Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Wonky Computer. Runs slow, IE freezes. Can't run updates etc

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby JenZen » June 8th, 2009, 11:59 pm

HI and thanks for taking a look at my issues. I have taken a number of steps but it might be after the fact. Unisntalled Norton Antivirus using advice from this board. Installed full version of AVG. Also installed Registry Mechanic and Spyware Dr. I do not let Spyware Dr. run in the background because it uses up the system resources. I do run it once a week. Same with Registry Mechanic. Spyware Dr. showed some malware and trojan horses. Got rid of everything I could but system is still running very slow. IE completely locks up and seldom loads and can not run the downloaded updates. I use Firefox most of the time.
Thanking you in advance, Jen


Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:52:32 PM, on 6/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\AVG\AVG8\Identity Protection\agent\bin\AVGIDSUI.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\AVG\AVG8\Identity Protection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yapta Tagger - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - blank (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\Identity Protection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servle ... 6.000001d8
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Distiller Assistant 3.01.lnk = C:\Acrobat3\Distillr\DISTASST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yapta.com - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Tagger Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Tagger Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: http://www.resource.realtor.com
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/I ... 082608.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3689769374
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1450/ ... brkpie.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - Unknown owner - C:\Program Files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSAgent.exe" AVGIDSAgent (file missing)
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c8d7c2fd101118) (gupdate1c8d7c2fd101118) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
JenZen
Active Member
 
Posts: 7
Joined: June 8th, 2009, 11:25 pm
Advertisement
Register to Remove

Re: Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby Bio-Hazard » June 11th, 2009, 8:09 am

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • I f you don't know or understand something please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

No Reply Within 5 Days Will Result In Your Topic Being Closed!!




Registry Cleaners

Re. Registry Mechanic

I don't personally recommend the use of ANY registry cleaners. Here is an excerpt from a discussion on regcleaners
Most reg cleaners aren't bad as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.


This post by Bill Castner is veryinformative: WhatTheTech Forum


STEP 1

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:

Image
Download DDS and save it to your desktop from:

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply


STEP 2


RootRepeal - Rootkit Detector

Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Clickthe Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program


Next Reply

Please reply with:
  • DDS.txt
  • Attach.txt
  • RootRepeal.txt
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby JenZen » June 11th, 2009, 1:08 pm

Thank you Bio-Hazard. (Great name, BTW.)
I appreciate your opinion regarding the Registry Mechanic.
When we are all done and I get the "all-clear from you, I will uninstall the program. Do you feel the same about Spyware Dr?

I ran the programs per your instructions and the logs are listed below. As instructed, I also attached the Attach.txt in a zip file.
I did, however, get a small error message for the Root Repeat program, but it appears inconsequential. (Error message read: Error - Invalid PE image found).
Thank you so much for your help.
Truly appreciated!
Jen

P.S. I have a 300 gig WD Passport portable drive attached which is always plugged into my computer, so I let the programs scan this drive as well.
Also, the RootRepeal program placed saved a Settings.dat file on the desktop. I am assuming you do not need it but I have saved it in case you do.




DDS.txt

DDS (Ver_09-05-14.01) - NTFSx86
Run by JENNIFER at 12:43:41.56 on Thu 06/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.385 [GMT -4:00]

AV: AVG Internet Security 3-pack *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\AVG\AVG8\Identity Protection\agent\bin\AVGIDSUI.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acrobat3\Distillr\DISTASST.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\JENNIFER\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\JENNIFER\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Documents and Settings\JENNIFER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yapta Tagger: {2020dfef-8c87-4229-aa41-549d82210355} - c:\program files\yapta\YaptaOverlay.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - blank
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcStd7_0_9 -reboot 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRunOnce: [<NO NAME>] c:\program files\mozilla firefox\firefox.exe http://www.symantec.com/techsupp/servle ... 6.000001d8
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [CHotkey] mHotkey.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [GWMDMMSG] GWMDMMSG.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [American Airlines DealFinder] "c:\program files\american airlines dealfinder\American_Airlines_DealFinder.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVGIDS] "c:\program files\avg\avg8\identity protection\agent\bin\AVGIDSUI.exe"
mRun: [SansaDispatch] c:\program files\sandisk\sansa updater\SansaDispatch.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\distil~1.lnk - c:\acrobat3\distillr\DISTASST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user
IE: {0362b485-11fe-469c-ae98-42f478e581a0} - c:\program files\yapta\YaptaSettings.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: realtor.com\www.resource
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... mv9VCM.CAB
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/I ... 082608.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDow ... eqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 3689769374
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/1450/ ... brkpie.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} - hxxp://216.249.24.62/code/iPIX-ImageWell-ipix.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jennifer\applic~1\mozilla\firefox\profiles\5s3b9zyz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=f ... e=58997&p=
FF - component: c:\documents and settings\jennifer\application data\mozilla\firefox\profiles\5s3b9zyz.default\extensions\{95080666-90c6-4dc0-8ca6-85d13d3fe3ae}\components\Engine.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\jennifer\application data\mozilla\firefox\profiles\5s3b9zyz.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\documents and settings\jennifer\application data\mozilla\firefox\profiles\5s3b9zyz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\jennifer\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [2002-5-23 73600]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-8 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-8 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-12 108552]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-7 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-4-24 1368952]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identity protection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-12-12 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identity protection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
S2 gupdate1c8d7c2fd101118;Google Update Service (gupdate1c8d7c2fd101118);c:\program files\google\update\GoogleUpdate.exe [2008-7-16 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-12-12 29208]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-8 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-8 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-8 81288]
S3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2008-12-22 36224]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-8 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-8 1079176]

=============== Created Last 30 ================

2009-06-08 11:58 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-06-03 14:36 <DIR> --dsh--- c:\windows\system32\lowsec
2009-05-31 18:38 995,056 a------- c:\windows\system\MSAJT200.DLL
2009-05-31 18:38 710,528 a------- c:\windows\system\MSAJT110.DLL
2009-05-31 18:38 398,416 a------- c:\windows\system\VBRUN300.DLL
2009-05-31 18:38 102,400 a------- c:\windows\system\COMPOBJ.DLL
2009-05-31 18:38 96,688 a------- c:\windows\system\MHGLBX.VBX
2009-05-31 18:38 95,200 a------- c:\windows\system\VBDB300.DLL
2009-05-31 18:38 33,280 a------- c:\windows\system\MSAES110.DLL
2009-05-31 18:38 17,440 a------- c:\windows\system\MSAJT112.DLL
2009-05-31 18:38 15,840 a------- c:\windows\system\PICCLIP.VBX
2009-05-31 18:38 13,824 a------- c:\windows\system\VBOA300.DLL
2009-05-31 18:37 <DIR> --d----- C:\winwrit2
2009-05-31 18:37 <DIR> --d----- C:\wstar20

==================== Find3M ====================

2009-06-10 19:36 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-31 17:29 1,901 ac------ c:\windows\panose.bin
2009-05-12 09:02 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-24 10:06 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-24 10:06 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-04-24 10:06 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-04-24 10:06 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2006-05-04 22:40 774,144 ac------ c:\program files\RngInterstitial.dll
2009-01-05 21:07 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010520090106\index.dat

============= FINISH: 12:44:22.07 ===============

[RootRepeal.txt

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/06/11 12:46
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_IdeChnDr.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_IdeChnDr.sys
Address: 0xEC3D7000 Size: 90112 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8D59000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\52b24d39-6c5e-4a9f-9417-1381464025eb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\8d609fad-5267-4d9a-a5da-ac96ec1ba6b0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\9231e2d4-e13d-4f9b-9d90-7e52ed076cd2.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\042670ee-12c1-42f5-bc4a-666bfb6316a8.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\1777da98-5d02-44be-a1d5-128172d15266.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Temp\f33e8375-d0e0-4daf-aedf-2c542390ab67.tmp
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\jennifer\local settings\temp\etilqs_0qqa4n4khuikzsmuzu6x
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\documents and settings\jennifer\local settings\application data\mozilla\firefox\profiles\5s3b9zyz.default\cache\_cache_001_
Status: Size mismatch (API: 2124717, Raw: 2123693)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf6e858a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf6e858d0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf6e85980

