, with negative results.

Also, I discovered today that “My server requires authentication” in OE has to be checked.
The test message I sent myself today appeared in the Sent folder, including the text.

Following are the two dss logs you asked for. That seems to be a pretty comprehensive program.

The only thing I can comment on is the reference to my Hosts file.

A couple of weeks ago I returned it to its default setting, and designated it as “Read Only”.

I don’t know how all that “stuff” got in there.

Anyhow, heres main.txt:

Deckard's System Scanner v20071014.68
Run by Norman on 2008-06-14 15:17:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-06-14 19:18:08 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-06-13 17:31:15 UTC - RP3 - Standalone Scans
2: 2008-06-10 21:49:58 UTC - RP2 - Software Distribution Service 3.0
1: 2008-06-10 21:30:29 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Norman.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:18 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINDOWS\htpatch.exe
C:\program files\siteadvisor\6253\siteadv.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Secunia\PSI (RC1)\psi.exe
C:\UTILITIES\SuperAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
C:\Documents and Settings\Norman\DOWNLOADS TMP\dss.exe
C:\UTILIT~1\HJT\Norman.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiteAdvisor] c:\program files\siteadvisor\6253\siteadv.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: www.bitdefender.com
O15 - Trusted Zone: http://www.ewido.net
O15 - Trusted Zone: usa.kaspersky.com
O15 - Trusted Zone: www.pandasecurity.com
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: *.vanguard.com
O15 - Trusted Zone: *.verizon.net
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/o...utodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety....lscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120085952027
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143236299578
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ent/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 9472 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft® Windows NT® Operating System>
R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
R3 SASENUM - c:\utilities\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S2 FILESpy - c:\program files\softwin\bitdefender9\filespy.sys (file missing)
S2 REGSpy - c:\program files\softwin\bitdefender9\regspy.sys (file missing)
S3 ASUSHWIO - c:\windows\system32\drivers\asushwio.sys
S3 BDRsDrv - c:\program files\softwin\bitdefender9\bdrsdrv.sys (file missing)
S3 MagicTune - c:\windows\system32\drivers\mtictwl.sys <Not Verified; Samsung Electronics, Inc.; MagicTunePremium>
S3 PSI - c:\windows\system32\drivers\psi_mf.sys <Not Verified; Secunia; Secunia Personal Software Inspector>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 _IOMEGA_ACTIVE_DISK_SERVICE_ (Iomega Active Disk) - "c:\program files\iomega\autodisk\adservice.exe" <Not Verified; Iomega Corporation; Iomega Active Disk>
R2 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>
R2 MagicTuneEngine - c:\program files\magictune premium\magictuneengine.exe

S4 Iomega Activity Disk2 - ""


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-06 15:11:00 244 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-05-17 15:11:41 338 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 00:31:06 0 dr-h----- C:\Documents and Settings\Norman\Recent
2008-06-13 13:26:27 0 d-------- C:\Program Files\SpywareBlaster
2008-06-06 21:06:10 0 d-------- C:\Program Files\Panda Security
2008-06-04 21:23:55 0 d-------- C:\Documents and Settings\Norman\Application Data\Malwarebytes
2008-06-04 21:23:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 17:48:04 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-04 17:47:52 0 d-------- C:\Documents and Settings\Norman\Application Data\SUPERAntiSpyware.com
2008-06-04 16:39:47 0 d-------- C:\VundoFix Backups
2008-05-20 21:23:15 0 d-------- C:\Documents and Settings\Norman\Application Data\Macromedia
2008-05-17 15:06:01 0 d-------- C:\Documents and Settings\Norman\Application Data\Uniblue


-- Find3M Report ---------------------------------------------------------------

2008-06-10 17:28:28 0 d-------- C:\Program Files\MICROSOFT MONEY BACKUPS
2008-06-09 17:34:40 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-09 17:25:56 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-05 19:53:31 0 d-------- C:\Program Files\Lavasoft
2008-06-05 19:52:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 21:15:13 36888 --a------ C:\Documents and Settings\Norman\Application Data\GDIPFONTCACHEV1.DAT
2008-05-22 17:11:37 0 d-------- C:\Program Files\SiteAdvisor
2008-05-20 21:23:14 0 d-------- C:\Documents and Settings\Norman\Application Data\Adobe
2008-05-10 18:15:15 0 d-------- C:\Documents and Settings\Norman\Application Data\Thunderbird
2008-04-30 17:20:39 0 d-------- C:\Program Files\AVG


