Jump to content


Photo

PC acting strange


  • This topic is locked This topic is locked
18 replies to this topic

#1 Fixapc45

Fixapc45

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 25 March 2010 - 09:15 AM

Over the past few weeks I have noticed that my Internet browsing has become slow. Slow to load pages, sometimes have to hit resend. Sometimes it hangs up entirely like it's dead. The past week my computer is booting up rather odd. It takes a very long time to get to the windows loading screen, and then once I enter my password it takes a long time to load up the icons and programs. Seems a lot longer than it used too. At first I thought the internet problem was related to updating my yahoo toolbar, but when disabling the toolbar or uninstalling it, that did nothing. I am running Mozilla which is updated. I tried using the internet with Internet Explore but that was slow also...so I figured my browser was not the problem.
I am running Windows XP, Avast, Zone Alarm, Tea Timer (as of today).

I have run Spybot: It found one cookie and one book mark. Nothing else
I ran Malware: It found nothing at all.
I ran Avast which found one infection: Win32Trojan-Gen, it removed this. This made no difference in system performance.
I ran a new Hijack log also.

I am going to run Panda Active Scan, Kapersky while I am waiting for some ideas.
Hijack Log will be posted below. (I hope that was ok to do)

Maybe I just need a defrag? But I have had this pc long enough to know it's acting weird. No blue screen, no program lock ups. Mainly the problem is related to internet browsing being super slow despite a DSL line. I have two other pc's in the house and two laptops that all use the same DSL line and they are not having these problems.

To add to this now Mozilla FireFox keeps hanging up. :bangbang:

Any help is greatly appreciated. I am stumped and the scans aren't turning up anything.
Thanks
Jan :scratchhead:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:26 AM, on 3/25/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinTV\Ir.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1390067357-573735546-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - S-1-5-21-1390067357-573735546-839522115-1003 Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe (User '?')
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://l.yimg.com/jh...outLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7273BAC-2820-4711-9EBC-0140CEA4BC09}: NameServer = 192.168.2.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
--
Panda Active Scan found: ===========
03898910 Generic Malware Virus/Trojan
c:\documents and settings\jan\my documents\popcap games\iggle pop! deluxe v4.12.7.1\crack.exe
05738958 trj/passtealer.kb Virus/Trojan hkey_local_machine\system\controlset001\enum\root\legacy_mchinjdrv


According to their scan log it says these are not active viruses.


Will post more if I find it.

Edited by QueenVaVee, 29 March 2010 - 04:18 PM.


#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,533 posts

Posted 27 March 2010 - 09:29 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,480 posts

Posted 02 April 2010 - 04:14 AM

Hi QueenVaVee, and Welcome Back

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

I see no malware in your log, so we will need to check further.


Note what Panda's scan found. Cracks or other software designed to illegally bypass registration will infected you all the time, and some of the sites hosting that type of software will infect you simply from viewing the site in your browser.

03898910 Generic Malware Virus/Trojan
c:\documents and settings\jan\my documents\popcap games\iggle pop! deluxe v4.12.7.1\crack.exe



Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • If the program won't start, go to MBAM's program folder (normally C:\Program Files\Malwarebytes' Anti-Malware), rename mbam.exe to a random file name (keep the .exe extension) and double-click on it to start the program.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.



Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.


Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Your antivirus is outdated and I would recommend updating it to the current version, Avast! 5, and then doing a full system scan


Download Security Check by screen317 and save it to your Desktop:
http://screen317.spy...curityCheck.exe
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please post a new HijackThis log, the log from MBAM, the log from Kapsersky's online scanner, the log from Security Check (checkup.txt), and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#4 Fixapc45

Fixapc45

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 03 April 2010 - 11:48 AM

I have followed your instructions completely.