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf6e85a20

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xf6e85ac0

==EOF==
You do not have the required permissions to view the files attached to this post.
JenZen
Active Member
 
Posts: 7
Joined: June 8th, 2009, 11:25 pm

Re: Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby Bio-Hazard » June 11th, 2009, 2:30 pm

Do you feel the same about Spyware Dr?


You can keep that one.

I have a 300 gig WD Passport portable drive attached which is always plugged into my computer, so I let the programs scan this drive as well.


Thats good.

Regarding yapta tagger please read this yapta privacy policy and let me know what do you want to do with it.


Do you know what this is: MyFonts Order M704955



Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the Perform Full Scan option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Answers to my questions
  • Malwarebytes Antimalware Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby JenZen » June 11th, 2009, 6:34 pm

Regarding yapta tagger please read this yapta privacy policy and let me know what do you want to do with it.

"We may collect personally identifiable information ("Personal Data") about you that you specifically and voluntarily provide to us while using the site.
Personal Data includes information that can identify you as a specific individual, such as your email address, name, address, phone number, airline itinerary information (confirmation Code, travel dates, etc.)."
Well, isn't that comforting. Shame on me for not reading the policy. I will 86 it. <I mean uninstall>
Do you know what this is: MyFonts Order M704955

MyFonts Order M704955 appears to be an exe program that I downloaded so I could install some fonts I purchased,
but I don't recall ever having to install something in order to download fonts that I have downloaded. I usually just install them into the fonts directory.
Should I just delete it?


Malwarebytes Antimalware Log -

Malwarebytes' Anti-Malware 1.37
Database version: 2263
Windows 5.1.2600 Service Pack 3

6/11/2009 5:35:22 PM
mbam-log-2009-06-11 (17-35-22).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 345993
Time elapsed: 2 hour(s), 11 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\SYSTEM32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\SYSTEM32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.


NEW HijackThis Log -

Logfile of HijackThis v1.99.1
Scan saved at 6:03:32 PM, on 6/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\AVG\AVG8\Identity Protection\agent\bin\AVGIDSUI.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\Identity Protection\agent\bin\AVGIDSMonitor.exe
C:\Acrobat3\Distillr\DISTASST.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yapta Tagger - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - blank (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\Identity Protection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servle ... 6.000001d8
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Distiller Assistant 3.01.lnk = C:\Acrobat3\Distillr\DISTASST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yapta.com - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Tagger Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Tagger Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: http://www.resource.realtor.com
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/I ... 082608.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3689769374
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1450/ ... brkpie.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - Unknown owner - C:\Program Files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSAgent.exe" AVGIDSAgent (file missing)
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c8d7c2fd101118) (gupdate1c8d7c2fd101118) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe



How the Computer is running?

Computer is still running fairly slow opening and closing programs take a while but some of the quirkier things have stopped.I can now open IE and also open and run IE update to install v.8. (I did not do this yet.) I only use IE for a few business related sites which are not Firefox compatible. (Would that be your recommendation?)

Stupid, I know, but for several years know I have used IncrediMail and just kept using it because I'm stuck. I have so many emails saved that I need and I can not export them over to Outlook (as far as I know). I am having a lot of doubts about continuing to use this program but i am in the middle of a project that requires me to constantly refer to many of the emails saved in Incredimail. Would you please advise me the best option? I would also assume you don't think to highly of this program. It uses up a lot of resources. On the other hand, it has a really cute little duck that waddles up and quacks when you get new email. :)

I believe I have gotten as much as I can out of this 6 year old system and I can't upgrade it anymore. I plan on giving to my nephew, however I know I do need to strip the data off the hard drive. Someone recommended CCleaner to me a while back. http://www.ccleaner.com/ I would truly appreciate your recommendation(s). (I do plan on using the install disc that came with the computer to bring it back to how it was out of the box and I'll upgrade drivers etc. for him.)

