As Per Instructions from Fred.....

[Ariesjill]

Hi.

Just posted this in Security Forum:
http://www.techsupportforum.com/gene...tml#post681755

U will C that Fred feels there may actually B a problem.....and I am moving things here as I was told 2 do, pls C thumbnail of current Hijackthis log.....and word doc from the utililty which picked this up.

System: Dell Optiplex GX260; P 4 2.26; 1GB ram; two 80GB HDDs, runing XP Pro, SP2, IE6 fully patched.

I am 5'7", brunette, size 3. Left handed, little nuts.

Anything else...just please ask!!! I can run Astra 32 and attach entire system, chipset, whatevah.......

Thank U SO MUCH!!!

Jill

[tetonbob]

Please just copy/paste the HijackThis log into your reply.

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log. When HijackThis opens Notepad with the log, press Ctrl+A to select all, Ctrl+C to copy all, then Ctrl+V to paste all into a thread.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

[Ariesjill]

Logfile of HijackThis v1.99.1
Scan saved at 2:57:05 PM, on 10/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1130120933\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\Iconoid\iconoid.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Common Files\AOL\1130120933\ee\aolsoftware.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Speaking Clock\SpClock.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\unzipped\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup


Thanks, guys!!!!!
Jill

[tetonbob]

Ji Jill -

It seems unimaginable that that is your entire log...quite a bit of it is missing. Have you by any chance done any fixing of things with HJT?

There should be several more lines in that log.

[Ariesjill]

Totally! Over many months! Shall I send all I deleted?
Jill

[Ariesjill]

By the by.....this insect apeared only 2 days ago......i run Reg audit all the time....and this is a new thing. But let me go get my deleted file....
J.

PS am trying to copy & paste my 'Ignore List".....am having trouble doing this. Then, there is the list of backups.

Forgive my stupid.....what should I do next (aside from stabbing myself in the tummy)?
thanks,
Jill

[tetonbob]

HJT should not be used unless you've been trained in it's usage...please do this:

• Open HJT and click on View the list of Backups.
  
• Check each item showing and then click Restore
• Click Yes.
• Reboot your system.
• Post a new HJT log

[Ariesjill]

O! I had no idea....been selecting things to both delete and save for long time. I was trained by GREMLINS, ok?

THEY HAD badges.
ok.......HOLD ON.....

Jill

[tetonbob]

Ignore this post, please.

[Ariesjill]

OK I restored the backups, rebooted, rescanned.....WHAT A mess! OMG. Sorry. This does ot even look like the right log!!!!

date/time : 2006-10-30, 15:35:38, 406ms
computer name : VALUED-71BAE275
user name : Administrator <admin>
operating system : Windows XP Service Pack 2 build 2600
system language : English
system up time : 3 minutes 22 seconds
program up time : 2 minutes 39 seconds
processor : Intel(R) Pentium(R) 4 CPU 2.26GHz
physical memory : 631/1022 MB (free/total)
free disk space : (C:) 66.52 GB
display mode : 1280x1024, 32 bit
process id : $ec
allocated memory : 6.39 MB
command line : "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
executable : IObit SmartDefrag.exe
exec. date/time : 2006-10-28 20:01
madExcept version : 3.0b
callstack crc : $7999fce3, $4063b112, $4063b112
exception number : 1
exception class : EThread
exception message : Thread Error: The recipient process has refused the signal (156).

main thread ($f0):
005235d3 +053 IObit SmartDefrag.exe Classes TThread.CheckThreadError
0052360c +010 IObit SmartDefrag.exe Classes TThread.CheckThreadError
005237bb +017 IObit SmartDefrag.exe Classes TThread.Suspend
00402956 +3a6 IObit SmartDefrag.exe Tmainform.cpp 265 +112 Tmainform.cputimerTimer
00582ef3 +00f IObit SmartDefrag.exe Extctrls TTimer.Timer
00582dd7 +02b IObit SmartDefrag.exe Extctrls TTimer.WndProc
005248fc +014 IObit SmartDefrag.exe Classes _17260
77d496c2 +00a USER32.dll DispatchMessageA
0057e457 +083 IObit SmartDefrag.exe Forms TApplication.ProcessMessage
0057e48e +00a IObit SmartDefrag.exe Forms TApplication.HandleMessage
0057e6ae +096 IObit SmartDefrag.exe Forms TApplication.Run
00401ce2 +0fa IObit SmartDefrag.exe Project1.cpp 70 +18 WinMain
005cdbe8 +14c IObit SmartDefrag.exe __startup

thread $2ac (TDefragUsualThread):
7c810659 +00 kernel32.dll
>> created by main thread ($f0) at:
004219cb +33 IObit SmartDefrag.exe TDefragUsualThread.cpp 9 +0 TDefragUsualThread.Create

thread $ca4:
7c90eb94 +00 ntdll.dll KiFastSystemCallRet
7c90e9be +0a ntdll.dll NtWaitForSingleObject
71aa150a +6a WS2HELP.dll WahReferenceContextByHandle
71ab2e64 +a4 WS2_32.dll select
005f78cd +0d IObit SmartDefrag.exe Madexcept _17150
005f7937 +37 IObit SmartDefrag.exe Madexcept _17151
>> created by main thread ($f0) at:
771d9238 +00 WININET.dll

thread $ca8:
7c90eb94 +0 ntdll.dll KiFastSystemCallRet
7c90d85a +a ntdll.dll NtDelayExecution

thread $cb0:
7c90eb94 +00 ntdll.dll KiFastSystemCallRet
7c90e9a9 +0a ntdll.dll NtWaitForMultipleObjects
7c8094dc +00 kernel32.dll WaitForMultipleObjectsEx
7c80a070 +13 kernel32.dll WaitForMultipleObjects
005f78cd +0d IObit SmartDefrag.exe Madexcept _17150
005f7937 +37 IObit SmartDefrag.exe Madexcept _17151
>> created by thread $cac at:
771cd9d8 +00 WININET.dll

thread $ce8:
7c90eb94 +00 ntdll.dll KiFastSystemCallRet
7c90e9a9 +0a ntdll.dll NtWaitForMultipleObjects
7c8094dc +00 kernel32.dll WaitForMultipleObjectsEx
005f78cd +0d IObit SmartDefrag.exe Madexcept _17150
005f7937 +37 IObit SmartDefrag.exe Madexcept _17151
>> created by thread $cac at:
77dfa17c +00 ADVAPI32.DLL

thread $d10: <priority:1>
7c90eb94 +00 ntdll.dll KiFastSystemCallRet
7c90e319 +0a ntdll.dll NtRemoveIoCompletion
005f78cd +0d IObit SmartDefrag.exe Madexcept _17150
005f7937 +37 IObit SmartDefrag.exe Madexcept _17151
>> created by thread $cac at:
71a5dbb3 +00 mswsock.dll

thread $d4c:
7c90eb94 +00 ntdll.dll KiFastSystemCallRet
7c90e9be +0a ntdll.dll NtWaitForSingleObject
7c8025c5 +85 kernel32.dll WaitForSingleObjectEx
7c80252d +0d kernel32.dll WaitForSingleObject
005f78cd +0d IObit SmartDefrag.exe Madexcept _17150
005f7937 +37 IObit SmartDefrag.exe Madexcept _17151
>> created by main thread ($f0) at:
7dd07910 +00 mshtml.dll

modules:
00400000 IObit SmartDefrag.exe C:\Program Files\IObit\IObit SmartDefrag
02570000 taskdll.dll C:\Program Files\IObit\IObit SmartDefrag
028d0000 WLHook.dll 3.1.0.1 C:\Program Files\Common Files\AOL\ACS
02ac0000 xpsp2res.dll 5.1.2600.2180 C:\WINDOWS\system32
0ffd0000 rsaenh.dll 5.1.2600.2161 C:\WINDOWS\system32
10000000 UnlockerHook.dll C:\Program Files\Unlocker
20000000 shdoclc.dll 6.0.2900.2180 C:\WINDOWS\system32
5ad70000 uxtheme.dll 6.0.2900.2180 C:\WINDOWS\system32
5b860000 NETAPI32.dll 5.1.2600.2952 C:\WINDOWS\system32
5d090000 COMCTL32.DLL 5.82.2900.2982 C:\WINDOWS\system32
5edd0000 olepro32.dll 5.1.2600.2180 C:\WINDOWS\system32
662b0000 hnetcfg.dll 5.1.2600.2180 C:\WINDOWS\system32
68270000 injectDll.dll 2.0.39.1 c:\program files\common files\aol\1130120933\ee\services\search\ver2_0_39_1
71a50000 mswsock.dll 5.1.2600.2180 C:\WINDOWS\System32
71a90000 wshtcpip.dll 5.1.2600.2180 C:\WINDOWS\System32
71aa0000 WS2HELP.dll 5.1.2600.2180 C:\WINDOWS\system32
71ab0000 WS2_32.dll 5.1.2600.2180 C:\WINDOWS\system32
71ad0000 WSOCK32.DLL 5.1.2600.2180 C:\WINDOWS\system32
71b20000 MPR.dll 5.1.2600.2180 C:\WINDOWS\system32
722b0000 sensapi.dll 5.1.2600.2180 C:\WINDOWS\system32
73000000 WINSPOOL.DRV 5.1.2600.2180 C:\WINDOWS\system32
746c0000 msls31.dll 3.10.349.0 C:\WINDOWS\system32
754d0000 CRYPTUI.dll 5.131.2600.2180 C:\WINDOWS\system32
75830000 mstask.dll 5.1.2600.2180 C:\WINDOWS\system32
75cf0000 mlang.dll 6.0.2900.2180 C:\WINDOWS\system32
763b0000 COMDLG32.DLL 6.0.2900.2180 C:\WINDOWS\system32
767a0000 NTDSAPI.dll 5.1.2600.2180 C:\WINDOWS\system32
769c0000 USERENV.dll 5.1.2600.2180 C:\WINDOWS\system32
76b40000 WINMM.dll 5.1.2600.2180 C:\WINDOWS\system32
76bf0000 PSAPI.DLL 5.1.2600.2180 C:\WINDOWS\system32
76c30000 WINTRUST.dll 5.131.2600.2180 C:\WINDOWS\system32
76c90000 IMAGEHLP.dll 5.1.2600.2180 C:\WINDOWS\system32
76d60000 iphlpapi.dll 5.1.2600.2912 C:\WINDOWS\system32
76e80000 rtutils.dll 5.1.2600.2180 C:\WINDOWS\system32
76e90000 rasman.dll 5.1.2600.2180 C:\WINDOWS\system32
76eb0000 TAPI32.dll 5.1.2600.2180 C:\WINDOWS\system32
76ee0000 RASAPI32.DLL 5.1.2600.2180 C:\WINDOWS\system32
76f20000 DNSAPI.dll 5.1.2600.2938 C:\WINDOWS\system32
76f60000 WLDAP32.dll 5.1.2600.2180 C:\WINDOWS\system32
76fb0000 winrnr.dll 5.1.2600.2180 C:\WINDOWS\System32
76fc0000 rasadhlp.dll 5.1.2600.2938 C:\WINDOWS\system32
76fd0000 CLBCATQ.DLL 2001.12.4414.308 C:\WINDOWS\system32
77050000 COMRes.dll 2001.12.4414.258 C:\WINDOWS\system32
77120000 OLEAUT32.DLL 5.1.2600.2180 C:\WINDOWS\system32
771b0000 WININET.dll 6.0.2900.2937 C:\WINDOWS\system32
77260000 urlmon.dll 6.0.2900.2960 C:\WINDOWS\system32
773d0000 comctl32.dll 6.0.2900.2982 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
774e0000 OLE32.DLL 5.1.2600.2726 C:\WINDOWS\system32
77760000 shdocvw.dll 6.0.2900.2987 C:\WINDOWS\system32
77a80000 CRYPT32.dll 5.131.2600.2180 C:\WINDOWS\system32
77b20000 MSASN1.dll 5.1.2600.2180 C:\WINDOWS\system32
77b40000 appHelp.dll 5.1.2600.2180 C:\WINDOWS\system32
77c00000 VERSION.DLL 5.1.2600.2180 C:\WINDOWS\system32
77c10000 msvcrt.dll 7.0.2600.2180 C:\WINDOWS\system32
77c70000 msv1_0.dll 5.1.2600.2180 C:\WINDOWS\system32
77d40000 USER32.dll 5.1.2600.2622 C:\WINDOWS\system32
77dd0000 ADVAPI32.DLL 5.1.2600.2180 C:\WINDOWS\system32
77e70000 RPCRT4.dll 5.1.2600.2180 C:\WINDOWS\system32
77f10000 GDI32.dll 5.1.2600.2818 C:\WINDOWS\system32
77f60000 SHLWAPI.dll 6.0.2900.2937 C:\WINDOWS\system32
77fe0000 Secur32.dll 5.1.2600.2180 C:\WINDOWS\system32
7c800000 kernel32.dll 5.1.2600.2945 C:\WINDOWS\system32
7c900000 ntdll.dll 5.1.2600.2180 C:\WINDOWS\system32
7c9c0000 SHELL32.dll 6.0.2900.2951 C:\WINDOWS\system32
7dc30000 mshtml.dll 6.0.2900.2963 C:\WINDOWS\system32

processes:
000 Idle
004 System normal
278 smss.exe normal C:\WINDOWS\system32
2b8 csrss.exe
2d0 winlogon.exe high C:\WINDOWS\system32
2fc services.exe normal C:\WINDOWS\system32
308 lsass.exe normal C:\WINDOWS\system32
3a4 svchost.exe normal C:\WINDOWS\system32
3d0 svchost.exe
430 svchost.exe normal C:\WINDOWS\System32
460 vsmon.exe normal C:\WINDOWS\system32\ZoneLabs
628 spoolsv.exe normal C:\WINDOWS\system32
68c AOLacsd.exe normal C:\PROGRA~1\COMMON~1\AOL\ACS
6a8 aoltsmon.exe normal C:\Program Files\Common Files\AOL\TopSpeed\2.0
6d8 avgamsvr.exe normal C:\PROGRA~1\Grisoft\AVGFRE~1
700 aoltpspd.exe
798 Explorer.EXE normal C:\WINDOWS
7dc AOLSoftware.exe normal C:\Program Files\Common Files\AOL\1130120933\ee
7e8 avgcc.exe normal C:\PROGRA~1\Grisoft\AVGFRE~1
0c0 AOLDial.exe normal C:\Program Files\Common Files\AOL\ACS
0c8 avgupsvc.exe normal C:\PROGRA~1\Grisoft\AVGFRE~1
0d0 UnlockerAssistant.exe normal C:\Program Files\Unlocker
0dc zlclient.exe normal C:\Program Files\Zone Labs\ZoneAlarm
0b8 Awc.exe normal C:\Program Files\IObit\Advanced WindowsCare V2 Pro
0ec IObit SmartDefrag.exe normal C:\Program Files\IObit\IObit SmartDefrag
0f8 qttask.exe normal C:\Program Files\QuickTime
0e8 iconoid.exe normal C:\Program Files\Iconoid
114 avgemc.exe normal C:\PROGRA~1\Grisoft\AVGFRE~1
128 Tmas.exe normal C:\Program Files\Trend Micro\Tmas
134 waol.exe normal C:\Program Files\America Online 9.0a
1a8 InCDsrv.exe normal C:\Program Files\Ahead\InCD
4e8 svchost.exe normal C:\WINDOWS\system32
53c aolsoftware.exe normal C:\Program Files\Common Files\AOL\1130120933\ee
5c4 wdfmgr.exe
6d4 wanmpsvc.exe normal C:\WINDOWS
a24 shellmon.exe normal C:\Program Files\America Online 9.0a
a98 wmiprvse.exe
bc0 alg.exe
f38 wuauclt.exe normal C:\WINDOWS\system32
78c HijackThis.exe normal C:\unzipped\hijackthis
3fc NOTEPAD.EXE normal C:\WINDOWS\system32

hardware:
+ Computer
- ACPI Uniprocessor PC
+ Disk drives
- HDS722580VLAT20
- WDC WD800JB-00JJC0
+ Display adapters
- Intel(R) 82845G/GL/GE/PE/GV Graphics Controller (driver 6.14.10.4342)
+ DVD/CD-ROM drives
- HL-DT-ST CD-RW GCE-8486B
+ Floppy disk controllers
- Standard floppy disk controller
+ Floppy disk drives
- Floppy disk drive
+ Human Interface Devices
- HID-compliant consumer control device
- HID-compliant consumer control device
- HID-compliant device
- USB Human Interface Device
- USB Human Interface Device
- USB Human Interface Device
+ IDE ATA/ATAPI controllers
- Intel(R) 82801DB Ultra ATA Storage Controller - 24CB (driver 4.0.1001.0)
- Primary IDE Channel
- Secondary IDE Channel
+ Imaging devices
- CanoScan LiDE 25 #2 (driver 1.2.1.1)
+ Keyboards
- HID Keyboard Device
+ Mice and other pointing devices
- HID-compliant mouse
+ Modems
- Dell Data Fax Modem
+ Monitors
- Plug and Play Monitor
+ Network adapters
- Intel(R) PRO/1000 MT Network Connection (driver 6.2.21.19)
+ Ports (COM & LPT)
- Communications Port (COM1)
- Communications Port (COM2)
- ECP Printer Port (LPT1)
+ Processors
- Intel(R) Pentium(R) 4 CPU 2.26GHz
+ Sound, video and game controllers
- Audio Codecs
- Legacy Audio Drivers
- Legacy Video Capture Devices
- Media Control Devices
- SoundMAX Integrated Digital Audio (driver 5.12.1.3538)
- Video Codecs
+ System devices
- ACPI Fixed Feature Button
- ACPI Power Button
- Direct memory access controller
- Intel(R) 82801DB LPC Interface Controller - 24C0 (driver 4.0.1001.0)
- Intel(R) 82801DB PCI Bridge - 244E (driver 4.0.1001.0)
- Intel(R) 82801DB/DBM SMBus Controller - 24C3 (driver 4.0.1001.0)
- Intel(R) 82845G/GL Processor to I/O Controller 2560 (driver 4.0.1006.0)
- ISAPNP Read Data Port
- Logical Disk Manager
- Microcode Update Device
- Microsoft ACPI-Compliant System
- Microsoft System Management BIOS Driver
- Numeric data processor
- PCI bus
- Plug and Play Software Device Enumerator
- Printer Port Logical Interface
- Programmable interrupt controller
- System board
- System board
- System CMOS/real time clock
- System speaker
- System timer
- Terminal Server Device Redirector
- Terminal Server Keyboard Driver
- Terminal Server Mouse Driver
- Volume Manager
+ Universal Serial Bus controllers
- Generic USB Hub
- Intel(R) 82801DB/DBM USB 2.0 Enhanced Host Controller - 24CD
- Intel(R) 82801DB/DBM USB Universal Host Controller - 24C2 (driver 4.0.1001.0)
- Intel(R) 82801DB/DBM USB Universal Host Controller - 24C4 (driver 4.0.1001.0)
- Intel(R) 82801DB/DBM USB Universal Host Controller - 24C7 (driver 4.0.1001.0)
- USB Composite Device
- USB Root Hub
- USB Root Hub
- USB Root Hub
- USB Root Hub

cpu registers:
eax = 00ca0278
ebx = 0000009c
ecx = 00000000
edx = 005235d8
esi = 00582ee4
edi = 0012fe38
eip = 005235d8
esp = 0012fce4
ebp = 0012fd38

stack dump:
0012fce4 d8 35 52 00 de fa ed 0e - 01 00 00 00 07 00 00 00 .5R.............
0012fcf4 f8 fc 12 00 d8 35 52 00 - 78 02 ca 00 9c 00 00 00 .....5R.x.......
0012fd04 e4 2e 58 00 38 fe 12 00 - 38 fd 12 00 14 fd 12 00 ..X.8...8.......
0012fd14 5c fd 12 00 88 e0 53 00 - 38 fd 12 00 50 41 cd 00 \.....S.8...PA..
0012fd24 00 00 00 00 cc 69 cd 00 - 0b 2e 58 00 9c 00 00 00 .....i....X.....
0012fd34 00 47 84 7c 8c fd 12 00 - 11 36 52 00 50 41 cd 00 .G.|.....6R.PA..
0012fd44 c0 37 52 00 6c b3 cb 00 - 5b 29 40 00 03 00 00 00 .7R.l...[)@.....
0012fd54 6c b3 cb 00 d0 7f c9 00 - 9c fd 12 00 17 6c 5c 00 l............l\.
0012fd64 c8 a0 64 00 50 fd 12 00 - 00 00 00 00 00 00 00 00 ..d.P...........
0012fd74 00 00 00 00 00 00 00 00 - 5b 8b 4a 00 00 00 00 00 ........[.J.....
0012fd84 00 00 00 00 00 00 00 00 - b8 fd 12 00 f6 2e 58 00 ..............X.
0012fd94 c0 fd 12 00 dc 2d 58 00 - 54 fe 12 00 a8 de 53 00 .....-X.T.....S.
0012fda4 b8 fd 12 00 38 fe 12 00 - d2 0b c2 00 00 00 00 00 ....8...........
0012fdb4 6c b3 cb 00 d0 fd 12 00 - fe 48 52 00 13 01 00 00 l........HR.....
0012fdc4 01 00 00 00 00 00 00 00 - 00 00 00 00 fc fd 12 00 ................
0012fdd4 34 87 d4 77 4a 02 01 00 - 13 01 00 00 01 00 00 00 4..wJ...........
0012fde4 00 00 00 00 d2 0b c2 00 - cd ab ba dc 00 00 00 00 ................
0012fdf4 38 fe 12 00 d2 0b c2 00 - 64 fe 12 00 16 88 d4 77 8.......d......w
0012fe04 d2 0b c2 00 4a 02 01 00 - 13 01 00 00 01 00 00 00 ....J...........
0012fe14 00 00 00 00 fc fe 12 00 - f4 fe 12 00 d8 24 8f 00 .............$..

disassembling:
004025b0 public Tmainform.cpp.Tmainform.cputimerTimer: ; function entry point
004025b0 153 push ebp
004025b1 mov ebp, esp
004025b3 add esp, -$3c
004025b6 mov [ebp-$38], edx
004025b9 mov [ebp-$34], eax
004025bc mov eax, $64a0c8
004025c1 call +$1c460a ($5c6bd0) ; __InitExceptBlockLDTC
004025c1
004025c6 155 mov edx, [ebp-$34]
004025c9 add edx, $2b98
004025cf push edx
004025d0 call +$1b19b ($41d770) ; TCpuUsage.cpp.TCpuUsage.GetCpuUsage
004025d0
004025d5 pop ecx
004025d6 mov [ebp-$3c], eax
004025d9 156 mov word ptr [ebp-$20], 8
004025df lea eax, [ebp-4]
004025e2 call -$317 ($4022d0) ; dstring.h.System.AnsiString.Create
004025e2
004025e7 mov edx, eax
004025e9 inc dword ptr [ebp-$14]
004025ec mov eax, [ebp-$3c]
004025ef call +$3c4 ($4029b8) ; dstring.h.IntToStr
004025ef
004025f4 lea edx, [ebp-4]
004025f7 push edx
004025f8 lea eax, [ebp-$c]
004025fb call -$330 ($4022d0) ; dstring.h.System.AnsiString.Create
004025fb
00402600 push eax
00402601 inc dword ptr [ebp-$14]
00402604 mov edx, $649331
00402609 lea eax, [ebp-8]
0040260c call +$1f7fe7 ($5fa5f8) ; System.AnsiString.Create
0040260c
00402611 inc dword ptr [ebp-$14]
00402614 lea edx, [ebp-8]
00402617 pop ecx
00402618 pop eax
00402619 call +$1f8176 ($5fa794) ; System.AnsiString.Create
00402619
0040261e lea edx, [ebp-$c]
00402621 mov edx, [edx]
00402623 mov eax, [ebp-$34]
00402626 mov eax, [eax+$514]
0040262c call +$18bc8b ($58e2bc) ; Controls.TControl.SetText
0040262c
00402631 dec dword ptr [ebp-$14]
00402634 lea eax, [ebp-$c]
00402637 mov edx, 2
0040263c call +$1f80fb ($5fa73c) ; System.AnsiString.Destroy
0040263c
00402641 dec dword ptr [ebp-$14]
00402644 lea eax, [ebp-8]
00402647 mov edx, 2
0040264c call +$1f80eb ($5fa73c) ; System.AnsiString.Destroy
0040264c
00402651 dec dword ptr [ebp-$14]
00402654 lea eax, [ebp-4]
00402657 mov edx, 2
0040265c call +$1f80db ($5fa73c) ; System.AnsiString.Destroy
0040265c
00402661 158 push dword ptr [ebp-$34]
00402664 call +$658b ($408bf4) ; Tmainform.cpp.Tmainform.IsBattery
00402664
00402669 pop ecx
0040266a test al, al
0040266c jz loc_402833
0040266c
00402672 161 mov ecx, [ebp-$34]
00402675 mov eax, [ecx+$490]
0040267b mov edx, [eax]
0040267d call dword ptr [edx+$c4]
0040267d
00402683 test al, al
00402685 jz loc_4026e7
00402685
00402687 163 mov ecx, [ebp-$34]
0040268a cmp byte ptr [ecx+$5d2], 2
00402691 jnz loc_4026b1
00402691
00402693 165 push 0
00402695 push dword ptr [ebp-$34]
00402698 call +$9fb3 ($40c650) ; Tmainform.cpp.Tmainform.StartTrayAnimation
00402698
0040269d add esp, 8
004026a0 166 mov eax, [ebp-$34]
004026a3 push dword ptr [eax+$59c]
004026a9 call +$1ce7a ($41f528) ; TDefragThread.cpp.TDefragThread.Stop
004026a9
004026ae pop ecx
004026af 168 jmp loc_4026d8
004026af
004026af ; ---------------------------------------------------------
004026af
004026b1 loc_4026b1:
004026b1 169 mov edx, [ebp-$34]
004026b4 cmp byte ptr [edx+$5d2], 5
004026bb jnz loc_4026d8
004026bb
004026bd 171 push 0
004026bf push dword ptr [ebp-$34]
004026c2 call +$9f89 ($40c650) ; Tmainform.cpp.Tmainform.StartTrayAnimation
004026c2
004026c7 add esp, 8
004026ca 172 mov ecx, [ebp-$34]
004026cd mov eax, [ecx+$5a0]
004026d3 call +$1210cc ($5237a4) ; Classes.TThread.Suspend
004026d3
004026d8 loc_4026d8:
004026d8 174 mov edx, [ebp-$34]
004026db mov byte ptr [edx+$5d2], 0
004026e2 176 jmp loc_402968
004026e2
004026e2 ; ---------------------------------------------------------
004026e2
004026e7 loc_4026e7:
004026e7 179 mov ecx, [ebp-$34]
004026ea cmp byte ptr [ecx+$5d1], 0
004026f1 jnz loc_402968
004026f1
004026f7 mov eax, [ebp-$34]
004026fa add eax, $2d64
004026ff push eax
00402700 call +$1c5ab ($41ecb0) ; Config.cpp.Setting.GetEnableSmartDefrag
00402700
00402705 pop ecx
00402706 test al, al
00402708 jz loc_402968
00402708
0040270e 181 mov edx, [ebp-$34]
00402711 cmp byte ptr [edx+$5d5], 0
00402718 jnz loc_4027ec
00402718
0040271e 184 mov ecx, [ebp-$34]
00402721 mov eax, [ecx+$328]
00402727 mov edx, [eax]
00402729 call dword ptr [edx+$11c]
00402729
0040272f test al, al
00402731 jz loc_4027af
00402731
00402733 186 mov ecx, [ebp-$34]
00402736 add ecx, $2d64
0040273c push ecx
0040273d call +$1c472 ($41ebb4) ; Config.cpp.Setting.GetCpuLimitValue
0040273d
00402742 pop ecx
00402743 cmp eax, [ebp-$3c]
00402746 jb loc_402785
00402746
00402748 188 mov eax, [ebp-$34]
0040274b mov edx, [eax+$5a0]
00402751 cmp byte ptr [edx+$e], 0
00402755 jz loc_402968
00402755
0040275b 192 push 1
0040275d push dword ptr [ebp-$34]
00402760 call +$9eeb ($40c650) ; Tmainform.cpp.Tmainform.StartTrayAnimation
00402760
00402765 add esp, 8
00402768 193 mov ecx, [ebp-$34]
0040276b mov eax, [ecx+$5a0]
00402771 call +$12104e ($5237c4) ; Classes.TThread.Resume
00402771
00402776 194 mov edx, [ebp-$34]
00402779 mov byte ptr [edx+$5d2], 5
00402780 198 jmp loc_402968
00402780
00402780 ; ---------------------------------------------------------
00402780
00402785 loc_402785:
00402785 202 push 0
00402787 push dword ptr [ebp-$34]
0040278a call +$9ec1 ($40c650) ; Tmainform.cpp.Tmainform.StartTrayAnimation
0040278a
0040278f add esp, 8
00402792 203 mov ecx, [ebp-$34]
00402795 mov eax, [ecx+$5a0]
0040279b call +$121004 ($5237a4) ; Classes.TThread.Suspend
0040279b
004027a0 204 mov edx, [ebp-$34]
004027a3 mov byte ptr [edx+$5d2], 0
004027aa 206 jmp loc_402968
004027aa
004027aa ; ---------------------------------------------------------
004027aa
004027af loc_4027af:
004027af 208 mov ecx, [ebp-$34]
004027b2 mov eax, [ecx+$5a0]
004027b8 cmp byte ptr [eax+$e], 0
004027bc jz loc_402968
004027bc
004027c2 211 push 1
004027c4 push dword ptr [ebp-$34]
004027c7 call +$9e84 ($40c650) ; Tmainform.cpp.Tmainform.StartTrayAnimation
004027c7
004027cc add esp, 8
004027cf 212 mov edx, [ebp-$34]
004027d2 mov eax, [edx+$5a0]
004027d8 call +$120fe7 ($5237c4) ; Classes.TThread.Resume
004027d8
004027dd 213 mov edx, [ebp-$34]
004027e0 mov byte ptr [edx+$5d2], 5
004027e7 216 jmp loc_402968
004027e7
004027e7 ; ---------------------------------------------------------
004027e7
004027ec loc_4027ec:
004027ec 217 mov ecx, [ebp-$34]
004027ef cmp byte ptr [ecx+$5d1], 0
004027f6 jnz loc_402968
004027f6
004027fc mov eax, [ebp-$34]
004027ff add eax, $2d64
00402804 push eax
00402805 call +$1c4a6 ($41ecb0) ; Config.cpp.Setting.GetEnableSmartDefrag
00402805
0040280a pop ecx
0040280b test al, al
0040280d jnz loc_402968
0040280d
00402813 219 mov edx, [ebp-$34]
00402816 mov eax, [edx+$5a0]
0040281c call +$120f83 ($5237a4) ; Classes.TThread.Suspend
0040281c
00402821 220 push 0
00402823 push dword ptr [ebp-$34]
00402826 call +$9e25 ($40c650) ; Tmainform.cpp.Tmainform.StartTrayAnimation
00402826
0040282b add esp, 8
0040282e 226 jmp loc_402968
0040282e
0040282e ; ---------------------------------------------------------
0040282e
00402833 loc_402833:
00402833 230 mov edx, [ebp-$34]
00402836 cmp byte ptr [edx+$5d1], 0
0040283d jnz loc_40292e
0040283d
00402843 mov ecx, [ebp-$34]
00402846 add ecx, $2d64
0040284c push ecx
0040284d call +$1c45e ($41ecb0) ; Config.cpp.Setting.GetEnableSmartDefrag
0040284d
00402852 pop ecx
00402853 test al, al
00402855 jz loc_40292e
00402855
0040285b 232 mov eax, [ebp-$34]
0040285e cmp byte ptr [eax+$5d5], 0
00402865 jnz loc_402968
00402865
0040286b 234 mov edx, [ebp-$34]
0040286e add edx, $2d64
00402874 push edx
00402875 call +$1c32e ($41eba8) ; Config.cpp.Setting.GetCpuLimitState
00402875
0040287a pop ecx
0040287b test al, al
0040287d jz loc_4028f8
0040287d
0040287f 236 mov ecx, [ebp-$34]
00402882 add ecx, $2d64
00402888 push ecx
00402889 call +$1c326 ($41ebb4) ; Config.cpp.Setting.GetCpuLimitValue
00402889
0040288e pop ecx
0040288f cmp eax, [ebp-$3c]
00402892 jb loc_4028d1
00402892
00402894 238 mov eax, [ebp-$34]
00402897 mov edx, [eax+$5a0]
0040289d cmp byte ptr [edx+$e], 0
004028a1 jz loc_402968
004028a1
004028a7 240 push 1
004028a9 push dword ptr [ebp-$34]
004028ac call +$9d9f ($40c650) ; Tmainform.cpp.Tmainform.StartTrayAnimation
004028ac
004028b1 add esp, 8
004028b4 241 mov ecx, [ebp-$34]
004028b7 mov eax, [ecx+$5a0]
004028bd call +$120f02 ($5237c4) ; Classes.TThread.Resume
004028bd
004028c2 242 mov edx, [ebp-$34]
004028c5 mov byte ptr [edx+$5d2], 5
004028cc 244 jmp loc_402968
004028cc
004028cc ; ---------------------------------------------------------
004028cc
004028d1 loc_4028d1:
004028d1 247 push 0
004028d3 push dword ptr [ebp-$34]
004028d6 call +$9d75 ($40c650) ; Tmainform.cpp.Tmainform.StartTrayAnimation
004028d6
004028db add esp, 8
004028de 248 mov ecx, [ebp-$34]
004028e1 mov eax, [ecx+$5a0]
004028e7 call +$120eb8 ($5237a4) ; Classes.TThread.Suspend
004028e7
004028ec 249 mov edx, [ebp-$34]
004028ef mov byte ptr [edx+$5d2], 0
004028f6 251 jmp loc_402968
004028f6
004028f6 ; ---------------------------------------------------------
004028f6
004028f8 loc_4028f8:
004028f8 253 mov ecx, [ebp-$34]
004028fb mov eax, [ecx+$5a0]
00402901 cmp byte ptr [eax+$e], 0
00402905 jz loc_402968
00402905
00402907 255 push 1
00402909 push dword ptr [ebp-$34]
0040290c call +$9d3f ($40c650) ; Tmainform.cpp.Tmainform.StartTrayAnimation
0040290c
00402911 add esp, 8
00402914 256 mov edx, [ebp-$34]
00402917 mov eax, [edx+$5a0]
0040291d call +$120ea2 ($5237c4) ; Classes.TThread.Resume
0040291d
00402922 257 mov edx, [ebp-$34]
00402925 mov byte ptr [edx+$5d2], 5
0040292c 262 jmp loc_402968
0040292c
0040292c ; ---------------------------------------------------------
0040292c
0040292e loc_40292e:
0040292e 263 mov ecx, [ebp-$34]
00402931 cmp byte ptr [ecx+$5d1], 0
00402938 jnz loc_402968
00402938
0040293a mov eax, [ebp-$34]
0040293d add eax, $2d64
00402942 push eax
00402943 call +$1c368 ($41ecb0) ; Config.cpp.Setting.GetEnableSmartDefrag
00402943
00402948 pop ecx
00402949 test al, al
0040294b jnz loc_402968
0040294b
0040294d 265 mov edx, [ebp-$34]
00402950 mov eax, [edx+$5a0]
00402956 > call +$120e49 ($5237a4) ; Classes.TThread.Suspend
00402956
0040295b 266 push 0
0040295d push dword ptr [ebp-$34]
00402960 call +$9ceb ($40c650) ; Tmainform.cpp.Tmainform.StartTrayAnimation
00402960
00402965 add esp, 8
00402960
00402968 loc_402968:
00402968 286 mov edx, [ebp-$34]
0040296b push dword ptr [edx+$5c4]
00402971 push dword ptr [ebp-$3c]
00402974 push dword ptr [ebp-$34]
00402977 call +$c84 ($403600) ; Tmainform.cpp.Tmainform.DrawCpuUsage
00402977
0040297c add esp, $c
0040297f 287 push dword ptr [ebp-$34]
00402982 call +$3129 ($405ab0) ; Tmainform.cpp.Tmainform.DrawDiskUsage
00402982
00402987 pop ecx
00402988 288 mov ecx, [ebp-$34]
0040298b inc dword ptr [ecx+$5c4]
00402991 289 mov eax, [ebp-$34]
00402994 cmp dword ptr [eax+$5c4], 5
0040299b jnz loc_4029a8
0040299b
0040299d 290 mov edx, [ebp-$34]
004029a0 xor ecx, ecx
004029a2 mov [edx+$5c4], ecx
004029a0
004029a8 loc_4029a8:
004029a8 292 mov eax, [ebp-$30]
004029ab mov fs:[0], eax
004029b1 mov esp, ebp
004029b3 pop ebp
004029b4 ret

[Ariesjill]

tetonbob....truly, I find this terrifying. Above. So sorry.
Jill

[carsey]

Run Hijack This and post the full log here.

[Ariesjill]

Isn't that wut I did? Pls advise. I will try again if not.
sorry & thanks....
Jill

[Ariesjill]

Logfile of HijackThis v1.99.1
Scan saved at 3:49:52 PM, on 10/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1130120933\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iconoid\iconoid.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\1130120933\ee\aolsoftware.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\unzipped\hijackthis\HijackThis.exe

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

***************************************
this is all i got this time.

Jill

[tetonbob]

Hi Jill -

First of all, take a breath and relax.

Second, that looks more like a startup list of some sort, not a HJT scan log.

Run the scan again using the instructions I posted above, save the log, and post it.

[tetonbob]

Ok, we cross posted.

Please do nothing until I post more instructions.

[Ariesjill]

Ten Four.

[tetonbob]

Restore Ignored:

• Open HiJackThis
• Click on the button "Open the Misc Tools section"
• Click on the Button up top that says "IgnoreList"
• Check each item one by one, and click the Delete button on the right after checking it.
• Close HJT, then reopen it, run a new scan, save that log and post it.

[Ariesjill]

Ten Five.

[Ariesjill]

OK deleted all the ignores....there were a gazillion....here is new scan...looks same 2 me but i am clueless...

Logfile of HijackThis v1.99.1
Scan saved at 3:59:59 PM, on 10/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1130120933\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iconoid\iconoid.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\1130120933\ee\aolsoftware.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\unzipped\hijackthis\HijackThis.exe

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

_________________________________________
thanks SO MUCH!
J.