Here is the new Malware Bytes log, which came up clean:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

4/2/2010 8:09:26 PM
mbam-log-2010-04-02 (20-09-26).txt

Scan type: Quick scan
Objects scanned: 106987
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The new HiJack this Log after removing the two entries you specified:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:55 PM, on 4/2/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1390067357-573735546-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1390067357-573735546-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-1390067357-573735546-839522115-1003 Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe (User '?')
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://l.yimg.com/jh...outLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7273BAC-2820-4711-9EBC-0140CEA4BC09}: NameServer = 192.168.2.1
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 6221 bytes

I ran Kaspersky. It found nothing either.
I updated Avast and ran a complete scan. Nothing was found.

This is the Security Check Log:
Results of screen317's Security Check version 0.99.2
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
avast! Free Antivirus
ZoneAlarm
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner
Java™ 6 Update 18
Adobe Flash Player 10
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


I updated uninstalled and reinstalled Mozilla. This has made no difference in Internet/ browser lag.

Thank you again for your help. No worries about how long it takes/took. I completely understand! Please let me know if you see anything else that needs to be done or I should look into.

#5 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,480 posts

Posted 04 April 2010 - 07:17 AM

Download ComboFix© by sUBs from one of these locations:

http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
http://www.bleepingc...to-use-combofix

  • Disable your Avast! AntiVirus, ZoneAlarm, and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult to remove infections that will only be fixed if you have the Recovery Console installed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware. When finished, it will save a log.

Please include the contents of the log at C:\ComboFix.txt in your next reply along with a new HijackThis log, and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#6 Fixapc45

Fixapc45

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 06 April 2010 - 09:23 PM

Ok I ran ComboFix and it said it was not able to connect to the Internet to install the Windows Recovery. For some reason...it should have been able to connect. I note that when I ran Combofix it told me I had CD emulators running and rebooted. When it booted up Combofix opened but nothing else...so perhaps my ethernet had not loaded. Anyway, here is the log from ComboFix and a new HJ log run after ComboFix.

ComboFix 10-04-05.06 - Jan 04/06/2010 23:04:19.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1098 [GMT -4:00]
Running from: c:\documents and settings\Jan\My Documents\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\Downloaded Program Files\popcaploader.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-03 15:30 . 2010-04-03 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-29 23:05 . 2010-03-29 23:05 -------- d-----w- c:\program files\Common Files\Apple
2010-03-29 22:38 . 2010-04-01 13:52 -------- d-----w- c:\windows\system32\Adobe
2010-03-29 22:29 . 2010-03-29 22:29 -------- d-----w- c:\program files\Common Files\Java
2010-03-29 22:29 . 2010-03-29 22:29 503808 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ca0b623-n\msvcp71.dll
2010-03-29 22:29 . 2010-03-29 22:29 499712 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ca0b623-n\jmc.dll
2010-03-29 22:29 . 2010-03-29 22:29 348160 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ca0b623-n\msvcr71.dll
2010-03-29 22:29 . 2010-03-29 22:29 61440 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-69dacd85-n\decora-sse.dll
2010-03-29 22:29 . 2010-03-29 22:29 12800 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-69dacd85-n\decora-d3d.dll
2010-03-29 22:28 . 2010-03-29 22:28 -------- d-----w- c:\program files\Java
2010-03-29 22:26 . 2010-03-22 19:53 32576 ----a-w- c:\documents and settings\Jan\Application Data\Mozilla\Firefox\Profiles\an1lih2t.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-29 22:26 . 2010-03-22 19:53 29984 ----a-w- c:\documents and settings\Jan\Application Data\Mozilla\Firefox\Profiles\an1lih2t.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-03-25 15:12 . 2009-06-30 13:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-03-25 15:11 . 2010-03-25 15:11 -------- d-----w- c:\program files\Panda Security
2010-03-25 14:21 . 2010-03-25 14:21 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 14:54 . 2010-04-06 14:55 1802752 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-04-03 15:32 . 2009-11-17 12:43 4883754 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-03 15:32 . 2009-06-20 18:15 -------- d-----w- c:\program files\Alwil Software
2010-04-03 00:03 . 2009-04-02 19:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 00:03 . 2009-05-22 17:59 5918775 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 04:46 . 2009-04-02 19:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-02 19:25 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 23:06 . 2008-12-11 18:29 -------- d-----w- c:\program files\QuickTime
2010-03-29 22:42 . 2006-07-10 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-29 22:34 . 2009-12-21 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-29 22:28 . 2009-06-16 12:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-25 14:31 . 2006-07-10 02:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-24 20:53 . 2006-07-10 02:37 -------- d-----w- c:\program files\CCleaner
2010-03-24 20:39 . 2007-10-21 01:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-13 05:00 . 2010-03-13 16:26 1675776 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-03-11 12:38 . 2004-08-04 04:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 04:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 04:56 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 10:24 . 2009-06-20 18:15 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-09 10:24 . 2009-06-20 18:15 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 10:12 . 2009-06-20 18:15 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 10:12 . 2009-06-20 18:15 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 10:09 . 2009-06-20 18:15 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 10:08 . 2009-06-20 18:15 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 10:08 . 2009-06-20 18:15 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 10:08 . 2009-06-20 18:15 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 10:08 . 2009-06-20 18:15 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-24 14:16 . 2009-10-03 19:57 181632 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-11-12 01:50 212992 ----a-w- c:\progra~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Ad-Aware"="c:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" +c

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 m5228;m5228;c:\windows\system32\drivers\m5228.sys [4/6/2007 11:34 PM 44925]
R0 m5281;m5281;c:\windows\system32\drivers\m5281.sys [4/6/2007 11:35 PM 49357]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/25/2010 11:12 AM 28552]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/16/2006 7:07 PM 643072]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/20/2009 2:15 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/20/2009 2:15 PM 19024]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 GETND5BV;VIA Velocity Family Gigabit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [2/25/2010 9:02 PM 46080]
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [11/21/2008 1:49 PM 472644]
R3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [7/9/2006 11:33 PM 15104]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [7/9/2006 3:46 AM 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2008-02-23 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-03-25 19:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
TCP: {A7273BAC-2820-4711-9EBC-0140CEA4BC09} = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Jan\Application Data\Mozilla\Firefox\Profiles\an1lih2t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\Jan\Application Data\Mozilla\Firefox\Profiles\an1lih2t.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Jan\Application Data\Mozilla\Firefox\Profiles\an1lih2t.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 23:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x898D5EB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x898d5eb0
\Driver\ACPI -> ACPI.sys @ 0xf74c5cb8
\Driver\atapi -> atapi.sys @ 0xf78452f0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2636)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\progra~1\VISION~1\ONETOU~2.EXE
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\WinTV\Ir.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2010-04-06 23:17:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 03:17

Pre-Run: 134,916,472,832 bytes free
Post-Run: 135,315,279,872 bytes free

- - End Of File - - C7809A6FF3A874D1B3AD829FFF732050

HJ LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:25 PM, on 4/6/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://l.yimg.com/jh...outLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7273BAC-2820-4711-9EBC-0140CEA4BC09}: NameServer = 192.168.2.1
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 5547 bytes

Thanks again
J

#7 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,480 posts

Posted 06 April 2010 - 10:02 PM

Please download MBR.exe from http://www2.gmer.net/mbr/mbr.exe
Save the file to your desktop.
Click Start > Run and copy and paste the following text into the Run box and then click OK.
"%userprofile%\desktop\mbr.exe" -f
You must copy and paste or type in this exactly. The quotes must be exactly as shown and there is a space before the -f
Please post the contents of the MBR.log file in your next reply.


Please Run Malwarebytes' Anti-Malware.
  • Click the Update tab.
  • Click Check for Updates.
  • If an update is found, it will download and install.
  • Click the Scanner tab.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.



The Kaspersky Rescue Disk is a bootable CD based version of Kaspersky Antivirus.
The download is in ISO format.
If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Download the Kaspersky Rescue Disk:
http://devbuilds.kas...lds/RescueDisk/
  • Burn the Kaspersky Rescue Disk ISO image to CD.
  • Insert the Kaspersky Rescue Disk CD into your CD/DVD drive and boot the computer (you may need to change the boot sequence in your system's BIOS to boot from the CD/DVD drive).
  • Follow the instructions in the initial text screen to press Enter to start Kaspersky AntiVirus.
  • Select your language (or wait a few seconds for the default English to load).
  • Your screen may go blank for several minutes while the program loads.
  • After the Kaspersky Rescue Disk loads, the database will be updated (if you have network connectivity)
    • Click the Update tab to view the update progress.
    • When the update has completed, click the Scan tab.
  • Place a checkmark in all the available drives to scan the entire system.
  • Click the "Security level" option, and select options.
    • Make sure "All Files" is selected
    • Under "Scan of compound files" ensure all options are selected and click the OK button.
  • Click the "On threat detection" option
    • Select "Do not prompt", "Disinfect", and "Delete if disinfection fails".
  • Click the "Start scan" button.
  • When the scan has completed, click the Reports button.
    • Click the Save button, and select your System drive (normally your C: drive)
    • In the "File name" box, name the file krd-log and click the Save button.
    • Click Close to close the Reports window.
  • Click the Exit button to close the Rescue Disk program and confirm.
    In the lower left of the screen, left-click the red K button, select Logout, and confirm.
  • The computer will shut down.
  • Restart the computer and reboot normally.
  • Please post the log (krd-log.txt) in your next reply.

Please post a new HijackThis log, the log from MBAM, the contents of the log from running MBR.exe (MBR.log), and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#8 Fixapc45

Fixapc45

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 13 April 2010 - 05:57 AM

All done.

MBR Log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


Malware Bytes Log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3982

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

4/12/2010 3:33:12 PM
mbam-log-2010-04-12 (15-33-12).txt

Scan type: Quick scan
Objects scanned: 108901
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Kapersky Rescue Log:
Scan: completed 4/12/10 11:03 PM (events: 2, objects: 260105, time: 03:55:58)
4/12/10 7:07 PM Task started
4/12/10 11:03 PM Task completed


New Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:28 AM, on 4/13/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinTV\Ir.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ZoneLabs\UpdClient.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://l.yimg.com/jh...outLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7273BAC-2820-4711-9EBC-0140CEA4BC09}: NameServer = 192.168.2.1
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 5681 bytes


The only thing I see in the HJ log is that I don't have GameHouse games on this pc. Haven't for a long time. But...everything I ran appears to be clean. Unless I am missing something.
Mozilla still gets slow if you open a second tab and sometimes won't load the second tab without resending. But aside from the internet/browsing issue the pc seems to be loading up normally again.

#9 Fixapc45

Fixapc45

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 23 April 2010 - 05:30 PM

Not sure how to properly bump a post but it's been a while since I've heard anything. I still have problems with Mozilla lagging. I disabled all the Add On's as per Mozillazine troubleshooting. This did nothing. Just can't open more than one tab without problems. It gets really slow.
Perhaps this is a problem with Mozilla....not me. I don't know.

#10 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,480 posts

Posted 23 April 2010 - 05:46 PM

Sorry, I missed your reply.

I don't see anything wrong with the logs you posted.

Let's start back with running an updated version of ComboFix.
We need to make sure you have the most recent version of ComboFix.
  • Delete your current copy of ComboFix.exe.
  • Download ComboFix© by sUBs from one of these links:
    http://download.blee...Bs/ComboFix.exe
    http://www.forospywa...Bs/ComboFix.exe
  • * IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.
  • Double click on ComboFix.exe & follow the prompts.
  • When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply, along with a new HijackThis log.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#11 Fixapc45

Fixapc45

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 04 May 2010 - 01:53 PM

Ok, I disabled all antivirus/antispyware and removed the old ComboFix. Downloaded and installed the new one. Once again it tells me it cannot connect to the internet during the ComboFix installation. I have no idea why, I am running DSL which is plugged, so there is no reason it should not be able to connect?? Unless I am missing something. I had no problems installing Combofix on my laptop and that was over wireless dsl. This computer is actually plugged in. Ugh.


But here are the logs:

ComboFix 10-05-04.01 - Jan 05/04/2010 15:34:43.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1104 [GMT -4:00]
Running from: c:\documents and settings\Jan\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WindowsUpdate

.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-04-12 19:02 . 2010-04-12 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 13:32 . 2009-11-17 12:43 7112441 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-19 18:09 . 2009-12-21 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-14 16:47 . 2009-06-20 18:15 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2009-06-20 18:15 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:35 . 2009-06-20 18:15 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2009-06-20 18:15 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2009-06-20 18:15 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2009-06-20 18:15 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2009-06-20 18:15 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2009-06-20 18:15 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2009-06-20 18:15 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-06 14:54 . 2010-04-06 14:55 1802752 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-04-03 15:32 . 2009-06-20 18:15 -------- d-----w- c:\program files\Alwil Software
2010-04-03 15:30 . 2010-04-03 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-03 00:03 . 2009-04-02 19:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 00:03 . 2009-05-22 17:59 5918775 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 04:46 . 2009-04-02 19:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-02 19:25 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 23:06 . 2008-12-11 18:29 -------- d-----w- c:\program files\QuickTime
2010-03-29 23:05 . 2010-03-29 23:05 -------- d-----w- c:\program files\Common Files\Apple
2010-03-29 22:42 . 2006-07-10 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-29 22:29 . 2010-03-29 22:29 -------- d-----w- c:\program files\Common Files\Java
2010-03-29 22:29 . 2010-03-29 22:29 503808 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ca0b623-n\msvcp71.dll
2010-03-29 22:29 . 2010-03-29 22:29 499712 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ca0b623-n\jmc.dll
2010-03-29 22:29 . 2010-03-29 22:29 348160 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ca0b623-n\msvcr71.dll
2010-03-29 22:29 . 2010-03-29 22:29 61440 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-69dacd85-n\decora-sse.dll
2010-03-29 22:29 . 2010-03-29 22:29 12800 ----a-w- c:\documents and settings\Jan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-69dacd85-n\decora-d3d.dll
2010-03-29 22:28 . 2009-06-16 12:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-29 22:28 . 2010-03-29 22:28 -------- d-----w- c:\program files\Java
2010-03-25 15:11 . 2010-03-25 15:11 -------- d-----w- c:\program files\Panda Security
2010-03-25 14:31 . 2006-07-10 02:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-25 14:21 . 2010-03-25 14:21 -------- d-----w- c:\program files\Trend Micro
2010-03-24 20:53 . 2006-07-10 02:37 -------- d-----w- c:\program files\CCleaner
2010-03-24 20:39 . 2007-10-21 01:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-22 19:53 . 2010-03-29 22:26 32576 ----a-w- c:\documents and settings\Jan\Application Data\Mozilla\Firefox\Profiles\an1lih2t.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-22 19:53 . 2010-03-29 22:26 29984 ----a-w- c:\documents and settings\Jan\Application Data\Mozilla\Firefox\Profiles\an1lih2t.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-03-13 05:00 . 2010-03-13 16:26 1675776 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-03-11 12:38 . 2004-08-04 04:56 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 04:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 04:56 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 04:56 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 14:16 . 2009-10-03 19:57 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 12:31 . 2004-08-04 03:15 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2004-08-04 03:20 2181376 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2058368 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2004-08-04 04:56 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2004-08-04 03:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-11-12 01:50 212992 ----a-w- c:\progra~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Ad-Aware"="c:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" +c