I need to do this same process for my husband's laptop (which I occasionally plug into with my hard drive when I am copying files back and forth) ? It is also running the same way. Do I start a new thread?

Thanks so very much!! Jen

P.S. I am surprised that AVG didn't catch those backdoor trojans.

I apologize, but I failed to mention that we do use a router. I connect directly to the Internet on this computer but it's also hooked into a router for the two other computers in the house. It's a Buffalo AirStation Wireless G. Sorry for forgetting to mention that. I also regularly delete temp files, and just recently ran a defrag, etc.
JenZen
Active Member
 
Posts: 7
Joined: June 8th, 2009, 11:25 pm

Re: Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby Bio-Hazard » June 13th, 2009, 7:40 am

BACKDOOR TROJAN

I'm afraid I have some bad news for you. Your computer is infected with BACKDOOR TROJAN. Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victims machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, Backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer, change settings on the computer and more. Please read this article by Roger A. Grimes on Remote Access Trojans it will give you an Idea of the severity of the type of infection you have.

What are Remote Access Trojans and why are they dangerous

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all youraccount numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.


How do I respond to a possible identity theft and how do I prevent it


Because of the severity and the capabilities of this type of virus, (it cannot be known what changes to your system it has made or if it opened up other ways into your system) The only responsible course of action I can advise is to reformat your computer and reinstall windows.

Further reading:

When should do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Should you have any questions please feel free to ask.



Computer is still running fairly slow opening and closing programs take a while but some of the quirkier things have stopped.I can now open IE and also open and run IE update to install v.8. (I did not do this yet.) I only use IE for a few business related sites which are not Firefox compatible. (Would that be your recommendation?)


I only use Firefox myself. So what you are doing now is good. I do need to ask: is this a business computer?

Would you please advise me the best option?


I am sorry but i have no experience of both programs so i cant really say. I know about them but i have never used them myself.


I believe I have gotten as much as I can out of this 6 year old system and I can't upgrade it anymore. I plan on giving to my nephew, however I know I do need to strip the data off the hard drive. Someone recommended CCleaner to me a while back. http://www.ccleaner.com/ I would truly appreciate your recommendation(s).


Well if you need to get rid of documents and other important things CCleaner wont be able to help you. It is designed to clear temp files and so on. There are other programs for deleting important information.

I need to do this same process for my husband's laptop (which I occasionally plug into with my hard drive when I am copying files back and forth) ? It is also running the same way. Do I start a new thread?


Yes you need to start a new thread. Please wait till we have finished dealing with your computer.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby JenZen » June 13th, 2009, 2:38 pm

Yes, this is indeed bad news. The computer is used for business. There are two other computers connected by a router I would imagine are also involved.
I apologize in advance for all the questions. I am sure you can understand my concern!

1. Could you please give me the exact information on where the Backdoor Trojan was found and at this point has it been quarantined or deleted? Is there any way to tell the date of how long this Trojan has been on my computer?
2. I am assuming this type of Trojan is an executable file so I would assume it cannot be transferred via my backup usb drive? (Is it okay for me to plug this into a usb port on another computer?)

On one of the sections of the links you provided, I read the following:

If the computer was connected to the Internet for a long time with the backdoor installed, or if the malware used ICQ to actively contact hackers, then it is more likely the backdoor was used. Therefore there is a high risk if re-formatting and re-installing is not done.
If the backdoor merely opens a port to listen the risk is slightly lower.
If the backdoor merely opens a port to listen and the computer was behind a working firewall or NAT router, then the risk of the backdoor being used is greatly reduced. Therefore there is probably a much lower risk if re-formatting and re-installing is not done.

3. This computer that is infected is connected to a router (which has a firewall). In addition, in the past I was using Norton Antivirus & Firewall. That was completely removed (following instructions here and using the Norton removal tool) and then I installed the full version of AVG Internet Security 3-pack. Why didn't AVG find this?
How do I know which type of backdoor trojan it is (as referenced above)?

I will be able to reinstall the computer to its original our of the box state and reinstall all updates, etc. Is there a chance of reinfecting the computer from my backed-up data? I obviously have many programs and executable files. Will I be able to scan this backed updata and see if there is a trojan amongst any of the .exe files?

4. I have one computer (fairly new) that was used as a stand alone computer in another office that has not been used for the past year that is most likely not infected. Since I need to use an uninfected computer, should I also use your malware program or should I post a hijack this thread to make sure that no malware exists on this computer before I start this process, as well?

I apologize for my lack of knowledge and I appreciate your patience and expertise. Thanking you 100 times.

Jen
JenZen
Active Member
 
Posts: 7
Joined: June 8th, 2009, 11:25 pm

Re: Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby Bio-Hazard » June 13th, 2009, 5:24 pm

Hello!

It is never nice to give these kind of news but it is in your best interest.

1. Could you please give me the exact information on where the Backdoor Trojan was found and at this point has it been quarantined or deleted? Is there any way to tell the date of how long this Trojan has been on my computer?

There is no way of knowing how long has it been in the system. It does not matter whether or not the offending trojan was quarantined and/or deleted. The computer has been seriously compromised and will not be safe to use until it's been reformatted.

From Malwarebytes Antimalware log:
Files Infected:
c:\WINDOWS\SYSTEM32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.

ThreatExpert report.


2. I am assuming this type of Trojan is an executable file so I would assume it cannot be transferred via my backup usb drive? (Is it okay for me to plug this into a usb port on another computer?)


This one is not a executable file. It is quite possible that any drive that has been connected to this computer via a USB port may also have been infected. That includes all external hard drives and USB sticks as well.


3. This computer that is infected is connected to a router (which has a firewall). In addition, in the past I was using Norton Antivirus & Firewall. That was completely removed (following instructions here and using the Norton removal tool) and then I installed the full version of AVG Internet Security 3-pack. Why didn't AVG find this?


No antivirus or antimalware software can give you 100% protection. If AVG dont have virus signature for his kind of virus then it cant see/stop it.


I will be able to reinstall the computer to its original our of the box state and reinstall all updates, etc. Is there a chance of reinfecting the computer from my backed-up data? I obviously have many programs and executable files. Will I be able to scan this backed updata and see if there is a trojan amongst any of the .exe files?


Reverting to the factory settings will be enough. No program files nor executable files can not be backed up, nor should any previously backed up programs and/or executable files be restored to this or any other computer. Backups should be made of documents, music and pictures only. Nothing else. These backups should be made to CD or DVD, not USB devices.

4. I have one computer (fairly new) that was used as a stand alone computer in another office that has not been used for the past year that is most likely not infected. Since I need to use an uninfected computer, should I also use your malware program or should I post a hijack this thread to make sure that no malware exists on this computer before I start this process, as well?


Best thing to do is install all the Windows updates and make sure the antivirus/antimalware programs are updated. If you want you can post the HijackThis log here. You can not use this computer in the same network with the infected computers until they have been reformatted.

I apologize for my lack of knowledge and I appreciate your patience and expertise. Thanking you 100 times.


No need to apologize. It is good to ask questions. It is unfortunate situation but end of the day you want to be safe when you are online.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby JenZen » June 13th, 2009, 6:09 pm

Reverting to the factory settings will be enough. No program files nor executable files can not be backed up, nor should any previously backed up programs and/or executable files be restored to this or any other computer. Backups should be made of documents, music and pictures only. Nothing else. These backups should be made to CD or DVD, not USB devices.

Am trying to figure out how the heck to handle this for a number of reasons. There are waaaay too many files and photos to be able to back-up data onto CDs or DVDs.
That would be practically impossible. I am an amateur underwater photographer and just the photos alone would be about 20-30 gigs worth.
There has to be another option. I must be able to drag and drop documents and photos etc. to a portable usb drive.
In addition I have numerous underwater videos and presentations that must also be saved and they are executable. I simply can not delete all this work.That is not an option.

I also realized that the "safe" computer I mentioned is not safe...as I used the usb hard drive on this computer as well. The computer was barely used in the past year, but I did use it in conjunction with the usb hard drive when I needed to scan photos.
So, the fact of the matter is, I do not own a computer that has not been compromised.

Should I take the least likely computer and run a hijack this report on it?
JenZen
Active Member
 
Posts: 7
Joined: June 8th, 2009, 11:25 pm

Re: Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby Bio-Hazard » June 14th, 2009, 2:11 pm

The online anti-malware community primarily exists to serve home computer users and is therefore not ideally suited to deal with business computers and data that are best handled by a company's own IT department, or (if the company does not have an IT department) an on-site IT professional. All companies have, or should have, their own set of policies and procedures for handling situations like this, which are beyond this site's sphere of knowledge. Additionally, it is this site's policy that we restrict ourselves to assisting with computers that are only used for home/personal use. As the subject computer has been identified as an infected computer that is used for business purposes, it falls beyond the scope of this forum. Accordingly, I will not be able to proceed beyond the scans I instructed you to run prior to learning that this computer was being used for business purposes.

I have consulted with a site Administrator regarding your situation and we have reached the following conclusion... As this situation involves multiple computers, possibly multiple external hard drives, all of which may be infected and may contain important and/or critical business and personal data as well, help from an online forum is not your best option. Your best course of action is to use an IT professional who can actually have physical access to the computers. A competent professional should be able to disinfect the USB drives and make back-ups of your data as well.

If you have any questions, I will try to answer them; if not, this topic will be closed.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

!! Wonky Computer. Runs slow, IE freezes. Can't run updates

Unread postby JenZen » June 15th, 2009, 5:07 pm

I am quite surprised by your reply. AND perplexed! What family does not have more than one computer in the house? There is a home computer for a home based business. I have a laptop. My husband also has a laptop. Le's see that's 3. Then, I said I had another computer that I could replace this one with (the one you have been helping me with). That's the average number of computers in a household. I am very frustrated that you are going to bail. Especially when all I wanted to do was to ask 1.) another option to backing up on CDs and 2.) Wanting to running another Hijack this scan on the computer I am going to replace it with. Why is this all of a sudden a job for an IT guy???
JenZen
Active Member
 
Posts: 7
Joined: June 8th, 2009, 11:25 pm

Re: Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby JenZen » June 15th, 2009, 5:20 pm

P.S. I would very much appreciate it if you could please look at the new computer and let me run a log. This is the only computer being used at the moment and it is not connected to any external hard drives. I just need at least one computer to try and continue to work from. Hopefully this one is not infected.
JenZen
Active Member
 
Posts: 7
Joined: June 8th, 2009, 11:25 pm

Re: Wonky Computer. Runs slow, IE freezes. Can't run updates etc

Unread postby NonSuch » June 15th, 2009, 5:47 pm

This topic was originally started by you in order to deal with the issues you were experiencing with a computer that you use for business. This forum does not deal with computers that are used for business for reasons that have already been explained to you.

If you have another personal computer that you would like to have checked, and that computer is not being used for business purposes, then you will need to start another topic for that computer. However, you should be aware that if your other computer is also infected with a backdoor trojan and/or rootkit, it will need reformatting to ensure the malware is completely eradicated.

As this issue involves a business system, and therefore falls outside the scope of this forum, this topic is now closed.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 51 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware