View Full Version : My hard drive goes berserk every time I log on
My PC has become as slow as treacle of late and yet every time I logon to the net the hard drive activity is huge so I ran Kasperskey to see if it could tell me anything. I was trying to look up some of the locked file descriptions on Google when I came across this forum and the log file is attached. Once last week I saw the expression adserv.adtech.de flash up while loading a web page and I also noticed several copies of svchost.exe present in my processes list (Is that usual?). I am very suspicious that something is not right.
Can someone tell me which of the locked files should be deleted please? Is it possible to tell from the log printout if my machine has been infected with something?
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 07, 2008 12:10:06 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/01/2008
Kaspersky Anti-Virus database records: 503509
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Keith\LOCALS~1\Temp\
Scan Statistics:
Total number of scanned objects: 10532
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:30:14
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\ipsecpa.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F1737813-6E59-4D3D-95DF-0A5753732CE2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM.ALT Object is locked skipped
C:\WINDOWS\SYSTEM32\Perflib_Perfdata_214.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Keith\LOCALS~1\Temp\~DF621F.tmp Object is locked skipped
C:\DOCUME~1\Keith\LOCALS~1\Temp\~DF7AED.tmp Object is locked skipped
C:\DOCUME~1\Keith\LOCALS~1\Temp\~DF953E.tmp Object is locked skipped
Scan process completed.
I hope following helps identify what has happened to my PC (It's shared - has it been used recklessly?
I renamed JT to HJTrenamed and got the folllowing:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49:06, on 12/01/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Keith\Desktop\hijackthisrenamed.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netscapeonline.co.uk/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.uk.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134682152277
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178712875385
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7E049B-EBA0-4C74-9D05-B00D80C813E5}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A7E049B-EBA0-4C74-9D05-B00D80C813E5}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
--
End of file - 7277 bytes
Hi
Have you defragged hard drive(s) lately? Fragmented hard drive can cause system slowness.
Start hjt, do a system scan, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Close browser windows & click 'fix checked'.
Post a fresh hjt log.
Hi Blade81
I did a defrag about 3 weeks ago (how often should I) but I did it again this morning just in case. I did the HJT stuff you asked and the result of a fresh HJT is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:13, on 13/01/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Keith\Desktop\hijackthisrenamed.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netscapeonline.co.uk/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.uk.netscape.com/keyword/%s
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134682152277
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178712875385
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7E049B-EBA0-4C74-9D05-B00D80C813E5}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A7E049B-EBA0-4C74-9D05-B00D80C813E5}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
--
End of file - 7012 bytes
Hi
Once or twice a month (depending how hard drive is used) is a recommended pace to do defragging.
Let's check next what Deckard's System Scanner finds.
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
Hi Blade81,
The forum wouldn't let me put both main.txt and extra.txt in one reply so I have split them
Results of Decard's Scan main.txt follows:
Deckard's System Scanner v20071014.68
Run by Keith on 2008-01-13 18:33:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Backed up registry hives.
Performed disk cleanup.
Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 255 MiB (256 MiB recommended).
-- HijackThis (run as Keith.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:33:51, on 13/01/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Keith\Desktop\dss.exe
C:\DOCUME~1\Keith\Desktop\Keith.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netscapeonline.co.uk/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.uk.netscape.com/keyword/%s
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134682152277
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178712875385
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A7E049B-EBA0-4C74-9D05-B00D80C813E5}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A7E049B-EBA0-4C74-9D05-B00D80C813E5}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
--
End of file - 6948 bytes
-- HijackThis Fixed Entries (C:\DOCUME~1\Keith\Desktop\backups\) ---------------
backup-20080113-111421-192 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080113-111421-230 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20080113-111421-451 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080113-111421-715 O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
-- File Associations -----------------------------------------------------------
.bat - batfile - DefaultIcon - C:\WINDOWS\system32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS\system32\SHELL32.DLL,2
.hlp - hlpfile - DefaultIcon - unable to read value
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.reg - regfile - DefaultIcon - unable to read value
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - unable to read value
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Iomega Disk Filter Driver>
R0 PenClass (Pen Class) - c:\windows\system32\drivers\penclass.sys <Not Verified; Wacom Technology Corporation; Wacom Pen Class Driver>
R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R3 alcan5wn (SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)) - c:\windows\system32\drivers\alcan5wn.sys <Not Verified; THOMSON; SpeedTouch USB>
S3 3c1807pd (U.S. Robotics 56K Voice Win Int) - c:\windows\system32\drivers\3c1807pd.sys <Not Verified; 3Com Corporation; 3Com modem>
S3 AWINDIS5 (AWINDIS5 Protocol Driver) - c:\windows\system32\awindis5.sys <Not Verified; AMBIT Microsystems Corporation.; AMBIT WinDis32 Protocol Driver for Windows>
S3 Dot4Print (Print Class Driver for IEEE-1284.4 hpoipr07) - c:\windows\system32\drivers\hpoipr07.sys <Not Verified; HP; HP Dot4Print>
S3 hpoid407 (IEEE-1284.4 Driver hpoid407) - c:\windows\system32\drivers\hpoid407.sys <Not Verified; HP; HP Dot4 Windows 2000>
S3 hpoius07 (USB to IEEE-1284.4 Translation Driver hpoius07) - c:\windows\system32\drivers\hpoius07.sys <Not Verified; HP; HP Dot4Usb Windows 2000>
S3 NETGEAR_WG311T_SERVICE (NETGEAR WG311T Wireless Adapter Service) - c:\windows\system32\drivers\wg311tn5.sys (file missing)
S3 NuVision (Hauppauge WinTV USB Pro (PAL I FM)) - c:\windows\system32\drivers\nuvision.sys <Not Verified; Hauppauge Computer Works; WinTV USB>
S3 TPP300 (USB Storage Adapter V3 (TPP)) - c:\windows\system32\drivers\tpp300.sys <Not Verified; In-System Design, Inc.; TPP Storage Adapter>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>
R2 TabletService - c:\windows\system32\tablet.exe <Not Verified; Wacom Technology, Corp.; Wacom Win32 Tablet Service>
S4 Iomega Activity Disk2 - ""
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2007-12-30 22:00:03 346 --a------ C:\WINDOWS\Tasks\SmartDefrag.job
2007-12-14 08:04:10 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
-- Files created between 2007-12-13 and 2008-01-13 -----------------------------
2008-01-11 09:40:37 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_204.dat
2008-01-07 10:24:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-07 07:13:51 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-25 20:24:04 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_1fc.dat
2007-12-24 12:41:19 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_210.dat
2007-12-24 06:29:33 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_214.dat
2007-12-21 13:44:27 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_21c.dat
2007-12-20 14:53:45 0 d-------- C:\Program Files\SpywareBlaster
2007-12-20 14:52:33 0 d-------- C:\Program Files\SpywareGuard
2007-12-19 20:29:29 2695168 --a------ C:\Documents and Settings\Keith\NTUSER.DAT
2007-12-14 08:04:07 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_354.dat
-- Find3M Report ---------------------------------------------------------------
2008-01-13 10:04:21 0 d-a------ C:\Program Files\Mozilla Thunderbird
2008-01-13 09:51:57 14304 --a------ C:\WINDOWS\system32\tablet.dat
2008-01-11 19:56:34 1204 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-31 11:12:30 0 d-a------ C:\Program Files\Spyware Doctor
2007-12-19 22:30:43 1285744 ---h----- C:\WINDOWS\ShellIconCache
2007-12-12 06:32:33 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_20c.dat
2007-12-11 09:10:59 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_218.dat
2007-12-03 23:00:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-03 23:00:00 0 d-a------ C:\Program Files\Logitech
2007-12-03 22:15:54 0 d-------- C:\Documents and Settings\Keith\Application Data\Uniblue
2007-11-30 21:27:35 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_200.dat
2007-11-30 20:36:01 0 d-------- C:\Program Files\NETGEAR
2007-11-30 20:34:13 0 d-------- C:\Program Files\Canon
2007-11-30 17:33:06 0 dra------ C:\Program Files\Common Files
2007-11-30 14:47:46 0 d-------- C:\Program Files\IObit
2007-11-30 13:53:50 0 d-------- C:\Program Files\CCleaner
2007-11-30 08:46:31 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_208.dat
2007-11-29 23:00:01 0 d-------- C:\Program Files\Alwil Software
2007-11-29 22:52:36 0 d-a------ C:\Program Files\Common Files\Symantec Shared
2007-11-26 21:56:12 0 d-------- C:\Program Files\startup help
2007-11-26 21:43:59 0 d-------- C:\Program Files\Common Files\HP
2007-11-25 11:46:53 0 d-------- C:\Program Files\Zortam Mp3 Media Studio
2007-11-25 11:45:31 0 d-------- C:\Program Files\Zortam ID3 Tag Editor
2007-11-23 16:44:04 16384 --a-----t C:\WINDOWS\system32\Perflib_Perfdata_68c.dat
2007-11-23 16:22:23 0 d-------- C:\Documents and Settings\Keith\Application Data\Apple Computer
2007-11-23 14:03:29 0 d-------- C:\Program Files\Samsung
2007-11-20 08:04:07 0 d-------- C:\Program Files\Picasa2
2007-11-18 22:24:34 2746 --a------ C:\WINDOWS\O
2007-11-18 22:24:34 1636 --a------ C:\WINDOWS\?
2007-11-18 22:24:33 550 --a------ C:\WINDOWS\6
2007-11-18 22:24:33 67 --a------ C:\WINDOWS\°
2007-11-17 17:25:09 0 d-------- C:\Program Files\r2 Studios
2007-10-29 11:09:06 2377 --a------ C:\WINDOWS\n
2007-10-29 11:09:06 35 --a------ C:\WINDOWS\m
2007-10-29 11:09:06 4442 --a------ C:\WINDOWS\e
2007-10-29 11:09:06 2105 --a------ C:\WINDOWS\d
2007-10-24 18:58:08 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-10-23 20:40:15 2980 --a------ C:\WINDOWS\0
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [07/12/99 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"Synchronization Manager"="mobsync.exe" [19/06/03 19:05 C:\WINDOWS\SYSTEM32\mobsync.exe]
"TPP Auto Loader"="C:\WINDOWS\TPPALDR.EXE" [22/08/01 14:29 ]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [26/01/04 10:38 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [04/12/07 13:00 ]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Documents and Settings\Keith\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 19:05:35]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoActiveDesktopChanges"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoDesktop"=0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoActiveDesktopChanges"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoDesktop"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
-- Hosts -----------------------------------------------------------------------
127.0.0.1 i.i.com.com
-- End of Deckard's System Scanner: finished at 2008-01-13 18:35:15 ------------
Hi Blade81, extra.txt follows:
While I think about it, my sione came to stay with us for a while (way before all these troubles started) and he installed a wireless router using netgear and a Haupage WinTV. I thought I had got rid of all their entries when I took them off the system when he left but I see some references are still there. How do I get rid of them?
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English
CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 254.3 MiB / 52.2 MiB
Pagefile Memory (total/avail): 615.28 MiB / 407.1 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1963.6 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 13.99 GiB total, 3.97 GiB free.
D: is CDROM (CDFS)
E: is Removable (FAT)
X: is Removable (No Media)
\\.\PHYSICALDRIVE0 - QUANTUM FIREBALLlct15 15 - 13.99 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 13.99 GiB - C:
\\.\PHYSICALDRIVE1 - 256MB USB2.0FlashDrive USB Device - 243.17 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 249.98 MiB - E:
\\.\PHYSICALDRIVE2 - HP Photosmart A510 USB Device
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Keith\Application Data
BLASTER=A220 I7 D1 H5 P330 T6
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KEITH
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Keith
LOGONSERVER=\\KEITH
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINDOWS\system32\os2\dll;
Path=C:\PROGRA~1\BORLAND\DELPHI4\BIN;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\WBEM;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0806
ProgramFiles=C:\Program Files
PROMPT=$p$g
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Keith\LOCALS~1\Temp
TMP=C:\DOCUME~1\Keith\LOCALS~1\Temp
USERDOMAIN=KEITH
USERNAME=Keith
USERPROFILE=C:\Documents and Settings\Keith
winbootdir=C:\WINDOWS
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Keith (admin)
Administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> "C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT
--> MsiExec.exe /X{DEBEA68F-45AA-4707-A9A7-DBD6DB4FBE89}
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
Borland Delphi 4 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Borland\Delphi4\Uninst.isu" -cC:\WINDOWS\system32\D4UNINST.DLL
Brother's Keeper 6.2 --> C:\GENEAL~1\UNWISE.EXE C:\GENEAL~1\INSTALL.LOG
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A1D0D14A-B776-4907-BC00-5149F2298086} /l1033
Canon Camera TWAIN Driver 6.6 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E4E929CE-EF1D-407C-A14B-E1DDEDA8FA0E} /l1033
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}
Canon Camera Window DSLR 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0A146245-DB79-4197-BF5D-FE1A699A2CC7}
Canon Camera Window MC 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}
CANON iMAGE GATEWAY Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{33711828-7194-4446-8C05-0DC0E59A0C1B}
Canon Internet Library for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D0E8C34D-19D2-49FD-A900-88DEB788FF86}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B147DC1B-49B3-4368-8A01-5AD9992CD58D}