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 m5228;m5228;c:\windows\system32\drivers\m5228.sys [4/6/2007 11:34 PM 44925]
R0 m5281;m5281;c:\windows\system32\drivers\m5281.sys [4/6/2007 11:35 PM 49357]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/25/2010 11:12 AM 28552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/20/2009 2:15 PM 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/20/2009 2:15 PM 19024]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 GETND5BV;VIA Velocity Family Gigabit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [2/25/2010 9:02 PM 46080]
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [11/21/2008 1:49 PM 472644]
R3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [7/9/2006 11:33 PM 15104]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/16/2006 7:07 PM 643072]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [7/9/2006 3:46 AM 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2008-02-23 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-03-25 19:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
TCP: {A7273BAC-2820-4711-9EBC-0140CEA4BC09} = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Jan\Application Data\Mozilla\Firefox\Profiles\an1lih2t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\documents and settings\Jan\Application Data\Mozilla\Firefox\Profiles\an1lih2t.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 15:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-04 15:43:07
ComboFix-quarantined-files.txt 2010-05-04 19:43
ComboFix2.txt 2010-04-07 03:17

Pre-Run: 134,463,496,192 bytes free
Post-Run: 134,483,865,600 bytes free

- - End Of File - - 3F0AD84B3EE4B20403FFDF8E53E68571

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:12 PM, on 5/4/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://l.yimg.com/jh...outLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7273BAC-2820-4711-9EBC-0140CEA4BC09}: NameServer = 192.168.2.1
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 5224 bytes


As always thank you. If we can get ComboFix to install the recovery console....that would be super.

#12 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,480 posts

Posted 06 May 2010 - 04:29 AM

Ok, I disabled all antivirus/antispyware and removed the old ComboFix. Downloaded and installed the new one. Once again it tells me it cannot connect to the internet during the ComboFix installation. I have no idea why, I am running DSL which is plugged, so there is no reason it should not be able to connect?? ....As always thank you. If we can get ComboFix to install the recovery console....that would be super.

In your ComboFix log:
FW: ZoneAlarm Firewall *enabled*
I'd bet it was simply ZoneAlarm that blocked ComboFix fro accessing the Internet.

I see no problem with the logs. Are you still experiencing a problem other than the Recovery Console woudln't install?

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#13 Fixapc45

Fixapc45

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 13 May 2010 - 07:11 AM

Ok, I disabled all antivirus/antispyware and removed the old ComboFix. Downloaded and installed the new one. Once again it tells me it cannot connect to the internet during the ComboFix installation. I have no idea why, I am running DSL which is plugged, so there is no reason it should not be able to connect?? ....As always thank you. If we can get ComboFix to install the recovery console....that would be super.

In your ComboFix log:
FW: ZoneAlarm Firewall *enabled*
I'd bet it was simply ZoneAlarm that blocked ComboFix fro accessing the Internet.

I see no problem with the logs. Are you still experiencing a problem other than the Recovery Console woudln't install?



The only remaining issue I have is with Mozilla lagging like crazy when you open tabs. I beleive this is a Mozilla issues though that I haven't determined the cause of. The computer itself seems to run fine. I will try disabling Zone Alarm before running ComboFix to see if I can install the recovery console.
Thank you again for all your help. I don't think there is anything more needed. Thank you again!

#14 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,480 posts

Posted 14 May 2010 - 05:18 AM

You shouldn't be running ComboFix again just to install the Recovery Console. That isn't necessary as there is no malware to clean.

Go to start > run and copy and paste the next command in the field:
ComboFix /uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, implement some cleanup procedures, and reset System Restore points.

For the Firefox problem, I would uninstall it and then reinstall it.
Open Firefox, go to Tools > Add-ons, and uninstall any installed add-ons.
Export your bookmarks to a folder other than the Firefox folder (such as your Desktop):
http://mozilla.gunna...s_tutorial.html
Completely uninstall Firefox, to include settings, from Control Panel's Add or Remove Programs.

Reconfigure Windows to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Delete the following folders if found:
C:\Program Files\Mozilla Firefox
c:\documents and settings\All Users\Application Data\Mozilla
c:\documents and settings\Jan\Application Data\Mozilla

Now you need to hide the files you un-hid earlier:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

Download and reinstall Firefox:
http://www.mozilla.c...ox/firefox.html
Import your previously exported bookmarks.

How does Firefox run now?

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#15 Fixapc45

Fixapc45

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 14 May 2010 - 02:41 PM

You shouldn't be running ComboFix again just to install the Recovery Console. That isn't necessary as there is no malware to clean.

Go to start > run and copy and paste the next command in the field:
ComboFix /uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, implement some cleanup procedures, and reset System Restore points.

For the Firefox problem, I would uninstall it and then reinstall it.
Open Firefox, go to Tools > Add-ons, and uninstall any installed add-ons.
Export your bookmarks to a folder other than the Firefox folder (such as your Desktop):
http://mozilla.gunna...s_tutorial.html
Completely uninstall Firefox, to include settings, from Control Panel's Add or Remove Programs.

Reconfigure Windows to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Delete the following folders if found:
C:\Program Files\Mozilla Firefox
c:\documents and settings\All Users\Application Data\Mozilla
c:\documents and settings\Jan\Application Data\Mozilla

Now you need to hide the files you un-hid earlier:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

Download and reinstall Firefox:
http://www.mozilla.c...ox/firefox.html
Import your previously exported bookmarks.

How does Firefox run now?



Firefox seems to be faster and working better. I added my Yahoo Toolbar back in and then problems began. So I disabled that and Mozilla works better.

I had some kind of issue uninstalling the ComboFix but I'll try that again later.

I think the problem is with the newer Yahoo Toolbar. The old one worked fine with Mozilla. So I will just skip that from here on out. It's nice to have all those plug ins gone as well. I could not a find a way to remove them originally.
Thanks!! If everything is still going smooth in the next few days I will let you know so we can close out this thread!

#16 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,480 posts

Posted 15 May 2010 - 09:09 AM

I had some kind of issue uninstalling the ComboFix but I'll try that again later.

Is ComboFix on the Desktop, and do you have the space in the line (copy pase the line rather than type it).

The Yahoo Toolbar has caused some people trouble before, sometimes slowing a system down. I've never felt that the convenience of the toolbar was worth the possible performance cost.

You can now also delete SecurityCheck.exe and MBR.exe that you downloaded earlier.

Your version of Windwos XP needs to be updated, the Service Pack is out-of-date. Please go to Windows Update and download and install Windows XP Service Pack 3. Reboot afterwards, and go back to Windows Update and install any other security updates you may now see.

Please post a new HijackThis log after that.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#17 Fixapc45

Fixapc45

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 24 May 2010 - 08:42 AM

I had some kind of issue uninstalling the ComboFix but I'll try that again later.

Is ComboFix on the Desktop, and do you have the space in the line (copy pase the line rather than type it).

The Yahoo Toolbar has caused some people trouble before, sometimes slowing a system down. I've never felt that the convenience of the toolbar was worth the possible performance cost.

You can now also delete SecurityCheck.exe and MBR.exe that you downloaded earlier.

Your version of Windwos XP needs to be updated, the Service Pack is out-of-date. Please go to Windows Update and download and install Windows XP Service Pack 3. Reboot afterwards, and go back to Windows Update and install any other security updates you may now see.

Please post a new HijackThis log after that.


I am still trying to install the service pack without success. It keeps telling me there is in internal error and it cannot install it. When I finally get it installed..I will reply back with new log

#18 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,480 posts

Posted 24 May 2010 - 04:16 PM

I am still trying to install the service pack without success. It keeps telling me there is in internal error and it cannot install it.

What is the exact error?

If you are still having trouble installing Windows XP Service Pack 3 from Windows Update, you can try installing it from the stand-alone installer that you can download from the Microsoft Download Center at the link below:
http://www.microsoft...08-1E1555D4F3D4

Did that solve the problem?

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#19 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,480 posts

Posted 20 June 2010 - 05:10 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005





Member of UNITE
Support SpywareInfo Forum - click the button