I ran WinPFind3U. The analysis was completed, but when I copied and pasted the results and clicked 'run fix' the program went into busy (hourglass) mode for 3 1/2 hrs. I then assumed the program was frozen, pressed Ctrl-Alt-Del and ended the program. Below is the result of the initial scan and also the HJT scan:
WinPFind3 logfile created on: 11/5/2007 7:36:50 AM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\bob harmon\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
125.98 Mb Total Physical Memory | 10.79 Mb Available Physical Memory | 8.57% Memory free
322.62 Mb Paging File | 33.38 Mb Available in Paging File | 10.35% Paging File free
Paging file location(s): C:\pagefile.sys 192 384;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.58 Gb Total Space | 12.11 Gb Free Space | 65.15% Space Free
Drive D: | 0.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Computer Name: CHARMIN
Current User Name: bob harmon
Logged in as Administrator.
Current Boot Mode: Normal
[Processes - Non-Microsoft Only]
aolacsd.exe -> %CommonProgramFiles%\aol\ACS\AOLacsd.exe -> AOL LLC [Ver = 4.6.1.2 | Size = 46640 bytes | Modified Date = 10/23/2006 7:50:36 AM | Attr = R ]
aoltpspd.exe -> %CommonProgramFiles%\aol\TopSpeed\2.0\aoltpspd.exe -> America Online Inc [Ver = 2, 0, 0, 0 | Size = 46768 bytes | Modified Date = 10/15/2004 3:54:12 PM | Attr = ]
aoltsmon.exe -> %CommonProgramFiles%\aol\TopSpeed\2.0\aoltsmon.exe -> America Online, Inc [Ver = 2, 0, 0, 0 | Size = 100016 bytes | Modified Date = 10/15/2004 3:54:14 PM | Attr = ]
dlbabmgr.exe -> %ProgramFiles%\Dell AIO Printer A940\dlbabmgr.exe -> Dell Computer Corporation [Ver = 0.1.1.1 | Size = 86102 bytes | Modified Date = 2/8/2003 5:42:38 PM | Attr = ]
dlbabmon.exe -> %ProgramFiles%\Dell AIO Printer A940\dlbabmon.exe -> Dell Computer Corporation [Ver = 0.1.1.1 | Size = 73806 bytes | Modified Date = 2/8/2003 5:54:48 PM | Attr = ]
guard.exe -> %UserDesktop%\New Folder\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 7:31:10 AM | Attr = ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4342 | Size = 126976 bytes | Modified Date = 10/19/2005 8:59:12 AM | Attr = ]
lexbces.exe -> %System32%\LEXBCES.EXE -> Lexmark International, Inc. [Ver = 8.14 | Size = 303104 bytes | Modified Date = 2/6/2003 3:37:52 PM | Attr = ]
lexpps.exe -> %System32%\LEXPPS.EXE -> Lexmark International, Inc. [Ver = 8.14 | Size = 174592 bytes | Modified Date = 2/6/2003 3:26:18 AM | Attr = ]
mantispm.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe -> [Ver = 5, 0, 6, 8903 | Size = 804376 bytes | Modified Date = 5/11/2007 6:50:24 AM | Attr = ]
scanningprocess.exe -> %System32%\ZoneLabs\avsys\ScanningProcess.exe -> [Ver = | Size = 135168 bytes | Modified Date = 8/24/2007 6:31:48 PM | Attr = ]
scanningprocess.exe -> %System32%\ZoneLabs\avsys\ScanningProcess.exe -> [Ver = | Size = 135168 bytes | Modified Date = 8/24/2007 6:31:48 PM | Attr = ]
vsmon.exe -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 75304 bytes | Modified Date = 9/6/2007 3:14:18 PM | Attr = ]
waol.exe -> %ProgramFiles%\America Online 9.0f\waol.exe -> America Online, Inc. [Ver = 9.02.000 | Size = 37464 bytes | Modified Date = 11/19/2004 12:55:00 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 919016 bytes | Modified Date = 9/6/2007 3:14:18 PM | Attr = ]
[Win32 Services - Non-Microsoft Only]
(AOL ACS) AOL Connectivity Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\aol\ACS\AOLacsd.exe -> AOL LLC [Ver = 4.6.1.2 | Size = 46640 bytes | Modified Date = 10/23/2006 7:50:36 AM | Attr = R ]
(AOL TopSpeedMonitor) AOL TopSpeed Monitor [Win32_Own | Auto | Running] -> %CommonProgramFiles%\aol\TopSpeed\2.0\aoltsmon.exe -> America Online, Inc [Ver = 2, 0, 0, 0 | Size = 100016 bytes | Modified Date = 10/15/2004 3:54:14 PM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %UserDesktop%\New Folder\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 7:31:10 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 2:56:48 AM | Attr = ]
