12-26-2007, 11:32 PM   #1
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: win xp professional sp2


popups; slooowww system

Good Evening,

Computer is very slow, rebooting is very slow, having way too many popups. Had the "! Your computer is infected!" popup. My desktop isn't showing the original picture. Sometimes all my icons disappear. This has been happening for about 3-4 days.

Ran the Panda ActiveScan and couldn't print out the report because I was offline. (It showed 38 spyware, 0 virus, 3 suspicious files.) Ran it a second time and got stuck at around 7000 files. Here is the report from the second scan:

Incident Status Location

Adware:Adware/Yazzle Not disinfected c:\windows\mrofinu1239.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\efcyayx.dll
Adware:adware/sbsoft Not disinfected c:\windows\rdt.ini
Adware:adware/spymarshal Not disinfected c:\windows\xpupdate.exe
Spyware:spyware/dogpile Not disinfected C:\Documents and Settings\User\Application Data\Infospace
Adware:adware/megatds Not disinfected Windows Registry
Adware:adware/bravesentry Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\User\Cookies\user@advancedcleaner[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\User\Cookies\user@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\User\Cookies\user@atdmt[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\User\Cookies\user@bluestreak[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Cookies\user@bs.serving-sys[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\User\Cookies\user@casalemedia[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\User\Cookies\user@com[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\User\Cookies\user@ehg-dig.hitbox[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\User\Cookies\user@questionmarket[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Cookies\user@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\User\Cookies\user@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\User\Cookies\user@tribalfusion[2].txt


The DSS scan looks like this:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.00GHz
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 382.8 MiB / 136.57 MiB
Pagefile Memory (total/avail): 921.31 MiB / 577.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.34 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 53.82 GiB free.
D: is CDROM (No Media)
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800JB-00FMA0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE1 - HP Officejet Pro L7 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: Norton AntiVirus v15.0.0.58 (Symantec Corporation)
AV: Norton AntiVirus v15.0.0.58 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\aPsychReport\\PsychReport.EXE"="C:\\Program Files\\aPsychReport\\PsychReport.EXE:*:Enabled:4th Dimension"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\TechTracker\\VersionTracker Pro\\VersionTrackerPro.exe"="C:\\Program Files\\TechTracker\\VersionTracker Pro\\VersionTrackerPro.exe:*:Enabled:VersionTracker Pro Windows"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER2
ComSpec=C:\WINDOWS\system32\cmd.exe
DEVMGR_SHOW_NONPRESENT_DEVICES=1
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\USER2
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=USER2
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

User (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\Program Files\Installshield Installation Information\{08082021-2a50-4196-8196-a6f86d6e8f12}\QBReplace.exe {08082021-2a50-4196-8196-a6f86d6e8f12}#{01288593-26bb-4b3a-a04e-0a4ed28cc937}
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.5 Language Support --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\Canon\PhotoRecord\Uninst.isu -c"C:\PROGRA~1\Canon\PhotoRecord\Program\uninstdll.dll"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities File Viewer Utility 1.2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{EF0DD8B7-471C-463B-A298-6066C2FABAF5}
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities RemoteCapture 2.7 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
Conexant HSF V92 56K Data Fax PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2013&SUBSYS_021213E0\HXFSETUP.EXE -U -IVEN_14F1&DEV_2013&SUBSYS_021213E0
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Disney's Toontown Online --> C:\PROGRA~1\Disney\DISNEY~1\Toontown\UNWISE.EXE /A C:\PROGRA~1\Disney\DISNEY~1\Toontown\INSTALL.LOG
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Customer Participation Program 7.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
hp deskjet 3600 --> MsiExec.exe /X{7CA32143-2DAC-4F5F-9BAA-2AB3707EF192}
HP Driver Diagnostics --> MsiExec.exe /I{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Officejet Pro All-In-One Series --> C:\Program Files\HP\Digital Imaging\{7729A02E-D1AD-4830-8FC5-11853500D90D}\setup\hpzscr01.exe -datfile hpwscr05.dat
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
iPod for Windows User Guide --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{B9987754-9A14-4B61-ABB3-73A79503238D} /l1033
iTunes --> MsiExec.exe /I{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Publisher 2003 --> MsiExec.exe /I{91190409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\User\Application Data\Move Networks\ie_bin\Uninst.exe
MPM --> MsiExec.exe /X{D48AD533-BAD5-469B-A9AA-272C6D80E70B}
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}_15_0_0_58\Setup.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
OCR Software by I.R.I.S 7.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
OTOY --> RunDll32 C:\WINDOWS\DOWNLO~1\OTOYAX.dll,_RemoveGroove@16
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
QuickBooks Basic Edition 2004 --> C:\Program Files\Installshield Installation Information\{2b02f821-a9b9-458c-80e5-3ea8c0de8471}\QBReplace.exe {2b02f821-a9b9-458c-80e5-3ea8c0de8471}#{2B02F82E-A9B9-458C-80E5-3EA8C0DE8471}
QuickBooks Pro 2007 --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2007" ADDREMOVE=1
QuickBooks Product Listing Service --> MsiExec.exe /I{55584E16-4D70-44EE-93DD-F144E8B7D4B7}
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spyware Terminator --> "C:\Program Files\Spyware Terminator\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Symantec Technical Support Web Controls --> MsiExec.exe /X{9743AF47-B746-4324-B4C4-512E67D04370}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
ViewSonic Monitor Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2355 / Error
Event Submitted/Written: 12/26/2007 08:16:58 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x01babf75.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type2323 / Success
Event Submitted/Written: 12/25/2007 00:55:51 PM
Event ID/Source: 4 / 4th Dimension®
Event Description:
PsychReport.4DC

Event Record #/Type2322 / Success
Event Submitted/Written: 12/25/2007 00:55:15 PM
Event ID/Source: 3 / 4th Dimension®
Event Description:
PsychReport.4DC

Event Record #/Type2321 / Success
Event Submitted/Written: 12/25/2007 00:54:58 PM
Event ID/Source: 2 / 4th Dimension®
Event Description:
PsychReport.4DC

Event Record #/Type2250 / Warning
Event Submitted/Written: 12/25/2007 02:03:25 AM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: warning

A LiveUpdate session is already in progress; cannot launch Automatic LiveUpdate.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type17601 / Warning
Event Submitted/Written: 12/26/2007 09:03:10 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type17586 / Warning
Event Submitted/Written: 12/26/2007 03:36:57 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\FAMILYROOM on the network \Device\NetBT_Tcpip_{C0E68B85-A155-4E69-9BD1-63C696EEA087}.
The data is the error code.

Event Record #/Type17333 / Error
Event Submitted/Written: 12/26/2007 08:07:19 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Windows Media Player Network Sharing Service service failed to start due to the following error:
%%1053

Event Record #/Type17332 / Error
Event Submitted/Written: 12/26/2007 08:07:17 AM / 12/26/2007 08:07:19 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Windows Media Player Network Sharing Service service to connect.

Event Record #/Type17327 / Warning
Event Submitted/Written: 12/26/2007 02:15:44 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2007-12-26 23:55:44 ------------

Thanks in advance for your help.
tms123 is offline  
12-28-2007, 06:11 PM   #2
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: win xp professional sp2


Re: popups; slooowww system

Hello, again.

System is still very slow and stops for periods of time.

I was finally able to get a Panda ActiveScan, and it is attached. Also, here is a new DSS scan, but only the "main.txt" file appeared. Below is the scan.

Thank you in advance for your help.


Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\efcyayx.dll
Adware:adware/sbsoft Not disinfected c:\windows\rdt.ini
Spyware:spyware/dogpile Not disinfected C:\Documents and Settings\User\Application Data\Infospace
Adware:adware/megatds Not disinfected Windows Registry
Virus:Trj/Downloader.PLF Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\2314.exe[oTt26e2314.exe]
Spyware:Cookie/YieldManager Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Cookies\user@ad.yieldmanager[2].txt
Spyware:Cookie/AdvancedCleaner Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Cookies\user@advancedcleaner[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Cookies\user@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Cookies\user@atdmt[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Cookies\user@casalemedia[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Cookies\user@doubleclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Cookies\user@ehg-dig.hitbox[2].txt
Spyware:Cookie/Go Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Cookies\user@go[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Cookies\user@questionmarket[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Cookies\user@statcounter[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Cookies\user@zedo[1].txt
Adware:Adware/Adband Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\D152.tmp[ism.exe]
Possible Virus. Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\D152.tmp[qdrloader.exe]
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\ismtpa8.exe[QdrPack11.exe]
Virus:Generic Trojan Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\Setup195.exe[SearchUs.exe]
Possible Virus. Not disinfected C:\Deckard\System Scanner\backup\WINDOWS\temp\ASHeuristic\yahooo_exe.vir
Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\User\Cookies\user@advancedcleaner[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\User\Cookies\user@bluestreak[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\User\Cookies\user@bs.serving-sys[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\User\Cookies\user@casalemedia[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\User\Cookies\user@com[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\User\Cookies\user@ehg-dig.hitbox[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\User\Cookies\user@go[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\User\Cookies\user@searchportal.information[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\User\Local Settings\Temp\eygtblrp.exe
Spyware:Spyware/Vundo Not disinfected C:\Documents and Settings\User\Local Settings\Temporary Internet Files\1239.exe
Virus:Trj/Downloader.PLF Not disinfected C:\Documents and Settings\User\Local Settings\Temporary Internet Files\2314.exe[ardCo172314.exe]
Possible Virus. Not disinfected C:\WINDOWS\system32\mp43.exe
Possible Virus. Not disinfected C:\WINDOWS\yahooo.exe


Here is the DSS main.txt:
Deckard's System Scanner v20071014.68
Run by User on 2007-12-28 18:58:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-28 18:58:36
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Application Data\hteixt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\mrofinu.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.to...rms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.to...rms/search.htm
R3 - URLSearchHook: (no name) - {37943D56-8F06-4BC5-8101-33F389C6AD90} - ftbar.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C27A215-DC35-483A-99EF-C82B3F02CBAE} - C:\Program Files\Internet Explorer\nipybacoC:\DOCUME~1\User\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {1C574D18-DCB0-4E8E-AFA3-C1A20F8EB1C4} - C:\Program Files\Internet Explorer\nipybacoC:\WINDOWS\system32\o9\parreo83122.exe.dll (file missing)
O2 - BHO: (no name) - {3739154B-57A7-48A8-9ED5-102DA9F457C0} - C:\WINDOWS\system32\vturo.dll
O2 - BHO: {d7c1ed3e-d70c-1b1a-bab4-4d0a7a9e38b6} - {6b83e9a7-a0d4-4bab-a1b1-c07de3de1c7d} - C:\WINDOWS\system32\cifkaywh.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: (no name) - {AEBF6926-DBA6-4100-A838-1CED0169AB78} - C:\WINDOWS\system32\efcdccd.dll (file missing)
O2 - BHO: Flash Module - {B7A4FE11-BF1A-467b-9E24-C4CF9CFC74AF} - korkyst.dll (file missing)
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\efcyayx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1239.exe 61A847B5BBF72813309831466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC412806867680AEDE604D64C2661373FB12EADCD66A47
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [7c01316f] rundll32.exe "C:\WINDOWS\system32\skvhjbni.dll",b
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...tent/opuc3.cab
O16 - DPF: {3FB19495-15FD-E825-A846-273D2681EDB2} () - http://performanceoptimizer.com/.landing/SoftInst.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/...osticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136576903936
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137529712403
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} () - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.10/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{C0E68B85-A155-4E69-9BD1-63C696EEA087}: NameServer = 85.255.115.52,85.255.112.85
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: efcdccd - C:\WINDOWS\system32\efcdccd.dll (file missing)
O20 - Winlogon Notify: efcyayx - C:\WINDOWS\system32\efcyayx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 12614 bytes

-- Files created between 2007-11-28 and 2007-12-28 -----------------------------

2007-12-28 11:59:06 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2007-12-28 02:16:40 77888 --a------ C:\WINDOWS\system32\cifkaywh.dll
2007-12-28 02:13:33 90176 --a------ C:\WINDOWS\system32\skvhjbni.dll
2007-12-27 17:23:14 39936 -ra------ C:\WINDOWS\mrofinu1239.exe
2007-12-27 07:36:28 8576 --a------ C:\WINDOWS\system32\drivers\tccupuibykqw.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-12-27 01:16:06 0 d-------- C:\WINDOWS\LastGood
2007-12-26 23:20:41 0 d-------- C:\ie-spyad_zo
2007-12-26 23:09:04 0 d-------- C:\Program Files\SpywareBlaster
2007-12-26 14:46:45 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-26 13:37:35 12800 --a------ C:\Documents and Settings\User\Application Data\hteixt.exe
2007-12-26 12:21:52 80448 --a------ C:\WINDOWS\system32\xtvubmfl.dll
2007-12-26 10:38:59 0 d-------- C:\Documents and Settings\User\Application Data\Spyware Terminator
2007-12-26 10:38:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-12-26 10:38:47 0 d-------- C:\Program Files\Spyware Terminator
2007-12-26 02:14:59 1283174 --a------ C:\Install
2007-12-26 02:01:52 40960 --a------ C:\WINDOWS\yahooo.exe <Not Verified; Microsoft; hd9llk'/}./;gd434656578"7fgdhdfnbnx xcvc>
2007-12-26 02:01:52 40960 --a------ C:\WINDOWS\system32\mp43.exe <Not Verified; Microsoft; hd9llk'/}./;gd434656578"7fgdhdfnbnx xcvc>
2007-12-26 01:59:06 23552 --a------ C:\winqghc.exe
2007-12-26 01:51:11 4608 --a------ C:\winruef.exe
2007-12-26 01:48:55 23552 --a------ C:\winprlb.exe
2007-12-26 00:10:26 77376 --a------ C:\WINDOWS\system32\oyxfwqcr.dll
2007-12-26 00:10:21 84545 --a------ C:\WINDOWS\system32\ysxlxsoh.dll
2007-12-25 10:26:52 478612 --a------ C:\Documents and Settings\User\load.exe
2007-12-25 00:11:37 78400 --a------ C:\WINDOWS\system32\gvgjhcyx.dll
2007-12-24 00:56:23 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-12-24 00:17:58 0 d-------- C:\Program Files\Windows Sidebar
2007-12-24 00:17:57 0 d-------- C:\Program Files\Norton AntiVirus
2007-12-24 00:14:34 0 d-------- C:\Program Files\Symantec
2007-12-24 00:14:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-24 00:08:58 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-24 0015 0 --ahs---- C:\Documents and Settings\User\Application Data\89b19cf7d12db4ef438a91b27aa2da7526586d26.dat
2007-12-24 0000 509122 --ahs---- C:\WINDOWS\system32\orutv.ini2
2007-12-24 00:05:33 325120 --a------ C:\WINDOWS\system32\vturo.dll
2007-12-23 23:30:46 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2007-12-23 22:25:45 329664 --a------ C:\WINDOWS\system32\sstqp.dll
2007-12-23 22:20:50 20480 --a------ C:\WINDOWS\quit.exe <Not Verified; Microsoft; asfw56trjkfmghjoy8fvbfsds4656ioui;kh,ncv>
2007-12-23 20:25:42 329664 --a------ C:\WINDOWS\system32\vtsqr.dll
2007-12-23 17:59:50 329664 --a------ C:\WINDOWS\system32\awtqp.dll
2007-12-22 10:01:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-22 00:46:25 0 d-------- C:\Program Files\QdrDrive
2007-12-22 00:46:22 40448 --a------ C:\WINDOWS\system32\efcyayx.dll
2007-12-21 16:25:51 3953 -----n--- C:\WINDOWS\hpwmdl05.dat
2007-12-21 16:25:51 141382 --a------ C:\WINDOWS\hpwins05.dat
2007-12-21 16:17:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-21 16:17:27 118272 --a------ C:\WINDOWS\system32\hpz3l4x6.dll <Not Verified; Hewlett-Packard Company; Language Monitor>
2007-12-21 16:14:55 16059 --a------ C:\WINDOWS\hpwscr05.dat
2007-12-21 16:10:15 0 d-------- C:\HP_CLJ_4700_Installer_English
2007-12-21 08:10:51 0 d-------- C:\WINDOWS\system32\o9
2007-12-21 08:10:50 0 d-------- C:\WINDOWS\system32\x1
2007-12-21 08:10:50 0 d-------- C:\WINDOWS\system32\j2
2007-12-21 08:10:50 0 d-------- C:\WINDOWS\system32\g9
2007-12-21 08:10:50 0 d-------- C:\WINDOWS\system32\d1
2007-12-21 08:10:36 0 d-------- C:\WINDOWS\system32\ardCo17
2007-12-12 20:17:03 0 d-------- C:\WINDOWS\system32\ineWc01


-- Find3M Report ---------------------------------------------------------------

2007-12-28 17:21:43 0 d-------- C:\Program Files\Messenger
2007-12-28 17:21:41 0 d-------- C:\Program Files\iTunes
2007-12-28 17:01:50 0 d-------- C:\Program Files\Google
2007-12-26 13:45:02 0 d-------- C:\Program Files\Common Files
2007-12-24 00:34:21 0 d-------- C:\Documents and Settings\User\Application Data\VersionTracker Pro
2007-12-23 23:57:46 0 d-------- C:\Documents and Settings\User\Application Data\AVG7
2007-12-23 23:42:58 0 d-------- C:\Program Files\Lavasoft
2007-12-23 17:07:14 0 d-------- C:\Program Files\There
2007-12-21 06:58:43 0 d-------- C:\Program Files\PrintMaster 16
2007-12-21 06:53:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-19 09:03:08 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-12-04 16:08:44 0 d-------- C:\Documents and Settings\User\Application Data\Image Zone Express
2007-11-24 03:50:08 0 d-------- C:\Documents and Settings\User\Application Data\Apple Computer
2007-11-10 23:26:55 0 d-------- C:\Program Files\iPod
2007-11-10 23:25:26 0 d-------- C:\Program Files\QuickTime
2007-11-04 21:49:46 0 d-------- C:\Program Files\HP
2007-11-04 21:38:33 0 d-------- C:\Program Files\CONEXANT
2007-11-04 16:17:05 1 --a------ C:\WINDOWS\system32\rc.dat
2007-11-04 16:17:05 1 --a------ C:\WINDOWS\system32\ps1.dat
2007-11-04 16:17:05 1 --a------ C:\WINDOWS\system32\cs.dat
2007-11-04 16:17:05 1 --a------ C:\WINDOWS\system32\cookie1.dat
2007-11-04 16:13:22 52736 --a------ C:\WINDOWS\system32\korkyst.dll <Not Verified; Saterdat; Corp stand>
2007-11-04 16:13:22 36088 --a------ C:\WINDOWS\system32\conf.dat
2007-11-01 16:43:32 0 d-------- C:\Documents and Settings\User\Application Data\Lavasoft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C27A215-DC35-483A-99EF-C82B3F02CBAE}]
C:\Program Files\Internet Explorer\nipybacoC:\DOCUME~1\User\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C574D18-DCB0-4E8E-AFA3-C1A20F8EB1C4}]
C:\Program Files\Internet Explorer\nipybacoC:\WINDOWS\system32\o9\parreo83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3739154B-57A7-48A8-9ED5-102DA9F457C0}]
12/24/2007 12:05 AM 325120 --a------ C:\WINDOWS\system32\vturo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6b83e9a7-a0d4-4bab-a1b1-c07de3de1c7d}]
12/28/2007 02:16 AM 77888 --a------ C:\WINDOWS\system32\cifkaywh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
12/24/2007 12:23 AM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}]
C:\WINDOWS\system32\efcdccd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7A4FE11-BF1A-467b-9E24-C4CF9CFC74AF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
12/22/2007 12:46 AM 40448 --a------ C:\WINDOWS\system32\efcyayx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [03/11/2003 04:08 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [08/09/2004 05:03 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 09:44 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [02/16/2005 10:11 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 02:42 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"runner1"="C:\WINDOWS\mrofinu1239.exe" [12/27/2007 05:23 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/24/2007 11:07 PM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [08/24/2007 10:53 PM]
"7c01316f"="C:\WINDOWS\system32\skvhjbni.dll" [12/28/2007 02:13 AM]
"IESet"="IExplorer.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]
"IESet"="IExplorer.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"IESet"=IExplorer.dll .dbt

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"IESet"=IExplorer.dll .dbt

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 3:21:22 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [11/9/2007 4:13:18 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEBF6926-DBA6-4100-A838-1CED0169AB78}"= C:\WINDOWS\system32\efcdccd.dll [ ]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\efcyayx.dll [12/22/2007 12:46 AM 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdfpz.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdccd]
efcdccd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyayx]
efcyayx.dll 12/22/2007 12:46 AM 40448 C:\WINDOWS\system32\efcyayx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - MHAXYYSBXSFD
*Newly Created Service* - TCCUPUIBYKQW
*Newly Created Service* - VMFYLPGFIKYE



-- End of Deckard's System Scanner: finished at 2007-12-28 19:00:00 ------------
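The log above is the evidence; the work is spotting which of the hundreds of lines are the infection. In this post the tell-tale entries are the O17 NameServer overrides (public 85.255.x.x resolvers written into both CCS and CS1, which no home user configures by hand), the O20 Winlogon Notify, O2 BHO and ShellExecuteHooks entries that all point at efcyayx.dll (the file Panda flagged as Virtumonde), the LSA "Authentication Packages" value carrying vturo.dll next to msv1_0, and O4 Run entries that load freshly created system32 DLLs through rundll32 under hex-looking key names. The script below is an added example for this thread, not a tool the forum, Trend Micro or Deckard supply: it parses HijackThis-style O-lines plus the DSS "Files created" block, then flags autostart entries whose target was created inside a recent window, entries with no qualified path or a missing file, rundll32 loaders, and NameServer values outside private/loopback space. The SAMPLE text is excerpted from the log above (command-line arguments trimmed); the 14-day window, the section set and the heuristics are this example's assumptions, not a standard.

```python
"""Triage helper for HijackThis/DSS-style logs (added example, not forum tooling).

Correlates autostart entries (O2/O3/O4/O20/O21/O23) with the DSS "Files created"
block and flags O17 NameServer overrides pointing at public resolvers.
SAMPLE is excerpted from the posted log; the 14-day window is an assumption.
"""
import ipaddress
import re
from datetime import datetime, timedelta

SAMPLE = r"""
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\efcyayx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1239.exe
O4 - HKLM\..\Run: [7c01316f] rundll32.exe "C:\WINDOWS\system32\skvhjbni.dll",b
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
O20 - Winlogon Notify: efcdccd - C:\WINDOWS\system32\efcdccd.dll (file missing)
O20 - Winlogon Notify: efcyayx - C:\WINDOWS\system32\efcyayx.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
-- Files created between 2007-11-28 and 2007-12-28 -----------------------------
2007-12-28 02:13:33 90176 --a------ C:\WINDOWS\system32\skvhjbni.dll
2007-12-27 17:23:14 39936 -ra------ C:\WINDOWS\mrofinu1239.exe
2007-12-22 00:46:22 40448 --a------ C:\WINDOWS\system32\efcyayx.dll
2007-11-10 23:25:26 0 d-------- C:\Program Files\QuickTime
"""

# One HijackThis line: section id and the rest of the line.
HJT_RE = re.compile(r"^(O\d+) - (.*)$", re.M)
# DSS "Files created" line: timestamp, size, attributes, path, optional <version info>.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+\S+\s+(.+?)(?:\s+<.*>)?\s*$", re.M)
# First drive-qualified executable/DLL/driver path in a line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe|sys)\b', re.I)
# Run key names that are eight hex digits (e.g. [7c01316f]).
HEX_KEY_RE = re.compile(r"\[([0-9a-f]{8})\]", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Sections that represent code executed at logon/boot (assumed set for this example).
AUTOSTART = {"O2", "O3", "O4", "O20", "O21", "O23"}


def parse_created(text):
    """Map lower-cased path -> creation time from the DSS 'Files created' block."""
    return {m.group(2).lower(): datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            for m in CREATED_RE.finditer(text)}


def parse_hjt(text):
    """Return (section, body) pairs for every 'Onn - ...' line."""
    return [(m.group(1), m.group(2)) for m in HJT_RE.finditer(text)]


def public_ips(body):
    """IPv4 addresses in the line that are neither private, loopback nor link-local."""
    out = []
    for ip in IP_RE.findall(body):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not (addr.is_private or addr.is_loopback or addr.is_link_local):
            out.append(str(addr))
    return out


def triage(text, scan_date, window_days=14):
    """Return [(section, body, [reasons])] for every line that trips a heuristic."""
    created = parse_created(text)
    cutoff = scan_date - timedelta(days=window_days)
    findings = []
    for section, body in parse_hjt(text):
        reasons = []
        if section == "O17":
            bad = public_ips(body)
            if bad:
                reasons.append("NameServer overridden with public resolvers " + ", ".join(bad))
        elif section in AUTOSTART:
            m = PATH_RE.search(body)
            if m is None:
                reasons.append("autostart without a qualified path")
            else:
                when = created.get(m.group(0).lower())
                if when is not None and when >= cutoff:
                    reasons.append(f"file created {when:%Y-%m-%d}, inside {window_days}-day window")
            if "(file missing)" in body:
                reasons.append("dangling autostart entry (file missing)")
            if section == "O4" and "rundll32" in body.lower():
                reasons.append("rundll32 used to load a DLL at logon")
            if section == "O4" and HEX_KEY_RE.search(body):
                reasons.append("hex-looking Run key name")
        if reasons:
            findings.append((section, body, reasons))
    return findings


def run_sample():
    """Triage the excerpt with the scan date of the posted DSS log."""
    return triage(SAMPLE, datetime(2007, 12, 28))


if __name__ == "__main__":
    for section, body, reasons in run_sample():
        print(f"{section}: {body}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the excerpt the Google toolbar, QuickTime and iPod entries pass cleanly, while the seven Vundo/DNS-changer lines are each flagged with the reason a helper would write in the reply. The creation-time correlation is what separates random-looking but legitimate Windows names (ctfmon, msmsgs) from dropped DLLs, so feed the script the full DSS log rather than the HijackThis section alone; the window is a triage aid, not proof, and a clean result says nothing about rootkits that hide files from the scanner.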
Old 12-28-2007, 08:36 PM   #3 (permalink)
Analyst, Security Team
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,584
OS: Windows XP Pro


Re: popups; slooowww system

Hi tms123,

This is going to take a few rounds to clean up, so please stick with me until I say your system is clean.

-------------------------------------------------------------

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

Download combofix from here

**Save it directly to your desktop**

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

A log will be produced that will ultimately be named C:\ComboFix.txt I'll need that in your next reply, along with a new DSS Log (main.txt)
Old 12-29-2007, 09:39 AM   #4 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 20
OS: win xp professional sp2


Re: popups; slooowww system

Thanks for getting back to me.

ComboFix scan:
ComboFix 07-12-29.5 - User 2007-12-29 10:11:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.102 [GMT -6:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\load.exe
C:\Program Files\QdrDrive
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\temp\tn3
C:\Temp\tpBe12
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu1239.exe
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\d1
C:\WINDOWS\system32\drivers\BNU64.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\efcyayx.dll
C:\WINDOWS\system32\g9
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\j2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\o9
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\vtsqr.dll
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\x1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BNU64
-------\LEGACY_CORE
-------\LEGACY_ICF


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 08:51 . 2007-12-29 08:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 02:16 . 2007-12-29 06:29 1,031,199 --ahs---- C:\WINDOWS\system32\pqomewpr.ini
2007-12-28 11:59 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-28 02:13 . 2007-12-28 20:46 1,031,259 --ahs---- C:\WINDOWS\system32\inbjhvks.ini
2007-12-27 07:36 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\tccupuibykqw.sys
2007-12-26 23:50 . 2007-12-26 23:50 <DIR> d-------- C:\Deckard
2007-12-26 23:20 . 2007-12-26 23:20 <DIR> d-------- C:\ie-spyad_zo
2007-12-26 23:09 . 2007-12-26 23:10 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-26 14:46 . 2007-12-28 18:00 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-26 14:46 . 2007-12-28 16:09 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-26 14:46 . 2007-12-28 16:09 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-26 14:46 . 2007-12-28 16:09 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-26 10:38 . 2007-12-28 21:00 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-12-26 10:38 . 2007-12-29 08:09 <DIR> d-------- C:\Documents and Settings\User\Application Data\Spyware Terminator
2007-12-26 10:38 . 2007-12-28 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-12-26 02:14 . 2007-12-26 02:15 1,283,174 --a------ C:\Install
2007-12-26 02:01 . 2007-12-26 02:01 40,960 --a------ C:\WINDOWS\yahooo.exe
2007-12-26 01:59 . 2007-12-26 01:59 23,552 --a------ C:\winqghc.exe
2007-12-26 01:52 . 2007-12-26 01:52 29 --a------ C:\WINDOWS\system32\otiregfp.tmp
2007-12-26 01:51 . 2007-12-26 01:51 4,608 --a------ C:\winruef.exe
2007-12-26 01:48 . 2007-12-26 01:48 23,552 --a------ C:\winprlb.exe
2007-12-25 00:08 . 2007-12-25 02:25 1,010,113 --ahs---- C:\WINDOWS\system32\sxbpcbdv.ini
2007-12-24 00:56 . 2007-12-24 00:56 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-12-24 00:17 . 2007-12-24 00:17 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-12-24 00:17 . 2007-12-28 17:23 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-12-24 00:16 . 2007-12-26 12:26 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-24 00:16 . 2007-12-26 12:26 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-24 00:16 . 2007-12-26 12:26 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-24 00:16 . 2007-12-26 12:26 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-24 00:14 . 2007-12-26 12:26 <DIR> d-------- C:\Program Files\Symantec
2007-12-24 00:14 . 2007-12-24 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-24 00:08 . 2007-12-28 17:00 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-24 00:06 . 2007-12-24 01:49 0 --ahs---- C:\Documents and Settings\User\Application Data\89b19cf7d12db4ef438a91b27aa2da7526586d26.dat
2007-12-23 23:30 . 2007-12-23 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2007-12-23 22:20 . 2007-12-26 02:01 20,480 --a------ C:\WINDOWS\quit.exe
2007-12-22 11:24 . 2007-12-22 11:24 4,286 --a------ C:\WINDOWS\system32\santa4.ico
2007-12-22 10:01 . 2007-12-22 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-21 16:25 . 2007-12-21 16:25 141,382 --a------ C:\WINDOWS\hpwins05.dat
2007-12-21 16:25 . 2006-09-07 13:41 3,953 --------- C:\WINDOWS\hpwmdl05.dat
2007-12-21 16:17 . 2007-12-21 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-21 16:17 . 2007-08-17 21:29 118,272 --a------ C:\WINDOWS\system32\hpz3l4x6.dll
2007-12-21 16:15 . 2007-07-04 21:42 1,275,480 --a------ C:\WINDOWS\hpzshl01.exe
2007-12-21 16:15 . 2007-07-04 21:42 1,132,120 --a------ C:\WINDOWS\hpzmsi01.exe
2007-12-21 16:15 . 2007-08-22 08:28 142,067 --------- C:\WINDOWS\hpwins05.dat.temp
2007-12-21 16:15 . 2006-09-07 13:41 3,953 --------- C:\WINDOWS\hpwmdl05.dat.temp
2007-12-21 16:14 . 2007-09-14 10:12 16,059 --a------ C:\WINDOWS\hpwscr05.dat
2007-12-21 16:10 . 2007-12-21 16:10 <DIR> d-------- C:\HP_CLJ_4700_Installer_English
2007-12-21 08:10 . 2007-12-24 02:33 <DIR> d-------- C:\WINDOWS\system32\ardCo17
2007-12-21 08:10 . 2007-12-21 08:10 <DIR> d-------- C:\Temp\cEeer12
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 14:54 --------- d-----w C:\Documents and Settings\User\Application Data\AVG7
2007-12-29 14:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-28 23:21 --------- d-----w C:\Program Files\iTunes
2007-12-28 23:01 --------- d-----w C:\Program Files\Google
2007-12-24 06:34 --------- d-----w C:\Documents and Settings\User\Application Data\VersionTracker Pro
2007-12-24 05:57 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-24 05:42 --------- d-----w C:\Program Files\Lavasoft
2007-12-23 23:07 --------- d-----w C:\Program Files\There
2007-12-21 12:58 --------- d-----w C:\Program Files\PrintMaster 16
2007-12-21 12:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 15:03 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-12-04 22:08 --------- d-----w C:\Documents and Settings\User\Application Data\Image Zone Express
2007-11-24 09:50 --------- d-----w C:\Documents and Settings\User\Application Data\Apple Computer
2007-11-17 05:23 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 05:26 --------- d-----w C:\Program Files\iPod
2007-11-11 05:25 --------- d-----w C:\Program Files\QuickTime
2007-11-05 03:49 --------- d-----w C:\Program Files\HP
2007-11-05 03:38 --------- d-----w C:\Program Files\CONEXANT
2007-11-04 22:13 52,736 ----a-w C:\WINDOWS\system32\korkyst.dll
2007-11-01 22:43 --------- d-----w C:\Documents and Settings\User\Application Data\Lavasoft
2007-11-01 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C27A215-DC35-483A-99EF-C82B3F02CBAE}]
C:\Program Files\Internet Explorer\nipybacoC:\DOCUME~1\User\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C574D18-DCB0-4E8E-AFA3-C1A20F8EB1C4}]
C:\Program Files\Internet Explorer\nipybacoC:\WINDOWS\system32\o9\parreo83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5b678a08-1cd1-415d-b2c6-afc64a52dd10}]
C:\WINDOWS\system32\vhxbighh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-12-24 00:23 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7A4FE11-BF1A-467b-9E24-C4CF9CFC74AF}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 04:08]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 22:53]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-29 08:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-24 02:29]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-29 08:51]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-09 16:13:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdccd]
efcdccd.dll

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-24 23:07]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-01-11 00:22]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 06:48]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 EraserUtilDrvI4;EraserUtilDrvI4;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI4.sys []
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 0349 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-29 12:28:10 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - User.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 10:27:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-29 10:30:15 - machine was rebooted
.
2007-12-22 09:04:58 --- E O F ---


DSS log:
ACDeckard's System Scanner v20071014.68
Run by User on 2007-12-29 10:31:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-29 10:32:44
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\User\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.to...rms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R3 - URLSearchHook: (no name) - {37943D56-8F06-4BC5-8101-33F389C6AD90} - ftbar.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C27A215-DC35-483A-99EF-C82B3F02CBAE} - C:\Program Files\Internet Explorer\nipybacoC:\DOCUME~1\User\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {1C574D18-DCB0-4E8E-AFA3-C1A20F8EB1C4} - C:\Program Files\Internet Explorer\nipybacoC:\WINDOWS\system32\o9\parreo83122.exe.dll (file missing)
O2 - BHO: {01dd25a4-6cfa-6c2b-d514-1dc180a876b5} - {5b678a08-1cd1-415d-b2c6-afc64a52dd10} - C:\WINDOWS\system32\vhx