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [04/27/2008 03:48 PM]
"Logitech Utility"="Logi_MwX.Exe" [12/17/2003 09:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"HTpatch"="C:\WINDOWS\htpatch.exe" [10/30/2002 05:40 AM]
"SiteAdvisor"="c:\program files\siteadvisor\6253\siteadv.exe" [07/31/2006 11:03 AM]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [05/12/2004 05:22 PM]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe" [06/05/2008 07:58 PM]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [06/23/2007 12:19 AM]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [09/14/2007 02:52 AM]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [09/14/2007 03:02 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [04/30/2008 05:20 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [09/14/2007 02:55 AM]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [07/09/2001 06:50 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [04/02/2008 09:07 PM]

C:\Documents and Settings\Norman\Start Menu\Programs\Startup\
Secunia PSI (RC1).lnk - C:\Program Files\Secunia\PSI (RC1)\psi.exe [2/5/2008 6:36:24 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [1/11/2008 11:16:38 PM]
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe [3/3/2007 10:38:28 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
*Newly Created Service* - AD-WATCH_REGISTRY_FILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8724 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-14 15:21:21 ------------


And here’s extra.txt:

Deckard's System Scanner v20071014.68
Run by Norman on 2008-06-14 15:17:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-06-14 19:18:08 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-06-13 17:31:15 UTC - RP3 - Standalone Scans
2: 2008-06-10 21:49:58 UTC - RP2 - Software Distribution Service 3.0
1: 2008-06-10 21:30:29 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Norman.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:18 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINDOWS\htpatch.exe
C:\program files\siteadvisor\6253\siteadv.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Secunia\PSI (RC1)\psi.exe
C:\UTILITIES\SuperAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
C:\Documents and Settings\Norman\DOWNLOADS TMP\dss.exe
C:\UTILIT~1\HJT\Norman.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiteAdvisor] c:\program files\siteadvisor\6253\siteadv.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: MagicTune 3.6.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: www.bitdefender.com
O15 - Trusted Zone: http://www.ewido.net
O15 - Trusted Zone: usa.kaspersky.com
O15 - Trusted Zone: www.pandasecurity.com
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: *.vanguard.com
O15 - Trusted Zone: *.verizon.net
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/o...utodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety....lscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120085952027
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143236299578
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ent/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 9472 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft® Windows NT® Operating System>
R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
R3 SASENUM - c:\utilities\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S2 FILESpy - c:\program files\softwin\bitdefender9\filespy.sys (file missing)
S2 REGSpy - c:\program files\softwin\bitdefender9\regspy.sys (file missing)
S3 ASUSHWIO - c:\windows\system32\drivers\asushwio.sys
S3 BDRsDrv - c:\program files\softwin\bitdefender9\bdrsdrv.sys (file missing)
S3 MagicTune - c:\windows\system32\drivers\mtictwl.sys <Not Verified; Samsung Electronics, Inc.; MagicTunePremium>
S3 PSI - c:\windows\system32\drivers\psi_mf.sys <Not Verified; Secunia; Secunia Personal Software Inspector>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 _IOMEGA_ACTIVE_DISK_SERVICE_ (Iomega Active Disk) - "c:\program files\iomega\autodisk\adservice.exe" <Not Verified; Iomega Corporation; Iomega Active Disk>
R2 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>
R2 MagicTuneEngine - c:\program files\magictune premium\magictuneengine.exe

S4 Iomega Activity Disk2 - ""


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-06 15:11:00 244 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-05-17 15:11:41 338 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 00:31:06 0 dr-h----- C:\Documents and Settings\Norman\Recent
2008-06-13 13:26:27 0 d-------- C:\Program Files\SpywareBlaster
2008-06-06 21:06:10 0 d-------- C:\Program Files\Panda Security
2008-06-04 21:23:55 0 d-------- C:\Documents and Settings\Norman\Application Data\Malwarebytes
2008-06-04 21:23:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 17:48:04 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-04 17:47:52 0 d-------- C:\Documents and Settings\Norman\Application Data\SUPERAntiSpyware.com
2008-06-04 16:39:47 0 d-------- C:\VundoFix Backups
2008-05-20 21:23:15 0 d-------- C:\Documents and Settings\Norman\Application Data\Macromedia
2008-05-17 15:06:01 0 d-------- C:\Documents and Settings\Norman\Application Data\Uniblue


