IE Unresponsive

This is a discussion on IE Unresponsive within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.

Old 10-17-2011, 03:49 PM   #1
Registered Member
 
Join Date: Dec 2004
Posts: 108
OS: NT



Greetings. I am not sure if I have a virus of some type (malware, spyware, trojan) or if my computer is just on its last legs. I have an old Tecra laptop by Toshiba running Windows XP 2002 Service Pack 3. It has served me well and I do not have a lot of resources, which is why I have had to use this one for so long.

Over the past few months I have seen the performance degrade. For instance, when I come to this site I get a popup that says Stack Overflow at line 660. The degraded performance is also apparent when I am online. Sometimes my IE browser will become very unresponsive. When I want to go to a different URL than where I am, nothing will happen. I click inside the window and I will get the hourglass sign, and when I go into the Task Manager it says that IE is not responding. Then most of the time it will respond and go to the URL I want to go to. Even doing basic things on the computer while not online, like bringing up applications, takes quite a while. For instance, even doing the Save As for my dds.txt and attach.txt in Notepad was not instantaneous. I got the hourglass for a few seconds before the attach.txt was saved to my desktop and I got the hourglass for about 12 seconds before dds.txt could be saved.

At any rate I may not be in the right place but I think this is a good place to start. I have relocated within the past year and finding the local football games to watch is tough. I used to go to myp2p.eu last year and that is no longer viable. I go to other sites to attempt to stream my favorite teams but I have a feeling I may have contracted viruses from those sites.

I have followed the instructions about posting (I hope); please let me know if I have screwed up.

Also, when I went to compress my attach.txt and ark.txt I had a problem. When I selected both of these files, right clicked and then went to Send To, that tab was empty. I could not select any zip utility. Should I download Winzip? I have attached both text files but they are not zipped. Please advise.

Here is my DDS.txt output:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Owner at 7:35:29 on 2011-10-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.419 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
svchost.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [TFNF5] TFNF5.exe
mRun: [TOSDCR] TOSDCR.EXE
mRun: [<NO NAME>]
mRun: [Conime] %windir%\system32\conime.exe
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1449.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: sandicor.com
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=03757f1e64c52f1288659fdcd7f863b0&url=http%3A%2F%2Fd.64.69.14.182.downloads.estara.com.%2Fas%2FOneCCDM.php&template=489683&sessionid=1526952215_64.69.14.182_37748&=&req=1281671455765OneCC.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://download.pplive.com/config/pplite/pluginsetup.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 68.113.206.10 24.217.0.5 24.217.201.67
TCP: Interfaces\{146D9403-BA2B-494B-98AB-6E1DC6662F97} : DhcpNameServer = 68.113.206.10 24.217.0.5 24.217.201.67
TCP: Interfaces\{98E600D0-EABD-429E-8A10-32A590C1EE40} : NameServer = 68.105.28.11
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: igfxcui - igfxdev.dll
Notify: itlntfy - itlnfw32.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\dv0n53qx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Web Search...
FF - prefs.js: browser.startup.homepage - hxxp://mp3tubetoolbar.com/?tmp=toolbar_Mp3Tube_homepage&prt=pinballtbfour04ff&clid=28cb2314b29f4746825c7ef75eced0d4&subid=
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
---- FIREFOX POLICIES ----
FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.enabled - 1
.
============= SERVICES / DRIVERS ===============
.
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-14 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-14 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-31 136176]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-4 14336]
S2 mrtRate;mrtRate; [x]
S3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys --> c:\windows\system32\drivers\appliand.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-31 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-4-24 16968]
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\drivers\SCR3XX2K.sys [2009-9-11 47488]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 7:36:33.03 ===============
Attached files: ark.txt (10.6 KB), attach.txt (24.4 KB)

__________________
vewdodude is offline  
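As an added triage example (editor's code, not DDS's and not anything posted in this thread): the parser below reads the Pseudo HJT and FIREFOX records of a DDS log like the one above and pulls out what a helper looks at first: orphaned BHO/toolbar registrations, Firefox search and homepage prefs redirected to a remote host (plus a user.js copy that re-applies them at every start), a plugin loaded from system32, and downloaded ActiveX controls. The sample lines are copied from this thread's log; the rule names and the system32 location heuristic are assumptions, not DDS logic.

```python
"""Triage of the browser-configuration records in a DDS log (the "Pseudo HJT
Report" and FIREFOX sections). Editor-added example, not part of DDS itself."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample: lines copied from the DDS log posted in this thread
# (values that extraction had wrapped are re-joined onto one line).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.yahoo.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://download.pplive.com/config/pplite/pluginsetup.cab
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Web Search...
FF - prefs.js: browser.startup.homepage - hxxp://mp3tubetoolbar.com/?tmp=toolbar_Mp3Tube_homepage&prt=pinballtbfour04ff&clid=28cb2314b29f4746825c7ef75eced0d4&subid=
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
"""

# Firefox prefs that search/homepage hijackers rewrite; the host is what gets reviewed.
SEARCH_PREFS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}

COM_RE = re.compile(r"^(?P<kind>BHO|TB|EB): (?:(?P<name>.*?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
FF_PREF_RE = re.compile(r"^FF - (?P<file>prefs\.js|user\.js): (?P<key>\S+) - (?P<value>.*)$")
FF_PLUGIN_RE = re.compile(r"^FF - plugin: (?P<path>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<ident>.*?) - (?P<url>hxxps?://\S+)$")


@dataclass(frozen=True)
class Finding:
    rule: str   # which heuristic fired
    host: str   # remote host involved, or "" for a purely local finding
    line: str   # the log line that triggered it


def host_of(defanged_url: str) -> str:
    """DDS writes URLs as hxxp:// so they are not clickable; re-arm only to parse the host."""
    return (urlparse(defanged_url.replace("hxxp", "http", 1)).hostname or "").lower()


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COM_RE.match(line)
        if m:
            if m["target"].strip().lower() == "no file":
                # Registry still names a BHO/toolbar whose DLL is gone: an orphaned entry.
                findings.append(Finding("com-orphan", "", line))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            if m["key"] in SEARCH_PREFS and m["value"].startswith("hxxp"):
                # user.js is re-read at every Firefox start and overrides prefs.js,
                # so a hijacked value there comes back after the user resets it.
                rule = "ff-userjs-persist" if m["file"] == "user.js" else "ff-search-pref"
                findings.append(Finding(rule, host_of(m["value"]), line))
            continue
        m = FF_PLUGIN_RE.match(line)
        if m:
            if m["path"].lower().startswith(r"c:\windows\system32"):
                # Assumption: NPAPI plugins normally sit under the browser's or the
                # vendor's Program Files directory, not under system32.
                findings.append(Finding("ff-plugin-system32", "", line))
            continue
        m = DPF_RE.match(line)
        if m:
            # Downloaded ActiveX controls: record the serving host for review.
            findings.append(Finding("dpf-activex", host_of(m["url"]), line))
    return findings


def hosts_by_rule(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Collapse findings to rule -> set of remote hosts (empty set for local-only rules)."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.rule, set())
        if f.host:
            out[f.rule].add(f.host)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:<20} {f.host:<22} {f.line[:60]}")
```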
Old 10-19-2011, 04:38 PM   #2
Security Team
Trainee IV
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hello and welcome to TSF Virus & Malware support. My name is Taylor and I'll be helping you with your fix.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

__________________
If I am helping you with a Virus/Malware fix and have not responded within 36 hours, please PM me.
NOTE: I do not offer help of any kind via Private Messages. Please post your questions in the appropriate forum.



Nistlerooy is offline  
Old 10-19-2011, 07:49 PM   #3
Security Team
Trainee IV
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hi again vewdodude.

If you haven't done so already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back it up now just as a precaution.

------------------------------------------------------

**Read through these instructions in their entirety BEFORE executing them.** If you have any questions or are unsure about any of the following instructions PLEASE ASK for clarification before continuing. You may want to copy this page to notepad or print it as it will not be available while you run ComboFix.

Download ComboFix from one of the following locations:

* IMPORTANT !!! Place combofix.exe on your Desktop

Disable your AntiVirus and AntiSpyware applications as they may interfere with ComboFix. You can normally do this by right clicking on the System Tray icon. If you have difficulty properly disabling your protective programs, refer to this link.

Close all open browsers and windows and double click on combofix.exe & follow the prompts.
  • The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
  • ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. It will be a new screen you see on bootup which will last only a few seconds. You do not have to press or do anything for Windows to load normally. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to do so by a helper.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

  • Click on Yes, to continue scanning for malware.

** NOTE: Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This, too, is normal.

When finished it will produce a log for you (C:\ComboFix.txt). Please include this log in your next reply.

Do not mouse-click Combofix's window while it is running. This may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Once ComboFix has finished and produced a log, ensure your Anti-Virus and Anti-Spyware applications have been re-enabled.


Let me know if you have any problems or questions.

-Taylor



Nistlerooy is offline  
Old 10-19-2011, 11:23 PM   #4
Registered Member
 
Join Date: Dec 2004
Posts: 108
OS: NT



Hi Taylor

Thank you in advance for your help. I followed the instructions that you posted. However, when I went to run combofix I was not prompted for the autorecovery window. I was not sure why. A few months ago, my wife went to doublemyspeed.com because the computer was running slow. She ended up spending over 200 bucks and I am sure they removed some viruses, but the computer never ran great; it ran better but not great. I am not sure if they had run combofix on it back then or not. I had downloaded combofix from the links you posted and ran it with no problem, with the exception that there was no prompt for the autorecovery console.

When I just now logged in I received 3 messages from the website that there were stack overflows. Also something I forgot to mention in my initial posting was that I could not get any autorestore points for the past few months.

At any rate here is my combofix log. Please let me know what I need to do next. Again, thanks for all of your help.

************************************************
ComboFix 11-10-19.06 - Owner 10/19/2011 21:19:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.444 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\My Documents\$APAC.tmp
c:\windows\Downloaded Program Files\Install.inf
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 00:00 . 2011-07-15 02:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-04-25 253952]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-9-9 155648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 23:50 90112 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SentriLockCardUtility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SentriLockCardUtility.lnk
backup=c:\windows\pss\SentriLockCardUtility.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 04:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-03-24 05:40 196608 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 05:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-23 00:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2009-12-22 13:47 1092872 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2006-12-03 23:29 49168 ----a-w- c:\program files\Protector Suite QL\launcher.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"d:\\setup\\HPZNUI01.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
.
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [9/4/2007 1:14 AM 6528]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/14/2011 7:16 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/14/2011 7:16 PM 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2010 9:54 AM 136176]
S2 mrtRate;mrtRate; [x]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2010 9:54 AM 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/24/2011 2:18 PM 16968]
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\drivers\SCR3XX2K.sys [9/11/2009 9:04 AM 47488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 16:54]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 16:54]
.
2011-10-19 c:\windows\Tasks\User_Feed_Synchronization-{551A2DD5-4654-47EA-BB4E-7BBBBF60E777}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: sandicor.com
TCP: DhcpNameServer = 68.113.206.10 24.217.0.5 24.217.201.67
TCP: Interfaces\{98E600D0-EABD-429E-8A10-32A590C1EE40}: NameServer = 68.105.28.11
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=03757f1e64c52f1288659fdcd7f863b0&url=http%3A%2F%2Fd.64.69.14.182.downloads.estara.com.%2Fas%2FOneCCDM.php&template=489683&sessionid=1526952215_64.69.14.182_37748&=&req=1281671455765OneCC.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://download.pplive.com/config/pplite/pluginsetup.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dv0n53qx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Web Search...
FF - prefs.js: browser.startup.homepage - hxxp://mp3tubetoolbar.com/?tmp=toolbar_Mp3Tube_homepage&prt=pinballtbfour04ff&clid=28cb2314b29f4746825c7ef75eced0d4&subid=
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.enabled - 1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-itlntfy - itlnfw32.dll
MSConfigStartUp-Google Update - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
AddRemove-HitmanPro35 - c:\documents and settings\Owner\Desktop\Tool\3.HitmanPro35.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-10-19 21:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
.
- - - - - - - > 'explorer.exe'(3820)
c:\windows\system32\WININET.dll
c:\program files\Protector Suite QL\farchns.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\TFNF5.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-10-19 22:09:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-20 05:09
.
Pre-Run: 45,121,925,120 bytes free
Post-Run: 48,187,002,880 bytes free
.
- - End Of File - - 45A91149A34188C68D088430D3B7B7CB
__________________
vewdodude is offline  
Old 10-20-2011, 11:08 PM   #5
Security Team
Trainee IV
 
Nistlerooy's Avatar
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hi again vewdodude.

The recovery program is probably already installed, which is why you weren't prompted for the install through ComboFix. To be sure, let's do this:

Please download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply

Other than the stack overflow errors and decreased performance, are you noticing any other "symptoms" with the machine?

Download SystemLook from one of the links below and save it to your desktop.

Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :filefind
    itlnfw32.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

Let me know if you have any questions or problems.

-Taylor
__________________
If I am helping you with a Virus/Malware fix and have not responded within 36 hours, please PM me.
NOTE: I do not offer help of any kind via Private Messages. Please post your questions in the appropriate forum.



Nistlerooy is offline  
Old 10-21-2011, 12:54 AM   #6
Registered Member
 
Join Date: Dec 2004
Posts: 108
OS: NT



Hi Taylor

I have posted the bootcheck and systemlook logs below.

In general the computer just crawls along. I use Quickbooks a lot and the performance of the application is really slow. If I have it open, or for that matter any application, even IE, open for a day or so, then those applications become unresponsive almost to the point where I need to kill those processes.

When I ran ComboFix I did notice some improved performance and I also noticed that I was getting prompted by IE for security prompts which I did not used to get. Also, after ComboFix ran it rebooted my machine and things were very responsive. Well, I have not rebooted my machine since yesterday and once again things are pretty much crawling.

Now this may or may not be virus related. As I said in my original post I was presuming it was related, but I am not getting redirected, nor do I get popups or any of that stuff. I have no idea what the ComboFix log info has in it, but I did notice some mp3tubetoolbar stuff in the supplementary scan and that seems bad to me. I don't know if all those processes it identified were good or bad either. Perhaps there are just too many reg loading points or processes that run, so if I reduce them that may help. I guess in summary if you don't see any signs of infection, please let me know what I should do (like perhaps post the thread or move the thread to a more appropriate forum where I can debug the poor performance overall). I am not sure what to do...

Thanks for your help!!!

******************************************************
Bootcheck

CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
****************************************************

SystemLook

SystemLook 30.07.11 by jpshortstuff
Log created at 23:38 on 20/10/2011 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "itlnfw32.dll"
No files found.

-= EOF =-
__________________
vewdodude is offline  
Old 10-22-2011, 03:37 AM   #7
Security Team
Trainee IV
 
Nistlerooy's Avatar
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE


Hi vewdodude

I had to make an unexpected trip out of town and am away from my computer. I will try to reply to you tonight (Saturday), assuming I'm back. I just didn't want to keep you waiting. Thanks.

-Taylor
__________________



Nistlerooy is offline  
Old 10-22-2011, 10:08 AM   #8
Registered Member
 
Join Date: Dec 2004
Posts: 108
OS: NT



Hi Taylor

Thanks for letting me know. I will look forward to your response as my computer is bumming me out.
__________________
vewdodude is offline  
Old 10-23-2011, 01:54 AM   #9
Security Team
Trainee IV
 
Nistlerooy's Avatar
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hello vewdodude. Thanks for being patient with me.

ComboFix looks to have taken out the infection which was on your machine. In the beginning, I didn't believe your problems to be Malware related and as such I believe the symptoms you are still seeing are not related to any infection. However, I certainly want to be thorough, so we'll do the following:

I see that you have MBAM installed.
  • Launch Malwarebytes' Anti-Malware
  • Under the Update tab, click Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here to run an online scanner from ESET and Save the file to your Desktop.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Scan
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.

Let me know if you have any problems or questions.

-Taylor
__________________



Nistlerooy is offline  
Old 10-23-2011, 01:23 PM   #10
Registered Member
 
Join Date: Dec 2004
Posts: 108
OS: NT



Hi Taylor

Yeah, I think the computer running so slow is due to a variety of other reasons. Other symptoms, for instance, are that when I power up it takes about 3 minutes before I get connected to my network (I have a wireless connection), and even starting applications like Acrobat or Quickbooks or Quicken is a process that takes a minute or so. Same with exiting out of the applications.

Anyways here are the logs you requested:

10/23/2011 7:27:33 AM
mbam-log-2011-10-23 (07-27-32).txt

Scan type: Quick scan
Objects scanned: 203970
Time elapsed: 30 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

***************************************
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=5523d7c8a3b4e640ba079b1448ed8061
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-23 06:48:45
# local_time=2011-10-23 11:48:45 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 66772966 66772966 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=130495
# found=10
# cleaned=0
# scan_time=14241
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\4\436f3604-1b323bd3 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\OpenCandy\OpenCandy_80075A4CAA174D0F856BBC9A9B9A5DE9\DLMgr_3_1.6.87.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\16\2cc4dd90-512b43bd a variant of Java/TrojanDownloader.Agent.NAC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\17\2052f711-1e384924 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\385aed14-6c453546 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\24\3e065f58-68de7f2b a variant of Java/Exploit.CVE-2009-2843.B trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\43\5a294c2b-1b8b760a multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\8\41ce8748-1b8c7229 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Perfect Uninstaller\PU.exe a variant of Win32/PerfectUninstaller application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\vShare\imedix-silent.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
__________________
vewdodude is offline  
Old 10-23-2011, 09:42 PM   #11
Security Team
Trainee IV
 
Nistlerooy's Avatar
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hi again.

Yes, what you're describing simply sounds like system issues. Performance may also be hindered if you have a lot of items loading at startup and running in the background.

Here is a way to fix your issue with your "Send To" option being blank when you right-click something: Shortcuts in the "Send To" folder not appearing in the menu?

In regards to the ESET results, the first several hits are threats in the Java cache. We will clear those out in this round in just a moment.

Open Candy is up to you whether you'd like to delete it or not. It's basically a gateway for advertisements. You can read more about the program from the Open Candy website: Adware Faqs | OpenCandy

Perfect Uninstaller has been shown to give some advertising. If you're looking for a reliable third-party uninstaller, I use Revo Uninstaller. They have both a free and a paid version: Download Revo Uninstaller Freeware - Free and Full Download - Uninstall software, remove programs, solve uninstall problems. I would recommend uninstalling PU via Start > Control Panel > Add/Remove programs.

The last one doesn't appear to be installed on your machine, though the file is present. Zugo is also associated with annoying advertisements. It is your choice, but I would navigate to C:\Program Files\vShare\ and delete the file imedix-silent.exe.

You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
ClearJavaCache::
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

ComboFix may request an update; please allow it.
Do not mouse-click Combofix's window while it is running. This may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Once ComboFix has finished and produced a log, ensure your Anti-Virus and Anti-Spyware applications have been re-enabled.

Please ensure Java is up to date by going to java.com: Java + You and downloading the latest file by clicking on the red "Free Java Download" button.

Let me know if you have any questions or problems.

-Taylor
__________________



Nistlerooy is offline  
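The ESET findings above, triaged the way the reply does by hand (Java cache entries, adware "application" hits under the profile, a leftover file under Program Files): an added Python example, not a tool from this thread. It assumes the log layout ESET Online Scanner writes to log.txt as shown in the post (a "# key=value" header, then one finding per line ending in "(status) <hash> <flag>"); the rule for where the file name ends and the detection name begins is a heuristic of my own, and the sample log is constructed from three of the posted lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout ESET Online Scanner writes to log.txt: a
# "# key=value" header, then one finding per line. The three finding lines
# are copied from the log posted in this thread.
SAMPLE_LOG = """\
# end=finished
# remove_checked=false
# scanned=130495
# found=3
# cleaned=0
C:\\Documents and Settings\\Owner\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\16\\2cc4dd90-512b43bd a variant of Java/TrojanDownloader.Agent.NAC trojan (unable to clean) 00000000000000000000000000000000 I
C:\\Documents and Settings\\Owner\\Application Data\\OpenCandy\\OpenCandy_80075A4CAA174D0F856BBC9A9B9A5DE9\\DLMgr_3_1.6.87.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\\Program Files\\vShare\\imedix-silent.exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
"""

# Every finding line ends in "(status) <32 hex digits> <flag>".
_TAIL = re.compile(r"^(?P<body>.+) \((?P<status>[^()]+)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$")
# Assumed heuristic for where the file name ends and the detection name starts:
# ESET names open with one of these words or carry a "Win32/"-style prefix.
_NAME_STARTS = {"multiple", "a", "probably"}


@dataclass
class Finding:
    path: str
    detection: str
    status: str
    location: str  # java-cache / user-appdata / program-files / other
    severity: str  # malware / pua


def _split_path(body: str):
    # Split '<path containing spaces> <detection name>' at the last backslash.
    head, sep, rest = body.rpartition("\\")
    if not sep:
        return body, ""
    tokens = rest.split(" ")
    cut = len(tokens)
    for i, tok in enumerate(tokens):
        if i > 0 and (tok in _NAME_STARTS or "/" in tok):
            cut = i
            break
    return head + "\\" + " ".join(tokens[:cut]), " ".join(tokens[cut:])


def classify_location(path: str) -> str:
    # Java cache hits go away by emptying the cache (ClearJavaCache:: in the
    # thread); Program Files hits point at an installed or leftover product.
    low = path.lower()
    if "\\sun\\java\\deployment\\cache\\" in low:
        return "java-cache"
    if "\\program files\\" in low:
        return "program-files"
    if "\\application data\\" in low:
        return "user-appdata"
    return "other"


def classify_severity(detection: str) -> str:
    # ESET tags adware and toolbars "... application"; trojans, exploits and
    # "multiple threats" are treated as real malware.
    return "pua" if detection.endswith(" application") else "malware"


def parse_finding(line: str) -> Optional[Finding]:
    """Return a Finding, or None for installer chatter that is not a finding."""
    m = _TAIL.match(line)
    if not m:
        return None
    path, detection = _split_path(m.group("body"))
    return Finding(path, detection, m.group("status"),
                   classify_location(path), classify_severity(detection))


def triage(log_text: str) -> Dict[str, object]:
    """Parse a log and summarise what still needs attention."""
    header: Dict[str, str] = {}
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key] = value
        elif line:
            f = parse_finding(line)
            if f is not None:
                findings.append(f)
    by_location: Dict[str, int] = {}
    for f in findings:
        by_location[f.location] = by_location.get(f.location, 0) + 1
    return {
        "header": header,
        "findings": findings,
        "by_location": by_location,
        "count_matches_header": header.get("found") == str(len(findings)),
        # remove_checked=false: report-only scan, so every hit is still on disk.
        "report_only": header.get("remove_checked") == "false" and header.get("cleaned") == "0",
    }
```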
Old 10-24-2011, 12:25 PM   #12
Registered Member
 
Join Date: Dec 2004
Posts: 108
OS: NT



Hi Taylor

Please see my responses to you indicated by ***.

"Open Candy is up to you whether you'd like to delete it or not. It's basically a gateway for advertisements. You can read more about the program from the Open Candy website: Adware Faqs | OpenCandy"

*** So I followed the link and it said I could remove OpenCandy with my favorite antivirus software. However, when I ran MBAM it didn't see OpenCandy. I googled "remove OpenCandy" and it had some methods which included going into the registry with Regedit, but when I did that I didn't find any Adware OpenCandy keys in the locations it recommended. I would like to remove Adware OpenCandy but am not sure how. Any other anti-virus or stuff you would recommend?

"Perfect Uninstaller has been shown to give some advertising. If you're looking for a reliable third-party uninstaller, I use Revo Uninstaller. They have both a free and a paid version: Download Revo Uninstaller Freeware - Free and Full Download - Uninstall software, remove programs, solve uninstall problems I would recommend uninstalling PU via Start > Control Panel > Add/Remove programs"

***I went to my control panel to uninstall Perfect Uninstaller and it kind of did it. What I mean by that is that it found it and uninstalled it, but a window came up and said that some parts of it could not be uninstalled. However, now when I go to the control panel and do an add/remove programs I don't see Perfect Uninstaller anymore. I then went and downloaded the Revo freeware and loaded it up. It did not show Perfect Uninstaller on the list of installed stuff. I did remove a few programs I no longer need with Revo.

"The last one doesn't appear to be installed on your machine, though the file is present. Zugo is also associated with annoying advertisements. It is your choice, but I would navigate to C:\Program Files\vShare\ and delete the file imedix-silent.exe"

*** I went and deleted the entire Vshare directory and all of its contents. I also used Revo to uninstall Vshare.


***I also went and uploaded Java to make sure I have the latest per your recommendations.

***I followed your instructions to create a script, load it into ComboFix and reran ComboFix. The results are below. I did have a few questions regarding the ComboFix log. There seems to be A LOT of stuff there that I don't really know what it is for, and I am wondering if that stuff is contributing to what I think are a lot of unnecessary processes running on my machine. Originally I started to cut and paste the ones that I don't think I need, but that is probably beyond the scope of virus stuff and I probably need to be on another thread for that.

Anyways, here is the ComboFix log!

ComboFix 11-10-24.02 - Owner 10/24/2011 10:24:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.554 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\My Documents\~WRL0004.tmp
c:\documents and settings\Owner\My Documents\~WRL0054.tmp
c:\documents and settings\Owner\My Documents\~WRL0061.tmp
c:\documents and settings\Owner\My Documents\~WRL0232.tmp
c:\documents and settings\Owner\My Documents\~WRL0301.tmp
c:\documents and settings\Owner\My Documents\~WRL0562.tmp
c:\documents and settings\Owner\My Documents\~WRL0661.tmp
c:\documents and settings\Owner\My Documents\~WRL0772.tmp
c:\documents and settings\Owner\My Documents\~WRL0821.tmp
c:\documents and settings\Owner\My Documents\~WRL1182.tmp
c:\documents and settings\Owner\My Documents\~WRL1210.tmp
c:\documents and settings\Owner\My Documents\~WRL1310.tmp
c:\documents and settings\Owner\My Documents\~WRL1349.tmp
c:\documents and settings\Owner\My Documents\~WRL1415.tmp
c:\documents and settings\Owner\My Documents\~WRL1446.tmp
c:\documents and settings\Owner\My Documents\~WRL1673.tmp
c:\documents and settings\Owner\My Documents\~WRL1714.tmp
c:\documents and settings\Owner\My Documents\~WRL1923.tmp
c:\documents and settings\Owner\My Documents\~WRL1949.tmp
c:\documents and settings\Owner\My Documents\~WRL1955.tmp
c:\documents and settings\Owner\My Documents\~WRL2155.tmp
c:\documents and settings\Owner\My Documents\~WRL2279.tmp
c:\documents and settings\Owner\My Documents\~WRL2426.tmp
c:\documents and settings\Owner\My Documents\~WRL2645.tmp
c:\documents and settings\Owner\My Documents\~WRL2932.tmp
c:\documents and settings\Owner\My Documents\~WRL3178.tmp
c:\documents and settings\Owner\My Documents\~WRL3199.tmp
c:\documents and settings\Owner\My Documents\~WRL3355.tmp
c:\documents and settings\Owner\My Documents\~WRL3463.tmp
c:\documents and settings\Owner\My Documents\~WRL3601.tmp
c:\windows\help\tours\htmltour\unlock_playing.htm
.
.
((((((((((((((((((((((((( Files Created from 2011-09-24 to 2011-10-24 )))))))))))))))))))))))))))))))
.
.
2011-10-24 16:55 . 2011-10-24 16:55 -------- d-----w- c:\program files\VS Revo Group
2011-10-23 14:36 . 2011-10-23 14:36 -------- d-----w- c:\windows\LastGood
2011-10-23 14:36 . 2011-10-23 14:36 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 00:00 . 2011-07-15 02:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-20_04.56.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-23 13:46 . 2011-10-23 13:46 16384 c:\windows\Temp\Perflib_Perfdata_290.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-04-25 253952]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-9-9 155648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 23:50 90112 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SentriLockCardUtility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SentriLockCardUtility.lnk
backup=c:\windows\pss\SentriLockCardUtility.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 04:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-03-24 05:40 196608 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 05:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-23 00:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2009-12-22 13:47 1092872 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2006-12-03 23:29 49168 ----a-w- c:\program files\Protector Suite QL\launcher.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"d:\\setup\\HPZNUI01.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
.
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [9/4/2007 1:14 AM 6528]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/14/2011 7:16 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/14/2011 7:16 PM 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2010 9:54 AM 136176]
S2 mrtRate;mrtRate; [x]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2010 9:54 AM 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/24/2011 2:18 PM 16968]
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\drivers\SCR3XX2K.sys [9/11/2009 9:04 AM 47488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 16:54]
.
2011-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 16:54]
.
2011-10-23 c:\windows\Tasks\User_Feed_Synchronization-{551A2DD5-4654-47EA-BB4E-7BBBBF60E777}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: sandicor.com
TCP: DhcpNameServer = 68.113.206.10 24.217.0.5 24.217.201.67
TCP: Interfaces\{98E600D0-EABD-429E-8A10-32A590C1EE40}: NameServer = 68.105.28.11
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=03757f1e64c52f1288659fdcd7f863b0&url=http%3A%2F%2Fd.64.69.14.182.downloads.estara.com.%2Fas%2FOneCCDM.php&template=489683&sessionid=1526952215_64.69.14.182_37748&=&req=1281671455765OneCC.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://download.pplive.com/config/pplite/pluginsetup.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dv0n53qx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Web Search...
FF - prefs.js: browser.startup.homepage - hxxp://mp3tubetoolbar.com/?tmp=toolbar_Mp3Tube_homepage&prt=pinballtbfour04ff&clid=28cb2314b29f4746825c7ef75eced0d4&subid=
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.enabled - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-10-24 10:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-10-24 10:48:12
ComboFix-quarantined-files.txt 2011-10-24 17:48
ComboFix2.txt 2011-10-20 05:09
.
Pre-Run: 48,372,203,520 bytes free
Post-Run: 49,127,043,072 bytes free
.
- - End Of File - - EE2B874F869D063946B5CECC7F43DEFA
Old 10-25-2011, 01:18 PM   #13
Security Team
Trainee IV
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hello again vewdodude.

Did the Right-click > Send To problem get resolved?

In regards to the OpenCandy file, I'll give instructions below for ComboFix to handle it for you.

For Perfect Uninstaller, the parts it's referring to may have to do with registry entries. We'll run another scan this round and see what, if anything, remains.

If you're still seeing performance problems and you believe it may be due to running processes, what I would recommend to "trim the fat" is go through your Add/Remove programs list and take out the things you don't feel you need using Revo. Lots of things can slow the machine down, everything from programs you have on startup to Internet toolbars to background programs. Just be sure to exercise extreme caution in trying to manually enhance the performance of the machine. The fact of the matter is that programs today rely on the resources of today's technology. If our system specs are at or near the minimums suggested, performance will lack greatly.

I am seeing that you have a lot of programs starting as soon as your machine boots up which are constantly running in the background. You'll find a list of these under Start > All Programs > Startup. You may want to start there. Removing any program from that list will mean that you would have to start it manually and it wouldn't be running constantly in the background.

You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Folder::
C:\Documents and Settings\Owner\Application Data\OpenCandy
Save this as CFScript.txt, in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

ComboFix may request an update; please allow it.
Do not mouse-click Combofix's window while it is running. This may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Once ComboFix has finished and produced a log, ensure your Anti-Virus and Anti-Spyware applications have been re-enabled.

Let me know if you have any questions or problems.

-Taylor
__________________
If I am helping you with a Virus/Malware fix and have not responded within 36 hours, please PM me.
NOTE: I do not offer help of any kind via Private Messages. Please post your questions in the appropriate forum.
Old 10-25-2011, 08:14 PM   #14
Registered Member
 
Join Date: Dec 2004
Posts: 108
OS: NT



Hi Taylor

Okay, thanks for reminding me about the empty Send To... I followed the link and downloaded the fixsendto.vbs script. The problem is that I do not know how to execute the script in XP. When I double click on the script, I simply get prompted by XP asking if I want to open the script.

So my dumb question is, how do I run a VBS script in XP?

Also, this may or may not be pertinent (I hope I don't screw this up): I have inserted a screen cap of the empty Send To pulldown:



**************

Also I went to Start > All Programs > Startup as you recommended but I did not see any processes or programs under that pulldown. The only thing there is RAMASST. That confuses me big time because I know upon startup a lot of crap gets executed. I have enclosed a screencap, I hope correctly...

Startup-Screen-Cap.jpg picture by vewdodude - Photobucket

So yes, I agree with you about needing to prune a bunch of startup processes, but I don't know how or where to find them. Sorry for being lame.

**********

So yes, I am still having pretty cruddy performance and I do think it is due to a multitude of processes. I went on a trim-the-fat expedition based on your advice and I thought I removed a lot of programs, but after looking at the ComboFix scan I am not so sure. For instance, I used to have a program called Sentrilock for some real estate work I did. I removed that program via Add/Remove Programs in the Control Panel. Yet on the latest ComboFix scan I see

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SentriLockCardUtility.lnk]
backup=c:\windows\pss\SentriLockCardUtility.lnkCommon Startup

so I don't understand why I would still see that.

Also, I used to have an HP all-in-one 3300 printer/scanner/fax. It died on me a year ago and I tossed it, but I had all the software still on my computer and it seems like there are a ton of processes due to that. I do have a little HP OfficeJet printer now (which totally sucks, by the way) but I use it to scan docs into PDF files a lot. So I am pretty sure I got rid of all the old 3300 stuff, but again on the ComboFix scan I see a ton of HP stuff. I wish I knew what I could get rid of and what I must keep to retain basic printing and scanning capability. Don't need to fax. Don't need any of that HP customer support or store or any of that crap.

I also see a few other things in the scans I don't understand:

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
backup=c:\windows\pss\Billminder.lnkCommon Startup
.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2006-12-03 23:29 49168 ----a-w- c:\program files\Protector Suite QL\launcher.exe
.

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2010 9:54 AM 136176]
S2 mrtRate;mrtRate; [x]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2010 9:54 AM 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/24/2011 2:18 PM 16968]

Contents of the 'Scheduled Tasks' folder
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 16:54]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 16:54]
.

and then these as well

------- Supplementary Scan -------
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=03757f1e64c52f1288659fdcd7f863b0&url=http%3A%2F%2Fd.64.69.14.182.downloads.estara.com.%2Fas%2FOneCCDM.php&template=489683&sessionid=1526952215_64.69.14.182_37748&=&req=1281671455765OneCC.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://download.pplive.com/config/pplite/pluginsetup.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dv0n53qx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Web Search...
FF - prefs.js: browser.startup.homepage - hxxp://mp3tubetoolbar.com/?tmp=toolbar_Mp3Tube_homepage&prt=pinballtbfour04ff&clid=28cb2314b29f4746825c7ef75eced0d4&subid=
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.enabled - 1
.


Anyways, I know that a lot of that stuff is beyond the scope of malware, so if you tell me that it is something that you cannot help with I completely understand. I have posted the full ComboFix log below. My computer still runs like a turd, but I think it is a little less turdy from your help and from the trimming you recommended that I do.

Finally I just wanted to thank you for all of your time and patience in working with me. I really appreciate it.

************
ComboFix 11-10-25.04 - Owner 10/25/2011 15:47:27.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.422 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\OpenCandy
c:\documents and settings\Owner\Application Data\OpenCandy\OpenCandy_80075A4CAA174D0F856BBC9A9B9A5DE9\DLMgr_3_1.6.87.exe
c:\windows\system32\spool\prtprocs\w32x86\hpzpp054(2).dll
c:\windows\system32\spool\prtprocs\w32x86\hpzpp054(3).dll
c:\windows\system32\spool\prtprocs\w32x86\hpzpp054(4).dll
c:\windows\system32\spool\prtprocs\w32x86\hpzpp054(5).dll
c:\windows\system32\spool\prtprocs\w32x86\hpzpp054(6).dll
.
.
((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))
.
.
2011-10-24 17:58 . 2011-10-24 17:58 -------- d-----w- c:\program files\Common Files\Java
2011-10-24 16:55 . 2011-10-24 16:55 -------- d-----w- c:\program files\VS Revo Group
2011-10-23 14:36 . 2011-10-23 14:36 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-03 12:06 . 2011-04-24 22:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 09:37 . 2009-10-12 22:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 00:00 . 2011-07-15 02:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DoubleMySpeed Registry Cleaner"="c:\program files\CyberDefender\Registry Scanner\CDregclean.exe" [2011-01-05 7530088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-04-25 253952]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe" [2010-04-27 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-9-9 155648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 23:50 90112 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
backup=c:\windows\pss\Billminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SentriLockCardUtility.lnk]
backup=c:\windows\pss\SentriLockCardUtility.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 04:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-03-24 05:40 196608 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 05:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-23 00:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2009-12-22 13:47 1092872 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2006-12-03 23:29 49168 ----a-w- c:\program files\Protector Suite QL\launcher.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\setup\\HPZNUI01.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
.
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [9/4/2007 1:14 AM 6528]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/14/2011 7:16 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/14/2011 7:16 PM 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2010 9:54 AM 136176]
S2 mrtRate;mrtRate; [x]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2010 9:54 AM 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [4/24/2011 2:18 PM 16968]
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\drivers\SCR3XX2K.sys [9/11/2009 9:04 AM 47488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 16:54]
.
2011-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 16:54]
.
2011-10-24 c:\windows\Tasks\User_Feed_Synchronization-{551A2DD5-4654-47EA-BB4E-7BBBBF60E777}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: sandicor.com
TCP: DhcpNameServer = 68.113.206.10 24.217.0.5 24.217.201.67
TCP: Interfaces\{98E600D0-EABD-429E-8A10-32A590C1EE40}: NameServer = 68.105.28.11
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=03757f1e64c52f1288659fdcd7f863b0&url=http%3A%2F%2Fd.64.69.14.182.downloads.estara.com.%2Fas%2FOneCCDM.php&template=489683&sessionid=1526952215_64.69.14.182_37748&=&req=1281671455765OneCC.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://download.pplive.com/config/pplite/pluginsetup.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dv0n53qx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Web Search...
FF - prefs.js: browser.startup.homepage - hxxp://mp3tubetoolbar.com/?tmp=toolbar_Mp3Tube_homepage&prt=pinballtbfour04ff&clid=28cb2314b29f4746825c7ef75eced0d4&subid=
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.enabled - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-10-25 16:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
.
Completion time: 2011-10-25 16:11:21
ComboFix-quarantined-files.txt 2011-10-25 23:11
ComboFix2.txt 2011-10-24 17:48
ComboFix3.txt 2011-10-20 05:09
.
Pre-Run: 48,942,088,192 bytes free
Post-Run: 49,464,532,992 bytes free
.
- - End Of File - - B6F29B86846EBF5B4CEFDDBBADB3D906
Old 10-25-2011, 08:15 PM   #15
Registered Member
 
Join Date: Dec 2004
Posts: 108
OS: NT



Darn, I guess I didn't insert the first screencap correctly. Here is the Send To screencap link.

Send-To-Screen-Cap.jpg picture by vewdodude - Photobucket
Old 10-27-2011, 07:47 AM   #16
Security Team
Trainee IV
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE


Hi vewdodude.

To run your VBS script do this: ensure the VBS script is on your desktop. Go to Start > Run and in the Open field type or copy/paste the following:
Quote:
cscript fixsendto.vbs
That should do the trick.

--------------------------------------------------------

Quote:
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SentriLockCardUtility.lnk]
backup=c:\windows\pss\SentriLockCardUtility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
backup=c:\windows\pss\Billminder.lnkCommon Startup
I think I may know why you're not seeing these. When you go look at the Start menu from your desktop, you're looking at the one for your user account. Windows XP has two different types of "areas" it can keep things in: Global (viewable to all users) and local (only the account you're logged into). You're looking at the local. Even if you're the only username registered on the machine, there's always (usually) an admin account. Therefore, if you delete the files out of your account's startup menu, they may exist in the global one. Here's how to find them.

Right click on Start and at the bottom of the menu select Explore All Users

A Windows Explorer window should pop up to the path C:\Documents and Settings\All Users\Start Menu. Open the folder Programs and then Startup. My hunch is that you'll find the links listed there and you can simply delete the shortcuts out of that folder.

In regards to the other parts that you've copied and pasted, as I said earlier we don't want to go manually poking holes. What I use on my machine to control what starts up and what doesn't is Windows Defender. WD is an Anti-Spyware program, but here's how it can be used for this feature:
  • Download Microsoft Windows Defender from here.

  • Install the program, then start it.

  • From the main screen, at the top click on Tools

  • Click on Software Explorer

  • Under Category select Startup Programs

  • On the left you will see a list of things that start when you boot your machine normally to Windows. When you highlight something, on the right you will see detailed information about it. In the bottom right corner you will see three buttons. When you find a program you don't want to start on startup, highlight it and click Disable. A window will popup asking if you are sure you want to disable it.

  • Again, I would use great caution in disabling things on startup. Just take care not to disable things such as graphics software or other drivers that may cause problems with hardware on your machine.

With your HP printer, you mentioned that you have uninstalled the software, but did you uninstall the printer? Go to Start > Printers and Faxes (also may be found under Start > Settings). Find the printer you no longer need, then right click on it and select "Delete".

Once the printer is no longer listed, you can uninstall the drivers by going to File > Server Properties. Then click on the Drivers tab. Select the old printer and click Remove. It will ask you if you are sure you want to do that. If you get an error saying that the device is in use, that means it's still listed in your printers and you haven't yet deleted it.

Also, please go to http://www.eset.com/onlinescan/ and run another online scan as you did before, remembering to copy/paste the results here again.

Let me know how all that goes, or if you have any questions or problems.

-Taylor
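Several of the startup entries ComboFix lists above carry `backup=c:\windows\pss\...` paths; those sit under the msconfig keys rather than in a Startup folder, which is why a Startup folder can show only RAMASST while the log shows more. As an added example that is not part of this thread, a read-only PowerShell script (assumes PowerShell 2.0 or later on the machine being inspected) that lists the Run keys, both Startup folders and the msconfig `startupreg`/`startupfolder` keys side by side, so entries in a scan log can be matched to where they actually live:

```powershell
# Added example, not from the thread: inventory the autostart locations that a
# ComboFix "Reg Loading Points" section reports. Read-only; nothing is modified.
# Assumes PowerShell 2.0 or later; the registry paths are standard Windows ones.

function Get-RunKeyEntries {
    # Per-machine and per-user Run keys: everything here launches at logon.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                State   = 'enabled'
                Source  = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

function Get-StartupFolderEntries {
    # The per-user Startup folder and the All Users (CommonStartup) folder that
    # "Right click Start > Explore All Users" opens. Both resolve on XP and later.
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Filter *.lnk | ForEach-Object {
            New-Object PSObject -Property @{
                State   = 'enabled'
                Source  = $folder
                Name    = $_.Name
                Command = $_.FullName
            }
        }
    }
}

function Get-MsconfigDisabledEntries {
    # Items unticked on msconfig's Startup tab are removed from the live Run keys
    # and Startup folders and recorded here instead; disabled shortcuts are moved
    # to %windir%\pss (the "backup=" paths in the log). They are inert, but they
    # still appear in scan logs and are what a reader may fail to find elsewhere.
    $base = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig'
    $regKey = Join-Path $base 'startupreg'
    if (Test-Path $regKey) {
        Get-ChildItem $regKey | ForEach-Object {
            New-Object PSObject -Property @{
                State   = 'disabled (msconfig)'
                Source  = 'msconfig\startupreg'
                Name    = $_.PSChildName
                Command = $_.GetValue('command')
            }
        }
    }
    $folderKey = Join-Path $base 'startupfolder'
    if (Test-Path $folderKey) {
        Get-ChildItem $folderKey | ForEach-Object {
            New-Object PSObject -Property @{
                State   = 'disabled (msconfig)'
                Source  = 'msconfig\startupfolder'
                Name    = $_.PSChildName
                Command = $_.GetValue('backup')
            }
        }
    }
}

function Get-AutostartInventory {
    # Combine all three views so enabled and msconfig-disabled items are
    # distinguishable at a glance.
    @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-MsconfigDisabledEntries) |
        Sort-Object State, Source, Name
}

Get-AutostartInventory | Format-Table State, Name, Command -AutoSize
```

Entries shown as "disabled (msconfig)" are not running; removing the program they belong to through Add/Remove Programs does not always clear these leftover records.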
Old 10-27-2011, 06:44 PM   #17
Registered Member
 
Join Date: Dec 2004
Posts: 108
OS: NT



Hi Taylor

Okay so here is the latest:

Ran the vbs script at the command prompt per your instructions. No change, the Send To field is still empty. I went back to the link where you directed me to go to get the vbs script. It seems like that solution is for restoring manual links that used to be in the Send To pulldown. I kind of figured that Send To had several defaults (My Documents for instance) and as you saw from my screenshot even the defaults were not in there. It was totally empty. When the script ran it ran super quickly but as I said, no change.

************

I followed your instructions to go to the all users but there was nothing there. Only the RAMASST was in that directory. I did a screen shot and it is included here:

http://s225.photobucket.com/albums/dd118/vewdodude/?action=view&current=StartMenu.jpg

So needless to say I am at a loss as to how to find out what all these processes are and how I can see them.

*****************

I went and downloaded Windows Defender per your recommendation. Defender also only confirmed 1 program at startup which was the RAMASST. I am too lazy to send a screen shot.

On a side note I like Windows Defender, it is pretty neat. I looked at what other software was currently running. One program is called Bonjour from Apple. I have no clue what this program is and am very tempted to delete it but wanted to run it by you first.

Also at the currently running software there were at least 10 Microsoft Generic Host Processes. I didn't mess with anything but was curious.

*******************

Here is my ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=5523d7c8a3b4e640ba079b1448ed8061
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-27 07:07:52
# local_time=2011-10-27 12:07:52 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 67132475 67132475 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=30691
# found=1
# cleaned=0
# scan_time=1477
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\4\436f3604-1b323bd3 multiple threats (unable to clean) 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=5523d7c8a3b4e640ba079b1448ed8061
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-27 10:42:06
# local_time=2011-10-27 03:42:06 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 67134135 67134135 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=129148
# found=3
# cleaned=0
# scan_time=12666
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\4\436f3604-1b323bd3 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\OpenCandy\OpenCandy_80075A4CAA174D0F856BBC9A9B9A5DE9\DLMgr_3_1.6.87.exe.vir Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{8FCD261E-E7FB-44B0-A336-F9ACF755D10F}\RP12591\A0115684.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
__________________
vewdodude is offline  
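The ESET log above is two runs appended to one file: the first stopped early (# end=stopped) and the second finished, which is why the same Java-cache entry appears twice, and remove_checked=false records that the scanner was run in report-only mode, so nothing was cleaned. As an added example (not ESET's code and not part of the original post), here is a Python parser for that log format that splits it into runs, extracts each detection line and sorts the hits by where they sit: a quarantine folder (Qoobox is ComboFix's), a System Restore snapshot, the Java deployment cache, or anywhere else. The sample log is a trimmed, constructed copy of the thread's format; the category names and the "no backslash in a threat name" rule used to split path from threat are this example's own assumptions.

```python
"""Parse an ESET Online Scanner log of the kind pasted above and triage the hits."""
import re
from collections import Counter
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^# ([^=]+)=(.*)$")
# One detection per line: <path> <threat> (<action>) <32-hex hash> <flag>.
# Threat names never contain a backslash, so the lazy path group stops at the
# first space after the last path separator.  Limitation (assumed format): a
# file name that itself contains a space would be split one word early.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<threat>[^\\]+?) "
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)

# Constructed sample in the thread's format (trimmed; not the poster's full log).
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=stopped
# remove_checked=false
# scanned=30691
# found=1
# cleaned=0
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\4\436f3604-1b323bd3 multiple threats (unable to clean) 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# remove_checked=false
# local_time=2011-10-27 03:42:06 (-0800, Pacific Daylight Time)
# scanned=129148
# found=3
# cleaned=0
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\4\436f3604-1b323bd3 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\OpenCandy\OpenCandy_80075A4CAA174D0F856BBC9A9B9A5DE9\DLMgr_3_1.6.87.exe.vir Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{8FCD261E-E7FB-44B0-A336-F9ACF755D10F}\RP12591\A0115684.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
"""


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    category: str


@dataclass
class ScanRun:
    header: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def classify(path):
    """Where the hit lives decides how urgent it is (category names are this example's)."""
    p = path.lower()
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"   # copy inside a System Restore snapshot, not a running file
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # already quarantined by ComboFix (Qoobox folder)
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"      # cached Java applet/JNLP content
    return "live"


def parse_log(text):
    """Split the log into runs; each '# version=' header starts a new run."""
    runs, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "version" or current is None:
                current = ScanRun()
                runs.append(current)
            current.header[key] = value   # repeated keys keep the last value
            continue
        m = DETECTION_RE.match(line)
        if m and current is not None:
            current.detections.append(
                Detection(m["path"], m["threat"], m["action"], classify(m["path"])))
    return runs


def triage(text):
    """Deduplicate detections across runs and summarise what still needs action."""
    runs = parse_log(text)
    seen = {}
    for run in runs:
        for d in run.detections:
            seen.setdefault((d.path, d.threat), d)
    return {
        "runs": len(runs),
        "incomplete_runs": sum(1 for r in runs if r.header.get("end") != "finished"),
        "reported_found": sum(int(r.header.get("found", 0)) for r in runs),
        "unique": len(seen),
        "by_category": dict(Counter(d.category for d in seen.values())),
        "needs_attention": [d.path for d in seen.values() if d.category == "live"],
        "unresolved": [d.path for d in seen.values() if d.action != "cleaned"],
        "remove_enabled": bool(runs) and runs[-1].header.get("remove_checked") == "true",
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Running `triage()` on a real log pasted into a file gives the same summary; a non-empty `needs_attention` list is the set of hits outside quarantine, restore points and the Java cache, which is where a removal helper would look first.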
Old 10-29-2011, 01:14 PM   #18
Security Team
Trainee IV
 
Nistlerooy's Avatar
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



We'd like to get a handle on the Sendto folder problem first, then we'll tackle the startup stuff.

Go to Start > Run and type in msconfig then click OK. This will open the System Config Utility.

***NOTE: This utility should only be used as directed and should never be used to "tweak" a system! This is a powerful utility used to diagnose problems and can render a machine inoperable very easily. Please be sure to follow my instructions carefully.

Click on the Services tab and in the bottom right click on Enable All

Next, click on the Startup tab and in the bottom right click on Enable All

Click OK. It will ask you if you want to restart your machine, allow it to do so. When Windows boots back up, you will get a warning window. Click ok to close it.

-------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:
Quote:
@echo off
rem Export the two Explorer policy keys and the per-file context-menu
rem handlers (where the Send To entry is registered) to three .reg files.
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" rp.txt
reg export "HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers" rp2.txt
reg export "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" rp3.txt
rem Join the three exports into one report, separated by dashed lines.
type rp.txt > regpeek.txt
echo. >> regpeek.txt
echo ------------------------------- >>regpeek.txt
echo. >> regpeek.txt
type rp2.txt >> regpeek.txt
echo. >> regpeek.txt
echo ------------------------------- >>regpeek.txt
echo. >> regpeek.txt
type rp3.txt >> regpeek.txt
rem Remove the temporary exports, show the report in Notepad, then delete
rem the report and this batch file itself once Notepad is closed.
del /q rp.txt rp2.txt rp3.txt
notepad regpeek.txt
del /q regpeek.txt
del %0
Go File > Save As and below where you type the file name, change Save as type: from "Text Documents (*.txt)" to All files
Save this as rpbatch.bat
It should look like this:
On your desktop, double click on rpbatch.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.
Note: Once you close the text file it will delete itself and rpbatch.bat

-------------------------------------------

Open Start > Run and type the following, then click OK:
Quote:
SendTo >
A window should pop up, what do you see in there?

-------------------------------------------

Navigate to C:\ and you should see a file named Add-Remove Programs.txt Please attach that file in your next reply.

-Taylor
__________________
If I am helping you with a Virus/Malware fix and have not responded within 36 hours, please PM me.
NOTE: I do not offer help of any kind via Private Messages. Please post your questions in the appropriate forum.



Nistlerooy is offline  
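The rpbatch.bat in the post above joins three `reg export` dumps into regpeek.txt so the helper can read the Explorer policies and the context-menu handlers by eye. As an added example (not the helper's tool and not part of the original post), here is a Python parser for that REGEDIT5 text that tolerates the dashed separators and repeated headers, decodes string, dword and multi-line hex values, flags nonzero shell-restriction policies, reads the NoDriveTypeAutoRun mask, and reports whether the standard Send To handler CLSID ({7BA4C740-9E81-11CF-99D3-00AA004AE837}) is still registered under AllFilesystemObjects. The sample regpeek.txt is constructed for illustration, not the poster's registry; the list of policy names treated as "restrictive" is this example's own choice.

```python
"""Parse the REGEDIT5-style text that rpbatch.bat writes to regpeek.txt and
audit it for shell restrictions and the Send To context-menu handler."""
import re

KEY_RE = re.compile(r"^\[-?(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:(?P<default>@)|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<raw>.*)$')

# Explorer policy values that hide or disable parts of the shell when nonzero
# (selection is this example's; all are real Policies\Explorer value names).
RESTRICTIVE_POLICIES = {
    "norun", "nofolderoptions", "nocontrolpanel", "nodesktop",
    "noviewcontextmenu", "nofind", "noclose", "nodrives", "nowinkeys",
}
# CLSID of the standard Send To context-menu handler.
SENDTO_CLSID = "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"

# Constructed sample in the layout regpeek.txt has: three exports joined by
# dashed separators.  Values are illustrative, not the poster's registry.
SAMPLE_REGPEEK = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

-------------------------------

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\Send To]
@="{7BA4C740-9E81-11CF-99D3-00AA004AE837}"

-------------------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoRun"=dword:00000000
"Custom"=hex:01,00,\
  02,00
"""


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def decode_value(raw):
    """Turn the right-hand side of a .reg value line into (kind, value)."""
    raw = raw.strip()
    if raw == "-":
        return ("delete", None)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return ("str", _unescape(raw[1:-1]))
    if raw.lower().startswith("dword:"):
        return ("dword", int(raw[6:], 16))
    m = re.match(r"^hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<data>.*)$", raw, re.I)
    if m:
        data = bytes.fromhex(re.sub(r"[,\s]", "", m["data"]))
        return ("hex" if m["t"] is None else f"hex({m['t']})", data)
    return ("unknown", raw)


def parse_reg(text):
    """Return {key path: {value name: (kind, value)}}; '@' is the default value."""
    keys, current, pending = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if pending is not None:                 # continuation of a hex value
            name, raw = pending
            raw += line
            if raw.endswith("\\"):
                pending = (name, raw[:-1])
            else:
                keys[current][name] = decode_value(raw)
                pending = None
            continue
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m["default"] else _unescape(m["name"])
            raw = m["raw"].strip()
            if raw.endswith("\\"):              # value continues on the next line
                pending = (name, raw[:-1])
            else:
                keys[current][name] = decode_value(raw)
    return keys


def audit(text):
    """Summarise what a removal helper looks for in regpeek.txt."""
    keys = parse_reg(text)
    restrictions, autorun_mask, handlers, sendto = [], None, [], None
    marker = "\\shellex\\contextmenuhandlers\\"
    for key, values in keys.items():
        low = key.lower()
        if low.endswith("\\policies\\explorer"):
            for name, (kind, val) in values.items():
                if kind != "dword":
                    continue
                if name.lower() in RESTRICTIVE_POLICIES and val != 0:
                    restrictions.append((key, name, val))
                elif name.lower() == "nodrivetypeautorun" and autorun_mask is None:
                    autorun_mask = val
        if marker in low:
            handler = key[low.rfind(marker) + len(marker):]
            handlers.append(handler)
            if handler.lower() == "send to":
                sendto = values.get("@", ("str", None))[1]
    return {
        "restrictions": restrictions,
        "autorun_mask": autorun_mask,
        "handlers": handlers,
        "sendto_handler": sendto,
        "sendto_is_standard": sendto is not None and sendto.upper() == SENDTO_CLSID,
    }


if __name__ == "__main__":
    for k, v in audit(SAMPLE_REGPEEK).items():
        print(f"{k}: {v}")
```

To run it on a real report: `audit(open("regpeek.txt", encoding="mbcs").read())` for the file the batch produces (joined through `type`, so it is usually in the console code page), or `encoding="utf-16"` for a file written directly by `reg export`, which is Unicode. A missing Send To handler here points at the context-menu registration; an empty but present handler points at the SendTo folder itself, which is the distinction the helper is trying to make in this post.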
Old 10-29-2011, 08:41 PM   #19
Registered Member
 
Join Date: Dec 2004
Posts: 108
OS: NT



Hi Taylor

Followed your instructions. A quick note before I address the main topics. When I was in the Startup tab in MSCONFIG I noted at the bottom of the tab that there were two programs that were not enabled to run at startup. Both of them should not be there because they were related to the HP Photosmart printer that is no longer hooked up to this computer. When I enabled all for the Startup tab, when I rebooted the machine I got stuck in this endless loop because these two programs were trying to execute and those directories are gone. Needless to say that was irritating. So I went back into MSCONFIG and disabled them. I took a screenshot of them. Do you know how I can get them out of there (MSCONFIG Startup) as that printer is not hooked up and I have manually removed them via the control panel. Here is a screenshot of the MSCONFIG Startup Tab:

StartupTabonmsconfig.jpg picture by vewdodude - Photobucket

Okay I created the batch file per your instructions and ran it. I then went to the command line and ran SendTo manually. A window named SendTo popped up but there was nothing in it. Totally empty...bubkus...I took a screenshot for you of it:

StartupTabonmsconfig.jpg picture by vewdodude - Photobucket

Also there was no add-remove programs.txt in the location C/. I did however find an add-remove programs.txt in the location C/Qoobox but that was dated 10/25/11 so it was obviously not created today. I was not sure where in the batch file the add-remove programs.txt was created as I didn't see that file getting created.
__________________
vewdodude is offline  
Old 10-30-2011, 09:39 AM   #20
Security Team
Trainee IV
 
Nistlerooy's Avatar
 
Join Date: Dec 2007
Location: San Francisco, CA
Posts: 2,367
OS: Windows XP MCE



Hello again. Hope you're having a good weekend.

Quote:
Do you know how I can get them out of there (MSCONFIG Startup) as that printer is not hooked up and I have manually removed them via the control panel.
If you'll notice, the path for those in MSCONFIG is in C:\Program Files\HP. You could try deleting everything left over in that folder. However, it's ok to leave it unchecked as it was, it won't do any harm.

Quote:
Okay I created the batch file per your instructions and ran it.
The batch file should have produced a report for you in Notepad. I need that report. If you closed notepad the batch file and text file were both deleted and you'll just need to run it again and then copy/paste the results here.

Quote:
Also there was no add-remove programs.txt in the location C/. I did however find an add-remove programs.txt in the location C/Qoobox but that was dated 10/25/11 so it was obviously not created today. I was not sure where in the batch file the add-remove programs.txt was created as I didn't see that file getting created.
That's my error, and I apologize. The correct path is C:\Qoobox\Add-Remove Programs.txt If you could please attach that in your next reply for me that would be great.

Go look in the folder C:\WINDOWS\system32\config\systemprofile\SendTo and tell me what you find there.

Hope you're having a good weekend.

-Taylor

__________________
If I am helping you with a Virus/Malware fix and have not responded within 36 hours, please PM me.
NOTE: I do not offer help of any kind via Private Messages. Please post your questions in the appropriate forum.



Nistlerooy is offline  
 

Copyright 2001 - 2014, Tech Support Forum