(LexBceS) LexBce Server [Win32_Own | Auto | Running] -> %System32%\LEXBCES.EXE -> Lexmark International, Inc. [Ver = 8.14 | Size = 303104 bytes | Modified Date = 2/6/2003 3:37:52 PM | Attr = ]
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 75304 bytes | Modified Date = 9/6/2007 3:14:18 PM | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Dell AIO Printer A940 -> %ProgramFiles%\Dell AIO Printer A940\dlbabmgr.exe -> Dell Computer Corporation [Ver = 0.1.1.1 | Size = 86102 bytes | Modified Date = 2/8/2003 5:42:38 PM | Attr = ]
HotKeysCmds -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4342 | Size = 126976 bytes | Modified Date = 10/19/2005 8:59:12 AM | Attr = ]
UserFaultCheck -> -> File not found
ZoneAlarm Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 919016 bytes | Modified Date = 9/6/2007 3:14:18 PM | Attr = ]
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
AOL Fast Start -> %ProgramFiles%\America Online 9.0f\aol.exe -> America Online, Inc. [Ver = 9.02.000 | Size = 50776 bytes | Modified Date = 7/12/2005 6:17:44 AM | Attr = ]
< SSODL [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ->
[HKLM] -> Reg Data - Key not found [SystemCheck2] -> File not found
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %UserDesktop%\New Folder\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 7:29:58 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
< HOSTS File > (698 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.microsoft...p...&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKLM: Local Page -> C:\windows\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft...amp;ar=iesearch ->
HKLM: Start Page -> http://www.microsoft...p...ER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn...st/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKLM: SearchAssistant -> http://ie.search.msn...st/srchasst.htm ->
HKCU: Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKCU: Local Page -> C:\windows\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft...amp;ar=iesearch ->
HKCU: Start Page -> http://www.microsoft...p...&ar=msnhome ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
CmdMapping [HKLM] -> Reg Data - Key not found [MenuText: Reg Data - Value does not exist] -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{5D078B6F-B764-4E12-9C9F-FCA435CCAF1C} -> (Broadcom 440x 10/100 Integrated Controller) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{0C3F7D74-ADA5-4976-8908-A8189590DAFA} -> 3DGreetings.com Player 2.0 - CodeBase = http://expressit.bro...tings/vroom.CAB ->
{11111111-1111-1111-1111-111111113457} -> - CodeBase = file://c:\ied_s7.cab ->
{11111111-1111-1111-1111-111191113457} -> - CodeBase = file://c:\ied_s7.cab ->
{24311111-1111-1121-1111-111191113457} -> - CodeBase = file://c:\eied_s7.cab ->
{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> MiniBugTransporterX Class - CodeBase = ->
{33331111-1111-1111-1111-611111193457} -> - CodeBase = file://c:\ex.cab ->
{33331111-1111-1111-1111-611111193458} -> - CodeBase = file://c:\ex.cab ->
{43331111-1111-1111-1111-611111195622} -> - CodeBase = file://c:\ex.cab ->
{4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} -> - CodeBase = http://aolcc.aol.com...kup/qdiagcc.cab ->
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab ->
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -> - CodeBase = http://download.pw.a...,18/mcgdmgr.cab ->
DirectAnimation Java Classes -> - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->
[Files/Folders - Created Within 30 days]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Created Date = 10/31/2007 1:44:49 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 132173824 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
qoobox -> %SystemDrive%\qoobox -> [Folder | Created Date = 10/31/2007 2:02:00 PM | Attr = ]
rollback.ini -> %SystemDrive%\rollback.ini -> [Ver = | Size = 959 bytes | Created Date = 10/29/2007 5:59:12 AM | Attr = ]