-- Find3M Report ---------------------------------------------------------------

2008-06-10 17:28:28 0 d-------- C:\Program Files\MICROSOFT MONEY BACKUPS
2008-06-09 17:34:40 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-09 17:25:56 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-05 19:53:31 0 d-------- C:\Program Files\Lavasoft
2008-06-05 19:52:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 21:15:13 36888 --a------ C:\Documents and Settings\Norman\Application Data\GDIPFONTCACHEV1.DAT
2008-05-22 17:11:37 0 d-------- C:\Program Files\SiteAdvisor
2008-05-20 21:23:14 0 d-------- C:\Documents and Settings\Norman\Application Data\Adobe
2008-05-10 18:15:15 0 d-------- C:\Documents and Settings\Norman\Application Data\Thunderbird
2008-04-30 17:20:39 0 d-------- C:\Program Files\AVG


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [04/27/2008 03:48 PM]
"Logitech Utility"="Logi_MwX.Exe" [12/17/2003 09:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"HTpatch"="C:\WINDOWS\htpatch.exe" [10/30/2002 05:40 AM]
"SiteAdvisor"="c:\program files\siteadvisor\6253\siteadv.exe" [07/31/2006 11:03 AM]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [05/12/2004 05:22 PM]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe" [06/05/2008 07:58 PM]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [06/23/2007 12:19 AM]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [09/14/2007 02:52 AM]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [09/14/2007 03:02 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [04/30/2008 05:20 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [09/14/2007 02:55 AM]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [07/09/2001 06:50 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [04/02/2008 09:07 PM]

C:\Documents and Settings\Norman\Start Menu\Programs\Startup\
Secunia PSI (RC1).lnk - C:\Program Files\Secunia\PSI (RC1)\psi.exe [2/5/2008 6:36:24 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [1/11/2008 11:16:38 PM]
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe [3/3/2007 10:38:28 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
*Newly Created Service* - AD-WATCH_REGISTRY_FILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8724 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-14 15:21:21 ------------

Thanks.
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Spybot's immunization feature adds those names to the host file to protect your system.

I really don't see anything to do with malware in your logs.
Please go ahead and delete this folder >C:\Deckard also delete the dss icon from off of your desktop.
========================
Can you tell me what problems that you are currently experiencing?
  • 0

#9
catnapper

catnapper

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks for the Hosts file info. I’ll leave it alone.

I believe OE and Thunderbird are OK now. Even the missing date stamps have mysteriously reappeared.

Right now, my major concerns are the extreme slowness on startup, plus the slow and/or erratic opening of some programs, and/or their contents.

For instance, when I open Zone Alarm, the frame appears, but the content is only partially there. After some delay, the rest of the content appears, but there’s an additional delay before I can access the features along the left side.

Also, the one-at-a-time appearance of files in (for instance) the Download folder remains problematic.

The disappearing files problem is still unresolved, but I’ve not had any new examples since my last mention of it.

Since you suggested that the browser home page hijack isn’t malware, I’m going to try Microsoft’s IE forum, and see if I can convince them to relinquish their stranglehold on my browser :) (I call it “hijack” because I’ve lost control.)

So, many thanks for your help, and I hope to hook up with you again.

Edited by catnapper, 15 June 2008 - 02:52 PM.

  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Sounds like more of a hardware issue or a software issue to me.
=========================================
Have you upgraded the ram in your computer?
512mb is recommended.

Also check your Hard drive for bad sectors.

You could also post in the Xp Forum where they may be able to assist you further.
You can find that link here > http://www.geekstogo...2003-NT-f5.html

You are welcome and since this issue appears to be resolved it will be closed.
If you need this topic re-opened again feel free tp pm me or one of the staff to re-open it for you.
  • 0

#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP