[goldeneye]

Hi there,

I am working on a ESys machine and really don't want to resort to formatting as the drivers are not easy to aquire. When logging in the os grinds to a halt and when looking in task manager/performance the processor is at 100% usage. It is virtually impossible to use the system. I can boot into safemode just fine and the system runs perfectly without any strain on the processor, toddling along at about 8% use....I have run all anti-spyware programs, AVG, AVGAS and ATF. I'm not certain this is a malware problem but thought it was worth posting a log, would it be worth trying to run HJT in normal mode? If anyone has any ideas please let me know......

Thanks

Gold

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:21, on 19/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203159829062
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HBKULPDNNYQ - Unknown owner - C:\DOCUME~1\Sheila\LOCALS~1\Temp\HBKULPDNNYQ.exe (file missing)
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINDOWS\system32\OOD2000.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 5653 bytes

[Advertisements]

Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

[Rorschach112]

Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

[goldeneye]

Wow that took along time to run.....unfortunatly I cannot connect to the internet, the PC has a working LAN card which when plugged into a network picks up an IP and is also able to ping but just will not connect via a browser. My friend who I'm fixing this for usually uses a WLAN adapter which I don't have. I was able to succesfully run DSS (eventually).....here are my results

Thanks

Deckard's System Scanner v20071014.68
Run by Sheila on 2008-02-19 13:57:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 89% (more than 75%).
Total Physical Memory: 191 MiB (512 MiB recommended).


-- HijackThis (run as Sheila.exe) ----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-19 14:03:24
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTTrayp.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Documents and Settings\Sheila\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\Sheila.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T\wlan111t.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203159829062
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HBKULPDNNYQ - Unknown owner - C:\DOCUME~1\Sheila\LOCALS~1\Temp\HBKULPDNNYQ.exe
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINDOWS\system32\OOD2000.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe


--
End of file - 6335 bytes

-- Files created between 2008-01-19 and 2008-02-19 -----------------------------

2008-02-19 11:47:33 0 d-------- C:\Documents and Settings\Sheila\EurekaLog
2008-02-19 11:42:14 0 d-------- C:\Program Files\Innovative Solutions
2008-02-19 11:39:11 0 d-------- C:\Program Files\Trend Micro
2008-02-18 22:13:30 0 d-------- C:\WINDOWS\$regcmp$
2008-02-18 17:40:58 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-17 12:26:01 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-02-17 12:17:00 0 d--hs---- C:\WINDOWS\CSC
2008-02-17 12:07:24 0 d-------- C:\Program Files\SpeedFan
2008-02-16 22:23:13 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2008-02-16 20:12:51 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-02-16 20:06:03 0 d-------- C:\WINDOWS\network diagnostic
2008-02-16 17:21:06 0 d-------- C:\Program Files\RegCleaner
2008-02-16 17:03:51 0 d-------- C:\Program Files\RegClean
2008-02-16 16:47:59 0 d-------- C:\Program Files\FreshDevices
2008-02-16 16:16:39 0 d-------- C:\Program Files\NETGEAR
2008-02-16 16:16:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-02-16 15:31:06 0 d--h----- C:\Documents and Settings\TEMP\Templates
2008-02-16 15:31:06 0 dr------- C:\Documents and Settings\TEMP\Start Menu
2008-02-16 15:31:06 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
2008-02-16 15:31:06 0 d--h----- C:\Documents and Settings\TEMP\Recent
2008-02-16 15:31:06 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
2008-02-16 15:31:06 524288 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2008-02-16 15:31:06 0 d--h----- C:\Documents and Settings\TEMP\NetHood
2008-02-16 15:31:06 0 dr------- C:\Documents and Settings\TEMP\My Documents
2008-02-16 15:31:06 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2008-02-16 15:31:06 0 d-------- C:\Documents and Settings\TEMP\Favorites
2008-02-16 15:31:06 0 d-------- C:\Documents and Settings\TEMP\Desktop
2008-02-16 15:31:06 0 d---s---- C:\Documents and Settings\TEMP\Cookies
2008-02-16 15:31:06 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
2008-02-16 15:31:06 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2008-02-16 15:09:58 393248 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-16 12:14:17 0 d-------- C:\Documents and Settings\Sheila\SecurityScans
2008-02-16 11:54:25 0 d-------- C:\Documents and Settings\Administrator\SecurityScans
2008-02-16 11:50:40 0 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-02-16 11:46:09 0 d-------- C:\Program Files\ZoneAlarmSB
2008-02-16 11:35:42 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-16 11:33:26 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-16 11:31:38 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-02-16 11:25:45 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-02-16 11:24:09 0 d-------- C:\WINDOWS\Internet Logs
2008-02-16 11:15:38 0 d-------- C:\Program Files\Windows Defender
2008-02-16 11:11:43 0 d-------- C:\Program Files\Lavasoft
2008-02-16 11:11:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-16 11:09:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 11:02:08 0 d--hs---- C:\Documents and Settings\Administrator\UserData
2008-02-16 11:01:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-02-16 10:47:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-16 10:47:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-12 08:30:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-07 18:53:57 0 d-------- C:\Documents and Settings\Jessica\Application Data\Grisoft
2008-02-07 18:53:41 0 d-------- C:\Documents and Settings\Jessica\Application Data\AVG7


-- Find3M Report ---------------------------------------------------------------

2008-02-19 13:53:52 0 d-------- C:\Documents and Settings\Sheila\Application Data\AVG7
2008-02-16 22:38:27 0 d-------- C:\Program Files\HP
2008-02-16 22:36:58 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-16 22:23:11 2722 --a------ C:\WINDOWS\mozver.dat
2008-02-16 22:08:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-16 11:09:28 0 d-------- C:\Program Files\Common Files
2008-01-22 14:24:56 0 d-------- C:\Program Files\RegistrySmart
2008-01-18 09:51:50 0 d-------- C:\Documents and Settings\Sheila\Application Data\Grisoft
2008-01-17 23:06:31 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe <Not Verified; Sysinternals - www.sysinternals.com; Page File Defragmenter>
2008-01-17 22:50:59 0 d-------- C:\Program Files\OOD2KFRE
2008-01-08 15:39:16 0 d-------- C:\Documents and Settings\Sheila\Application Data\RegistrySmart
2007-12-23 12:40:16 0 d-------- C:\Program Files\Google
2007-12-21 23:01:30 0 d-------- C:\Documents and Settings\Sheila\Application Data\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
16/02/2008 11:46 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [17/08/2005 10:39 C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [16/02/2008 21:36 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [16/02/2008 21:37 C:\WINDOWS\system32\VTTrayp.exe]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [18/06/2006 13:56]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 18:51]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [17/01/2008 22:44]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 18:20]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 16:05]
"RegistryMechanic"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 23:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [16/02/2008 16:16:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-02-19 14:39:17 ------------

[Rorschach112]

Your logs are clean

Are you having any visible problems ?

[goldeneye]

No visual problems, just a total lockup of the processor, but ok within safemode. It is constantly running at 97-100% usage althought nothing in taskman/processes shows anything of high use. If this is not a spyware/virus/malware problem is there somewhere more appropriate I could post?

Thanks for your help

Gold

[Rorschach112]

I would post in the Windows XP forum, your best bet

Few things to do

You can delete the tools that we used


Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

[goldeneye]

Thanks for your time and advice

[Rorschach112]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

[Rorschach112]

Lets just double check something

Click Start > Run > Copy and paste the following in bold sc delete HBKULPDNNYQ > Click ok



click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also download and run the Norton Removal Tool from here

http://service1.syma...005033108162039


Then tell me is your PC having any visible problems

Edited by Rorschach112, 20 February 2008 - 05:14 PM.

[goldeneye]

I do apologise for wasting your time, but after discovering that one chip of ram was infact defect last night I reformatted the machine and it appears to be running very smoothly now. If it was my own machine I would have continued, but the friend I'm doing it for is very impatient.

Thanks for your help Rorschach112

[Rorschach112]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.