Canon PhotoRecord --> MsiExec.exe /X{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}
Canon ZoomBrowser EX (E) --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CutePDF Writer 2.7 --> C:\Program Files\Acro Software\CutePDF Writer\uninscpw.exe /uninstall
CyberView for USB Film Scanner Multi-Language --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{09AFC8E1-0DDE-4C16-AA68-2E89365C73E9}\SETUP.EXE" -uninst
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DOC to Image Converter 2.0 --> "C:\Program Files\PDF-Convert\doc2img\unins000.exe"
DV STUDIO2 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\DV Studio2\DeIsL1.isu"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Documents and Settings\Keith\Desktop\HijackThis.exe" /uninstall
HP Customer Participation Program 7.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart and Deskjet 7.0 Software --> C:\Program Files\HP\Digital Imaging\{76BEC1D7-8A9F-472D-84C7-014BB155E4B2}\setup\hpzscr01.exe -datfile hphscr11.dat -showdisconnect -forcereboot
hp psc 700 series --> C:\WINDOWS\system32\hpocon09.exe /u 1142155400 /d "hp psc 700 series"
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Internet Explorer Q867801 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q867801.inf
IObit SmartDefrag Beta4.01 --> "C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
Iomega HotBurn --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6A6FE66-296A-4B5A-9A08-33D104CDBF64}\Setup.exe" -l0x9 UNINSTALL
Jaws PDF Editor 2.5 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{7DC23742-239C-4412-885C-C09677B2BDD3} /l1033
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Link Popularity Check 3.0.2 --> "C:\Program Files\Link Popularity Check\unins000.exe"
Lizardtech DjVu Control --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{105CFC7C-6992-11D5-BD9D-000102C10FD8}\Setup.exe" -l0x9
Logitech MouseWare 9.76 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\SETUP.EXE" -l0x9 -l0009 UNINSTALL
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\SETUP.EXE" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\SETUP.EXE" -l0x9 UNINSTALL
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.9) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MUSICMATCH Jukebox --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
Outlook Express Q837009 --> C:\WINDOWS\oeuninst.exe C:\WINDOWS\INF\Q837009.inf
Philips Device Transfer Pop-up --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7D999C82-259D-47D6-A081-E2DFEFB2EFBE}\setup.exe" -l0x9 -removeonly
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PictureScaler --> "C:\Program Files\Q-Technologies.biz\PictureScaler\uninstall.exe"
QuickCAD v7.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\QuickCAD\DeIsL1.isu"
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Read in Microsoft Reader Add-in for Microsoft Word --> MsiExec.exe /I{84F1DAC1-E1BF-4A21-9D2B-DD3E12686A2C}
Registry Mechanic 6.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Skype™ 3.2 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SpeedTouch USB Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}\setup.exe" /l0009 -Control_Panel
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 4.1 --> C:\Program Files\Spyware Doctor\unins000.exe
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
Tablet --> C:\Program Files\Tablet\Remove.exe /u
TomTom HOME --> C:\Program Files\InstallShield Installation Information\{CE325D55-FCAF-4273-BB79-069BB8747270}\setup.exe -runfromtemp -l0x0009 -removeonly -removeonly
TPP Storage Driver Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E258A840-7E9A-443A-B156-67102C48BF17}\Setup.exe" NotFirstInstall
U-Storage 2.0 --> C:\PROGRAM FILES\U-STORAGE WIN98 DRIVER\ADVDRVINS.EXE -u "C:\PROGRAM FILES\U-STORAGE WIN98 DRIVER"
U.S. Robotics 56K Voice Win Int --> Rsuninst.exe
U.S. Robotics Connections 6.30 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Uninst.isu
USB Storage Adapter (TPP) --> tppun.exe TPP725
USB Storage Adapter V2 (TPP) --> tppun.exe TPP200
USB Storage Adapter V3 (TPP) --> tppun.exe TPP300
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~1\setup_wm.exe /Uninstall
WinZip --> "C:\PROGRAM FILES\WINZIP\WINZIP32.EXE" /uninstall
YP-U1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E4A0225B-A975-416C-8CF7-C1C025FD32D6}\Setup.exe" -l0x9
Zortam Mp3 Media Studio 7.55 --> "C:\Program Files\Zortam Mp3 Media Studio\unins000.exe"
-- Application Event Log -------------------------------------------------------
Event Record #/Type8995 / Error
Event Submitted/Written: 01/13/2008 09:52:48 AM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.
Event Record #/Type8993 / Error
Event Submitted/Written: 01/12/2008 10:38:18 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.
Event Record #/Type8992 / Error
Event Submitted/Written: 01/12/2008 09:34:10 AM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.
Event Record #/Type8990 / Error
Event Submitted/Written: 01/11/2008 09:41:23 AM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.
Event Record #/Type8988 / Error
Event Submitted/Written: 01/10/2008 06:24:10 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
No Errors/Warnings found.
-- End of Deckard's System Scanner: finished at 2008-01-13 18:35:15 ------------
While I think about it, my sione came to stay with us for a while (way before all these troubles started) and he installed a wireless router using netgear and a Haupage WinTV. I thought I had got rid of all their entries when I took them off the system when he left but I see some references are still there. How do I get rid of them?
You mean those entries in Drivers section of main.txt? Those won't disturb anything but if you necessarily want to remove them here's how to do it.
A Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop. (If you are still unsure on how to do this there is a little tutorial with pictures here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File))
@echo off
sc stop NETGEAR_WG311T_SERVICE
sc delete NETGEAR_WG311T_SERVICE
sc stop NuVision
sc delete NuVision
Double-click on fixes.bat file to execute it.
B Delete following files (if found):
c:\windows\system32\drivers\wg311tn5.sys
c:\windows\system32\drivers\nuvision.sys
Following folders disturb me more than those two drivers.
2007-11-18 22:24:34 2746 --a------ C:\WINDOWS\O
2007-11-18 22:24:34 1636 --a------ C:\WINDOWS\?
2007-11-18 22:24:33 550 --a------ C:\WINDOWS\6
2007-11-18 22:24:33 67 --a------ C:\WINDOWS\°
2007-10-29 11:09:06 2377 --a------ C:\WINDOWS\n
2007-10-29 11:09:06 35 --a------ C:\WINDOWS\m
2007-10-29 11:09:06 4442 --a------ C:\WINDOWS\e
2007-10-29 11:09:06 2105 --a------ C:\WINDOWS\d
2007-10-23 20:40:15 2980 --a------ C:\WINDOWS\0
1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall
Hi Blade81
Sorry it took a while to get back - running combofix knocked out my ability to connect to the web and it took me all day yesterday to get it back. During the process I uninstalled Avast (because it kept saying it wasn't working properly) and replaced it with Kaspersky. Kaspersky said it found 2 problems but when I looked at the reports it only lshowed 1 (Heir.Invader). I have included the log file created by Combofix to see if you can identify anything else or do you think that was the problem all along. The problem is that yesterday I had no virus checker active for a while, while I went through all the possibilities
of what was stopping me seeing any servers so it could even be a new thing. What I don't understand is what the line in the Kaspersky log says:
not found: virus Heur.Invader (modification) File: C:\Documents and Settings\Keith\Local Settings\Application Data\Mozilla\Firefox\Profiles\8720aa6w.default\Cache\C2152591d01//PE_Patch.UPX/catchme.cfexe
Why does it say not found and then mention it?
ComboFix 08-01-13.1 - Keith 13/01/2008 21:25:39.1 - NTFSx86
Running from: C:\Documents and Settings\Keith\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\hosts
C:\WINDOWS\start.exe
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\t\
.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.
2008-01-13 20:56 . 31/08/00 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 18:35 . 13/01/08 18:35 16,384 --a----t- C:\WINDOWS\SYSTEM32\Perflib_Perfdata_360.dat
2008-01-13 18:32 . 13/01/08 18:32 <DIR> d-------- C:\Deckard
2008-01-11 09:40 . 11/01/08 09:40 16,384 --a----t- C:\WINDOWS\SYSTEM32\Perflib_Perfdata_204.dat
2008-01-07 10:24 . 07/01/08 10:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-07 10:24 . 07/01/08 10:24 <DIR> d-------- C:\WINDOWS\All Users\Application Data\Kaspersky Lab
2008-01-07 07:13 . 07/01/08 07:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-01-07 07:13 . 07/01/08 10:13 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-01-07 07:13 . 07/01/08 10:13 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-07 07:13 . 07/01/08 10:13 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-30 19:30 . 11/01/08 19:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 19:30 . 30/12/07 19:30 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-25 20:24 . 25/12/07 20:24 16,384 --a----t- C:\WINDOWS\SYSTEM32\Perflib_Perfdata_1fc.dat
2007-12-24 12:41 . 24/12/07 12:41 16,384 --a----t- C:\WINDOWS\SYSTEM32\Perflib_Perfdata_210.dat
2007-12-24 06:29 . 24/12/07 06:29 16,384 --a----t- C:\WINDOWS\SYSTEM32\Perflib_Perfdata_214.dat
2007-12-21 13:44 . 21/12/07 13:44 16,384 --a----t- C:\WINDOWS\SYSTEM32\Perflib_Perfdata_21c.dat
2007-12-20 14:53 . 06/01/08 15:28 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-20 14:52 . 13/01/08 20:56 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-14 08:04 . 14/12/07 08:04 16,384 --a----t- C:\WINDOWS\SYSTEM32\Perflib_Perfdata_354.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 19:16 --------- d---a-w C:\Program Files\Mozilla Thunderbird
2008-01-12 22:47 --------- d-----w C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy
2008-01-06 18:19 --------- d---a-w C:\WINDOWS\All Users\Application Data\TEMP
2007-12-31 11:12 --------- d---a-w C:\Program Files\Spyware Doctor
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-12-03 23:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-03 23:00 --------- d---a-w C:\Program Files\Logitech
2007-12-03 22:15 --------- d-----w C:\Documents and Settings\Keith\Application Data\Uniblue
2007-11-30 20:36 --------- d-----w C:\Program Files\NETGEAR
2007-11-30 20:34 --------- d-----w C:\Program Files\Canon
2007-11-30 14:47 --------- d-----w C:\Program Files\IObit
2007-11-30 13:53 --------- d-----w C:\Program Files\CCleaner
2007-11-29 23:00 --------- d-----w C:\Program Files\Alwil Software
2007-11-29 22:52 --------- d---a-w C:\Program Files\Common Files\Symantec Shared
2007-11-26 21:56 --------- d-----w C:\Program Files\startup help
2007-11-26 21:43 --------- d-----w C:\Program Files\Common Files\HP
2007-11-25 11:46 --------- d-----w C:\Program Files\Zortam Mp3 Media Studio
2007-11-25 11:45 --------- d-----w C:\Program Files\Zortam ID3 Tag Editor
2007-11-23 16:22 --------- d-----w C:\Documents and Settings\Keith\Application Data\Apple Computer
2007-11-23 16:18 --------- d---a-w C:\WINDOWS\All Users\Application Data\Apple Computer
2007-11-23 14:03 --------- d-----w C:\Program Files\Samsung
2007-11-20 08:04 --------- d-----w C:\Program Files\Picasa2
2007-11-17 17:25 --------- d-----w C:\Program Files\r2 Studios
2007-10-24 18:58 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-24 18:58 249,856 ------w C:\WINDOWS\Setup1.exe
2006-07-13 21:19 41,984 ----a-w C:\Documents and Settings\Keith\Application Data\GDIPFONTCACHEV1.DAT
2005-10-05 12:58 21,952 ---h--w C:\Program Files\folder.htt
2005-01-21 00:53 45,056 ------r C:\Program Files\SetAttrib.exe
2004-11-30 07:23 40,960 ------r C:\Program Files\delete.exe
2001-08-22 14:24 21,866 ----a-w C:\Program Files\Common Files\tppupd2k.dll
1999-12-07 12:00 32,528 ----a-w C:\WINDOWS\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
21/04/05 01:08 2432784 --a------ C:\WINDOWS\system32\SHELL32.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [07/12/99 12:00 3856 C:\WINDOWS\SYSTEM32\systray.exe]
"Synchronization Manager"="mobsync.exe" [19/06/03 19:05 111376 C:\WINDOWS\SYSTEM32\mobsync.exe]
"TPP Auto Loader"="C:\WINDOWS\TPPALDR.EXE" [22/08/01 14:29 118784]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [26/01/04 10:38 866816]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [04/12/07 13:00 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [07/12/99 12:00 20752 C:\WINDOWS\SYSTEM32\internat.exe]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [16/04/07 10:47 2119176]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [23/10/07 21:18 443968]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [19/06/03 19:05 186640]
C:\Documents and Settings\Keith\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)
R0 PenClass;Pen Class;C:\WINDOWS\system32\Drivers\PenClass.sys [09/04/01 13:45 ]
R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINDOWS\system32\DRIVERS\SONYPVM1.SYS [27/05/00 03:37 ]
R2 aswMon;avast! Standard Shield Support;C:\WINDOWS\system32\drivers\aswMon.sys [04/12/07 14:56 ]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [19/06/03 19:05 ]
S2 PIEUsb;Pacific Image Electronics USB Scanner;C:\WINDOWS\system32\Drivers\usbscan.sys [19/06/03 18:05 ]
S3 3c1807pd;U.S. Robotics 56K Voice Win Int;C:\WINDOWS\system32\DRIVERS\3c1807pd.sys [23/06/00 10:47 ]
S3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [11/04/02 17:43 ]
S3 hpoid407;IEEE-1284.4 Driver hpoid407;C:\WINDOWS\system32\DRIVERS\hpoid407.sys [21/05/03 12:42 ]
S3 hpoius07;USB to IEEE-1284.4 Translation Driver hpoius07;C:\WINDOWS\system32\DRIVERS\hpoius07.sys [21/05/03 12:41 ]
S3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\wg311tn5.sys []
S3 NuVision;Hauppauge WinTV USB Pro (PAL I FM);C:\WINDOWS\system32\DRIVERS\NUVision.sys []
S3 TPP300;USB Storage Adapter V3 (TPP);C:\WINDOWS\system32\DRIVERS\TPP300.SYS [22/08/01 14:29 ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints\D]
\Shell\AutoRun\command - D:\pcpro.exe
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 08:04:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 22:00:03 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 21:32:02
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 13/01/2008 21:35:55
ComboFix-quarantined-files.txt 2008-01-13 21:35:34
Hi
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Install Recovery Console by following instructions here (http://www.bleepingcomputer.com/tutorials/tutorial117.html#install) (screenshots are for Windows XP but will work for win2000 too).
During the process I uninstalled Avast (because it kept saying it wasn't working properly) and replaced it with Kaspersky.
Did you run ComboFix before or after Avast uninstallation? How did you do the uninstallation?
What I don't understand is what the line in the Kaspersky log says:
not found: virus Heur.Invader (modification) File: C:\Documents and Settings\Keith\Local Settings\Application Data\Mozilla\Firefox\Profiles\8720aa6w.default\Cache\C2152591d01//PE_Patch.UPX/catchme.cfexe
Cleaning temporary files should delete that finding.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Hi,
I have installed the Recovery Console (how do I check it installed OK because it didn't seem to end properly?)
I ran Combofix before Avast uninstallation and I uninstalled using the Avast uninstal facility
I have run ATF
Hi
Upload these to http://www.virustotal.com or http://virusscan.jotti.org and post back the results:
C:\Program Files\SetAttrib.exe
C:\Program Files\delete.exe
To check if recovery console is properly installed run combofix once again. Has your system performance improved during this process?
Hi,
I ran the Virus checker on the two files and they both came up with zero. (I couldn't find where the results went or how to save them - is it just print to file?)
Yesterday I ran Kerspersky on my Documents and Settings folder and it found
Trojan-Spy.HTML.Bayfraud.hc 3 times
Trojan-Downloader.Win32.small.dz 2 times
Trojan-Downloader.Win32.nurech.s
The whole process took hours - would they replicate/move themselves during that time
I am going to set it running agaiin today on the whole PC
(everything is still very slow)
Hi
I ran the Virus checker on the two files and they both came up with zero. (I couldn't find where the results went or how to save them - is it just print to file?)Only way is to copy-paste the results. Doesn't matter here though since results was zero.
Yesterday I ran Kerspersky on my Documents and Settings folder and it found
Trojan-Spy.HTML.Bayfraud.hc 3 times
Trojan-Downloader.Win32.small.dz 2 times
Trojan-Downloader.Win32.nurech.s
Complete (all drives included in scan) Kaspersky report would tell me more :) Scanners find sometimes false positives too.
I am going to set it running agaiin today on the whole PC
(everything is still very slow)
You could try this (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html) slow computer guide written by Miekiemoes.
I was thinking through some of what as gone on in the last few days and decide to download combofix again from a different site. Then just to make sure all was OK I ran both through Virustotal and it has me very worried.
Firstly what other files are infected that neither Kaspersky or Avast don't see and more importantly what are these viruses and trojans doing with my data and my pc
The other thing that is very disturbing is that what follows pasted with ctrl V not what was shown on the screen picked up with ctrl C
File ComboFix_2_.exe received on 01.18.2008 00:11:46 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 8/32 (25%)
Loading server information...
Your file is queued in position: 4.
Estimated start time is between 47 and 68 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
AhnLab-V3 2008.1.18.10 2008.01.17 -
AntiVir 7.6.0.48 2008.01.17 -
Authentium 4.93.8 2008.01.17 -
Avast 4.7.1098.0 2008.01.17 -
AVG 7.5.0.516 2008.01.17 -
BitDefender 7.2 2008.01.17 -
CAT-QuickHeal 9.00 2008.01.17 -
ClamAV 0.91.2 2008.01.17 -
DrWeb 4.44.0.09170 2008.01.17 BATCH.Virus
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5467 2008.01.17 -
Ewido 4.0 2008.01.17 -
FileAdvisor 1 2008.01.18 -
Fortinet 3.14.0.0 2008.01.17 -
F-Prot 4.4.2.54 2008.01.17 -
F-Secure 6.70.13260.0 2008.01.17 -
Ikarus T3.1.1.20 2008.01.17 -
Kaspersky 7.0.0.125 2008.01.18 -
McAfee 5210 2008.01.17 -
Microsoft 1.3109 2008.01.17 -
NOD32v2 2802 2008.01.17 archive damaged
Norman 5.80.02 2008.01.17 -
Panda 9.0.0.4 2008.01.17 Application/NirCmd.A
Prevx1 V2 2008.01.18 -
Rising 20.27.31.00 2008.01.17 Trojan.Win32.Malagent.a
Sophos 4.24.0 2008.01.17 NirCmd
Sunbelt 2.2.907.0 2008.01.17 VIPRE.Suspicious
Symantec 10 2008.01.17 -
TheHacker 6.2.9.189 2008.01.17 -
VBA32 3.12.2.5 2008.01.15 Trojan.StartPage.20448
VirusBuster 4.3.26:9 2008.01.17 -
Webwasher-Gateway 6.6.2 2008.01.17 Riskware.NirCmd.3
Additional information
File size: 1552034 bytes
MD5: 2cf8b75fb798f38824156e57ad3e7ad2
SHA1: 239e3b431c3cd6d44cca80bce589f7bfc7267d6b
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: UPX, RAR
packers: PE_Patch.UPX, UPX, UPX, Autoit, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, UPX, UPX, UPX
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
ComboFix.exe is not malware. The reason why scanners flag it as infected is that ComboFix uses some same kind of methods as malware uses. Difference is that ComboFix uses these for good while malware does only harm. :)
Due to inactivity, this thread will now be closed.
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.