superantispyware -> %SystemDrive%\superantispyware -> [Folder | Created Date = 10/30/2007 7:46:12 AM | Attr = ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Created Date = 10/14/2007 7:43:04 AM | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Created Date = 10/14/2007 7:28:12 AM | Attr = H ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136192 bytes | Created Date = 10/31/2007 1:50:11 PM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 10/31/2007 3:07:30 PM | Attr = ]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Created Date = 10/28/2007 4:44:18 PM | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 10/31/2007 1:50:11 PM | Attr = ]
zllsputility.exe -> %SystemRoot%\zllsputility.exe -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 75248 bytes | Created Date = 10/28/2007 4:48:54 PM | Attr = ]
McAfee.com Update Check (CHARMIN-bob harmon).job -> %SystemRoot%\tasks\McAfee.com Update Check (CHARMIN-bob harmon).job -> [Ver = | Size = 504 bytes | Created Date = 10/28/2007 5:36:22 PM | Attr = ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 10/30/2007 9:45:28 AM | Attr = ]
dumphive.exe -> %System32%\dumphive.exe -> [Ver = | Size = 51200 bytes | Created Date = 10/31/2007 3:43:29 PM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 10/30/2007 9:43:03 AM | Attr = ]
libeay32_0.9.6l.dll -> %System32%\libeay32_0.9.6l.dll -> [Ver = | Size = 796048 bytes | Created Date = 10/28/2007 4:46:25 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Created Date = 10/30/2007 9:43:00 AM | Attr = ]
Process.exe -> %System32%\Process.exe -> http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 10/31/2007 3:43:20 PM | Attr = ]
SrchSTS.exe -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Created Date = 10/31/2007 3:43:28 PM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 139776 bytes | Created Date = 10/31/2007 1:50:11 PM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 10/31/2007 1:50:11 PM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 10/31/2007 1:50:09 PM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 3322 bytes | Created Date = 10/31/2007 4:01:27 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 10/30/2007 9:43:03 AM | Attr = ]
VCCLSID.exe -> %System32%\VCCLSID.exe -> S!Ri [Ver = | Size = 289144 bytes | Created Date = 10/31/2007 3:43:34 PM | Attr = ]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 10/31/2007 1:50:11 PM | Attr = ]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 353401 bytes | Created Date = 10/28/2007 4:45:37 PM | Attr = ]
vsdata.dll -> %System32%\vsdata.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 83432 bytes | Created Date = 10/28/2007 4:44:17 PM | Attr = ]
vsdatant.sys -> %System32%\vsdatant.sys -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 395080 bytes | Created Date = 10/28/2007 4:45:37 PM | Attr = ]
vsinit.dll -> %System32%\vsinit.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 157160 bytes | Created Date = 10/28/2007 4:44:16 PM | Attr = ]
vsmonapi.dll -> %System32%\vsmonapi.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 103912 bytes | Created Date = 10/28/2007 4:45:42 PM | Attr = ]
vspubapi.dll -> %System32%\vspubapi.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 275944 bytes | Created Date = 10/28/2007 4:45:42 PM | Attr = ]
vsregexp.dll -> %System32%\vsregexp.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 71144 bytes | Created Date = 10/28/2007 4:46:24 PM | Attr = ]
vsutil.dll -> %System32%\vsutil.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 472552 bytes | Created Date = 10/28/2007 4:44:16 PM | Attr = ]
vswmi.dll -> %System32%\vswmi.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 46568 bytes | Created Date = 10/28/2007 4:45:51 PM | Attr = ]
vsxml.dll -> %System32%\vsxml.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 99816 bytes | Created Date = 10/28/2007 4:45:46 PM | Attr = ]
WS2Fix.exe -> %System32%\WS2Fix.exe -> [Ver = | Size = 25600 bytes | Created Date = 10/31/2007 3:43:46 PM | Attr = ]
zlcomm.dll -> %System32%\zlcomm.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 83432 bytes | Created Date = 10/28/2007 4:46:17 PM | Attr = ]
zlcommdb.dll -> %System32%\zlcommdb.dll -> Zone Labs, LLC [Ver = 7.0.408.000 | Size = 71144 bytes | Created Date = 10/28/2007 4:46:17 PM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Created Date = 10/28/2007 4:49:32 PM | Attr = H ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Created Date = 10/28/2007 4:45:42 PM | Attr = ]
zpeng24.dll -> %System32%\zpeng24.dll -> Python Software Foundation [Ver = 2.4.2 | Size = 1086952 bytes | Created Date = 10/28/2007 4:45:46 PM | Attr = ]
ZPORT4AS.dll -> %System32%\ZPORT4AS.dll -> [Ver = | Size = 11776 bytes | Created Date = 10/30/2007 9:45:27 AM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 10/29/2007 8:27:39 PM | Attr = ]
fidbox.dat -> %System32%\drivers\fidbox.dat -> [Ver = | Size = 2677280 bytes | Created Date = 10/28/2007 5:09:32 PM | Attr = HS]
fidbox.idx -> %System32%\drivers\fidbox.idx -> [Ver = | Size = 36644 bytes | Created Date = 10/28/2007 5:09:32 PM | Attr = HS]
klif.sys -> %System32%\drivers\klif.sys -> Kaspersky Lab [Ver = 7.0.0.122 | Size = 127768 bytes | Created Date = 10/28/2007 4:47:16 PM | Attr = ]
[Files/Folders - Modified Within 30 days]
BOOT.INI -> %SystemDrive%\BOOT.INI -> [Ver = | Size = 211 bytes | Modified Date = 11/1/2007 9:08:12 AM | Attr = RHS]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Modified Date = 10/31/2007 3:19:48 PM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 10/31/2007 7:01:04 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 132173824 bytes | Modified Date = 11/5/2007 7:05:58 AM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 11/2/2007 12:54:40 PM | Attr = ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Modified Date = 10/31/2007 3:09:22 PM | Attr = ]
rollback.ini -> %SystemDrive%\rollback.ini -> [Ver = | Size = 959 bytes | Modified Date = 11/4/2007 9:56:32 PM | Attr = ]
superantispyware -> %SystemDrive%\superantispyware -> [Folder | Modified Date = 10/31/2007 4:46:50 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 11/2/2007 12:53:40 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 10/14/2007 7:42:46 AM | Attr = H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Modified Date = 10/14/2007 7:43:10 AM | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Modified Date = 10/14/2007 7:28:18 AM | Attr = H ]
BOOTSTAT.DAT -> %SystemRoot%\BOOTSTAT.DAT -> [Ver = | Size = 2048 bytes | Modified Date = 11/5/2007 7:06:00 AM | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136192 bytes | Modified Date = 10/26/2007 8:51:18 AM | Attr = ]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 10/29/2007 5:32:02 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 11/2/2007 1:51:40 PM | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 10/31/2007 3:07:32 PM | Attr = ]
ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 10/14/2007 7:31:44 AM | Attr = ]
INF -> %SystemRoot%\INF -> [Folder | Modified Date = 10/30/2007 2:26:18 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 10/31/2007 4:48:56 PM | Attr = HS]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Modified Date = 11/5/2007 7:39:30 AM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 10/29/2007 5:31:40 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 11/4/2007 2:53:04 PM | Attr = ]
pss -> %SystemRoot%\pss -> [Folder | Modified Date = 11/1/2007 8:59:22 AM | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 10/28/2007 2:48:54 PM | Attr = ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 10/30/2007 1:17:48 PM | Attr = ]
SYSTEM -> %SystemRoot%\SYSTEM -> [Folder | Modified Date = 11/2/2007 12:53:38 PM | Attr = ]
SYSTEM.INI -> %SystemRoot%\SYSTEM.INI -> [Ver = | Size = 227 bytes | Modified Date = 11/1/2007 9:08:02 AM | Attr = ]
SYSTEM32 -> %System32% -> [Folder | Modified Date = 11/4/2007 5:20:34 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 10/29/2007 2:48:06 AM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 11/5/2007 7:17:56 AM | Attr = ]
Web -> %SystemRoot%\Web -> [Folder | Modified Date = 10/28/2007 10:04:34 PM | Attr = R ]
WIN.INI -> %SystemRoot%\WIN.INI -> [Ver = | Size = 679 bytes | Modified Date = 11/5/2007 7:31:38 AM | Attr = ]
McAfee.com Update Check (CHARMIN-bob harmon).job -> %SystemRoot%\tasks\McAfee.com Update Check (CHARMIN-bob harmon).job -> [Ver = | Size = 504 bytes | Modified Date = 11/5/2007 7:45:20 AM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 11/5/2007 7:06:54 AM | Attr = H ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 10/30/2007 12:57:22 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 11/2/2007 2:46:20 PM | Attr = ]
CONFIG -> %System32%\CONFIG -> [Folder | Modified Date = 10/28/2007 2:49:24 PM | Attr = ]
DLLCACHE -> %System32%\DLLCACHE -> [Folder | Modified Date = 10/14/2007 7:43:22 AM | Attr = RHS]
DRIVERS -> %System32%\DRIVERS -> [Folder | Modified Date = 11/2/2007 12:53:38 PM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 10/30/2007 12:47:40 PM | Attr = ]
MRT.INI -> %System32%\MRT.INI -> [Ver = | Size = 197 bytes | Modified Date = 10/14/2007 7:41:26 AM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 10/30/2007 12:47:40 PM | Attr = ]
PERFC009.DAT -> %System32%\PERFC009.DAT -> [Ver = | Size = 53166 bytes | Modified Date = 11/4/2007 5:42:34 AM | Attr = ]
PERFH009.DAT -> %System32%\PERFH009.DAT -> [Ver = | Size = 380918 bytes | Modified Date = 11/4/2007 5:42:34 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 439376 bytes | Modified Date = 11/4/2007 5:42:32 AM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 3322 bytes | Modified Date = 11/1/2007 8:31:48 AM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 10/30/2007 12:47:40 PM | Attr = ]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 353401 bytes | Modified Date = 11/5/2007 7:13:44 AM | Attr = ]
WBEM -> %System32%\WBEM -> [Folder | Modified Date = 10/28/2007 2:48:54 PM | Attr = ]
WPA.DBL -> %System32%\WPA.DBL -> [Ver = | Size = 1170 bytes | Modified Date = 11/4/2007 5:24:14 AM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Modified Date = 10/31/2007 7:09:44 PM | Attr = H ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Modified Date = 10/30/2007 4:07:40 PM | Attr = ]
fidbox.dat -> %System32%\drivers\fidbox.dat -> [Ver = | Size = 2677280 bytes | Modified Date = 11/4/2007 9:36:20 PM | Attr = HS]
fidbox.idx -> %System32%\drivers\fidbox.idx -> [Ver = | Size = 36644 bytes | Modified Date = 11/3/2007 7:28:20 AM | Attr = HS]
[File String Scan - Non-Microsoft Only]
qoologic , urllogic , urllogic , -> %SystemDrive%\rapport.txt -> [Ver = | Size = 3169 bytes | Modified Date = 11/1/2007 8:35:22 AM | Attr = ]
PEC2 , -> %System32%\ansi.cfg -> [Ver = | Size = 59252 bytes | Modified Date = 2/1/2043 11:49:40 PM | Attr = ]
PEC2 , -> %System32%\DFRG.MSC -> [Ver = | Size = 41397 bytes | Modified Date = 8/29/2002 5:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Modified Date = 4/27/2006 3:49:30 PM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.6 | Size = 139776 bytes | Modified Date = 4/2/2007 1:21:28 PM | Attr = ]
UPX! , UPX0 , -> %System32%\VCCLSID.exe -> S!Ri [Ver = | Size = 289144 bytes | Modified Date = 9/5/2007 10:22:24 PM | Attr = ]
winsync , -> %System32%\WBDBASE.DEU -> [Ver = | Size = 1309184 bytes | Modified Date = 8/29/2002 5:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\WS2Fix.exe -> [Ver = | Size = 25600 bytes | Modified Date = 10/3/2007 10:36:46 PM | Attr = ]
PTech , -> %System32%\dllcache\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 12:41:38 AM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 12:41:38 AM | Attr = ]
< End of report >
Logfile of HijackThis v1.99.1
Scan saved at 12:27:30 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Documents and Settings\bob harmon\Desktop\New Folder\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\America Online 9.0f\waol.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\America Online 9.0f\shellmon.exe
C:\WINDOWS\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0f\AOL.EXE" -b
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.bro...tings/vroom.CAB
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.pw.a...,18/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\bob harmon\Desktop\New Folder\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe