|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
Thread Tools |
04-12-2007, 05:49 PM
|
#1 (permalink) |
|
Analyst, Security Team
Join Date: Mar 2007
Posts: 20
OS: XP & Vista
|
Slow Computer and User permissions changed
Followed the five steps prior to posting this (Hello, my name is Carolyn and I'm a windows user....)
Running Windows XP Pro SP2, all updates applied, computer freezes up and user permissions changed from administrator to debugger... logs attached... Your help is appreciated.  Incident Status Location Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Warren\Application Data\Mozilla\Firefox\Profiles\juok93kl.default\cookies.txt[.atdmt.com/] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Warren\Application Data\Mozilla\Firefox\Profiles\juok93kl.default\cookies.txt[.tribalfusion.com/] Deckard's System Scanner v20070411.38 Run by Warren on 2007-04-12 at 19:28:56 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 78: 2007-04-12 23:29:14 UTC - RP247 - Deckard's System Scanner Restore Point 77: 2007-04-12 23:24:01 UTC - RP246 - Software Distribution Service 2.0 76: 2007-04-12 20:27:51 UTC - RP245 - Software Distribution Service 2.0 75: 2007-04-12 20:26:20 UTC - RP244 - Installed Ad-Aware SE Personal 74: 2007-04-12 20:14:07 UTC - RP243 - Software Distribution Service 2.0 -- First Restore Point -- 1: 2007-01-12 21:35:58 UTC - RP170 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis (run as Warren.exe) ---------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 7:32:14 PM, on 4/12/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\system32\WLTRAY.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\Logi_MwX.Exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Warren.U76\Desktop\dss.exe C:\PROGRA~1\HIJACK~1\Warren.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.localnet.com/adv_search.phtml R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.localnet.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O14 - IERESET.INF: START_PAGE_URL=http://start.localnet.com/ O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171306338446 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = U76.LOCAL O17 - HKLM\Software\..\Telephony: DomainName = U76.LOCAL O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = U76.LOCAL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys R1 APPDRV - c:\windows\system32\drivers\appdrv.sys R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys R1 sscdbhk5 - c:\windows\system32\drivers\sscdbhk5.sys R1 ssrtln - c:\windows\system32\drivers\ssrtln.sys R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys R2 drvnddm - c:\windows\system32\drivers\drvnddm.sys R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys R2 tfsnboio - c:\windows\system32\dla\tfsnboio.sys R2 tfsncofs - c:\windows\system32\dla\tfsncofs.sys R2 tfsndrct - c:\windows\system32\dla\tfsndrct.sys R2 tfsndres - c:\windows\system32\dla\tfsndres.sys R2 tfsnifs - c:\windows\system32\dla\tfsnifs.sys R2 tfsnopio - c:\windows\system32\dla\tfsnopio.sys R2 tfsnpool - c:\windows\system32\dla\tfsnpool.sys R2 tfsnudf - c:\windows\system32\dla\tfsnudf.sys R2 tfsnudfa - c:\windows\system32\dla\tfsnudfa.sys R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys R3 HSFHWICH - c:\windows\system32\drivers\hsfhwich.sys R3 ialm - c:\windows\system32\drivers\ialmnt5.sys R3 MxlW2k - c:\windows\system32\drivers\mxlw2k.sys R3 STAC97 (SigmaTel C-Major Audio) - c:\windows\system32\drivers\stac97.sys R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys S3 BCM43XX (Dell Wireless WLAN Card Driver) - c:\windows\system32\drivers\bcmwl5.sys S4 cbidf - c:\windows\system32\drivers\cbidf2k.sys S4 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe S2 spupdsvc (Windows Service Pack Installer update service) - c:\windows\system32\spupdsvc.exe -- Scheduled Tasks ------------------------------------------------------------- 2007-04-12 18:16:37 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB> -- Files created between 2007-03-12 and 2007-04-12 ----------------------------- 2007-04-12 19:12:20 0 d-------- C:\ie-spyad 2007-04-12 19:11:17 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2> 2007-04-12 19:05:45 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1> 2007-04-12 18:23:56 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1> 2007-04-12 18:23:55 0 d-------- C:\WINDOWS\LastGood 2007-04-12 16:31:27 0 d-------- C:\Documents and Settings\Warren\Application Data\Lavasoft 2007-04-12 16:27:01 0 d-------- C:\Documents and Settings\Warren.U76\Application Data\Lavasoft 2007-04-12 16:26:22 0 d-------- C:\Program Files\Lavasoft 2007-04-12 14:38:58 83672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL 2007-04-12 14:38:58 73224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2007-04-12 14:38:07 0 d-------- C:\Program Files\Symantec_Client_Security<SYMANT~1> 2007-04-12 13:08:16 0 d-------- C:\TEMP 2007-04-12 11:07:30 0 d-------- C:\Program Files\RegSeeker<REGSEE~1> 2007-04-12 11  31 0 d-------- C:\Program Files\Autoruns2007-04-12 10:58:13 0 d-------- C:\Program Files\CCleaner 2007-04-11 12:07:23 6815744 --a------ C:\Documents and Settings\Warren.U76\ntuser.dat -- Find3M Report --------------------------------------------------------------- 2007-04-12 18:45:15 0 d-------- C:\Program Files\Windows Defender<WINDOW~4> 2007-04-12 18:44:33 0 d-------- C:\Program Files\QuickTime<QUICKT~1> 2007-04-12 18:44:33 0 d-------- C:\Program Files\iTunes 2007-04-12 18:44:24 0 d-------- C:\Program Files\Digital Line Detect<DIGITA~1> 2007-04-12 16:25:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1> 2007-04-12 14:39:00 0 d-------- C:\Program Files\Symantec 2007-04-12 14:38:20 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1> 2007-04-12 14:13:38 0 d---s---- C:\Documents and Settings\Warren.U76\Application Data\Microsoft<MICROS~1> 2007-04-12 10:33:50 0 d-------- C:\Program Files\Mozilla Thunderbird<MOZILL~2> 2007-03-17 09:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll 2007-03-08 11:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll 2007-03-08 11:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll 2007-03-08 11:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll 2007-03-08 09:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys 2007-02-16 12:15:38 0 d-------- C:\Program Files\Common Files\Adobe 2007-02-12 15:43:19 0 d-------- C:\Program Files\Microsoft Works<MICROS~4> 2007-02-12 14:39:45 0 d-------- C:\Documents and Settings\Warren.U76\Application Data\Adobe 2007-02-12 14:00:22 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1> 2007-02-05 16:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll -- Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe" "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\"" "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe" "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe" "PRONoMgrWired"="C:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PRONoMgr.exe" "Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe" "Dell Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY" "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\"" "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\ 73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\ 00 "Pad39A-HtEHL"="D:\\Pad39A.exe" "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "Logitech Utility"="Logi_MwX.Exe" "mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe" "MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide" "vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook" "{81559C35-8464-49F7-BB0E-07A383BEF910}"="" [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "DisablePersonalDirChange"=dword:00000001 [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 -- End of Deckard's System Scanner: finished at 2007-04-12 at 19:32:41 --------- Deckard's System Scanner v20070411.38 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Professional (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Intel(R) Pentium(R) M processor 1.60GHz Percentage of Memory in Use: 51% Physical Memory (total/avail): 503.37 MiB / 245.96 MiB Pagefile Memory (total/avail): 1229.93 MiB / 941.32 MiB Virtual Memory (total/avail): 2047.88 MiB / 1977.77 MiB C: is Fixed (NTFS) - 37.21 GiB total, 25.26 GiB free. D: is CDROM (No Media) -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is enabled. FirstRunDisabled is set. -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Warren.U76\Application Data CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=DH016481 ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Warren.U76 LOGONSERVER=\\U76APPS01 NUMBER_OF_PROCESSORS=1 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\ PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=0d06 ProgramFiles=C:\Program Files PROMPT=$P$G QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Warren.U76\LOCALS~1\Temp TMP=C:\DOCUME~1\Warren.U76\LOCALS~1\Temp USERDNSDOMAIN=U76.LOCAL USERDOMAIN=U76 USERNAME=Warren USERPROFILE=C:\Documents and Settings\Warren.U76 windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Warren.U76 (admin) Warren (admin) Administrator (admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu --> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6} --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19} --> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095} --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747} Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002} Canon Camera Window for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{093625E3-7B87-49D3-AA53-AD0FCFABAF49} Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\Canon\PhotoRecord\Uninst.isu -c"C:\PROGRA~1\Canon\PhotoRecord\Program\uninstdll.dll" Canon Utilities File Viewer Utility 1.2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{EF0DD8B7-471C-463B-A298-6066C2FABAF5} Canon Utilities RemoteCapture 2.7 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0} Canon Utilities ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2} Conexant D110 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf Dell Wireless WLAN Card --> C:\WINDOWS\system32\BCMWLU00.exe verbose Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel Intel(R) Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592 Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe Intel(R) PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7} Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4 iTunes --> MsiExec.exe /I{5878FF02-3B8F-4309-B4E5-0D3DB6F2E8E6} J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100} J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040} J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060} Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030} Lavasoft VX2 Cleaner --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\INSTALL.LOG LiveUpdate 1.7 (Symantec Corporation) --> C:\Program Files\\Symantec\LiveUpdate\LSETUP.EXE /U LocalNet --> cmstp.exe /u "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\Localnet\Localnet.inf" Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL Logitech MouseWare 9.79 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL Logitech Resource Center --> C:\PROGRA~1\Logitech\RESOUR~1\rem\UNWISE.EXE C:\PROGRA~1\Logitech\RESOUR~1\rem\INSTALL.LOG Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9} Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel Mozilla Firefox (2.0.0.2) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe Mozilla Thunderbird (1.5.0.10) --> C:\Program Files\Mozilla Thunderbird\uninstall\uninstall.exe /ua "1.5.0.10 (en-US)" MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~2\unmatch.exe NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4 QuickTime --> MsiExec.exe /I{55BF0E5F-EA8E-4C13-A8B4-9E4857F5A2DE} RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0 Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe" Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe" Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6} Sonic RecordNow! Plus --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19} Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3} SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe" SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe" Symantec AntiVirus Client --> MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E} Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401} -- End of Deckard's System Scanner: finished at 2007-04-12 at 19:32:41 --------- Last edited by Ried : 04-16-2007 at 10:09 PM. |
|
     |
|
04-16-2007, 10:20 PM
|
#7 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista
|
Re: Slow Computer and User permissions changed
Hello Carolyn and welcome to TSF,
I'm not seeing much in these logs. Did you make any changes to your Group Policy? Upload this file D:\Pad39A.exe to http://virusscan.jotti.org and report back what it found. At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the blue text from above into the box. Then click "submit". When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here. If the site is too busy, upload it here http://www.virustotal.com/en/indexf.html |
|
|
|
|
04-17-2007, 07:55 AM
|
#8 (permalink) |
|
Analyst, Security Team
Join Date: Mar 2007
Posts: 20
OS: XP & Vista
|
Re: Slow Computer and User permissions changed
Hi Ried,
The D: drive is the CD-RW drive on this computer. I searched the hard drive for that file but it was not found. Nothing to upload... The group policy is managed by our Windows 2003 server. I do not believe that there have been any changes made. None of the other computers in our domain are having problems. By the way, this computer is the only windows xp notebook in our office and is used as a personal computer at home by my colleague. I'm going to run a fresh set of scans and post the logs just in case they can be of use. Your help is appreciated. |
|
|
|
|
04-17-2007, 10:11 AM
|
#9 (permalink) |
|
Analyst, Security Team
Join Date: Mar 2007
Posts: 20
OS: XP & Vista
|
Re: Slow Computer and User permissions changed
Computer is still acting up. A window entitled "Just-In-Time-Debugging" just popped up. It wanted me to set a default debugger, listing "New instance of Microsoft Script Editor" as the only option. Also Real Message Center launched itself - I do not believe it had been configured to do so. Something is not right here.
Fresh set of logs... Deckard did not create extra.txt this time. Activescan.txt Incident Status Location Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Warren\Application Data\Mozilla\Firefox\Profiles\juok93kl.default\cookies.txt[.atdmt.com/] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Warren\Application Data\Mozilla\Firefox\Profiles\juok93kl.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Warren.U76\Application Data\Mozilla\Firefox\Profiles\ad0i09t9.default\cookies.txt[.com.com/] main.txt Deckard's System Scanner v20070411.38 Run by Warren on 2007-04-17 at 11:55:31 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Warren.exe) ---------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 11:56:03 AM, on 4/17/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\system32\WLTRAY.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\Logi_MwX.Exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Documents and Settings\Warren.U76\Desktop\dss.exe C:\PROGRA~1\HIJACK~1\Warren.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.localnet.com/adv_search.phtml R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.localnet.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O14 - IERESET.INF: START_PAGE_URL=http://start.localnet.com/ O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171306338446 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = U76.LOCAL O17 - HKLM\Software\..\Telephony: DomainName = U76.LOCAL O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = U76.LOCAL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- Files created between 2007-03-17 and 2007-04-17 ----------------------------- 2007-04-17 10:40:00 0 d-------- C:\WINDOWS\LastGood 2007-04-12 19:12:20 0 d-------- C:\ie-spyad 2007-04-12 19:11:17 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2> 2007-04-12 19:05:45 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1> 2007-04-12 18:23:56 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1> 2007-04-12 16:31:27 0 d-------- C:\Documents and Settings\Warren\Application Data\Lavasoft 2007-04-12 16:27:01 0 d-------- C:\Documents and Settings\Warren.U76\Application Data\Lavasoft 2007-04-12 16:26:22 0 d-------- C:\Program Files\Lavasoft 2007-04-12 14:38:58 83672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL 2007-04-12 14:38:58 73224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2007-04-12 14:38:07 0 d-------- C:\Program Files\Symantec_Client_Security<SYMANT~1> 2007-04-12 13:08:16 0 d-------- C:\TEMP 2007-04-12 11:07:30 0 d-------- C:\Program Files\RegSeeker<REGSEE~1> 2007-04-12 11 31 0 d-------- C:\Program Files\Autoruns2007-04-12 10:58:13 0 d-------- C:\Program Files\CCleaner 2007-04-11 12:07:23 7077888 --a------ C:\Documents and Settings\Warren.U76\ntuser.dat -- Find3M Report --------------------------------------------------------------- 2007-04-17 11:17:05 0 d-------- C:\Program Files\Windows Defender<WINDOW~4> 2007-04-17 11:16:08 0 d-------- C:\Program Files\QuickTime<QUICKT~1> 2007-04-17 11:10:54 0 d-------- C:\Program Files\iTunes 2007-04-17 11:10:19 0 d-------- C:\Program Files\Digital Line Detect<DIGITA~1> 2007-04-17 09:37:38 0 d-------- C:\Program Files\Java 2007-04-12 16:25:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1> 2007-04-12 14:39:00 0 d-------- C:\Program Files\Symantec 2007-04-12 14:38:20 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1> 2007-04-12 14:13:38 0 d---s---- C:\Documents and Settings\Warren.U76\Application Data\Microsoft<MICROS~1> 2007-04-12 10:33:50 0 d-------- C:\Program Files\Mozilla Thunderbird<MOZILL~2> 2007-03-17 09:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll 2007-03-08 11:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll 2007-03-08 11:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll 2007-03-08 11:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll 2007-03-08 09:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys 2007-02-05 16:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll -- Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe" "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe" "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe" "PRONoMgrWired"="C:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PRONoMgr.exe" "Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe" "Dell Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY" "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\"" "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\ 73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\ 00 "Pad39A-HtEHL"="D:\\Pad39A.exe" "Logitech Utility"="Logi_MwX.Exe" "mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe" "MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide" "vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook" "{81559C35-8464-49F7-BB0E-07A383BEF910}"="" [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "DisablePersonalDirChange"=dword:00000001 [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 -- End of Deckard's System Scanner: finished at 2007-04-17 at 11:56:17 --------- |
|
|
|
|
04-17-2007, 09:37 PM
|
#10 (permalink) | |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista
|
Re: Slow Computer and User permissions changed
Hello Carolyn,
I don't believe your issues are malware related. I would suggest you contact your IT person (if you have one). If not, you would be better served discussing your issue in either the Windows XP or Networking Support section of this forum. Let them know you've been sent from the HijackThis Help forum and tell them this: Quote:
O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe Click 'Fix Checked' and close HijackThis.
__________________
 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Last edited by Ried : 04-17-2007 at 09:49 PM. |
|
|
|
Re: Slow Computer and User permissions changed