Slow performance, IE7 practically unusable. Help!


This topic is locked
27 replies to this topic

#1 jandd86

    Member

  • Full Member
  • 17 posts

Posted 08 September 2007 - 03:11 PM

Word and Excel slow to start, although have tweaked per other forums and have slight improvement. Some downloads hang, such as the AVG program (took over an hour and had to keep stopping and retrying). Firefox performance has improved due to some tweaking, but have occasional hangs while loading some pages, no particular sites, just hit and miss. Completely stopped using IE7 because of hangs and sloooooooow performance, often won’t connect to internet. When putting on standby or hibernate, will occasionally hang, seems to also be hit and miss. Will hang on shutdown. Pretty much every program will either hang up at some point or take forever to load, but next time may be just fine. Basically, I can click on a link, or start a program (Word, Excel, Task Manager, any game, you name it) and go fix a cup of coffee before the program or webpage opens. Have downloaded and run SpyBot and AdAware. AVG scan will not generate report of scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:45 PM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Upromise_Remind_U\UpromiseRemindU.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Upromise_Remind_U\u11050.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff and Debbie\My Documents\Mom's Files\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: CIEStub Class - {EBBFE27C-BDF0-11D2-BBE5-00609419F467} - C:\WINDOWS\system32\amcis.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UpromiseRemindU] "C:\Program Files\Upromise_Remind_U\UpromiseRemindU.exe"
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [abc12DesktopAlerts] C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: RemindU. - file://C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jeff and Debbie\Start Menu\Programs\Games\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file missing) (HKCU)
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\MyPointsPointAlert\System\Temp\schoolpop_script0.htm (file missing) (HKCU)
O9 - Extra button: RemindU - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.co...otDateTeleX.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol....oach_core_1.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1179959237062
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://us.st11.yimg....81_1910_8334009
O24 - Desktop Component 1: (no name) - http://us.st11.yimg....81_1910_8876300
O24 - Desktop Component 2: (no name) - http://www.totalhair...les-updos78.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/JEFFAN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 16923 bytes


Thanks for any and all help!!!

#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,533 posts

Posted 11 September 2007 - 05:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 shaferintl

    Forum Deity

  • Trusted Advisor
  • 1,445 posts

Posted 13 September 2007 - 04:47 AM

jandd86,

Thanks for your patience. Our volunteers are very busy. Your log indicates that you have malware on your system. Let's get started.

Please download Combofix by sUBs. Place it on your Desktop.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears. Sign in with your normal user account.

Still in Safe Mode, open HijackThis, run a scan, and place a check next to the following item(s):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CIEStub Class - {EBBFE27C-BDF0-11D2-BBE5-00609419F467} - C:\WINDOWS\system32\amcis.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [UpromiseRemindU] "C:\Program Files\Upromise_Remind_U\UpromiseRemindU.exe"
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE

Then close all open windows/browsers and Click on Fix Checked.

Reboot your PC, normally.

Delete these files/folders, as follows:
  • Open Notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\system32\amcis.dll
    C:\Program Files\Upromise_Remind_U\UpromiseRemindU.exe

  • Save this as CFScript
  • Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe as you see in the screenshot below. Important: perform this instruction carefully!

    [screenshot]
  • ComboFix will begin to execute; just follow the prompts. After the reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

Download Dr.Web CureIt to the desktop. Do not execute it.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears. Sign in with your normal user account.

Run Dr.Web CureIt as follows:
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found: [image]
  • If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image:
    [image]
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It could be possible that files in use will be moved/deleted during the reboot.
  • After the reboot, post the contents of the log from Dr.Web that you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.

Please post the ComboFix log, the DrWeb.csv report, and a new HijackThis log in your next reply. Please also say how your computer is running now. :)

shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
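The reading a helper does on a HijackThis log before choosing "Fix checked" entries and CFScript files, as an added Python example (not code from this thread, the helper, or the HijackThis project). It parses log lines like the ones posted above, flags orphaned entries, blanked R0/R1 search settings and O16 DPF entries that fetch an .exe, applies a watchlist taken from the helper's fix list, and emits the same File:: block the helper wrote; the sample lines are copied from the log above, while the rules and the watchlist are this example's own assumptions.

```python
"""HijackThis 2.0.x log triage: an added example for this thread, not code from
the thread, the helper, or the HijackThis project.  It automates a few of the
reads a helper does before choosing "Fix checked" entries and CFScript files:
orphaned entries ("(no file)"/"(file missing)"), blanked R0/R1 search settings,
O16 DPF entries that fetch an .exe instead of a .cab, and a watchlist (here:
the CLSID and file name from the helper's fix list).  Rules and watchlist are
this example's assumptions, not anything HijackThis ships."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# "<code> - <body>", e.g. "O2 - BHO: CIEStub Class - {CLSID} - C:\...\amcis.dll"
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows file path in the body, ending at its extension.
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^"\[]*?\.(?:exe|dll|sys|htm)', re.IGNORECASE)

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CIEStub Class - {EBBFE27C-BDF0-11D2-BBE5-00609419F467} - C:\WINDOWS\system32\amcis.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [UpromiseRemindU] "C:\Program Files\Upromise_Remind_U\UpromiseRemindU.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
"""

# Items the helper singled out by name in this thread (assumption: a real
# watchlist would come from a maintained database, not from one reply).
HELPER_WATCHLIST = {"{EBBFE27C-BDF0-11D2-BBE5-00609419F467}", "UpromiseRemindU.exe"}


@dataclass
class HjtEntry:
    code: str                    # R0, R1, O2, O3, O4, O16, O23, ...
    body: str                    # text after "<code> - "
    clsid: Optional[str] = None  # first {GUID} on the line, upper-cased
    path: Optional[str] = None   # first Windows file path on the line
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one scan line; headers, blank lines and process lists give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid, path = CLSID_RE.search(body), WINPATH_RE.search(body)
    return HjtEntry(m.group("code"), body,
                    clsid.group(0).upper() if clsid else None,
                    path.group(0) if path else None)


def triage(entry: HjtEntry, watchlist: Set[str] = frozenset()) -> List[str]:
    """Record why an entry deserves review; an empty list means nothing matched."""
    low = entry.body.lower()
    reasons = []
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("orphaned: registry entry points at a file that is gone")
    if entry.code in ("R0", "R1") and low.rstrip().endswith("="):
        reasons.append("blanked IE search/start setting")
    if entry.code == "O16" and low.rstrip().endswith(".exe"):
        reasons.append("DPF (ActiveX) entry downloads an .exe rather than a .cab")
    reasons += [f"watchlist hit: {w}" for w in watchlist if w.lower() in low]
    entry.reasons = reasons
    return reasons


def analyse(log_text: str, watchlist: Set[str] = frozenset()) -> List[HjtEntry]:
    """Parse and triage every entry line of a HijackThis log."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    for e in entries:
        triage(e, watchlist)
    return entries


def build_cfscript(entries: List[HjtEntry]) -> str:
    """File:: block for a ComboFix CFScript from flagged entries that still have
    a file on disk; orphaned entries have nothing to delete and are left to
    HijackThis "Fix checked"."""
    files: List[str] = []
    for e in entries:
        if e.reasons and e.path and not any(r.startswith("orphaned") for r in e.reasons):
            if e.path not in files:
                files.append(e.path)
    return "File::\n" + "\n".join(files) + "\n" if files else ""


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG, HELPER_WATCHLIST)
    for e in (x for x in found if x.reasons):
        print(f"{e.code} - {e.body[:60]}\n    -> " + "; ".join(e.reasons))
    print(build_cfscript(found))
```

The heuristics only surface candidates; the helper's call on lines they do not cover (such as the Search Bar URL in the fix list above) still needs a human read of the entry and its file.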

#4 jandd86

    Member

  • Full Member
  • 17 posts

Posted 13 September 2007 - 06:53 PM

Thank you so much for your assistance. I followed your instructions and created the reports as requested. I notice some improvement in performance, but programs such as Word still run slow and IE7 is still not functional.

Here is the ComboFix report:

ComboFix 07-09-10.2 - "Jeff and Debbie" 2007-09-13 9:54:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.140 [GMT -4:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\amcis.dll
C:\Program Files\Upromise_Remind_U\UpromiseRemindU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Upromise_Remind_U\UpromiseRemindU.exe


((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.

2007-09-09 20:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 10:38 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-08 10:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-08 10:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-31 05:00 <DIR> d--h----- C:\WINDOWS\amc
2007-08-29 15:01 587,776 --a------ C:\WINDOWS\SYSTEM32\advert.dll
2007-08-29 11:06 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-29 10:28 50,688 --a------ C:\WINDOWS\SYSTEM32\wbhelp2.dll
2007-08-29 10:28 <DIR> d-a--c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-28 12:24 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-24 11:30 <DIR> d-------- C:\Program Files\Microsoft ActiveSync

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-13 10:00 --------- d-------- C:\Program Files\Upromise_Remind_U
2007-09-12 17:21 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\WeatherBug
2007-09-10 22:32 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-10 22:17 --------- d-------- C:\Program Files\Maxis
2007-09-08 09:53 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Uniblue
2007-09-03 22:21 --------- d-------- C:\Program Files\Starry Night Bundle Edition
2007-09-01 08:48 --------- d-------- C:\Program Files\Google
2007-08-31 09:03 --------- d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-08-31 09:03 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\InstallShield
2007-08-30 11:49 356352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-08-30 11:48 --------- d-------- C:\Program Files\NStorm
2007-08-29 11:31 --------- d-------- C:\Program Files\Charter High-Speed Security Suite
2007-08-29 11:25 1187840 --a------ C:\WINDOWS\SYSTEM32\winsflt.dll
2007-08-29 11:00 --------- d-------- C:\Program Files\DAP
2007-08-28 17:57 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-14 23:52 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-08-14 23:52 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Yahoo!
2007-08-14 23:21 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-13 15:19 --------- d-------- C:\Program Files\Audible
2007-08-11 03:00 --------- d-------- C:\Program Files\Webshots
2007-08-09 14:20 --------- d-------- C:\Program Files\Microsoft Home Publishing 2000
2007-08-08 22:54 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Creative
2007-08-08 19:01 --------- d-------- C:\Program Files\Creative
2007-08-08 18:52 --------- d--h----- C:\Program Files\Creative Installation Information
2007-08-08 18:49 --------- d-------- C:\Program Files\Common Files\Creative
2007-08-08 18:46 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YAHOO
2007-08-08 18:46 --------- d-------- C:\Program Files\Yahoo!
2007-08-08 18:46 --------- d-------- C:\Program Files\illiminable
2007-08-08 18:39 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-01 19:54 --------- d-------- C:\Program Files\ReadIris
2007-08-01 19:43 --------- d-------- C:\Program Files\Hewlett-Packard
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 09:11 --------- d-------- C:\Program Files\The Weather Channel FW
2007-07-29 16:11 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\F-Secure
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2002-03-10 11:26 172 --a--c--- C:\Program Files\ScrambleHighScores75.Txt
2002-03-09 20:00 177 --a--c--- C:\Program Files\TripHiScores120.Txt
2002-01-19 20:16 173 --a--c--- C:\Program Files\HiScores60.Txt
2002-01-16 20:32 174 --a--c--- C:\Program Files\ZipHiScores90.Txt
2002-01-14 18:16 173 --a--c--- C:\Program Files\TakeTwoHighScores45.Txt
2002-01-06 12:25 172 --a--c--- C:\Program Files\TowerHiScores45.Txt
2002-01-04 17:32 178 --a--c--- C:\Program Files\HiScores90_11.Txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 05:19]
"MaxtorCombo"="C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-15 21:23]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 20:22]
"F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" [2005-10-25 21:51]
"F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.exe" [2005-10-18 04:29]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"News Service"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" [2005-05-31 08:45]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 16:02]
"ClocX"="C:\Program Files\ClocX\ClocX.exe" [2004-04-25 15:29]
"abc12DesktopAlerts"="C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe" [2006-11-02 23:12]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Charter High-Speed Security Suite.lnk - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe [2007-08-29 11:21:01]
DESKTOP.INI [2007-05-19 10:11:54]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-11 11:31:50]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [2002-09-20 12:30:06]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\DOCUME~1\Crystal\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-01-13 19:37:13]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-05-19 10:11:54]

C:\DOCUME~1\JEFFAN~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-01-13 19:37:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1127580058\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???
?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
"C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McShield"=3 (0x3)
"bgsvcgen"=2 (0x2)
"RetroLauncher"=3 (0x3)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 BackWeb Plug-in - 3528733;Charter High-Speed Security Suite;C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
S3 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-01 12:42:47 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1188650389.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-09-06 12:07:14 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1189080192.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-09-13 00:03:55 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\CHARTE~1\ANTI-V~1\fsav.exe
"2007-09-07 12:14:13 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2007-09-08 13:23:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-08 13:22:56 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 10:01:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-13 10:04:13
C:\ComboFix-quarantined-files.txt ... 2007-09-13 10:03
.
--- E O F ---

Here is the DrWeb report:

setup.exe;C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP3A5.tmp\a;Probably BACKDOOR.Trojan;Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP3A5.tmp\aspapp;Probably BACKDOOR.Trojan;Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\ietoolbar_suite_4.0.39.3;Probably BACKDOOR.Trojan;Moved.;
config.000;C:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_1.10.3.1;Probably BACKDOOR.Trojan;Moved.;
config.000;C:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_1.10.7.1;Probably BACKDOOR.Trojan;Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_2.5.6.1_suite;Probably BACKDOOR.Trojan;Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_210.5.2.1_suite;Probably BACKDOOR.Trojan;Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2;Probably BACKDOOR.Trojan;Moved.;
setup.exe;C:\Documents and Settings\Crystal\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP3A5.tmp\aspapp;Probably BACKDOOR.Trojan;Moved.;
setup.exe;C:\Documents and Settings\Jeff\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP3A5.tmp\aspapp;Probably BACKDOOR.Trojan;Moved.;
setup.exe;C:\Documents and Settings\Jeff and Debbie\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP3A5.tmp;Probably BACKDOOR.Trojan;Moved.;
backup-20070913-093625-620.dll;C:\Documents and Settings\Jeff and Debbie\My Documents\Mom's Files\Downloads\backups;Adware.Aureate;Moved.;
config.000;C:\Program Files\AOL\Installers\AOL Safety & Security Center 1.0;Probably BACKDOOR.Trojan;Moved.;
inst.exe;C:\Program Files\AOL\Installers\AOL Safety & Security Center 1.02;Probably BACKDOOR.Trojan;Moved.;
setup.exe;C:\Program Files\AOL\Installers\ASP 2.0;Probably BACKDOOR.Trojan;Moved.;
setup.exe;C:\Program Files\Common Files\AOL\Backup\ACS\Current\Suite;Probably BACKDOOR.Trojan;Moved.;
u11050.exe;C:\Program Files\Upromise_Remind_U;Adware.Rebates;Moved.;
UpromiseRemindU.exe.vir;C:\qoobox\Quarantine\C\Program Files\Upromise_Remind_U;Adware.Rebates;Moved.;
A0057885.0ll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113;Trojan.Popuper;Deleted.;
A0057900.0ll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114;Trojan.Popuper;Deleted.;
A0074503.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP172;Adware.Aureate;Moved.;
A0076478.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP173;Adware.IEBar;Moved.;
A0078525.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP176;Adware.Aureate;Moved.;
A0083727.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP191;Adware.Aureate;Moved.;
A0083761.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP191;Probably SCRIPT.Virus;Moved.;
A0083845.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP192;Adware.Rebates;Moved.;
A0084000.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP192;Probably SCRIPT.Virus;Moved.;
gtdownde_110.ocx;C:\WINDOWS\SYSTEM32;Probably DLOADER.Trojan;Moved.;

And finally, the HijackThis log:

NOTE: The following entries did not show up when I ran the HijackThis program to begin the fixes you recommended:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:17 PM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ClocX\ClocX.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Jeff and Debbie\My Documents\Mom's Files\Downloads\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [abc12DesktopAlerts] C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: RemindU. - file://C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jeff and Debbie\Start Menu\Programs\Games\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file missing) (HKCU)
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\MyPointsPointAlert\System\Temp\schoolpop_script0.htm (file missing) (HKCU)
O9 - Extra button: RemindU - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.co...otDateTeleX.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1179959237062
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://us.st11.yimg....81_1910_8334009
O24 - Desktop Component 1: (no name) - http://us.st11.yimg....81_1910_8876300
O24 - Desktop Component 2: (no name) - http://www.totalhair...les-updos78.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/JEFFAN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 16180 bytes

#5 shaferintl

Forum Deity • Trusted Advisor • 1,445 posts

Posted 14 September 2007 - 03:31 PM

jandd86,

Thanks for the logs and information. More to do, so let's continue.

I notice some improvement in performance, but programs such as Word still run slow and IE7 is still not functional.

OK, thanks. This may improve once we clean up a bit more.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears. Sign in with your normal user account.

Still in Safe Mode, open HijackThis, run a scan, and place a check next to the following item(s):
O8 - Extra context menu item: RemindU. - file://C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file missing) (HKCU)
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\MyPointsPointAlert\System\Temp\schoolpop_script0.htm (file missing) (HKCU)
O9 - Extra button: RemindU - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - file://C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm (HKCU)

This entry is optional, but I highly recommend fixing it. Weatherbug provides the current outdoor temperature in the System Tray, as well as weather alerts. Available via Start - Programs. It is, however, clearly filled with adware. A safer alternative to Weatherbug called Weather Watcher with a free download is available here. To fix it, put a check next to this entry:
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

Then close all open windows/browsers and click on Fix Checked.

Reboot your PC, normally.

Delete these files/folders, as follows:
  • Open notepad and copy/paste the text in the quotebox below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\SYSTEM32\advert.dll
    C:\WINDOWS\eSellerateEngine.dll

    Folder::
    C:\Program Files\Upromise_Remind_U
    C:\DOCUME~1\ALLUSE~1\Applic~1\TEMP

  • Save this as CFScript
  • Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

  • ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

This file was optional. If you chose to fix it above, delete it now using Windows Explorer:
C:\Program Files\AWS\WeatherBug\Weather.exe

Please post the ComboFix log and a new HijackThis log in your next reply. Please also say how your computer is running now. :)
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#6 jandd86

Member • Full Member • 17 posts

Posted 15 September 2007 - 05:58 AM

Okay, here we go.

Things are improving; I'm actually using IE7 right now, and was able to download Weather Watcher with IE7 without having to load DAP. Yay! Still have some moderate hangups on some webpages, but for the most part things are running faster. Could be better, but I can live with it if no further tweaking is available.

While waiting for your reply, I removed some programs we never use, such as Microsoft Expedia and SpywareBlaster (although I'm questioning whether I should have kept that one). Tweaked some settings in Office; Word is running a bit faster, with less lag time. Will also be deleting old documents and looking for games we do not play any more, and then will defrag. (Question for you: while exploring the files on my PC, if I have a question about a particular file or program, what it is for, whether it is vital to something, and whether it can be safely deleted, can I discuss it with you, or is there another forum for that?)

Ran ComboFix, but the last step failed; the screen flashed so fast I was not able to see the message. When creating the log, ComboFix ran and ran and then stopped, but it created the log below.

COMBOFIX LOG:

ComboFix 07-09-14.2 - "Jeff and Debbie" 2007-09-14 21:48:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.145 [GMT -4:00]
Script execution time was exceeded on script "C:\ComboFix\restore_pt.vbs".
Script execution was terminated.

FILE::
C:\WINDOWS\SYSTEM32\advert.dll
C:\WINDOWS\eSellerateEngine.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\Applic~1\TEMP
C:\Program Files\Upromise_Remind_U
C:\Program Files\Upromise_Remind_U\Readme.txt
C:\Program Files\Upromise_Remind_U\UpromiseaRemindU\upro11050.dat
C:\Program Files\Upromise_Remind_U\UpromiseaRemindU\uprop11050.dat
C:\Program Files\Upromise_Remind_U\UpromisedRemindU\Crystal\q44ddbbe82485.dat
C:\Program Files\Upromise_Remind_U\UpromisedRemindU\Jeff and Debbie\q44ddbbe82485.dat
C:\Program Files\Upromise_Remind_U\UpromisedRemindU\Jeff and Debbie\z44ddbc674bb1.dat
C:\Program Files\Upromise_Remind_U\UpromisedRemindU\s44ddbbd94aea.dat
C:\Program Files\Upromise_Remind_U\UpromisedRemindU\UpromisezRemindU.dat
C:\Program Files\Upromise_Remind_U\UpromisedRemindU\v44ddbbeb7443.dat
C:\Program Files\Upromise_Remind_U\UpromiseRemindU.dll
C:\Program Files\Upromise_Remind_U\UpromiseRemindU2.dll
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Html\conflicts3.htm
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Html\uproC0.htm
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Html\uproP1.htm
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Html\uproR1.htm
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Html\uproRPMP1.htm
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Images\p.gif
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Images\topm_hdr_savingsconfilct.gif
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Images\upro_16x16.ico
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Images\upro_20x20.ico
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Images\upro_32x32.ico
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Images\upro_changemysettings.gif
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Images\upro_clrpxl.gif
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Images\upro_getmycollegesavings.gif
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Images\upro_grayblock.gif
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Images\upro_topmoxie.gif
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\Images\upro_uplogo60.gif
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisesRemindU\UpromiselRemindU.dat
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisesRemindU\UpromisepRemindU.dat
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisesRemindU\UpromisesRemindU.dat
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\log.txt
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\uproC0.htm
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\uprop1.htm
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\upror1.htm
C:\Program Files\Upromise_Remind_U\UpromisesRemindU\UpromisetRemindU\uprorpmp1.htm
C:\WINDOWS\eSellerateEngine.dll
C:\WINDOWS\SYSTEM32\advert.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.

2007-09-14 12:31 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-14 12:30 <DIR> dr-h-c--- C:\MSOCache
2007-09-14 12:30 <DIR> d-------- C:\Program Files\Microsoft Expedia Streets & Trips
2007-09-13 10:22 <DIR> d-------- C:\DOCUME~1\JEFFAN~1\DoctorWeb
2007-09-09 20:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 10:38 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-08 10:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-08 10:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-31 05:00 <DIR> d--h----- C:\WINDOWS\amc
2007-08-29 11:06 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-29 10:28 50,688 --a------ C:\WINDOWS\SYSTEM32\wbhelp2.dll
2007-08-28 12:24 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-24 11:30 <DIR> d-------- C:\Program Files\Microsoft ActiveSync

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 12:30 --------- d-------- C:\Program Files\The Weather Channel FW
2007-09-12 17:21 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\WeatherBug
2007-09-10 22:32 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-10 22:17 --------- d-------- C:\Program Files\Maxis
2007-09-08 09:53 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Uniblue
2007-09-03 22:21 --------- d-------- C:\Program Files\Starry Night Bundle Edition
2007-09-01 08:48 --------- d-------- C:\Program Files\Google
2007-08-31 09:03 --------- d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-08-31 09:03 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\InstallShield
2007-08-30 11:48 --------- d-------- C:\Program Files\NStorm
2007-08-29 11:31 --------- d-------- C:\Program Files\Charter High-Speed Security Suite
2007-08-29 11:25 1187840 --a------ C:\WINDOWS\SYSTEM32\winsflt.dll
2007-08-29 11:00 --------- d-------- C:\Program Files\DAP
2007-08-28 17:57 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-14 23:52 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-08-14 23:52 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Yahoo!
2007-08-14 23:21 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-13 15:19 --------- d-------- C:\Program Files\Audible
2007-08-11 03:00 --------- d-------- C:\Program Files\Webshots
2007-08-09 14:20 --------- d-------- C:\Program Files\Microsoft Home Publishing 2000
2007-08-08 22:54 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Creative
2007-08-08 19:01 --------- d-------- C:\Program Files\Creative
2007-08-08 18:52 --------- d--h----- C:\Program Files\Creative Installation Information
2007-08-08 18:49 --------- d-------- C:\Program Files\Common Files\Creative
2007-08-08 18:46 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YAHOO
2007-08-08 18:46 --------- d-------- C:\Program Files\Yahoo!
2007-08-08 18:46 --------- d-------- C:\Program Files\illiminable
2007-08-08 18:39 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-01 19:54 --------- d-------- C:\Program Files\ReadIris
2007-08-01 19:43 --------- d-------- C:\Program Files\Hewlett-Packard
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-29 16:11 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\F-Secure
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2002-03-10 11:26 172 --a--c--- C:\Program Files\ScrambleHighScores75.Txt
2002-03-09 20:00 177 --a--c--- C:\Program Files\TripHiScores120.Txt
2002-01-19 20:16 173 --a--c--- C:\Program Files\HiScores60.Txt
2002-01-16 20:32 174 --a--c--- C:\Program Files\ZipHiScores90.Txt
2002-01-14 18:16 173 --a--c--- C:\Program Files\TakeTwoHighScores45.Txt
2002-01-06 12:25 172 --a--c--- C:\Program Files\TowerHiScores45.Txt
2002-01-04 17:32 178 --a--c--- C:\Program Files\HiScores90_11.Txt
.

((((((((((((((((((((((((((((( snapshot_2007-09-13_100223.70 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 110,592 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll
----a-w 64,088 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
----a-w 229,376 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL
----a-w 4,096 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll
----a-w 223,800 2006-08-21 15:37:37 C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
----a-w 16,384 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll
-c--a-w 457,248 2007-09-14 17:05:41 C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
-c--a-w 848,652 2007-09-14 16:33:22 C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
.
-c--a-w 110,592 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll
-c--a-w 64,088 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
-c--a-w 229,376 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL
-c--a-w 4,096 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll
-c--a-w 223,800 2006-08-21 15:37:37 C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
-c--a-w 16,384 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll
-c--a-w 501,032 2007-08-24 15:38:26 C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
-c--a-w 142,116 2007-08-15 03:35:27 C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 05:19]
"MaxtorCombo"="C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-15 21:23]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 20:22]
"F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" [2005-10-25 21:51]
"F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.exe" [2005-10-18 04:29]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"News Service"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" [2005-05-31 08:45]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 16:02]
"ClocX"="C:\Program Files\ClocX\ClocX.exe" [2004-04-25 15:29]
"abc12DesktopAlerts"="C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe" [2006-11-02 23:12]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Charter High-Speed Security Suite.lnk - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe [2007-08-29 11:21:01]
DESKTOP.INI [2007-05-19 10:11:54]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-11 11:31:50]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [2002-09-20 12:30:06]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\DOCUME~1\Crystal\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-01-13 19:37:13]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-05-19 10:11:54]

C:\DOCUME~1\JEFFAN~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-01-13 19:37:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1127580058\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???
?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
"C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McShield"=3 (0x3)
"bgsvcgen"=2 (0x2)
"RetroLauncher"=3 (0x3)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 BackWeb Plug-in - 3528733;Charter High-Speed Security Suite;C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
S3 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-01 12:42:47 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1188650389.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-09-06 12:07:14 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1189080192.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-09-15 01:20:09 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\CHARTE~1\ANTI-V~1\fsav.exe
"2007-09-14 10:44:09 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2007-09-08 13:23:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-08 13:22:56 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 22:00:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 22:10:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-14 22:10
C:\ComboFix2.txt ... 2007-09-13 10:04
.
--- E O F ---




and now.........


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:04 AM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Documents and Settings\Jeff and Debbie\My Documents\Mom's Files\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [abc12DesktopAlerts] C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jeff and Debbie\Start Menu\Programs\Games\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.co...otDateTeleX.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1179959237062
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://us.st11.yimg....81_1910_8334009
O24 - Desktop Component 1: (no name) - http://us.st11.yimg....81_1910_8876300
O24 - Desktop Component 2: (no name) - http://www.totalhair...les-updos78.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/JEFFAN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 14928 bytes


And finally...

I question some of these entries and hope you can clarify them:


Since I don't use AOL as my ISP anymore, do I need the toolbar launcher? I see other references to AOL and wonder whether they are necessary, whether they are slowing things up, and whether they can be removed. I have grouped them together:

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



I see Viewpoint and Viewpoint Manager on my PC but don't know what they are for. Can you clarify, and do I need them?

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


I have deleted IMVU, but this entry is here. Safe to remove?

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jeff and Debbie\Start Menu\Programs\Games\IMVU\Run IMVU.lnk (file missing)


Have no idea what this is????

O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab



Housecall? No idea. Ancestry.com? Never use this site.

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab



Are these components necessary, slowing things up, etc.????

O24 - Desktop Component 0: (no name) - http://us.st11.yimg....81_1910_8334009
O24 - Desktop Component 1: (no name) - http://us.st11.yimg....81_1910_8876300
O24 - Desktop Component 2: (no name) - http://www.totalhair...les-updos78.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/JEFFAN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg



I thank you for taking the time to assist me, I'm sure you have better things to do. I am a former IT person, but have been out of the industry for 15 years and can't believe how much technology has changed and how much I have missed. I am so glad I stumbled into this forum!

Again, thank you!!!!

Edited by jandd86, 15 September 2007 - 06:08 AM.
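The grouping the poster did by hand above (collecting every AOL and Viewpoint entry, and spotting the "(file missing)" ones) is easy to automate. The script below is an added example for this thread, not part of HijackThis, ComboFix or either poster's material; its sample input is a handful of entry lines copied from the log above, and the function names (parse_entries, missing_files, group_by_keyword, count_by_section) are my own choices. It splits each "Onn - ..." line on the " - " separators HijackThis uses, records the target path or URL, flags entries whose file is reported missing, and buckets entries by vendor keyword so a reviewer can see at a glance what belongs to a product the user no longer wants.

```python
"""Triage helper for HijackThis-style log lines (added example for this thread).

Not part of HijackThis or of either poster's material. Parses the "Onn - ..."
entry lines, groups them by section code and by vendor keyword, and lists the
entries whose target file HijackThis reports as missing.
"""
import re
from collections import Counter

# Constructed sample: entry lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jeff and Debbie\Start Menu\Programs\Games\IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/JEFFAN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

# HijackThis section codes look like R0, F1, N3, O2 ... O24, followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
MISSING_MARK = "(file missing)"


def parse_entries(text):
    """Return a list of dicts (code, body, target, missing) for each entry line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines: not entry lines
        body = m.group("body")
        missing = body.endswith(MISSING_MARK)
        stripped = body[: -len(MISSING_MARK)].rstrip() if missing else body
        # Fields are separated by " - "; the last one is the file path or URL.
        target = stripped.rsplit(" - ", 1)[-1]
        entries.append({"code": m.group("code"), "body": body,
                        "target": target, "missing": missing})
    return entries


def count_by_section(entries):
    """How many entries each section code (O2, O16, O23, ...) contributes."""
    return dict(Counter(e["code"] for e in entries))


def missing_files(entries):
    """Entries whose target HijackThis flagged as '(file missing)'."""
    return [e for e in entries if e["missing"]]


def group_by_keyword(entries, keywords):
    """Bucket entries by a case-insensitive keyword match anywhere in the line."""
    groups = {k: [] for k in keywords}
    for e in entries:
        low = e["body"].lower()
        for k in keywords:
            if k.lower() in low:
                groups[k].append(e)
    return groups


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("Entries per section:", count_by_section(entries))
    print("\nTargets reported missing (safe candidates for cleanup):")
    for e in missing_files(entries):
        print(f"  {e['code']}: {e['target']}")
    print("\nEntries grouped by vendor keyword:")
    for key, items in group_by_keyword(entries, ["AOL", "Viewpoint"]).items():
        print(f"  {key}: {len(items)} entries")
        for e in items:
            print(f"    {e['code']} -> {e['target']}")
```

Run against a full saved log instead of SAMPLE_LOG and the output gives the same picture the poster assembled by hand: one count per section, the dangling entries left behind by uninstalled software, and every line tied to a given vendor, so the reviewer can decide per vendor rather than per line.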


#7 shaferintl

shaferintl

    Forum Deity

  • Trusted Advisor
  • 1,445 posts

Posted 15 September 2007 - 09:53 PM

jandd86,

Thanks for the logs and information. Great progress so far!!

I thank you for taking the time to assist me, I'm sure you have better things to do. I am a former IT person, but have been out of the industry for 15 years and can't believe how much technology has changed and how much I have missed. I am so glad I stumbled into this forum!

Thanks for the kind words. I'm glad we could help! :)

Things are improving, I'm actually using IE7 right now

Excellent!! Keep me apprised as we move forward. :thumbsup:

... removed some programs we never use... SpywareBlaster (although questioning if should have kept that one).

That's a good one. I'll be recommending it to you again, later.

Question for you: While exploring the files on my pc, if I have a question about a particular file or program, what it is for or whether it is vital to something, and can it be safely deleted, can I discuss it with you or is there another forum for that?)

Feel free to discuss any of this with me. This forum is perfect. If I don't know, perhaps I can find someone who does. :thumbup:

Ran ComboFix but the last step failed, screen flashed so fast was not able to see the message. When creating the log, ComboFix ran and ran and then stopped, but created the log below.

It looks like it did just fine.. from the log.

I question some of these entries and hope you can clarify them:

Many of these can be removed. I'll add some of them to the next fix (below).

O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab

This entry is part of pestscan. It does not come highly recommended. Refer here. If you wish to remove it, try uninstalling first.

Are these components necessary, slowing things up, etc.????

You may want to remove them, although they probably are not slowing your system down much. Here's how: These Active Desktop Components have been configured in your system. They are represented by the following HijackThis entries:
O24 - Desktop Component 0: (no name) - http://us.st11.yimg....81_1910_8334009
O24 - Desktop Component 1: (no name) - http://us.st11.yimg....81_1910_8876300
O24 - Desktop Component 2: (no name) - http://www.totalhair...les-updos78.jpg
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/JEFFAN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

If you, or someone you trust, have purposely configured these Active Desktop Components, then skip the following instructions:
  • Click on the Start button and then select Control Panel.
  • Double-click on the Display control panel icon.
  • Click on the Desktop tab.
  • Click on the Customize Desktop button.
  • Click on the Web tab on any new Windows that pop up.
  • Under the Web pages: box you will see a list of Active Desktop Components. Simply select the ones you want to delete and then click on the Delete button.
  • Press the OK button to close this screen.
  • Press the Apply button and then the OK button to close the Display control panel.
So, let's continue with your fixes!

You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
  • Viewpoint Experience Technology
If you are having trouble removing Viewpoint, I suggest that you use ViewpointKiller. You may download it from this link.

Once you have downloaded ViewpointKiller, unzip it to a convenient location such as your desktop. Run ViewpointKiller, and select File > Do All Killings. Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with. A logfile will be created in the folder you unzipped ViewpointKiller to, please paste the contents here.


You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears. Sign in with your normal user account.

Still in Safe Mode, open HijackThis, run a scan, and place a check next to the following item(s):
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com...kup/qdiagcc.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jeff and Debbie\Start Menu\Programs\Games\IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ances...ll/MFImgVwr.cab

If you chose to remove Viewpoint above, then place a check by these entries:
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Then close all open windows/browsers and Click on Fix Checked.

Reboot your PC, normally.

Delete these files/folders, as follows:
  • Open notepad and copy/paste the text in the quotebox below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\wanmpsvc.exe

    Folder::
    C:\DOCUME~1\JEFFAN~1\Applic~1\WeatherBug
    C:\Program Files\AOL
    C:\Program Files\Common Files\AOL

  • Save this as CFScript
  • Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    Posted Image
  • ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

If you chose to remove Viewpoint earlier, then delete these folders now using Windows Explorer:
C:\Program Files\Viewpoint
C:\Program Files\Common Files\Viewpoint

Please run an online scan to be sure we've left nothing behind!

Run a BitDefender Online scan Here and post the results.

Please post the ViewpointKiller logfile, the BitDefender Scan Report, the Combofix log, and a new HijackThis log in your next reply. Please also say how your computer is running now. :)
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
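The fix above is built by reading HijackThis entries by section (O2 BHOs, O3 toolbars, O9 buttons, O16 ActiveX downloads, O23 services, O24 Active Desktop components) and picking out the ones that are orphaned, have no publisher, or pull content from outside. The following script is an added example, not part of this thread or of HijackThis itself: it parses lines of that format into fields and reports the entries an analyst would review first. The sample log is a handful of lines copied from the logs posted in this thread; the section codes and the "(file missing)" marker are HijackThis conventions, while the triage rules are my own assumptions about what is worth a second look.

```python
"""Parse HijackThis 'O' entries and flag the ones worth reviewing first (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# A CLSID/GUID in braces, as used by O2/O3/O9/O16 entries.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# "O16 - DPF: <rest>" style lines. R0/R1 lines use "key = value" and are not handled here.
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")


@dataclass
class HjtEntry:
    section: str            # "O2", "O16", "O23", ...
    kind: str               # "BHO", "DPF", "Service", "Desktop Component 3", ...
    name: str               # display name (or CLSID when HijackThis printed none)
    clsid: Optional[str]    # CLSID if one appears on the line
    owner: Optional[str]    # O23 only: the publisher string between name and path
    target: str             # file path, URL or command line
    file_missing: bool      # HijackThis appended "(file missing)"
    raw: str


def parse_entry(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis 'O' entry; returns None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section"), m.group("kind"), m.group("rest").strip()
    file_missing = rest.endswith("(file missing)")
    if file_missing:
        rest = rest[: -len("(file missing)")].rstrip()
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else None
    owner = None
    if section == "O4":
        # O4 lines look like "[Label] command" (Run keys) or "name.lnk = path" (Startup folders)
        lm = re.match(r"^\[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$", rest)
        if lm:
            name, target = lm.group("label"), lm.group("cmd")
        elif " = " in rest:
            name, target = rest.split(" = ", 1)
        else:
            name, target = rest, rest
    else:
        if rest.endswith(" -"):
            # e.g. an O16 DPF entry whose download URL is empty
            parts = [rest[:-2].strip(), ""]
        else:
            parts = [p.strip() for p in rest.split(" - ")]
        name = parts[0]
        target = parts[-1] if len(parts) > 1 else ""
        if section == "O23" and len(parts) >= 3:
            owner = parts[1]
    return HjtEntry(section, kind, name, clsid, owner, target, file_missing, line.strip())


def summarize(log_text: str) -> dict:
    """Count parsed entries per HijackThis section."""
    counts: dict = {}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e:
            counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def triage(log_text: str) -> list:
    """Return (entry, reason) pairs for entries an analyst would review first.

    The rules are assumptions for this example, not HijackThis logic."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e.file_missing:
            findings.append((e, "orphaned: the referenced file no longer exists"))
        if e.section == "O23" and e.owner == "Unknown owner":
            findings.append((e, "service with no publisher information"))
        if e.section == "O16":
            if e.target == "":
                findings.append((e, "ActiveX (DPF) entry with no download URL"))
            else:
                findings.append((e, "downloaded ActiveX control; remove if no longer used"))
        if e.section == "O24":
            findings.append((e, "Active Desktop component rendering web or temp-folder content"))
    return findings


# Sample input: lines copied from the HijackThis logs posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jeff and Debbie\Start Menu\Programs\Games\IMVU\Run IMVU.lnk (file missing)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/JEFFAN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

if __name__ == "__main__":
    print("entries per section:", summarize(SAMPLE_LOG))
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{entry.section}] {entry.name}: {reason}")
```

Feeding the script a full log gives a per-section count and a short review list; entries that are merely unfamiliar (a legitimate vendor BHO, for instance) are left alone, which mirrors the way the fixes in this thread only target orphaned, unowned or unneeded items rather than everything HijackThis lists.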

#8 jandd86

jandd86

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 17 September 2007 - 11:57 AM

Had to take a short break from computer, was dreaming of code and scan logs, sheesh! :techsupport:


So, here we go:

QUOTE
... removed some programs we never use... SpywareBlaster (although questioning if should have kept that one).

YOUR REPLY:
That's a good one. I'll be recommending it to you again, later.

Found that I did NOT delete SpywareBlaster.


QUOTE
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab

YOUR REPLY:
This entry is part of pestscan. It does not come highly recommended. Refer here. If you wish to remove it, try uninstalling first.

Did not have this program installed after checking Add/Remove Programs, so checked it when ran HiJackThis and Fixed.


Removed four desktop Components per your instructions.


Removed through Control Panel Viewpoint Manager, Viewpoint Media Player and Viewpoint Toolbar, the other two programs were not installed. Downloaded and ran ViewpointKiller, here is the log:
----------------------------------
ViewpointKiller Version 1.22 (beta)

ViewpointKiller is now attempting to remove VIEWPOINT MANAGER...
The removal process was started at Sun Sep 16 08:21:30 2007

ViewpointKiller determined that "ViewMgr.exe" was not running.

Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES variable was set to "C:\Program Files".

ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Manager" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\Viewpoint\Viewpoint Manager".
ViewpointKiller determined that the path "C:\Documents and Settings\All Users\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\Documents and Settings\All Users\Application Data\Viewpoint".

Finished reporting.
----------------------------------

----------------------------------
ViewpointKiller Version 1.22 (beta)

ViewpointKiller is now attempting to remove VIEWPOINT TOOLBAR...
The removal process was started at Sun Sep 16 08:23:30 2007

ViewpointKiller determined that "FotomatDeviceConnect.exe" was not running.
ViewpointKiller was able to close "iexplore.exe" successfully.

Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES varible was set to "C:\Program Files".

Attempting to rename "C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewpointPhotosShellExt.dll" to "C:\Program Files\Viewpoint\Viewpoint Toolbar V35\KillMe.dll". The error returned was 1026.
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Toolbar V35" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\Viewpoint\Viewpoint Toolbar V35".
ViewpointKiller determined that the path "C:\Documents and Settings\Jeff and Debbie\Local Settings\Application Data\Viewpoint" does exist.
ViewpointKiller was able to remove the "C:\Documents and Settings\Jeff and Debbie\Local Settings\Application Data\Viewpoint" folder successfully.
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Toolbar" does exist.
ViewpointKiller was able to remove the "C:\Program Files\Viewpoint\Viewpoint Toolbar" folder successfully.
ViewpointKiller determined that the path "C:\Program Files\Common Files\Viewpoint" does exist.
ViewpointKiller was able to remove the "C:\Program Files\Common Files\Viewpoint" folder successfully.
ViewpointKiller determined that the path "C:\Documents and Settings\All Users\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\Documents and Settings\All Users\Application Data\Viewpoint".

Finished reporting.
----------------------------------


Ran HiJackThis in Safe Mode, Fixed Checked per your instructions.


Ran ComboFix but think log is too large for this post, it kept cutting off when I tried to post earlier today, so will try to add it as another post following this.


Removed all folders named Viewpoint, still have ViewpointKiller folders, assume okay to delete?


Ran BitDefender but report did not save in correct format, so cleaned up and here it is:

Scan report generated at: Sun, Sep 16, 2007 - 14:31:58

A:\;C:\;D:\;E:\;F:\;



Statistics
Time 04:20:11
Files 465720
Folders 14246
Boot Sectors 3
Archives 5074
Packed Files 15777


Results
Identified Viruses 5
Infected Files 33
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 33

Engines Info
Virus Definitions 804163
Engine build AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22)
Scan plugins 14
Archive plugins 38
Unpack plugins 7
E-mail plugins 6
System plugins 1

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes



C:\Documents and Settings\Jeff and Debbie\My Documents\Mom's Files\Downloads\ak.ex Infected with: Trojan.Isbar.Q

C:\Documents and Settings\Jeff and Debbie\My Documents\Mom's Files\Downloads\ak.ex Disinfection failed

C:\Documents and Settings\Jeff and Debbie\My Documents\Mom's Files\Downloads\ak.ex Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\default.swf=>[SWF command]
Deleted

C:\Program Files\Real\RealJukebox\MSearch\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command]
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Infected with: Trojan.SwfDL.A

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Disinfection failed

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf=>[SWF command
Deleted

C:\Program Files\Real\RealJukebox\MSearch\hold\default.swf
Update failed

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0057888.exe
Infected with: Trojan.Zlob.GD

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0057888.exe
Disinfection failed

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0057888.exe
Deleted

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0057898.exe
Infected with: Trojan.Zlob.GD

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0057898.exe
Disinfection failed

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0057898.exe
Deleted

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0057917.dll
Infected with: Trojan.Zlobie.AH

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0057917.dll
Disinfection failed

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0057917.dll
Deleted

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0057919.0xe
Infected with: Trojan.Downloader.Zlob.AJZ

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0057919.0xe
Disinfection failed

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0057919.0xe
Deleted

Scan Info

Scanned Files 481164

Infected Files 33

Virus Detected
Trojan.Zlob.GD 2
Trojan.Downloader.Zlob.AJZ 1
Trojan.SwfDL.A 28
Trojan.Isbar.Q 1
Trojan.Zlobie.AH 1


Decided to run BitDefender again to see if could get report to save correctly, success! Report shows same 28 infected files as above (Trojan.SwfDL.A), other five files are gone.



And finally ran new HiJackThis and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:59 AM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Jeff and Debbie\My Documents\Mom's Files\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [abc12DesktopAlerts] C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.co...otDateTeleX.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1179959237062
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)

--
End of file - 13177 bytes


I see there are still two references to AOL, assume these can be removed?


Searched pc for AOL files and found many files in folder qoobox\quarantine. Okay to delete?


As far as how the computer is running, things seem to be running much better. While testing IE7, tried to view video on YouTube and had to download updated Adobe Flash Player, can now view videos, although had to download with DAP again. When we are through with this, intend to use Mozilla exclusively, but want IE7 to be functional as some websites require it (such as the online scans). Believe it or not, THIS forum seems to give me the most trouble, often having to either click a link a second time to load it, or the page just hangs, so am actually posting this in Mozilla this time. But all in all, things are improving. While waiting for your reply, will defrag and test again.

Thanks again for ALL your help, you don't know how much I appreciate it!!!

Edited by jandd86, 17 September 2007 - 01:18 PM.
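Added example, not part of the original post and not a HijackThis feature: a small Python triage script for the HijackThis v2 line formats that appear in the log above (O9 buttons, O16 Downloaded Program Files, O23 services). It flags the things a helper looks at first in this kind of log: services whose binary is "(file missing)" or whose owner is "Unknown owner", ActiveX (DPF) entries with no source URL, and binaries sitting outside Program Files or system32 (for instance dropped straight into C:\WINDOWS). The sample lines are copied from the log above; the list of "known" directories and the other heuristics are this example's own assumptions, not anything HijackThis itself decides.

```python
"""Triage helper for HijackThis v2.0 log lines (added example for this thread)."""
import re

# Constructed sample input: a few lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
"""

LINE = re.compile(r"^(O\d+) - (.*)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
# Assumed "normal" homes for service/button binaries on an XP box (heuristic, not a HJT rule).
KNOWN_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")
MISSING = " (file missing)"


def _split_path(fields):
    """Split ' - ' separated fields into (fields before the path, path).
    The path starts at the first field that looks like a drive path, because
    both display names ('BackWeb Plug-in - 3528733') and paths can contain ' - '."""
    for i, field in enumerate(fields):
        if DRIVE_PATH.match(field):
            return fields[:i], " - ".join(fields[i:])
    return fields, ""


def parse_line(line):
    """Parse one HJT line into a dict, or return None for non-HJT text."""
    m = LINE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind == "O23":  # O23 - Service: <display> - <owner> - <image path>
        before, path = _split_path(rest.split(" - "))
        name = " - ".join(before[:-1]) if len(before) > 1 else before[0]
        owner = before[-1] if len(before) > 1 else ""
        missing = path.endswith(MISSING)
        return {"kind": kind, "name": name[len("Service: "):], "owner": owner,
                "path": path[:-len(MISSING)] if missing else path,
                "file_missing": missing}
    if kind == "O16":  # O16 - DPF: <name or {CLSID} (class)> - <URL>
        parts = rest[len("DPF: "):].rsplit(" -", 1)
        url = parts[1].strip() if len(parts) == 2 else ""
        return {"kind": kind, "name": parts[0].strip(), "url": url}
    if kind == "O9":   # O9 - Extra button: <name> - {CLSID} - <path>
        before, path = _split_path(rest.split(" - "))
        return {"kind": kind, "name": before[0].split(": ", 1)[-1], "path": path}
    return {"kind": kind, "name": rest, "path": ""}


def unusual_location(path):
    """Heuristic: a binary outside Program Files / system32 deserves a second look."""
    p = path.lower()
    return bool(p) and not p.startswith(KNOWN_DIRS)


def triage(log_text):
    """Return a list of (entry name, reason) findings for the given log text."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e["kind"] == "O23":
            if e["file_missing"]:
                findings.append((e["name"], "service binary missing (orphan registration)"))
            if e["owner"] == "Unknown owner":
                findings.append((e["name"], "no vendor recorded for service"))
            if unusual_location(e["path"]):
                findings.append((e["name"], "service binary in unusual location: " + e["path"]))
        elif e["kind"] == "O16" and not e["url"]:
            findings.append((e["name"], "ActiveX (DPF) entry with no source URL"))
        elif e["kind"] == "O9" and unusual_location(e["path"]):
            findings.append((e["name"], "IE button backed by binary in unusual location: " + e["path"]))
    return findings


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG):
        print("%-55s %s" % (name, why))
```

Run against the sample, it reports the two "(file missing)" AOL/WAN Miniport services (orphaned registrations, which is what the helper later tells the poster to fix with HJT), the three "Unknown owner" services, the empty O16 entry and the two binaries living directly in C:\WINDOWS. A flag is a prompt to look, not a verdict: ati2sgag.exe and bdoscandel.exe are both legitimate here, which is why the poster's helper still reads the log by hand.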


#9 jandd86 (Full Member, 17 posts)

Posted 17 September 2007 - 01:25 PM

...Geez I feel computer illiterate today...

Edited by jandd86, 17 September 2007 - 01:38 PM.


#10 jandd86 (Full Member, 17 posts)

Posted 17 September 2007 - 01:30 PM

Okay, tried to put ComboFix log here, but again, must be too long, keeps cutting off. It is 243K and see that attachments are limited to 100K, so what would you like me to do? Should I break it up into smaller files.....?

Edited by jandd86, 17 September 2007 - 01:36 PM.


#11 shaferintl (Forum Deity, Trusted Advisor, 1,445 posts)

Posted 17 September 2007 - 02:00 PM

Okay, tried to put ComboFix log here, but again, must be too long, keeps cutting off. It is 243K and see that attachments are limited to 100K, so what would you like me to do? Should I break it up into smaller files.....?

OK to break it into 3 pieces. Thanks!
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#12 jandd86 (Full Member, 17 posts)

Posted 17 September 2007 - 05:25 PM

Okay, here is ComboFix Part 1:

Tried adding log here, but it would not all show up, so am adding as an attachment.

Attached Files


Edited by jandd86, 17 September 2007 - 05:48 PM.


#13 jandd86 (Full Member, 17 posts)

Posted 17 September 2007 - 05:30 PM

...ComboFix Part 2:


Okay, this is not working, won't let me add another attachment


Upload failed. The file was larger than the available space

Max. single upload size: 18.14K


Edited by jandd86, 17 September 2007 - 05:56 PM.


#14 jandd86 (Full Member, 17 posts)

Posted 17 September 2007 - 05:32 PM

...ComboFix Part 3:

Edited by jandd86, 17 September 2007 - 05:57 PM.


#15 jandd86 (Full Member, 17 posts)

Posted 17 September 2007 - 05:35 PM

And now I'm making too many mistakes, therefore this unnecessary duplicate post, so am taking a break for a moment. Sorry for these past few posts, will get my act together momentarily.

Edited by jandd86, 17 September 2007 - 05:59 PM.


#16 shaferintl (Forum Deity, Trusted Advisor, 1,445 posts)

Posted 17 September 2007 - 06:10 PM

And now I'm making too many mistakes, therefore this unnecessary duplicate post, so am taking a break for a moment. Sorry for these past few posts, will get my act together momentarily.

Don't worry about it. Please cut and paste everything after the deletions. These deletions are just a whole lot of AOL files that I don't need to see. Sorry about that. :whistle:
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#17 jandd86 (Full Member, 17 posts)

Posted 17 September 2007 - 06:49 PM

Please cut and paste everything after the deletions.


Okay, here goes:

.
((((((((((((((((((((((((( Files Created from 2007-08-16 to 2007-09-16 )))))))))))))))))))))))))))))))
.

2007-09-15 17:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-09-15 09:53 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-15 09:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-15 06:39 102,400 --a------ C:\WINDOWS\SYSTEM32\unzip32.dll
2007-09-15 06:39 <DIR> d-------- C:\Program Files\Weather Watcher
2007-09-15 06:35 <DIR> d-a--c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-14 12:31 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-14 12:30 <DIR> dr-h-c--- C:\MSOCache
2007-09-14 12:30 <DIR> d-------- C:\Program Files\Microsoft Expedia Streets & Trips
2007-09-13 10:22 <DIR> d-------- C:\DOCUME~1\JEFFAN~1\DoctorWeb
2007-09-09 20:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 10:38 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-08 10:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-08 10:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-31 05:00 <DIR> d--h----- C:\WINDOWS\amc
2007-08-29 11:06 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-29 10:28 50,688 --a------ C:\WINDOWS\SYSTEM32\wbhelp2.dll
2007-08-28 12:24 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-24 11:30 <DIR> d-------- C:\Program Files\Microsoft ActiveSync

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 20:21 --------- d-------- C:\Program Files\Webshots
2007-09-15 19:26 --------- d-------- C:\Program Files\DAP
2007-09-15 18:00 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\ispnews
2007-09-15 11:57 --------- d-------- C:\DOCUME~1\Jeff\APPLIC~1\AOL
2007-09-15 11:54 --------- d----c--- C:\DOCUME~1\Crystal\APPLIC~1\AOL
2007-09-10 22:32 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-10 22:17 --------- d-------- C:\Program Files\Maxis
2007-09-08 09:53 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Uniblue
2007-09-03 22:21 --------- d-------- C:\Program Files\Starry Night Bundle Edition
2007-09-01 08:48 --------- d-------- C:\Program Files\Google
2007-08-31 09:03 --------- d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-08-31 09:03 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\InstallShield
2007-08-30 11:48 --------- d-------- C:\Program Files\NStorm
2007-08-29 11:31 --------- d-------- C:\Program Files\Charter High-Speed Security Suite
2007-08-29 11:25 1187840 --a------ C:\WINDOWS\SYSTEM32\winsflt.dll
2007-08-28 17:57 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-14 23:52 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-08-14 23:52 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Yahoo!
2007-08-14 23:21 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-13 15:19 --------- d-------- C:\Program Files\Audible
2007-08-09 14:20 --------- d-------- C:\Program Files\Microsoft Home Publishing 2000
2007-08-08 22:54 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Creative
2007-08-08 19:01 --------- d-------- C:\Program Files\Creative
2007-08-08 18:52 --------- d--h----- C:\Program Files\Creative Installation Information
2007-08-08 18:49 --------- d-------- C:\Program Files\Common Files\Creative
2007-08-08 18:46 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YAHOO
2007-08-08 18:46 --------- d-------- C:\Program Files\Yahoo!
2007-08-08 18:46 --------- d-------- C:\Program Files\illiminable
2007-08-08 18:39 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-01 19:54 --------- d-------- C:\Program Files\ReadIris
2007-08-01 19:43 --------- d-------- C:\Program Files\Hewlett-Packard
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-29 16:11 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\F-Secure
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2002-03-10 11:26 172 --a--c--- C:\Program Files\ScrambleHighScores75.Txt
2002-03-09 20:00 177 --a--c--- C:\Program Files\TripHiScores120.Txt
2002-01-19 20:16 173 --a--c--- C:\Program Files\HiScores60.Txt
2002-01-16 20:32 174 --a--c--- C:\Program Files\ZipHiScores90.Txt
2002-01-14 18:16 173 --a--c--- C:\Program Files\TakeTwoHighScores45.Txt
2002-01-06 12:25 172 --a--c--- C:\Program Files\TowerHiScores45.Txt
2002-01-04 17:32 178 --a--c--- C:\Program Files\HiScores90_11.Txt
.

((((((((((((((((((((((((((((( snapshot_2007-09-13_100223.70 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 53,248 2006-05-25 05:22:06 C:\WINDOWS\bdoscandel.exe
----a-w 110,592 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll
----a-w 64,088 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
----a-w 229,376 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL
----a-w 4,096 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll
----a-w 223,800 2006-08-21 15:37:37 C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
----a-w 16,384 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll
----a-w 141,424 2006-08-24 12:28:54 C:\WINDOWS\Downloaded Program Files\asinst.dll
----a-w 118,784 2005-03-01 18:08:48 C:\WINDOWS\Downloaded Program Files\bdupd.dll
----a-w 53,248 2005-03-01 18:08:52 C:\WINDOWS\Downloaded Program Files\ipsupd.dll
----a-w 73,728 2006-08-02 16:39:06 C:\WINDOWS\SYSTEM32\asuninst.exe
-c--a-w 457,248 2007-09-14 17:05:41 C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
----a-w 11,776 2003-03-25 22:53:50 C:\WINDOWS\SYSTEM32\ZPORT4AS.dll
----a-w 110,592 2007-03-29 13:20:50 C:\WINDOWS\SYSTEM32\ActiveScan\as.dll
----a-w 233,472 2006-10-05 20:15:26 C:\WINDOWS\SYSTEM32\ActiveScan\ascontrol.dll
----a-w 96,256 2005-06-03 18:03:18 C:\WINDOWS\SYSTEM32\ActiveScan\asmdat.dll
----a-w 36,864 2003-08-01 15:00:16 C:\WINDOWS\SYSTEM32\ActiveScan\certdll.dll
----a-w 86,016 2005-05-20 17:42:44 C:\WINDOWS\SYSTEM32\ActiveScan\instlsp.dll
----a-w 4,608 2006-02-16 22:20:20 C:\WINDOWS\SYSTEM32\ActiveScan\memvfile.dll
----a-w 348,160 2005-10-25 22:08:32 C:\WINDOWS\SYSTEM32\ActiveScan\msvcr71.dll
----a-w 139,264 2004-05-04 19:01:02 C:\WINDOWS\SYSTEM32\ActiveScan\pavaleas.dll
----a-w 45,056 2006-07-14 17:04:10 C:\WINDOWS\SYSTEM32\ActiveScan\pavdr.exe
----a-w 159,832 2006-04-10 14:50:02 C:\WINDOWS\SYSTEM32\ActiveScan\pavexcom.dll
----a-w 94,208 2006-02-14 17:05:38 C:\WINDOWS\SYSTEM32\ActiveScan\pavinas.dll
----a-w 180,224 2006-02-16 22:35:38 C:\WINDOWS\SYSTEM32\ActiveScan\pavoe.dll
----a-w 122,880 2006-10-05 20:15:38 C:\WINDOWS\SYSTEM32\ActiveScan\pavpz.dll
----a-w 8,704 2006-06-30 18:13:38 C:\WINDOWS\SYSTEM32\ActiveScan\pfdnnt.exe
----a-w 49,152 2004-02-04 18:08:42 C:\WINDOWS\SYSTEM32\ActiveScan\port32.dll
----a-w 69,632 2006-08-01 17:23:10 C:\WINDOWS\SYSTEM32\ActiveScan\pscpu.dll
----a-w 1,388,544 2006-08-23 17:06:08 C:\WINDOWS\SYSTEM32\ActiveScan\pskahk.dll
----a-w 10,752 2006-08-17 15:38:14 C:\WINDOWS\SYSTEM32\ActiveScan\pskalloc.dll
----a-w 61,440 2006-09-04 15:49:54 C:\WINDOWS\SYSTEM32\ActiveScan\pskas.dll
----a-w 779,264 2006-08-18 12:46:18 C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll
----a-w 417,792 2007-03-26 18:25:34 C:\WINDOWS\SYSTEM32\ActiveScan\pskcmp.dll
----a-w 90,112 2006-08-09 14:42:24 C:\WINDOWS\SYSTEM32\ActiveScan\pskfss.dll
----a-w 208,896 2006-07-19 14:55:58 C:\WINDOWS\SYSTEM32\ActiveScan\pskhtml.dll
----a-w 9,728 2006-01-20 20:57:00 C:\WINDOWS\SYSTEM32\ActiveScan\pskmas.dll
----a-w 14,336 2006-05-17 13:50:12 C:\WINDOWS\SYSTEM32\ActiveScan\pskmdfs.dll
----a-w 33,280 2006-08-16 14:58:12 C:\WINDOWS\SYSTEM32\ActiveScan\pskpack.dll
----a-w 266,240 2006-06-30 18:42:36 C:\WINDOWS\SYSTEM32\ActiveScan\pskscs.dll
----a-w 62,976 2006-08-17 18:33:14 C:\WINDOWS\SYSTEM32\ActiveScan\pskutil.dll
----a-w 13,312 2006-08-08 17:13:10 C:\WINDOWS\SYSTEM32\ActiveScan\pskvfile.dll
----a-w 69,632 2006-08-18 12:53:08 C:\WINDOWS\SYSTEM32\ActiveScan\pskvfs.dll
----a-w 167,936 2006-08-18 12:49:50 C:\WINDOWS\SYSTEM32\ActiveScan\pskvm.dll
----a-w 353,840 2007-04-18 21:16:04 C:\WINDOWS\SYSTEM32\ActiveScan\psscan.dll
----a-w 35,328 2007-01-22 18:42:48 C:\WINDOWS\SYSTEM32\ActiveScan\rawvfile.dll
----a-w 9,488 1997-09-18 10:12:32 C:\WINDOWS\SYSTEM32\ActiveScan\sporder.dll
----a-w 69,632 2006-02-28 21:23:40 C:\WINDOWS\SYSTEM32\ActiveScan\tcpvfile.dll
----a-w 213,048 2005-05-24 15:27:16 C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-09-07 15:29:00 C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 946,176 2007-09-07 15:29:00 C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
-c--a-w 848,652 2007-09-14 16:33:22 C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
.
-c--a-w 110,592 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll
-c--a-w 64,088 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
-c--a-w 229,376 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL
-c--a-w 4,096 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll
-c--a-w 223,800 2006-08-21 15:37:37 C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
-c--a-w 16,384 2006-08-21 15:37:38 C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll
-c--a-w 501,032 2007-08-24 15:38:26 C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
-c--a-w 142,116 2007-08-15 03:35:27 C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 05:19]
"MaxtorCombo"="C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-15 21:23]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 20:22]
"F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" [2005-10-25 21:51]
"F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.exe" [2005-10-18 04:29]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"News Service"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" [2005-05-31 08:45]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClocX"="C:\Program Files\ClocX\ClocX.exe" [2004-04-25 15:29]
"abc12DesktopAlerts"="C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe" [2006-11-02 23:12]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Charter High-Speed Security Suite.lnk - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe [2007-08-29 11:21:01]
DESKTOP.INI [2007-05-19 10:11:54]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-11 11:31:50]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [2002-09-20 12:30:06]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\DOCUME~1\Crystal\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-01-13 19:37:13]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-05-19 10:11:54]

C:\DOCUME~1\JEFFAN~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-01-13 19:37:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1127580058\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???
?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
"C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McShield"=3 (0x3)
"bgsvcgen"=2 (0x2)
"RetroLauncher"=3 (0x3)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 BackWeb Plug-in - 3528733;Charter High-Speed Security Suite;C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
S3 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-01 12:42:47 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1188650389.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-09-06 12:07:14 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1189080192.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-09-16 00:05:48 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\CHARTE~1\ANTI-V~1\fsav.exe
"2007-09-14 10:44:09 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2007-09-08 13:23:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-08 13:22:56 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-16 09:50:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-16 10:00:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-16 10:00
C:\ComboFix2.txt ... 2007-09-14 22:10
C:\ComboFix3.txt ... 2007-09-13 10:04
.
--- E O F ---
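Added example, not part of the original post and not part of ComboFix: a Python helper that reads two of the ComboFix sections shown above, the "Files Created" lines (timestamp, size or <DIR>, attribute flags, path) and the driver/service lines (R0/R1/R2/S3 name;description;image path), and flags what a reviewer checks first: hidden objects created in the scan window, executables dropped directly into %SystemRoot%, and kernel drivers that start at boot, system or auto start from somewhere other than system32\drivers. The sample lines are copied from the log above. The reading of the driver prefix (R = running, S = stopped, digit = the service Start value: 0 boot, 1 system, 2 auto, 3 manual) and the "h" attribute flag meaning hidden are this example's assumptions about ComboFix output, and the thresholds are its own heuristics.

```python
"""Triage helper for ComboFix 'Files Created' and driver lines (added example for this thread)."""
import re

# Constructed sample input: lines copied from the ComboFix log above.
SAMPLE = r"""
2007-09-15 06:39 102,400 --a------ C:\WINDOWS\SYSTEM32\unzip32.dll
2007-09-09 20:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-08-31 05:00 <DIR> d--h----- C:\WINDOWS\amc
2007-08-29 11:06 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-09-14 12:30 <DIR> dr-h-c--- C:\MSOCache
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSgk.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
"""

# "YYYY-MM-DD HH:MM  <size or <DIR>>  <9 attribute flags>  <path>"
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{9})\s+(.+)$")
# "<R|S><start> <name>;<description>;<image path>"  (assumed meaning, see lead-in)
DRV_LINE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+)$")
START_TYPE = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
SYSROOT = "c:\\windows\\"
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
NT_PREFIX = "\\??\\"          # NT object-manager prefix ComboFix shows for full ImagePath values
EXEC_EXT = (".exe", ".dll", ".sys")


def parse_file_line(line):
    """Parse a 'Files Created' line; return None if the line is something else."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    when, size, flags, path = m.groups()
    is_dir = size == "<DIR>"
    return {"when": when, "is_dir": is_dir,
            "size": 0 if is_dir else int(size.replace(",", "")),
            "hidden": "h" in flags, "flags": flags, "path": path}


def parse_driver_line(line):
    """Parse an R*/S* driver or service line; return None if the line is something else."""
    m = DRV_LINE.match(line.strip())
    if not m:
        return None
    state, start, name, desc, image = m.groups()
    if image.startswith(NT_PREFIX):
        image = image[len(NT_PREFIX):]
    return {"running": state == "R", "start": int(start), "name": name,
            "desc": desc, "image": image}


def _directly_in_sysroot(path_lower):
    """True for C:\\WINDOWS\\foo.exe, False for anything in a subdirectory."""
    return path_lower.startswith(SYSROOT) and "\\" not in path_lower[len(SYSROOT):]


def triage(log_text):
    """Return a list of (object name, reason) findings for the given log text."""
    findings = []
    for raw in log_text.splitlines():
        f = parse_file_line(raw)
        if f:
            low = f["path"].lower()
            if f["hidden"]:
                kind = "directory" if f["is_dir"] else "file"
                findings.append((f["path"], "hidden %s created %s (flags %s)" % (kind, f["when"], f["flags"])))
            if not f["is_dir"] and _directly_in_sysroot(low) and low.endswith(EXEC_EXT):
                findings.append((f["path"], "executable placed directly in %SystemRoot%"))
            continue
        d = parse_driver_line(raw)
        if d is None or not d["image"].lower().endswith(".sys"):
            continue  # user-mode services (.exe) are handled elsewhere; only kernel drivers here
        if d["start"] <= 2 and not d["image"].lower().startswith(DRIVERS_DIR):
            findings.append((d["name"], "%s-start kernel driver loaded from %s"
                             % (START_TYPE[d["start"]], d["image"])))
    return findings


if __name__ == "__main__":
    for name, why in triage(SAMPLE):
        print("%-45s %s" % (name, why))
```

On the sample this reports the hidden C:\WINDOWS\amc directory and the hidden C:\MSOCache (the latter is the Office installer cache and is expected), NirCmd.exe in the Windows root (the command-line helper ComboFix itself drops there), and the F-Secure Gatekeeper driver auto-started from Program Files (normal for that product, but exactly the kind of entry worth confirming against the installed suite). A \??\ prefix on its own is not suspicious; the NMSCFG.SYS entry is not flagged because, prefix stripped, it lives in the standard drivers directory and is manual-start anyway.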

#18 shaferintl (Forum Deity, Trusted Advisor, 1,445 posts)

Posted 18 September 2007 - 06:39 AM

jandd86,

Thanks for the post. Your system appears to be clean!! :thumbsup: :thumbsup:

Removed all folders named Viewpoint, still have ViewpointKiller folders, assume okay to delete?

Yes, you may delete them.

Decided to run BitDefender again to see if could get report to save correctly, success! Report shows same 28 infected files as above (Trojan.SwfDL.A), other five files are gone.

There are some false positives here. Bitdefender cleaned up some old stuff and is now looking good. :thumbsup:

I see there are still two references to AOL, assume these can be removed?

Yes, you may fix them using HJT.

Searched pc for AOL files and found many files in folder qoobox\quarantine. Okay to delete?

You may delete the entire qoobox folder.

... Believe it or not, THIS forum seems to give me the most trouble, often having to either click a link a second time to load it, or the page just hangs, so am actually posting this in Mozilla this time.

This forum is difficult to load sometimes using IE. It depends upon how busy. What you've described seems normal from my experience.

.. But all in all, things are improving.

Excellent! :thumbsup:

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we at SWI are to help you, for your sake we would rather not have repeat customers. :p

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

1) First and foremost, you should maintain your firewall. It is the primary way to keep out malware. A tutorial on understanding and using firewalls may be found here.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

You are already a user of Ad-aware and SpywareBlaster. :thumbsup:

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) I see you use Mozilla's Firefox. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. I would recommend you continue to use Firefox.

4) Also make sure to run your antivirus software, perform scans regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you have other "clutter" you are considering removing and would like to talk about it, just ask. I'll leave this thread open for awhile yet.

Hopefully this should take care of your problems! Good luck. :D
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#19 jandd86 (Full Member, 17 posts)

Posted 19 September 2007 - 06:16 AM

QUOTE
... Believe it or not, THIS forum seems to give me the most trouble, often having to either click a link a second time to load it, or the page just hangs, so am actually posting this in Mozilla this time.
This forum is difficult to load sometimes using IE. It depends upon how busy. What you've described seems normal from my experience.


Good to know it is not just my pc. Yesterday morning got an ISP error, did some research and found other forums with same problem, many saying that heavy traffic may be the reason for the slow down.

Found in my download file - registryfix.exe, created Thursday, January 12, 2006, 2:03:59 PM, accessed February 11, 2007, 8:38:38 AM. Don't know where it came from and tried to remove it, getting the following error message: Cannot delete: It is being used by another person or program. Do you know what this file is used for, do I need it, and/or how do I get rid of it?

After cleaning up old programs/files, recovered 1.6 gigs of free space! Will keep looking and let you know if I find any questionable files.


Your suggestions:

Automatic Updates already enabled.

Currently use F-Secure through Charter, using their internet shield (assume that's the firewall), virus and spy protection, and web filtering services. Virus definitions updated daily, full weekly scan already scheduled.

Ad-Aware – updated weekly, scheduled weekly scan.
AVG Anti-Spyware - updated daily, scheduled weekly scan.
Had Spybot installed previously but had used rarely. Updated, scheduled weekly scans.
Had SpywareBlaster already installed – Updated and running
Spyguard – downloaded, updated and running.

So now have five (6 if you include F-Secure) spyware programs. Overkill? Which would be your best recommendations?

Read Tony Klein's article and followed up some of the information I was not utilizing.



UPDATE:

While doing all of the above, Charter automatically downloaded an update to the F-Secure software, installed it, and completely annihilated my internet connection. My network connection had limited or no connectivity, could not access the internet, all browsers closed. The new version would not finish the install because it could not connect to verify my activation key. Did a System Restore to before the install and was able to restore my internet connection, but the old version of F-Secure was malfunctioning. Spent most of afternoon trying to restore, had to reinstall old version four times before it became fully functional and am now back up and running. Experienced severe slowdowns all afternoon, seems to have improved today, but wonder if you could look at HiJackThis one more time to make sure nothing happened during this fiasco. Extremely frustrating!! :grrr:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:10 AM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Jeff and Debbie\My Documents\Mom's Files\Computer Help Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [abc12DesktopAlerts] C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.co...otDateTeleX.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1179959237062
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Installer restarter (FSIHS) - Unknown owner - C:\WINDOWS\TEMP\Installer�000001\bootstrap\fsihs.exe (file missing)
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)

--
End of file - 12246 bytes

It looks okay to me, but am no expert in this department. Did notice all the spyware listed, except SpywareBlaster.


Once again, I thank you for taking the time to help me. :keybrd:
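As an added example (not part of this thread, and not HijackThis or ComboFix output), the script below applies to HijackThis entry lines the first-pass checks a log helper makes by eye: O23 services whose binary is reported "(file missing)" or has an "Unknown owner", an O16 ActiveX record with no name and no source URL, a BHO with no display name, and a set ProxyOverride. The input is a constructed excerpt of the log posted above (the FSIHS service line is left out because its path is garbled in the post), and the review rules are this example's own assumptions: a hit means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample: a few entry lines copied from the HijackThis log posted
# above, plus two header lines to show that non-entry lines are skipped.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [abc12DesktopAlerts] C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
"""

# Every HijackThis entry line starts with a section tag such as R1, O2, O4, O16, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O16 body that is only a CLSID and a dash: no control name, no download URL.
BARE_DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]{36}\} -$")
FILE_MISSING = "(file missing)"


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Return (section, body, line) for each entry line; headers and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(log_text):
    """Apply the review heuristics (this example's own assumptions) and return the hits."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if section == "O23":
            if body.endswith(FILE_MISSING):
                findings.append(Finding(section, "service points at a binary that no longer exists; orphaned service", line))
            elif " - Unknown owner - " in body:
                findings.append(Finding(section, "service binary carries no publisher name; confirm its path and hash", line))
        elif section == "O16" and BARE_DPF_RE.match(body):
            findings.append(Finding(section, "ActiveX download record with no name and no source URL", line))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(section, "browser helper object without a display name; identify it by CLSID and DLL path", line))
        elif section == "R1" and "ProxyOverride" in body:
            findings.append(Finding(section, "proxy bypass list is set; check it matches the intended configuration", line))
    return findings


def summarize(findings):
    """Count findings per HijackThis section, e.g. {'O23': 2, 'O16': 1}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print(summarize(hits))
```

Run against the sample, the script flags five lines: the ProxyOverride, the unnamed BHO (which the DLL path shows is Spybot's SDHelper, so a false alarm the reviewer dismisses), the bare O16 CLSID, and the two O23 services; the FSMA service, which names its publisher and whose binary exists, is not flagged. The point of the O23 rules is the one the helper makes later in the thread: an entry marked "(file missing)" is an orphaned service that can be fixed safely, while "Unknown owner" only means the binary has no publisher string and needs a look at the path.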

#20 shaferintl

    Forum Deity

  • Trusted Advisor
  • 1,445 posts

Posted 19 September 2007 - 09:51 PM

jandd86,

Found in my download file - registryfix.exe, created Thursday, January 12, 2006, 2:03:59 PM, accessed February 11, 2007, 8:38:38 AM. Don't know where it came from and tried to remove it, getting the following error message: Cannot delete: It is being used by another person or program. Do you know what this file is used for and do I need and/or how do I get rid of it?

This is from RegistryCleaner. It is a legitimate application. If you want to remove it, try uninstalling it using Start > Control Panel > Add or Remove Programs. If that doesn't work, let me know.

After cleaning up old programs/files, recovered 1.6 gigs of free space! Will keep looking and let you know if I find any questionable files.

That's progress!

So now have five (6 if you include F-Secure) spyware programs. Overkill? Which would be your best recommendations?

No, not necessarily. I recommend F-Secure, SpywareBlaster, Ad-aware, and AVG AS. You keep what works for you.

... seems to have improved today, but wonder if you could look at HiJackThis one more time to make sure nothing happened during this fiasco. Extremely frustrating!! :grrr:

What a pain. Hang in there. :)

I checked your HJT log and it is clean. You might want to fix these entries:

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

They are not malware, in and of themselves, but they bring malware with them. Some better alternatives may be found here. If you do decide to fix the entries, you'll need to delete the C:\Program Files\DAP folder, as well.

Post a fresh Combofix log, just to be sure. Thanks! :thumbup:
shaferintl


#21 jandd86

    Member

  • Full Member
  • 17 posts

Posted 20 September 2007 - 11:35 AM

:ugh: When it rains, it pours! This morning I was once again kicked off the internet and found that the router went down, although it took a while to figure out that was the problem after two calls to Charter and numerous reboots, but all is fine now and we are chugging along like the little engine that could. I am very happy with the fixes you have made for me and even hubby said "wow" when he saw how fast webpages were loading. :hyper:

By the way, Charter did tell me they know the new F-Secure update has a "glitch" in it and are working to fix it. Thought you might like to know this if you have similar complaints.

Found in my download file - registryfix.exe, created Thursday, January 12, 2006, 2:03:59 PM, accessed February 11, 2007, 8:38:38 AM. Don't know where it came from and tried to remove it, getting the following error message: Cannot delete: It is being used by another person or program. Do you know what this file is used for and do I need and/or how do I get rid of it?

YOUR REPLY:

This is from RegistryCleaner. It is a legitimate application. If you want to remove it, try uninstalling it using Start > Control Panel > Add or Remove Programs. If that doesn't work, let me know.

Do not have RegistryCleaner installed, don't remember downloading it, so if I don't need it to run any other program, would like to get rid of it.

I recommend F-Secure, SpywareBlaster, Ad-aware, and AVG AS. You keep what works for you.


Thanks for the recommendations, will work with them all and see how they work and decide which ones to keep. So far, I like them all, with the exception of Spybot's TeaTimer, so will probably disable that part.

You might want to fix these entries:

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

Uninstalled and removed all things DAP, ran a new HiJackThis and found no references to those entries.

Downloaded Download Express per your recommendations, tested it by downloading ComboFix (had deleted it yesterday) and works great. Will continue to test it, but anything spyware-free makes me happy. :D

Here is the new ComboFix log:

ComboFix 07-09-20.1 - "Jeff and Debbie" 2007-09-20 12:57:06.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.73 [GMT -4:00]
Script execution time was exceeded on script "C:\ComboFix\restore_pt.vbs".
Script execution was terminated.
.

((((((((((((((((((((((((( Files Created from 2007-08-20 to 2007-09-20 )))))))))))))))))))))))))))))))
.

2007-09-20 11:53 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\MetaProducts
2007-09-20 11:52 <DIR> d----c--- C:\DOCUME~1\Crystal\APPLIC~1\MetaProducts
2007-09-20 11:52 <DIR> d----c--- C:\DOCUME~1\ADMINI~1\APPLIC~1\MetaProducts
2007-09-20 11:52 <DIR> d-------- C:\Program Files\Download Express
2007-09-20 11:52 <DIR> d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\MetaProducts
2007-09-20 11:52 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\MetaProducts
2007-09-19 13:57 9,600 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hidusb.sys
2007-09-19 13:57 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2007-09-19 13:57 12,160 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\mouhid.sys
2007-09-19 13:57 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2007-09-18 23:19 <DIR> d-------- C:\Program Files\Add Remove Manager
2007-09-18 13:46 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\fssg
2007-09-18 11:17 <DIR> d-------- C:\Program Files\SpywareGuard
2007-09-18 09:27 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-16 10:09 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-15 09:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-15 06:39 102,400 --a------ C:\WINDOWS\SYSTEM32\unzip32.dll
2007-09-15 06:35 <DIR> d-a--c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-14 12:31 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-14 12:30 <DIR> dr-h-c--- C:\MSOCache
2007-09-13 10:22 <DIR> d-------- C:\DOCUME~1\JEFFAN~1\DoctorWeb
2007-09-09 20:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 10:38 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-08 10:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-08 10:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-31 05:00 <DIR> d--h----- C:\WINDOWS\amc
2007-08-29 11:06 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-28 12:24 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-24 11:30 <DIR> d-------- C:\Program Files\Microsoft ActiveSync

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-20 11:07 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-18 23:40 --------- d-------- C:\Program Files\abc12DesktopAlerts
2007-09-18 21:29 --------- d-------- C:\Program Files\Charter High-Speed Security Suite
2007-09-18 21:26 1187840 --a------ C:\WINDOWS\SYSTEM32\winsflt.dll
2007-09-18 20:27 118842 -r------- C:\WINDOWS\bwUnin-6.3.2.129-3528733L.exe
2007-09-18 19:56 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\F-Secure
2007-09-18 11:02 82380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-09-18 08:49 --------- d-------- C:\Program Files\TurboTax
2007-09-17 05:55 --------- d-------- C:\Program Files\Starry Night Bundle Edition
2007-09-15 20:21 --------- d-------- C:\Program Files\Webshots
2007-09-15 18:00 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\ispnews
2007-09-10 22:32 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-10 22:17 --------- d-------- C:\Program Files\Maxis
2007-09-08 09:53 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Uniblue
2007-09-01 08:48 --------- d-------- C:\Program Files\Google
2007-08-31 09:03 --------- d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-08-31 09:03 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\InstallShield
2007-08-30 11:48 --------- d-------- C:\Program Files\NStorm
2007-08-14 23:52 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-08-14 23:52 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Yahoo!
2007-08-14 23:21 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-13 15:19 --------- d-------- C:\Program Files\Audible
2007-08-09 14:20 --------- d-------- C:\Program Files\Microsoft Home Publishing 2000
2007-08-08 22:54 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Creative
2007-08-08 19:01 --------- d-------- C:\Program Files\Creative
2007-08-08 18:52 --------- d--h----- C:\Program Files\Creative Installation Information
2007-08-08 18:49 --------- d-------- C:\Program Files\Common Files\Creative
2007-08-08 18:46 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YAHOO
2007-08-08 18:46 --------- d-------- C:\Program Files\Yahoo!
2007-08-08 18:46 --------- d-------- C:\Program Files\illiminable
2007-08-08 18:39 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-01 19:54 --------- d-------- C:\Program Files\ReadIris
2007-08-01 19:43 --------- d-------- C:\Program Files\Hewlett-Packard
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2002-03-10 11:26 172 --a--c--- C:\Program Files\ScrambleHighScores75.Txt
2002-03-09 20:00 177 --a--c--- C:\Program Files\TripHiScores120.Txt
2002-01-19 20:16 173 --a--c--- C:\Program Files\HiScores60.Txt
2002-01-16 20:32 174 --a--c--- C:\Program Files\ZipHiScores90.Txt
2002-01-14 18:16 173 --a--c--- C:\Program Files\TakeTwoHighScores45.Txt
2002-01-06 12:25 172 --a--c--- C:\Program Files\TowerHiScores45.Txt
2002-01-04 17:32 178 --a--c--- C:\Program Files\HiScores90_11.Txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 05:19]
"MaxtorCombo"="C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-15 21:23]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 20:22]
"F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.exe" [2005-10-18 04:29]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"News Service"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" [2005-05-31 08:45]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" [2005-10-25 21:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClocX"="C:\Program Files\ClocX\ClocX.exe" [2004-04-25 15:29]
"abc12DesktopAlerts"="C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe" [2006-11-02 23:12]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Charter High-Speed Security Suite.lnk - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe [2007-09-18 20:27:53]
DESKTOP.INI [2007-05-19 10:11:54]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-11 11:31:50]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [2002-09-20 12:30:06]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\DOCUME~1\Crystal\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-01-13 19:37:13]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-05-19 10:11:54]

C:\DOCUME~1\JEFFAN~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-01-13 19:37:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1127580058\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???
?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
"C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McShield"=3 (0x3)
"bgsvcgen"=2 (0x2)
"RetroLauncher"=3 (0x3)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 BackWeb Plug-in - 3528733;Charter High-Speed Security Suite;C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S2 FSIHS;F-Secure Installer restarter;"C:\WINDOWS\TEMP\Installer�000001\bootstrap\fsihs.exe"
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
S3 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 10:48:41 C:\WINDOWS\Tasks\Ad-Aware 2007.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\AD-AWA~1.EXE
"2007-09-20 04:30:50 C:\WINDOWS\Tasks\AVG Anti-Spyware.job"
- C:\PROGRA~1\Grisoft\AVGANT~1.5\avgas.exe
"2007-09-20 00:54:35 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\CHARTE~1\ANTI-V~1\fsav.exe
"2007-09-19 10:58:15 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 13:03:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-20 13:08:11
C:\ComboFix-quarantined-files.txt ... 2007-09-16 10:00
C:\ComboFix2.txt ... 2007-09-16 10:00
C:\ComboFix3.txt ... 2007-09-14 22:10
.
--- E O F ---


I see the report references AOL. Does that mean anything, or is it nothing to worry about?

#22 shaferintl

shaferintl

    Forum Deity

  • Trusted Advisor
  • 1,445 posts

Posted 20 September 2007 - 07:12 PM

jandd86,

Thanks for the Combofix log! It is clean. I see the AOL entries and have provided a fix below.

... but all is fine now and we are chugging along like the little engine that could.

Awesome! :thumbsup:

By the way, Charter did tell me they know the new F-Secure update has a "glitch" in it and are working to fix it. Thought you might like to know this if you have similar complaints.

Thanks for the info.

Found in my download file - registryfix.exe... don't remember downloading it, so if I don't need it to run any other program, would like to get rid of it.

OK, removal is included below.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears. Sign in with your normal user account.

Still in Safe Mode, delete the file registryfix.exe using Windows Explorer.

Reboot your PC, normally.

Delete these Entries, as follows:
  • Open notepad and copy/paste the text in the quotebox below into it (all except the word QUOTE):

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

  • Save this as CFScript
  • Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    [screenshot: dragging the CFScript file onto ComboFix.exe]
  • ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

Please post the Combofix log in your next reply. Thanks! :)
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#23 jandd86

jandd86

    Member

  • Full Member
  • 17 posts

Posted 22 September 2007 - 05:17 AM

Here is the ComboFix log:

ComboFix 07-09-20.1 - "Jeff and Debbie" 2007-09-21 18:58:30.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.127 [GMT -4:00]
Script execution time was exceeded on script "C:\ComboFix\restore_pt.vbs".
Script execution was terminated.
.

((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
.

2007-09-20 11:53 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\MetaProducts
2007-09-20 11:52 <DIR> d----c--- C:\DOCUME~1\Crystal\APPLIC~1\MetaProducts
2007-09-20 11:52 <DIR> d----c--- C:\DOCUME~1\ADMINI~1\APPLIC~1\MetaProducts
2007-09-20 11:52 <DIR> d-------- C:\Program Files\Download Express
2007-09-20 11:52 <DIR> d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\MetaProducts
2007-09-20 11:52 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\MetaProducts
2007-09-19 13:57 9,600 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hidusb.sys
2007-09-19 13:57 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2007-09-19 13:57 12,160 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\mouhid.sys
2007-09-19 13:57 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2007-09-18 23:19 <DIR> d-------- C:\Program Files\Add Remove Manager
2007-09-18 13:46 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\fssg
2007-09-18 11:17 <DIR> d-------- C:\Program Files\SpywareGuard
2007-09-18 09:27 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-16 10:09 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-15 09:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-15 06:39 102,400 --a------ C:\WINDOWS\SYSTEM32\unzip32.dll
2007-09-15 06:35 <DIR> d-a--c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-14 12:31 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-14 12:30 <DIR> dr-h-c--- C:\MSOCache
2007-09-13 10:22 <DIR> d-------- C:\DOCUME~1\JEFFAN~1\DoctorWeb
2007-09-09 20:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 10:38 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-08 10:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-08 10:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-31 05:00 <DIR> d--h----- C:\WINDOWS\amc
2007-08-29 11:06 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-08-28 12:24 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-24 11:30 <DIR> d-------- C:\Program Files\Microsoft ActiveSync

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-20 11:07 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-18 23:40 --------- d-------- C:\Program Files\abc12DesktopAlerts
2007-09-18 21:29 --------- d-------- C:\Program Files\Charter High-Speed Security Suite
2007-09-18 21:26 1187840 --a------ C:\WINDOWS\SYSTEM32\winsflt.dll
2007-09-18 20:27 118842 -r------- C:\WINDOWS\bwUnin-6.3.2.129-3528733L.exe
2007-09-18 19:56 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\F-Secure
2007-09-18 11:02 82380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-09-18 08:49 --------- d-------- C:\Program Files\TurboTax
2007-09-17 05:55 --------- d-------- C:\Program Files\Starry Night Bundle Edition
2007-09-15 20:21 --------- d-------- C:\Program Files\Webshots
2007-09-15 18:00 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\ispnews
2007-09-10 22:32 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-10 22:17 --------- d-------- C:\Program Files\Maxis
2007-09-08 09:53 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Uniblue
2007-09-01 08:48 --------- d-------- C:\Program Files\Google
2007-08-31 09:03 --------- d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-08-31 09:03 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\InstallShield
2007-08-30 11:48 --------- d-------- C:\Program Files\NStorm
2007-08-14 23:52 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-08-14 23:52 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Yahoo!
2007-08-14 23:21 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-13 15:19 --------- d-------- C:\Program Files\Audible
2007-08-09 14:20 --------- d-------- C:\Program Files\Microsoft Home Publishing 2000
2007-08-08 22:54 --------- d-------- C:\DOCUME~1\JEFFAN~1\APPLIC~1\Creative
2007-08-08 19:01 --------- d-------- C:\Program Files\Creative
2007-08-08 18:52 --------- d--h----- C:\Program Files\Creative Installation Information
2007-08-08 18:49 --------- d-------- C:\Program Files\Common Files\Creative
2007-08-08 18:46 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YAHOO
2007-08-08 18:46 --------- d-------- C:\Program Files\Yahoo!
2007-08-08 18:46 --------- d-------- C:\Program Files\illiminable
2007-08-08 18:39 --------- d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-01 19:54 --------- d-------- C:\Program Files\ReadIris
2007-08-01 19:43 --------- d-------- C:\Program Files\Hewlett-Packard
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2002-03-10 11:26 172 --a--c--- C:\Program Files\ScrambleHighScores75.Txt
2002-03-09 20:00 177 --a--c--- C:\Program Files\TripHiScores120.Txt
2002-01-19 20:16 173 --a--c--- C:\Program Files\HiScores60.Txt
2002-01-16 20:32 174 --a--c--- C:\Program Files\ZipHiScores90.Txt
2002-01-14 18:16 173 --a--c--- C:\Program Files\TakeTwoHighScores45.Txt
2002-01-06 12:25 172 --a--c--- C:\Program Files\TowerHiScores45.Txt
2002-01-04 17:32 178 --a--c--- C:\Program Files\HiScores90_11.Txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 00:56]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 05:19]
"MaxtorCombo"="C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-15 21:23]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 20:22]
"F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" [2005-07-18 10:51]
"F-Secure Startup Wizard"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.exe" [2005-10-18 04:29]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"News Service"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe" [2005-05-31 08:45]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" [2005-10-25 21:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClocX"="C:\Program Files\ClocX\ClocX.exe" [2004-04-25 15:29]
"abc12DesktopAlerts"="C:\Program Files\abc12DesktopAlerts\abc12DesktopAlerts.exe" [2006-11-02 23:12]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Charter High-Speed Security Suite.lnk - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe [2007-09-18 20:27:53]
DESKTOP.INI [2007-05-19 10:11:54]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-11 11:31:50]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [2002-09-20 12:30:06]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]

C:\DOCUME~1\Crystal\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-01-13 19:37:13]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2007-05-19 10:11:54]

C:\DOCUME~1\JEFFAN~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2003-01-13 19:37:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???
?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
"C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McShield"=3 (0x3)
"bgsvcgen"=2 (0x2)
"RetroLauncher"=3 (0x3)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 BackWeb Plug-in - 3528733;Charter High-Speed Security Suite;C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S2 FSIHS;F-Secure Installer restarter;"C:\WINDOWS\TEMP\Installer�000001\bootstrap\fsihs.exe"
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
S3 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-19 10:48:41 C:\WINDOWS\Tasks\Ad-Aware 2007.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\AD-AWA~1.EXE
"2007-09-20 04:30:50 C:\WINDOWS\Tasks\AVG Anti-Spyware.job"
- C:\PROGRA~1\Grisoft\AVGANT~1.5\avgas.exe
"2007-09-21 09:11:34 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\CHARTE~1\ANTI-V~1\fsav.exe
"2007-09-21 10:04:13 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-21 19:04:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-21 19:07:37
C:\ComboFix-quarantined-files.txt ... 2007-09-16 10:00
C:\ComboFix2.txt ... 2007-09-20 13:08
C:\ComboFix3.txt ... 2007-09-16 10:00
.
--- E O F ---


Still in Safe Mode, delete the file, registryfix.exe using Windows Explorer

I neglected to tell you that I had already tried this and received the same error message. Tried again, and same result. If this program is not important, or is not going to cause trouble, I can live with it. Everything else seems to be running smoothly, all spyware is working well, and computer is definitely running faster.

Will keep cleaning up, and if I question something I will get back to you. Unless you have something more for me to do, I suppose we can call this case closed! :weee:

#24 shaferintl

shaferintl

    Forum Deity

  • Trusted Advisor
  • 1,445 posts

Posted 22 September 2007 - 08:42 AM

jandd86,

<regarding> registryfix.exe... If this program is not important, or is not going to cause trouble, I can live with it.

Probably not worth the effort. It is not malware, so it's up to you.

I will leave this topic open for a few more days, in case you have questions. Good luck! :)
shaferintl


#25 jandd86

jandd86

    Member

  • Full Member
  • 17 posts

Posted 22 September 2007 - 03:13 PM

Okay, have finished going through the files and have questions about just a couple more:

Found C:\qoobox, which contains folders named BackEnv and Quarantine, and a file snapshot 2007-09-20. Is it okay to delete the qoobox folder?

Found C:\Program Files\WebCyberCoach created 5/17/07
WebCyberCoach(2) created 3/19/07
WebCyberCoach(3) created 4/17/07
WebCyberCoach(4) created 5/14/07

Just curious as to why there are four folders, what they are used for, and do I need them. The first folder is 3.74MB and 2,3, and 4 appear to contain the same thing and are only 418 bytes.

Finally, was looking over last ComboFix log and found three entries that refer to programs I no longer use (the registry optimizer I don't even remember using).

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

Have now recovered 2 gig of free space and intend to have kids delete old game programs and documents they no longer need.

After clearing up the above issues, I believe we will be done!

#26 shaferintl

shaferintl

    Forum Deity

  • Trusted Advisor
  • 1,445 posts

Posted 22 September 2007 - 08:35 PM

jandd86,

Found C:\qoobox, which contains folders named BackEnv and Quarantine, and a file snapshot 2007-09-20. Is it okay to delete the qoobox folder?

Yes, you may delete it. Any time that you run Combofix, it will be created again.

Found C:\Program Files\WebCyberCoach created 5/17/07
WebCyberCoach(2) created 3/19/07
WebCyberCoach(3) created 4/17/07
WebCyberCoach(4) created 5/14/07

These are installed as part of the Dell OS. They say "WebCyberCoach is an innovative interactive tutorial system that consists of live multimedia interactive tutorials and demonstrations, distributed over the Internet." It is basically advertising. You should take a look to see if it can be uninstalled.

Finally, was looking over last ComboFix log and found three entries that refer to programs I no longer use (the registry optimizer I don't even remember using).

OK, here's the fix.

Uninstall any of these programs that you find using Start > Control Panel > Add or Remove Programs:
Advanced Registry Optimizer
The Weather Channel FW
Drag to Disc

Delete these files/folders, as follows:
  • Open notepad and copy/paste the text in the quotebox below into it (all except the word QUOTE):

    Folder::
    C:\Program Files\Advanced Registry Optimizer
    C:\Program Files\The Weather Channel FW
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

  • Save this as CFScript
  • Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    [screenshot: dragging the CFScript file onto ComboFix.exe]
  • ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

After clearing up the above issues, I believe we will be done!

If you have any more questions, let me know. :thumbsup:
shaferintl

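The check jandd86 did by eye in the post above (reading the "Reg Loading Points" section of the ComboFix log and spotting startup entries for programs that are no longer installed), and the Folder::/Registry:: CFScript the helper wrote in reply, can both be mechanised. The following Python script is an added example for this thread; it is not ComboFix's own code and not the helper's. It parses a ComboFix-style loading-points excerpt, flags entries whose executable is missing, and drafts the matching CFScript block. The sample excerpt is constructed from entries that appear in the logs above, the function names (`parse_loading_points`, `find_orphaned`, `build_cfscript`, `draft_cleanup`) are my own, and the file-existence check is injected so the example runs offline on any OS (on the affected machine you would pass `os.path.exists`).

```python
import ntpath
import re
from typing import Callable, Dict, List

# Constructed sample: five loading points of the kind shown in the
# ComboFix logs above (not a full log).
SAMPLE_LOADING_POINTS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClocX"="C:\Program Files\ClocX\ClocX.exe" [2004-04-25 15:29]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\aro.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Run-key values in the log look like:  "Name"="command" [yyyy-mm-dd hh:mm]
_RUN_VALUE = re.compile(
    r'^"(?P<name>[^"]*)"=(?P<cmd>.*?)(?:\s+\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\])?$')
# First token ending in .exe, with or without surrounding quotes.
_EXE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)


def parse_loading_points(text: str) -> Dict[str, str]:
    """Map each autostart entry to the command string the log shows.

    Only bracketed registry-key blocks are handled. Under a Run key each
    value becomes key\\ValueName; under an msconfig startupreg key (an item
    disabled through msconfig) the key itself is the entry.
    """
    entries: Dict[str, str] = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None:
            continue
        m = _RUN_VALUE.match(line)
        if m:
            entries[current_key + "\\" + m.group("name")] = m.group("cmd")
        else:
            entries[current_key] = line
    return entries


def command_to_exe(cmd: str) -> str:
    """Strip quotes and trailing arguments such as -rem or -atboottime."""
    m = _EXE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip().strip('"')


def is_startupreg(entry: str) -> bool:
    return "\\msconfig\\startupreg\\" in entry.lower()


def find_orphaned(entries: Dict[str, str],
                  exists: Callable[[str], bool]) -> Dict[str, str]:
    """Entries whose executable is missing, mapped to that executable path."""
    result: Dict[str, str] = {}
    for entry, cmd in entries.items():
        exe = command_to_exe(cmd)
        if not exists(exe):
            result[entry] = exe
    return result


def build_cfscript(folders: List[str], registry_keys: List[str]) -> str:
    """Assemble Folder:: and Registry:: sections in the form used above."""
    lines: List[str] = []
    if folders:
        lines.append("Folder::")
        lines.extend(folders)
        lines.append("")
    if registry_keys:
        lines.append("Registry::")
        lines.extend("[-" + key + "]" for key in registry_keys)
    return "\n".join(lines) + "\n"


def draft_cleanup(text: str, exists: Callable[[str], bool]) -> str:
    """Parse, find orphans, and draft a CFScript for the startupreg ones."""
    orphans = find_orphaned(parse_loading_points(text), exists)
    keys = sorted(k for k in orphans if is_startupreg(k))
    # Folder:: lines point at the executable's own directory; choosing the
    # product's top-level folder (as the helper did above) is a human call.
    folders = sorted({ntpath.dirname(orphans[k]) for k in keys})
    return build_cfscript(folders, keys)


if __name__ == "__main__":
    # Constructed: pretend only ClocX and QuickTime are still installed.
    still_present = {
        r"C:\Program Files\ClocX\ClocX.exe",
        r"C:\Program Files\QuickTime\qttask.exe",
    }
    print(draft_cleanup(SAMPLE_LOADING_POINTS, lambda p: p in still_present))
```

Run as-is, the script drafts Folder:: lines for the three orphaned startupreg entries and Registry:: lines deleting their keys, which is the same shape as the helper's script in this post. The output is a draft to read over before it goes anywhere near ComboFix: a missing executable usually means a leftover from an uninstall, but it can also mean a path with an environment variable or short name the regex did not resolve.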

#27 jandd86

jandd86

    Member

  • Full Member
  • 17 posts

Posted 22 September 2007 - 10:12 PM

This is my final post!!!! All fixes done, computer running smoothly, and I am one happy camper. :bounce: I can't thank you enough for all your help. You can close this topic.

#28 shaferintl

shaferintl

    Forum Deity

  • Trusted Advisor
  • 1,445 posts

Posted 23 September 2007 - 05:50 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
shaferintl


Member of UNITE