Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Computer is slowing, Switch User no longer works as well as Safe Mode Computer is slowing, Switch User no longer works as well as Safe Mode
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

Resolved HJT Threads Resolved spyware and popup issues.

 
 
Thread Tools
Old 12-19-2007, 07:17 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 11
OS: XP with SP2


Computer is slowing, Switch User no longer works as well as Safe Mode
Hi I am running Windows XP SP2, with Internet Explorer 7.0 my computer has recently been acting funny. I have went through the five steps and there is definitely something wrong. Please help.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:16:51 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jenny\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecu...th.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {0B241FD4-1EA1-4238-B505-07A484C49D1A} - C:\WINDOWS\ttvbonsmf.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B6680672-71DE-97A2-28FB-8FA75AFDBC12} - C:\DOCUME~1\ZACHAR~1\APPLIC~1\SAVERE~1\errorknob.exe (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: The leosrv - {8B6860DE-2CFA-4713-B42F-DC06D008DC54} - C:\WINDOWS\leosrv.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [bolt noun kind mess] C:\Documents and Settings\All Users\Application Data\LoveDownloadBoltNoun\flagbalm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZipTorrent] C:\Program Files\ZipTorrent\ZipTorrent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Default user')
O4 - S-1-5-18 Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\4.0M MPEG4 DV\Console\Watch.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1130280773484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144891801187
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\helpspot\XPLControl.CAB
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 13159 bytes
xcomgs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-19-2007, 07:40 PM   #2 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 11
OS: XP with SP2


Re: Computer is slowing, Switch User no longer works as well as Safe Mode
bump need help
xcomgs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-23-2007, 10:03 AM   #3 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Computer is slowing, Switch User no longer works as well as Safe Mode
TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click Resident.
  • Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
  • In the File menu click Exit to exit Spybot Search & Destroy.

Download http://www.techsupportforum.com/sect...etTeaTimer.zip
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.


----------------


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: BDEX System - {0B241FD4-1EA1-4238-B505-07A484C49D1A} - C:\WINDOWS\ttvbonsmf.dll (file missing)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: (no name) - {B6680672-71DE-97A2-28FB-8FA75AFDBC12} - C:\DOCUME~1\ZACHAR~1\APPLIC~1\SAVERE~1\errorknob.exe (file missing)
O3 - Toolbar: The leosrv - {8B6860DE-2CFA-4713-B42F-DC06D008DC54} - C:\WINDOWS\leosrv.dll (file missing)
O4 - HKLM\..\Run: [bolt noun kind mess] C:\Documents and Settings\All Users\Application Data\LoveDownloadBoltNoun\flagbalm.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll

Ignore any prompts for a reboot


---------------


www.bleepingcomputer.com
www.forospyware.com
www.geekstogo.com

1. Please choose from any of the above links. Download the file & Save it to Desktop.

2. Double click on ComboFix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that & a fresh Hijackthis log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-23-2007, 10:31 PM   #4 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 11
OS: XP with SP2


Re: Computer is slowing, Switch User no longer works as well as Safe Mode
ComboFix 07-12-24.7 - Owner 2007-12-23 22:07:05.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Favorites\Error Cleaner.url
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\_003610_.tmp.dll
C:\WINDOWS\system32\_003616_.tmp.dll
C:\WINDOWS\system32\_003619_.tmp.dll
C:\WINDOWS\system32\_003772_.tmp.dll
C:\WINDOWS\system32\_003773_.tmp.dll
C:\WINDOWS\system32\_003774_.tmp.dll
C:\WINDOWS\system32\_003775_.tmp.dll
C:\WINDOWS\system32\_003778_.tmp.dll
C:\WINDOWS\system32\_003779_.tmp.dll
C:\WINDOWS\system32\_003780_.tmp.dll
C:\WINDOWS\system32\_003781_.tmp.dll
C:\WINDOWS\system32\NTSVC.ocx

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 15:25 . 2007-12-23 15:25 <DIR> d-------- C:\Documents and Settings\Jenny\Application Data\Costco Photo Organizer
2007-12-23 15:24 . 2007-12-23 15:24 <DIR> d-------- C:\Program Files\Costco
2007-12-23 15:24 . 2007-12-23 15:24 <DIR> d-------- C:\Program Files\Common Files\HP
2007-12-23 15:19 . 2007-12-23 15:21 <DIR> d-------- C:\Documents and Settings\Jenny\Application Data\Costco Photo Viewer US
2007-12-19 15:43 . 2007-12-19 15:44 <DIR> d-------- C:\Program Files\Mozilla Sunbird
2007-12-19 14:25 . 2007-12-19 14:43 4,366 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-19 14:23 . 2007-12-13 19:40 77,824 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-19 14:23 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-19 14:22 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-19 14:22 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-19 14:22 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-19 14:22 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-19 14:21 . 2007-12-19 14:22 <DIR> d-------- C:\Documents and Settings\Owner\SmitfraudFix
2007-12-19 14:02 . 2007-12-19 18:16 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-19 13:25 . 2007-12-19 14:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-19 13:25 . 2007-12-19 13:54 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-19 13:25 . 2007-12-19 13:54 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-19 13:25 . 2007-12-19 13:54 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-19 00:50 . 2007-05-29 13:55 22,112 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-19 00:50 . 2007-05-29 13:55 10,592 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-19 00:50 . 2007-05-29 13:55 705 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-12-19 00:34 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2007-12-19 00:34 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2007-12-18 00:15 . 2007-12-18 00:21 <DIR> d-------- C:\Program Files\SmartVideoCodec
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-23 22:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-19 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-19 22:08 --------- d-----w C:\Program Files\Detto Security Center
2007-12-19 21:01 --------- d-----w C:\Program Files\Norton Internet Security
2007-12-19 21:00 --------- d-----w C:\Program Files\iTunes
2007-12-19 21:00 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2007-12-19 20:59 --------- d-----w C:\Program Files\MSN Messenger
2007-12-19 20:59 --------- d-----w C:\Program Files\GhostSurf 2005
2007-12-19 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-19 07:46 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-19 07:46 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-19 07:46 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-19 07:46 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-19 07:46 --------- d-----w C:\Program Files\Symantec
2007-12-18 08:02 --------- d-----w C:\Documents and Settings\Jenny\Application Data\BitTorrent
2007-12-18 07:19 --------- d-----w C:\Documents and Settings\Jenny\Application Data\LimeWire
2007-12-15 17:56 --------- d-----w C:\Program Files\QuickTime
2007-12-07 03:39 --------- d-----w C:\Program Files\Picasa2
2007-11-27 04:18 --------- d-----w C:\Program Files\LimeWire
2007-11-26 00:59 --------- d-----w C:\Documents and Settings\Alex.GATEWAY-ACD3D1B\Application Data\BitTorrent
2007-11-21 19:20 --------- d-----w C:\Program Files\BitTorrent
2007-11-21 18:45 --------- d-----w C:\Documents and Settings\Jenny\Application Data\Yahoo!
2007-11-21 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-21 18:17 --------- d-----w C:\Program Files\Yahoo!
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 02:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 02:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 02:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 02:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 02:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 02:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-31 02:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 02:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 02:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 02:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 02:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 03:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2005-12-11 07:09 105,320 ----a-w C:\Documents and Settings\Jenny\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-08-09 12:56]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 13:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 13:19]
"GhostSurfDelSatellite"="C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" []
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 13:23]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"ZipTorrent"="C:\Program Files\ZipTorrent\ZipTorrent.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 18:22]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" []
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 14:18]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\GhostSurf 2005\Scheduler daemon.exe [2004-03-09 14:47:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
GhostSurf proxy.lnk - C:\Program Files\GhostSurf 2005\Proxy.exe [2004-02-21 17:12:28]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\system32\srr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pre-Empt User Interface]
C:\Program Files\Detto\Pre-Empt\qfui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-12-20 17:00]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-08-09 12:56]
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys [2001-09-10 08:00]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 16:49:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-24 05:00:01 C:\WINDOWS\Tasks\B014ED5F917B9D4B.job"
- c:\docume~1\zachar~1\applic~1\drawfo~1\Chic Grid Shim.exe
"2007-12-22 03:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe
"2007-12-23 17:51:00 C:\WINDOWS\Tasks\WebReg .job"
- C:\Program Files\HP\digital imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 22:15:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-23 22:18:08
.
2007-12-12 04:27:42 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:21:48 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZipTorrent] C:\Program Files\ZipTorrent\ZipTorrent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-21-1644491937-823518204-682003330-1011\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Alex')
O4 - HKUS\S-1-5-21-1644491937-823518204-682003330-1011\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Alex')
O4 - HKUS\S-1-5-21-1644491937-823518204-682003330-1011\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Alex')
O4 - HKUS\S-1-5-21-1644491937-823518204-682003330-1011\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Alex')
O4 - HKUS\S-1-5-21-1644491937-823518204-682003330-1011\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" (User 'Alex')
O4 - HKUS\S-1-5-21-1644491937-823518204-682003330-1011\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe" (User 'Alex')
O4 - HKUS\S-1-5-21-1644491937-823518204-682003330-1011\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Alex')
O4 - HKUS\S-1-5-21-1644491937-823518204-682003330-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Alex')
O4 - HKUS\S-1-5-21-1644491937-823518204-682003330-1011\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Alex')
O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Default user')
O4 - S-1-5-18 Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\4.0M MPEG4 DV\Console\Watch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1130280773484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144891801187
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\helpspot\XPLControl.CAB
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 13391 bytes
xcomgs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-24-2007, 03:59 AM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Computer is slowing, Switch User no longer works as well as Safe Mode
Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\Tasks\B014ED5F917B9D4B.job
Folder::
C:\Program Files\SmartVideoCodec
c:\docume~1\zachar~1\applic~1\drawfo~1
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SemanticInsight"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
Save this as "CFScript"




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-25-2007, 06:34 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 11
OS: XP with SP2


Re: Computer is slowing, Switch User no longer works as well as Safe Mode
I ran that Kaspersky scanner and when it was done, it just closed the Internet Explorer window. However when it was scanning I noticed it said there was a virus detected. I have Norton Virus Scanner and can run that if you want. Here are the other two logs.

ComboFix 07-12-24.7 - Owner 2007-12-23 22:07:05.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Favorites\Error Cleaner.url
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\_003610_.tmp.dll
C:\WINDOWS\system32\_003616_.tmp.dll
C:\WINDOWS\system32\_003619_.tmp.dll
C:\WINDOWS\system32\_003772_.tmp.dll
C:\WINDOWS\system32\_003773_.tmp.dll
C:\WINDOWS\system32\_003774_.tmp.dll
C:\WINDOWS\system32\_003775_.tmp.dll
C:\WINDOWS\system32\_003778_.tmp.dll
C:\WINDOWS\system32\_003779_.tmp.dll
C:\WINDOWS\system32\_003780_.tmp.dll
C:\WINDOWS\system32\_003781_.tmp.dll
C:\WINDOWS\system32\NTSVC.ocx

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 15:25 . 2007-12-23 15:25 <DIR> d-------- C:\Documents and Settings\Jenny\Application Data\Costco Photo Organizer
2007-12-23 15:24 . 2007-12-23 15:24 <DIR> d-------- C:\Program Files\Costco
2007-12-23 15:24 . 2007-12-23 15:24 <DIR> d-------- C:\Program Files\Common Files\HP
2007-12-23 15:19 . 2007-12-23 15:21 <DIR> d-------- C:\Documents and Settings\Jenny\Application Data\Costco Photo Viewer US
2007-12-19 15:43 . 2007-12-19 15:44 <DIR> d-------- C:\Program Files\Mozilla Sunbird
2007-12-19 14:25 . 2007-12-19 14:43 4,366 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-19 14:23 . 2007-12-13 19:40 77,824 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-19 14:23 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-19 14:22 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-19 14:22 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-19 14:22 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-19 14:22 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-19 14:21 . 2007-12-19 14:22 <DIR> d-------- C:\Documents and Settings\Owner\SmitfraudFix
2007-12-19 14:02 . 2007-12-19 18:16 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-19 13:25 . 2007-12-19 14:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-19 13:25 . 2007-12-19 13:54 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-19 13:25 . 2007-12-19 13:54 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-19 13:25 . 2007-12-19 13:54 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-19 00:50 . 2007-05-29 13:55 22,112 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-19 00:50 . 2007-05-29 13:55 10,592 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-12-19 00:50 . 2007-05-29 13:55 705 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-12-19 00:34 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2007-12-19 00:34 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2007-12-18 00:15 . 2007-12-18 00:21 <DIR> d-------- C:\Program Files\SmartVideoCodec
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-23 22:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-19 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-19 22:08 --------- d-----w C:\Program Files\Detto Security Center
2007-12-19 21:01 --------- d-----w C:\Program Files\Norton Internet Security
2007-12-19 21:00 --------- d-----w C:\Program Files\iTunes
2007-12-19 21:00 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2007-12-19 20:59 --------- d-----w C:\Program Files\MSN Messenger
2007-12-19 20:59 --------- d-----w C:\Program Files\GhostSurf 2005
2007-12-19 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-19 07:46 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-19 07:46 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-19 07:46 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-19 07:46 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-19 07:46 --------- d-----w C:\Program Files\Symantec
2007-12-18 08:02 --------- d-----w C:\Documents and Settings\Jenny\Application Data\BitTorrent
2007-12-18 07:19 --------- d-----w C:\Documents and Settings\Jenny\Application Data\LimeWire
2007-12-15 17:56 --------- d-----w C:\Program Files\QuickTime
2007-12-07 03:39 --------- d-----w C:\Program Files\Picasa2
2007-11-27 04:18 --------- d-----w C:\Program Files\LimeWire
2007-11-26 00:59 --------- d-----w C:\Documents and Settings\Alex.GATEWAY-ACD3D1B\Application Data\BitTorrent
2007-11-21 19:20 --------- d-----w C:\Program Files\BitTorrent
2007-11-21 18:45 --------- d-----w C:\Documents and Settings\Jenny\Application Data\Yahoo!
2007-11-21 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-21 18:17 --------- d-----w C:\Program Files\Yahoo!
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 02:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 02:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 02:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 02:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 02:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 02:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-31 02:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 02:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 02:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 02:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 02:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 03:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2005-12-11 07:09 105,320 ----a-w C:\Documents and Settings\Jenny\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-08-09 12:56]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 13:22]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 13:19]
"GhostSurfDelSatellite"="C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" []
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 13:23]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"ZipTorrent"="C:\Program Files\ZipTorrent\ZipTorrent.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 18:22]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"SemanticInsight"="C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" []
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 14:18]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\GhostSurf 2005\Scheduler daemon.exe [2004-03-09 14:47:16]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
GhostSurf proxy.lnk - C:\Program Files\GhostSurf 2005\Proxy.exe [2004-02-21 17:12:28]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\system32\srr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pre-Empt User Interface]
C:\Program Files\Detto\Pre-Empt\qfui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-12-20 17:00]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-08-09 12:56]
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys [2001-09-10 08:00]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 16:49:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-24 05:00:01 C:\WINDOWS\Tasks\B014ED5F917B9D4B.job"
- c:\docume~1\zachar~1\applic~1\drawfo~1\Chic Grid Shim.exe
"2007-12-22 03:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe
"2007-12-23 17:51:00 C:\WINDOWS\Tasks\WebReg .job"
- C:\Program Files\HP\digital imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 22:15:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-23 22:18:08
.
2007-12-12 04:27:42 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:34:05 PM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\backups\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZipTorrent] C:\Program Files\ZipTorrent\ZipTorrent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [getPlusUninstall_dll] rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSd.INF, DefaultUninstall
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Default user')
O4 - S-1-5-18 Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\4.0M MPEG4 DV\Console\Watch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1130280773484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144891801187
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\helpspot\XPLControl.CAB
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 12378 bytes