Post #1, 03-31-2007, 06:57 AM, by harl (Registered User; Join Date: Jan 2007; Posts: 92; OS: winxp)
Need help, thanks in advance

Computer is extremely slow (2-3 hrs) to boot; have run Ad-Aware, Spybot and Norton A/V... all say the computer is clean. Boots normally in Safe Mode.
Here is my HJT log; looking for any help I can get.


Thank you



Logfile of HijackThis v1.99.1
Scan saved at 8:19:17 AM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\system32\formatsys.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158009876\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\system32\formatsys.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128800440916
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2810EE-DB61-4823-9417-35E4A236CF8D}: NameServer = 209.165.131.12,209.165.131.13
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Attached file: hijackthis2.txt (9.8 KB)
Post #2, 04-02-2007, 04:32 AM, by harl (Registered User; Join Date: Jan 2007; Posts: 92; OS: winxp)
Re: Bump...computer slow, Need help, thanks in advance

Have looked through some of the other threads that are having problems with slow computers and tried some of the fixes... but can't run anything... even Decker unless I'm in Safe Mode, and don't know if I should...

I think at least one of my issues is the "sandman" line in the HJT, but I'm not sure.

Thanks
Post #3, 04-03-2007, 02:48 PM, by harl (Registered User; Join Date: Jan 2007; Posts: 92; OS: winxp)
Re: bump... Need help, thanks in advance

Hello,
It's been almost 4 days and nothing heard. Am I doing something wrong?... If it's a backlog then I'll happily wait my turn... just checking...

Thank you.
Post #4, 04-04-2007, 07:27 AM, by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,995; OS: WinXP and Vista)
Re: Need help, thanks in advance

Hello harl,

Yes--just backlog. Thank you for your kind patience.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Using Internet Explorer, download ResetTeaTimer.bat.

If you are using Firefox, right click the above link and choose ‘Save As’. Save it to your desktop.

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

--------------------------------------------------------------------

From Safe Mode:

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O1 - Hosts: 64.233.167.104 sandbox.norman.no
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\system32\formatsys.exe
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\system32\formatsys.exe
O4 - Startup: PowerReg Scheduler V3.exe


Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Go to My Computer -> Tools -> Folder Options -> View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following files:

C:\WINDOWS\msmbw.exe
C:\WINDOWS\system32\formatsys.exe


--------------------------------------------------------------------

Reboot your system into Normal Mode.

--------------------------------------------------------------------

If the system is stable, please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop-up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan". *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.


--------------------------------------------------------------------

Run a scan with dss.exe

--------------------------------------------------------------------

Please include the following in your next reply:

Panda results
main.txt
an attached extra.txt
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
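The entries Ried checks above are the ones an analyst flags by eye: a hosts-file line that sends a security vendor's host somewhere other than loopback, CLSIDs registered with no DLL left on disk, and autostarts under the RunServices key, which only Windows 9x/ME ever honoured, together with their twins under Run. The Python below is an added example, not code from the thread or from HijackThis: it parses HijackThis log lines and applies those three checks. The sample lines are copied from harl's first log plus one of the 1.1.1.1 hosts entries recorded in the DSS backup list at the end of the thread; the vendor-domain suffix list is an assumption drawn from the domains in that backup list.

```python
"""Triage heuristics for HijackThis v1.99-style log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted in the thread, plus one
# of the 1.1.1.1 hosts entries from the DSS "HijackThis Fixed Entries" list.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 1.1.1.1 update.symantec.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\system32\formatsys.exe
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\system32\formatsys.exe
"""

# "O4 - body", "R0 - body", "F3 - body": section tag, dash, the rest.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")
# "HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+):\s+\[(?P<value>[^\]]*)\]\s*(?P<cmd>.*)$")

# Assumed list, built from the vendor domains that appear in the thread's DSS
# backup list; extend it for your own environment.  A hosts entry pointing one
# of these anywhere but loopback cuts the user off from their own security tools.
SECURITY_VENDOR_SUFFIXES = ("norman.no", "symantec.com", "mcafee.com", "f-secure.com",
                            "sophos.com", "kaspersky.com", "trendmicro.com", "grisoft.com")


@dataclass
class Entry:
    section: str   # e.g. "O4"
    body: str      # everything after "O4 - "
    raw: str       # the full original line, for reporting


def parse_log(text: str) -> list[Entry]:
    """Keep only the 'Xn - body' lines; headers, process list and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], line.strip()))
    return entries


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.") or ip in ("0.0.0.0", "::1")


def triage(text: str) -> list[tuple[str, str]]:
    """Return (raw line, reason) for every entry one of the heuristics flags."""
    entries = parse_log(text)
    flagged: list[tuple[str, str]] = []

    # Pass 1: command lines registered under RunServices, so the matching Run
    # entries (same binary, registered twice) can be flagged in pass 2.
    runservices_cmds = set()
    for e in entries:
        if e.section == "O4":
            m = O4_RE.match(e.body)
            if m and m["key"].lower() == "runservices":
                runservices_cmds.add(m["cmd"].strip().lower())

    # Pass 2: apply the three checks.
    for e in entries:
        if e.section == "O1":
            m = HOSTS_RE.match(e.body)
            if m and not is_loopback(m["ip"]):
                if m["name"].lower().endswith(SECURITY_VENDOR_SUFFIXES):
                    flagged.append((e.raw, f"hosts file sends security vendor {m['name']} to {m['ip']}"))
                else:
                    flagged.append((e.raw, f"hosts file redirects {m['name']} to {m['ip']}"))
        elif e.section in ("O2", "O3") and e.body.endswith("(no file)"):
            flagged.append((e.raw, "orphaned CLSID registration: DLL no longer on disk"))
        elif e.section == "O4":
            m = O4_RE.match(e.body)
            if not m:          # Startup-folder O4 lines have a different shape; skipped here
                continue
            if m["key"].lower() == "runservices":
                flagged.append((e.raw, "RunServices is honoured only by Windows 9x/ME; "
                                       "nothing legitimate on XP needs it"))
            elif m["cmd"].strip().lower() in runservices_cmds:
                flagged.append((e.raw, "same binary is also registered under RunServices"))
    return flagged


if __name__ == "__main__":
    for raw, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {raw}")
```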
Post #5, 04-09-2007, 05:46 PM, by harl (Registered User; Join Date: Jan 2007; Posts: 92; OS: winxp)
Re: Need help, thanks in advance

Thanks Ried,

Just returned from being out of town...I'll take a try with these fixes and get back to you quickly.
Post #6, 04-09-2007, 06:25 PM, by harl (Registered User; Join Date: Jan 2007; Posts: 92; OS: winxp)
Re: Need help, thanks in advance

Here is the update...

I can only operate in Safe Mode... the computer responds so slowly that I can't even open a normal window like the Start window.


I was able to run the HJT and fix the checked items, but could not find the two .exe files:
C:\WINDOWS\msmbw.exe
C:\WINDOWS\system32\formatsys.exe

I cannot get onto the internet in either Safe or Normal Mode, so no luck with the online scan...

Thanks again.
Post #7, 04-09-2007, 06:43 PM, by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,995; OS: WinXP and Vista)
Re: Need help, thanks in advance

Ok harl--can you use another computer to download the following tool and post the logs it produces:

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread in the HijackThis Log Help Forum.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:

Panda results
main.txt
an attached extra.txt
Post #8, 04-09-2007, 07:04 PM, by harl (Registered User; Join Date: Jan 2007; Posts: 92; OS: winxp)
Re: Need help, thanks in advance

Ried, when I start to run it in Safe Mode, it cautions me that it should be run in Normal Mode... should I just go ahead and run DSS in Safe Mode?

Thanks
Post #9, 04-09-2007, 08:04 PM, by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,995; OS: WinXP and Vista)
Re: Need help, thanks in advance

Yes, please run it in Safe Mode if you have to.
Post #10, 04-10-2007, 04:47 AM, by harl (Registered User; Join Date: Jan 2007; Posts: 92; OS: winxp)
Re: Need help, thanks in advance

Ok Ried, here is my DSS HJT main log, and the extra attached.

Still unable to run the online scan.

Thank you for your help,


Deckard's System Scanner v20070328.36
Run by B. HARL ROMINE on 2007-04-10 at 06:30:35
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create System Restore WMI object; error code: 0x80070422
Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as B. HARL ROMINE.exe) --------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:36:18 AM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\B. HARL ROMINE\Desktop\dss.exe
C:\DOCUME~1\HJT\HIJACK~1\B. HARL ROMINE.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158009876\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128800440916
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2810EE-DB61-4823-9417-35E4A236CF8D}: NameServer = 209.165.131.12,209.165.131.13
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe


-- HijackThis Fixed Entries (C:\DOCUME~1\HJT\HIJACK~1\backups\) ----------------

backup-20070119-060910-107 O1 - Hosts: 1.1.1.1 www.sysinternals.com
backup-20070119-060910-136 O1 - Hosts: 1.1.1.1 www.my-etrust.com
backup-20070119-060910-153 O1 - Hosts: 1.1.1.1 us.mcafee.com
backup-20070119-060910-168 O1 - Hosts: 1.1.1.1 bitdefender.com
backup-20070119-060910-189 O1 - Hosts: 1.1.1.1 zonelabs.com
backup-20070119-060910-200 O1 - Hosts: 1.1.1.1 www.zonelabs.com
backup-20070119-060910-204 O1 - Hosts: 1.1.1.1 download.mcafee.com
backup-20070119-060910-228 O1 - Hosts: 1.1.1.1 www.trendmicro.com
backup-20070119-060910-246 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20070119-060910-260 O4 - HKLM\..\Run: [{C423DFF3-067E-1033-0309-0600001}] "C:\Program Files\Common Files\{C423DFF3-067E-1033-0309-0600001}\Update.exe" te-110-12-0000282
backup-20070119-060910-264 O1 - Hosts: 1.1.1.1 www.bitdefender.com
backup-20070119-060910-270 O1 - Hosts: 1.1.1.1 grisoft.com
backup-20070119-060910-271 O1 - Hosts: 1.1.1.1 update.symantec.com
backup-20070119-060910-290 F3 - REG:win.ini: run=C:\WINDOWS\system32\fnftzat\winlogon.exe
backup-20070119-060910-292 O1 - Hosts: 1.1.1.1 www.nai.com
backup-20070119-060910-303 O1 - Hosts: 1.1.1.1 vil.nai.com
backup-20070119-060910-322 O1 - Hosts: 1.1.1.1 ftp.f-secure.com
backup-20070119-060910-349 O1 - Hosts: 1.1.1.1 www.pandasoftware.com
backup-20070119-060910-356 O1 - Hosts: 1.1.1.1 secure.nai.com
backup-20070119-060910-360 O1 - Hosts: 1.1.1.1 free.grisoft.com
backup-20070119-060910-364 O1 - Hosts: 1.1.1.1 viruslist.com
backup-20070119-060910-377 O1 - Hosts: 1.1.1.1 virusscan.jotti.org
backup-20070119-060910-407 O1 - Hosts: 1.1.1.1 www.ewido.net
backup-20070119-060910-411 O1 - Hosts: 1.1.1.1 nai.com
backup-20070119-060910-428 O1 - Hosts: 1.1.1.1 www.onguardonline.gov
backup-20070119-060910-435 O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
backup-20070119-060910-450 O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
backup-20070119-060910-457 O1 - Hosts: 1.1.1.1 customer.symantec.com
backup-20070119-060910-460 O1 - Hosts: 1.1.1.1 www.grisoft.com
backup-20070119-060910-465 O1 - Hosts: 1.1.1.1 mast.mcafee.com
backup-20070119-060910-499 O1 - Hosts: 1.1.1.1 www.f-secure.com
backup-20070119-060910-505 O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
backup-20070119-060910-510 F3 - REG:win.ini: load=C:\WINDOWS\system32\fnftzat\winlogon.exe
backup-20070119-060910-538 O1 - Hosts: 1.1.1.1 support.microsoft.com
backup-20070119-060910-563 O1 - Hosts: 1.1.1.1 www.spywareinfo.com
backup-20070119-060910-567 O1 - Hosts: 1.1.1.1 updates.symantec.com
backup-20070119-060910-577 O1 - Hosts: 1.1.1.1 www.avast.com
backup-20070119-060910-588 O1 - Hosts: 1.1.1.1 pandasoftware.com
backup-20070119-060910-589 O1 - Hosts: 1.1.1.1 ftp.sophos.com
backup-20070119-060910-593 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
backup-20070119-060910-610 O1 - Hosts: 1.1.1.1 ewido.net
backup-20070119-060910-627 O1 - Hosts: 1.1.1.1 networkassociates.com
backup-20070119-060910-644 O1 - Hosts: 1.1.1.1 services.google.com
backup-20070119-060910-648 O1 - Hosts: 1.1.1.1 www.viruslist.com
backup-20070119-060910-655 O1 - Hosts: 1.1.1.1 www.sophos.com
backup-20070119-060910-673 O1 - Hosts: 1.1.1.1 www.merijn.org
backup-20070119-060910-685 O1 - Hosts: 1.1.1.1 f-secure.com
backup-20070119-060910-705 O1 - Hosts: 1.1.1.1 sophos.com
backup-20070119-060910-719 O1 - Hosts: 1.1.1.1 usa.kaspersky.com
backup-20070119-060910-720 O1 - Hosts: 1.1.1.1 avast.com
backup-20070119-060910-788 O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
backup-20070119-060910-813 O1 - Hosts: 1.1.1.1 merijn.org
backup-20070119-060910-833 O1 - Hosts: 1.1.1.1 www.symantec.com
backup-20070119-060910-841 O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
backup-20070119-060910-843 O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
backup-20070119-060910-890 O1 - Hosts: 1.1.1.1 symantec.com
backup-20070119-060910-895 O1 - Hosts: 1.1.1.1 my-etrust.com
backup-20070119-060910-912 O1 - Hosts: 1.1.1.1 paretologic.com
backup-20070119-060910-923 O1 - Hosts: 1.1.1.1 safety.live.com
backup-20070119-060910-926 O1 - Hosts: 1.1.1.1 trendmicro.com
backup-20070119-060910-933 O1 - Hosts: 1.1.1.1 service1.symantec.com
backup-20070119-060910-941 O1 - Hosts: 1.1.1.1 rads.mcafee.com
backup-20070119-060910-947 O1 - Hosts: 1.1.1.1 onguardonline.gov
backup-20070119-060910-968 O1 - Hosts: 1.1.1.1 www.paretologic.com
backup-20070119-060910-975 O1 - Hosts: 1.1.1.1 download.bitdefender.com
backup-20070119-060910-980 O1 - Hosts: 1.1.1.1 spywareinfo.com
backup-20070119-060910-983 O1 - Hosts: 1.1.1.1 sysinternals.com
backup-20070409-195124-425 O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
backup-20070409-195124-508 O1 - Hosts: 64.233.167.104 sandbox.norman.no
backup-20070409-195124-545 O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\system32\formatsys.exe
backup-20070409-195124-662 O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
backup-20070409-195124-673 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20070409-195124-768 O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
backup-20070409-195124-808 O4 - Startup: PowerReg Scheduler V3.exe
backup-20070409-195124-878 O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
backup-20070409-195124-945 O4 - HKLM\..\Run: [serpe] C:\WINDOWS\system32\formatsys.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

4 cbidf - c:\windows\system32\drivers\cbidf2k.sys
4 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys
3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys
0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys
2 drvnddm - c:\windows\system32\drivers\drvnddm.sys
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - c:\windows\system32\drivers\el90xbc5.sys
3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys
3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys
3 i81x - c:\windows\system32\drivers\i81xnt5.sys
3 iAimFP0 - c:\windows\system32\drivers\wadv01nt.sys
3 iAimFP1 - c:\windows\system32\drivers\wadv02nt.sys
3 iAimFP2 - c:\windows\system32\drivers\wadv05nt.sys
3 iAimFP3 - c:\windows\system32\drivers\wsiintxx.sys
3 iAimFP4 - c:\windows\system32\drivers\wvchntxx.sys
3 iAimTV0 - c:\windows\system32\drivers\watv01nt.sys
3 iAimTV1 - c:\windows\system32\drivers\watv02nt.sys
3 iAimTV2 - system32\drivers\watv03nt.sys (file missing)
3 iAimTV3 - c:\windows\system32\drivers\watv04nt.sys
3 iAimTV4 - c:\windows\system32\drivers\wch7xxnt.sys
2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys
3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys
1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys
3 P16X (Creative SB Live! Series (WDM)) - c:\windows\system32\drivers\p16x.sys
2 PfModNT - c:\windows\system32\pfmodnt.sys
3 PhilCam8116 (Logitech QuickCam Pro 3000(PID_08B0)) - c:\windows\system32\drivers\camdrl21.sys
3 sonypvs1 (Sony Digital Imaging Video2) - c:\windows\system32\drivers\sonypvs1.sys
1 sscdbhk5 - c:\windows\system32\drivers\sscdbhk5.sys
1 ssrtln - c:\windows\system32\drivers\ssrtln.sys
2 tfsnboio - c:\windows\system32\dla\tfsnboio.sys
2 tfsncofs - c:\windows\system32\dla\tfsncofs.sys
2 tfsndrct - c:\windows\system32\dla\tfsndrct.sys
2 tfsndres - c:\windows\system32\dla\tfsndres.sys
2 tfsnifs - c:\windows\system32\dla\tfsnifs.sys
2 tfsnopio - c:\windows\system32\dla\tfsnopio.sys
2 tfsnpool - c:\windows\system32\dla\tfsnpool.sys
2 tfsnudf - c:\windows\system32\dla\tfsnudf.sys
2 tfsnudfa - c:\windows\system32\dla\tfsnudfa.sys
3 wanatw (WAN Miniport (ATW)) - system32\drivers\wanatw4.sys (file missing)
3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3 MSSQLServerADHelper - c:\program files\microsoft sql server\80\tools\binn\sqladhlp.exe (file missing)
2 NISSERV (Symantec Client Firewall Service) - c:\program files\symantec_client_security\symantec client firewall\nisserv.exe
3 NISUM (Symantec Client Firewall Accounts Manager) - c:\program files\symantec_client_security\symantec client firewall\nisum.exe
2 SymPxSvc (Symantec Client Firewall Proxy Service) - c:\program files\symantec_client_security\symantec client firewall\sympxsvc.exe
3 usnsvc (Messenger Sharing USN Journal Reader service) - c:\windows\system32\svchost.exe
4 ZipToA - c:\windows\system32\ziptoa.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-03-30 16:40:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2007-03-26 12:00:00 278 --a------ C:\WINDOWS\Tasks\Disk Cleanup.job<DISKCL~1.JOB>
2004-04-14 00:55:29 430 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job<SYMANT~1.JOB>


-- Files created between 2007-03-10 and 2007-04-10 -----------------------------

2007-03-31 06:27:01 0 d-------- C:\Documents and Settings\B. HARL ROMINE\Application Data\GTek
2007-03-30 22:03:35 0 --a------ C:\Documents and Settings\B. HARL ROMINE\Application Data\Install.dat


-- Find3M Report ---------------------------------------------------------------

2007-03-31 0825 0 d-------- C:\Program Files\WatchDog
2007-03-29 17:52:41 0 d---s---- C:\Documents and Settings\B. HARL ROMINE\Application Data\Microsoft<MICROS~1>
2007-03-27 08:08:54 0 d-------- C:\Documents and Settings\B. HARL ROMINE\Application Data\AdobeUM
2007-03-17 08:55:24 0 d-------- C:\Program Files\Microsoft Money<MICROS~2>
2007-02-13 19:55:21 0 d-------- C:\Program Files\IncrediMail<INCRED~1>
2007-02-13 17:45:50 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-02-13 17:45:47 28672 --a------ C:\WINDOWS\system32\f3PSSavr.scr


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Sonic RecordNow!"=""
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MMTray"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe\""
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"iamapp"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\IAMAPP.EXE"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1158009876\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media\LEGO Stunt Rally]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media\LEGO Stunt Rally\StuntRally.exe]
@="C:\\Program Files\\LEGO Media\\LEGO Stunt Rally\\StuntRally.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispCPL"=dword:00000000
"DisableRegistryTools"=dword:00000000
"DisableLockWorkstation"=dword:00000000
"DisableChangePassword"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"avnort"="C:\\WINDOWS\\msmbw.exe"
"serpe"="C:\\WINDOWS\\system32\\formatsys.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=dword:00000000
"NoCommonGroups"=dword:00000000
"NoLogOff"=dword:00000000
"StartMenuLogoff"=dword:00000000
"NoFind"=dword:00000000
"NoStartMenuSubFolders"=dword:00000000
"NoSetTaskBar"=dword:00000000
"NoSetFolders"=dword:00000000
"NoDesktop"=dword:00000000
"NoRecentDocsMenu"=dword:00000000
"NoSMHelp"=dword:00000000
"NoNetworkConnections"=dword:00000000
"NoSMMyDocs"=dword:00000000
"NoSetActiveDesktop"=dword:00000000
"NoFolderOptions"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoNetConnectDisconnect"=dword:00000000
"NoTrayContextMenu"=dword:00000000
"NoViewContextMenu"=dword:00000000
"NoWinKeys"=dword:00000000
"NoThemesTab"=dword:00000000
"NoChangeKeyboardNavigationIndicators"=dword:00000000
"NoChangeAnimation"=dword:00000000
"NoDFSTab"=dword:00000000
"NoSecurityTab"=dword:00000000
"NoHardwareTab"=dword:00000000
"NoToolbarCustomize"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoPropertiesMyComputer"=dword:00000000
"NoFileAssociate"=dword:00000000
"NoFileUrl"=dword:00000000
"NoSMMyPictures"=dword:00000000
"NoStartMenuMyMusic"=dword:00000000
"NoTrayItemsDisplay"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"LockTaskbar"=dword:00000000
"HideClock"=dword:00000000
"NoCDBurning"=dword:00000000
"NoStartMenuMFUprogramsList"=dword:00000000
"NoStartMenuPinnedList"=dword:00000000
"NoStartMenuMorePrograms"=dword:00000000
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.edhelperclipart.com/clipart/edhelp2.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://64.128.93.12/projects/broadca..._broadcast.jpg

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source REG_SZ http://www.joycemeyer.org/projects/h...cast_title.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source REG_SZ http://joycemeyer.org/NR/rdonlyres/2.../hdr_Media.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source REG_SZ https://www.parellisavvyclub.com/images/login_image.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-04-10 at 06:36:38 ---------
Attached Files: extra.txt (16.9 KB)
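The backed-up HijackThis entries and the registry dump above show the three tells a practitioner should key on in a log like this: hosts-file lines that point security-vendor and help-site names at a non-loopback address, win.ini load=/run= entries, and autostarts parked in RunServices or HKLM\...\Policies\Explorer\Run. The following triage script is an added example, not code from this thread, from HijackThis or from Deckard's System Scanner; the `triage` and `is_vendor` functions, the vendor domain list and the sample log lines are constructed here for illustration, using the same line formats as the logs posted.

```python
"""Triage helper for HijackThis / Deckard's System Scanner style logs.

Added example (hypothetical, not part of HijackThis, DSS or this thread):
flags hosts-file redirects of security vendors, win.ini load=/run= entries,
RunServices autostarts and HKLM\\...\\Policies\\Explorer\\Run values.
"""
import re

# Constructed list of security-vendor / help-site domains whose redirection
# in the hosts file is the classic "keep the victim from getting help" move.
VENDOR_DOMAINS = (
    "symantec.com", "mcafee.com", "nai.com", "networkassociates.com",
    "sophos.com", "f-secure.com", "trendmicro.com", "kaspersky.com",
    "bitdefender.com", "grisoft.com", "avast.com", "zonelabs.com",
    "pandasoftware.com", "my-etrust.com", "ewido.net", "norman.no",
    "sysinternals.com", "merijn.org", "microsoft.com", "live.com",
    "viruslist.com", "jotti.org", "spywareinfo.com", "onguardonline.gov",
    "paretologic.com",
)
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}  # ad-blocking hosts files use these

BACKUP_PREFIX = re.compile(r"^backup-\d{8}-\d{6}-\d+\s+")  # HJT "fixed entries" tag
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
F3_RE = re.compile(r"^F3 - REG:win\.ini:\s+(load|run)=(.*)")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+):\s+\[([^\]]*)\]\s*(.*)")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def is_vendor(host):
    """True if host is, or is a subdomain of, a listed vendor domain."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in VENDOR_DOMAINS)


def triage(log_text):
    """Return (severity, kind, detail) tuples for every suspicious line."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = BACKUP_PREFIX.sub("", raw.strip())

        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip in LOOPBACK:
                continue  # benign blocking entry
            sev = "high" if is_vendor(host) else "info"
            findings.append((sev, "hosts-hijack", f"{host} -> {ip}"))
            continue

        m = F3_RE.match(line)
        if m:
            # win.ini load=/run= are empty on a clean XP box; anything here
            # is executed at logon and is almost always malware.
            findings.append(("high", "win.ini", f"{m.group(1)}={m.group(2)}"))
            continue

        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            if key.lower() == "runservices":
                # Win9x-era key; nothing legitimate on XP writes it, worms do.
                findings.append(("high", "autostart", f"{hive}\\{key} [{name}] {cmd}"))
            continue

        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()  # track the registry dump section
            continue

        m = REG_VAL_RE.match(line)
        if m and current_key.endswith("policies\\explorer\\run"):
            # Policy "run these programs at logon" list: honoured by Explorer,
            # rarely set outside Group Policy, and missed by people who only
            # look at the ordinary Run keys.
            name, value = m.groups()
            path = value.replace("\\\\", "\\")  # undo .reg-style escaping
            findings.append(("high", "policy-run", f"[{name}] {path}"))
    return findings


# Constructed sample in the format of the thread's logs (not the real log).
SAMPLE_LOG = r"""
backup-20070119-060910-107 O1 - Hosts: 1.1.1.1 www.sysinternals.com
backup-20070119-060910-290 F3 - REG:win.ini: run=C:\WINDOWS\system32\fnftzat\winlogon.exe
backup-20070409-195124-508 O1 - Hosts: 64.233.167.104 sandbox.norman.no
backup-20070409-195124-545 O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\system32\formatsys.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 1.1.1.1 example.test
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"avnort"="C:\\WINDOWS\\msmbw.exe"
"serpe"="C:\\WINDOWS\\system32\\formatsys.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"""

if __name__ == "__main__":
    for sev, kind, detail in triage(SAMPLE_LOG):
        print(f"{sev:5} {kind:12} {detail}")
```

Run it against a saved main.txt with `triage(open("main.txt").read())`. Two design notes: the rule keys on the hostname, not the redirect target, because the target is incidental (1.1.1.1 was an unrouted address when this log was taken and is a public resolver today); and the Policies\Explorer\Run check is why the second DSS log in this thread still matters after the Symantec tool reported the system clean, since that key is listed in the registry dump but not among the O4 lines.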
Old 04-10-2007, 09:31 AM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Need help, thanks in advance

Hiya,

Now I see it.

Let's try Symantec's removal tool and see how good a job it can do. Download FixSFlog.exe and save it to your desktop.

--------------------------------------------------------------------

Disconnect this PC from the internet.

--------------------------------------------------------------------

Double-click the FixSflog.exe file to start the removal tool.
  • Click Start to begin the process, and then allow the tool to run.
  • Restart the computer.
  • Run the removal tool again to ensure that the system is clean.
When the tool has finished running, you will see a message indicating whether W32.Serflog has infected the computer. Please copy/paste that report in your next reply.
--------------------------------------------------------------------

Run dss.exe and post the main.txt in your next reply.

How is the system behaving now?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-11-2007, 05:17 AM   #12 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 92
OS: winxp


Re: Need help, thanks in advance

Hi Ried

I've run the removal tool and DSS...the logs are included. It found serflog on the first run, but nothing found on the second.

No significant change in performance, still won't boot normally.

My computer seems to boot and work normally in Safe mode, but when I try to open it in Normal Mode, after it loads my personal settings, it takes 30 minutes or more to show any desktop icons. Once the desktop looks normal, if I try to open any program...nothing.

Here are my logs...

Symantec W32.Serflog Removal Tool 1.1.2

W32.Serflog has not been found on your computer.


Deckard's System Scanner v20070328.36
Run by B. HARL ROMINE on 2007-04-11 at 07:11:15
Computer is in Safe Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as B. HARL ROMINE.exe) --------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:11:21 AM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\B. HARL ROMINE\Desktop\dss.exe
C:\DOCUME~1\HJT\HIJACK~1\BHARLR~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158009876\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128800440916
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2810EE-DB61-4823-9417-35E4A236CF8D}: NameServer = 209.165.131.12,209.165.131.13
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe


-- Files created between 2007-03-11 and 2007-04-11 -----------------------------

2007-03-31 06:27:01 0 d-------- C:\Documents and Settings\B. HARL ROMINE\Application Data\GTek
2007-03-30 22:03:35 0 --a------ C:\Documents and Settings\B. HARL ROMINE\Application Data\Install.dat


-- Find3M Report ---------------------------------------------------------------

2007-03-31 0825 0 d-------- C:\Program Files\WatchDog
2007-03-29 17:52:41 0 d---s---- C:\Documents and Settings\B. HARL ROMINE\Application Data\Microsoft<MICROS~1>
2007-03-27 08:08:54 0 d-------- C:\Documents and Settings\B. HARL ROMINE\Application Data\AdobeUM
2007-03-17 08:55:24 0 d-------- C:\Program Files\Microsoft Money<MICROS~2>
2007-02-13 19:55:21 0 d-------- C:\Program Files\IncrediMail<INCRED~1>
2007-02-13 17:45:50 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-02-13 17:45:47 28672 --a------ C:\WINDOWS\system32\f3PSSavr.scr


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Sonic RecordNow!"=""
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MMTray"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe\""
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"iamapp"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\IAMAPP.EXE"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1158009876\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media\LEGO Stunt Rally]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media\LEGO Stunt Rally\StuntRally.exe]
@="C:\\Program Files\\LEGO Media\\LEGO Stunt Rally\\StuntRally.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispCPL"=dword:00000000
"DisableRegistryTools"=dword:00000000
"DisableLockWorkstation"=dword:00000000
"DisableChangePassword"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"avnort"="C:\\WINDOWS\\msmbw.exe"
"serpe"="C:\\WINDOWS\\system32\\formatsys.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=dword:00000000
"NoCommonGroups"=dword:00000000
"NoLogOff"=dword:00000000
"StartMenuLogoff"=dword:00000000
"NoFind"=dword:00000000
"NoStartMenuSubFolders"=dword:00000000
"NoSetTaskBar"=dword:00000000
"NoSetFolders"=dword:00000000
"NoDesktop"=dword:00000000
"NoRecentDocsMenu"=dword:00000000
"NoSMHelp"=dword:00000000
"NoNetworkConnections"=dword:00000000
"NoSMMyDocs"=dword:00000000
"NoSetActiveDesktop"=dword:00000000
"NoFolderOptions"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoNetConnectDisconnect"=dword:00000000
"NoTrayContextMenu"=dword:00000000
"NoViewContextMenu"=dword:00000000
"NoWinKeys"=dword:00000000
"NoThemesTab"=dword:00000000
"NoChangeKeyboardNavigationIndicators"=dword:00000000
"NoChangeAnimation"=dword:00000000
"NoDFSTab"=dword:00000000
"NoSecurityTab"=dword:00000000
"NoHardwareTab"=dword:00000000
"NoToolbarCustomize"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoPropertiesMyComputer"=dword:00000000
"NoFileAssociate"=dword:00000000
"NoFileUrl"=dword:00000000
"NoSMMyPictures"=dword:00000000
"NoStartMenuMyMusic"=dword:00000000
"NoTrayItemsDisplay"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"LockTaskbar"=dword:00000000
"HideClock"=dword:00000000
"NoCDBurning"=dword:00000000
"NoStartMenuMFUprogramsList"=dword:00000000
"NoStartMenuPinnedList"=dword:00000000
"NoStartMenuMorePrograms"=dword:00000000
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.edhelperclipart.com/clipart/edhelp2.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://64.128.93.12/projects/broadca..._broadcast.jpg

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source REG_SZ http://www.joycemeyer.org/projects/h...cast_title.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source REG_SZ http://joycemeyer.org/NR/rdonlyres/2.../hdr_Media.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source REG_SZ https://www.parellisavvyclub.com/images/login_image.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-04-11 at 07:11:39 ---------
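An added example, not part of this thread or of Deckard's System Scanner: a small Python parser for the REGEDIT4-style dump printed above. It reads each [key], its quoted string values (undoing the \\ and \" escapes), dword values and the @ default value, then flags values under autostart keys that either live in the rarely used policies\explorer\Run key or point at an executable sitting directly in the Windows directory, and builds the "name"=- syntax that a fix .reg uses to delete a value when merged. The sample dump is constructed from entries in this thread; which keys count as autostart and which paths look odd are the example's own assumptions, not any tool's output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the REGEDIT4 format that Deckard's System Scanner
# prints above; the keys and values are taken from this thread.
SAMPLE_DUMP = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"avnort"="C:\\WINDOWS\\msmbw.exe"
"serpe"="C:\\WINDOWS\\system32\\formatsys.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data
# Keys consulted at logon (assumption: this list, compared lower-cased).
AUTOSTART_SUFFIXES = (r'\currentversion\run', r'\currentversion\runonce',
                      r'\currentversion\runservices',
                      r'\currentversion\policies\explorer\run')

def _unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a REGEDIT4/5 text dump into {key: {value_name: data}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('REGEDIT', 'Windows Registry Editor')):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(2) else _unescape(m.group(1))
            data = m.group(3)
            if data.startswith('dword:'):
                keys[current][name] = int(data[len('dword:'):], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
            else:
                keys[current][name] = data  # hex:, hex(7): ... kept verbatim
    return keys

def is_autostart_key(key: str) -> bool:
    return any(key.lower().endswith(s) for s in AUTOSTART_SUFFIXES)

def executable_of(command: str) -> str:
    """Best effort: the path up to the first '.exe' of a command line."""
    cmd = command.strip().lstrip('"')
    m = re.search(r'\.exe', cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split(' ')[0]

def find_suspicious_autostarts(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, executable, reason) for autostart values worth a look."""
    findings = []
    for key, values in keys.items():
        if not is_autostart_key(key):
            continue
        for name, data in values.items():
            if not isinstance(data, str) or not data:
                continue
            exe = executable_of(data)
            reasons = []
            if key.lower().endswith(r'\policies\explorer\run'):
                reasons.append('policies\\explorer\\Run is rarely used by legitimate software')
            if re.match(r'^[a-z]:\\windows\\[^\\]+$', exe.lower()):
                reasons.append('executable sits directly in the Windows directory')
            if reasons:
                findings.append((key, name, exe, '; '.join(reasons)))
    return findings

def removal_reg(findings: List[Tuple[str, str, str, str]]) -> str:
    """REGEDIT4 text that deletes the flagged values: "name"=- removes a value on merge."""
    by_key: Dict[str, List[str]] = {}
    for key, name, _exe, _reason in findings:
        by_key.setdefault(key, []).append(name)
    out = ['REGEDIT4', '']
    for key, names in by_key.items():
        out.append(f'[{key}]')
        for n in names:
            out.append('@=-' if n == '@' else
                       '"%s"=-' % n.replace('\\', '\\\\').replace('"', '\\"'))
        out.append('')
    return '\n'.join(out)

if __name__ == '__main__':
    found = find_suspicious_autostarts(parse_reg(SAMPLE_DUMP))
    for key, name, exe, reason in found:
        print(f'[{key}] {name!r} -> {exe}: {reason}')
    print(removal_reg(found))
```

Run on the sample it reports only the two policies\explorer\Run values and prints a REGEDIT4 snippet that would delete them. The same parser is handy the other way round: feed it a fix .reg someone sends you before you merge it, so you can see exactly which keys and values it adds or deletes.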
Old 04-11-2007, 10:58 AM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Need help, thanks in advance

Apparently Symantec's tool didn't do a very good job as those entries have returned again. There are likely additional files that need to be taken care of that I cannot see yet, so I was hoping Symantec's tool would find and eliminate those for us.

We need to be able to use tools other than dss.exe. An online scan would be best, but is not an option just yet. Let's see if we can knock it out enough to get Normal Mode and the internet.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix and save it to your desktop. Do not run it yet.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

--------------------------------------------------------------------

Download the attached harl.zip file to your desktop.

--------------------------------------------------------------------

Disconnect this PC from the internet.

--------------------------------------------------------------------


Double click on the harl.zip folder, then double click on the .reg file within. Click yes to allow it to merge into your registry.

--------------------------------------------------------------------

Delete these files if they still exist:

C:\WINDOWS\ msmbw.exe
C:\WINDOWS\system32\ formatsys.exe

--------------------------------------------------------------------

Double click the drweb-cureit.exe file and allow the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the 'next' icon next to the files found:
  • If so, click it, then click the 'next' icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%DoctorWebquarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer, because files that were in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not click ComboFix's window while it's running; that may cause it to stall.


Post the ComboFix.txt in your next reply.

--------------------------------------------------------------------

Run a scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

Dr Web report
C:\ComboFix.txt
New HijackThis log
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 10-31-2009 at 07:40 PM.
Old 04-11-2007, 07:59 PM   #14 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 92
OS: winxp


Re: Need help, thanks in advance

Hi Ried,
Thanks again for your help on this...it is a pain

Here are my logs...

When I ran Dr Web, nothing was found so there were no files to pass.


My combofix log...


"B. HARL ROMINE" - 07-04-11 20:46:24 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\B. HARL ROMINE\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\B1215~1.HAR\APPLIC~1.\install.dat


((((((((((((((((((((((((((((((( Files Created from 2007-03-11 to 2007-04-11 ))))))))))))))))))))))))))))))))))


2007-04-11 19:33 <DIR> d-------- C:\DOCUME~1\B1215~1.HAR\DoctorWeb
2007-04-10 06:30 <DIR> d-------- C:\Deckard
2007-03-31 06:27 <DIR> d-------- C:\DOCUME~1\B1215~1.HAR\APPLIC~1\GTek


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-31 08:06 -------- d-------- C:\Program Files\watchdog
2007-03-17 08:55 -------- d-------- C:\Program Files\microsoft money
2007-02-17 14:57 127034 -r------- C:\WINDOWS\bwunin-8.1.1.50-8876480sl.exe
2007-02-13 17:45 28672 --a------ C:\WINDOWS\SYSTEM32\f3pssavr.scr
2007-02-13 17:45 -------- d-------- C:\Program Files\msn messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Sonic RecordNow!"=""
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MMTray"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe\""
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"iamapp"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\IAMAPP.EXE"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1158009876\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media\LEGO Stunt Rally]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media\LEGO Stunt Rally\StuntRally.exe]
@="C:\\Program Files\\LEGO Media\\LEGO Stunt Rally\\StuntRally.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.edhelperclipart.com/clipart/edhelp2.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://64.128.93.12/projects/broadca..._broadcast.jpg

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source REG_SZ http://www.joycemeyer.org/projects/h...cast_title.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source REG_SZ http://joycemeyer.org/NR/rdonlyres/2.../hdr_Media.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source REG_SZ https://www.parellisavvyclub.com/images/login_image.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070409-195124-808
O4 - Startup: PowerReg Scheduler V3.exe
backup-20070409-195124-545
O4 - HKLM\..\RunServices: [serpe] C:\WINDOWS\system32\formatsys.exe
backup-20070409-195124-878
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
backup-20070409-195124-768
O4 - HKLM\..\Run: [avnort] C:\WINDOWS\msmbw.exe
backup-20070409-195124-945
O4 - HKLM\..\Run: [serpe] C:\WINDOWS\system32\formatsys.exe
backup-20070409-195124-673
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20070409-195124-662
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
backup-20070409-195124-425
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
backup-20070409-195124-508
O1 - Hosts: 64.233.167.104 sandbox.norman.no
backup-20070119-060910-260
O4 - HKLM\..\Run: [{C423DFF3-067E-1033-0309-0600001}] "C:\Program Files\Common Files\{C423DFF3-067E-1033-0309-0600001}\Update.exe" te-110-12-0000282
backup-20070119-060910-264
O1 - Hosts: 1.1.1.1 www.bitdefender.com
backup-20070119-060910-270
O1 - Hosts: 1.1.1.1 grisoft.com
backup-20070119-060910-271
O1 - Hosts: 1.1.1.1 update.symantec.com
backup-20070119-060910-290
F3 - REG:win.ini: run=C:\WINDOWS\system32\fnftzat\winlogon.exe
backup-20070119-060910-292
O1 - Hosts: 1.1.1.1 www.nai.com
backup-20070119-060910-303
O1 - Hosts: 1.1.1.1 vil.nai.com
backup-20070119-060910-322
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
backup-20070119-060910-349
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
backup-20070119-060910-356
O1 - Hosts: 1.1.1.1 secure.nai.com
backup-20070119-060910-360
O1 - Hosts: 1.1.1.1 free.grisoft.com
backup-20070119-060910-364
O1 - Hosts: 1.1.1.1 viruslist.com
backup-20070119-060910-377
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
backup-20070119-060910-407
O1 - Hosts: 1.1.1.1 www.ewido.net
backup-20070119-060910-411
O1 - Hosts: 1.1.1.1 nai.com
backup-20070119-060910-428
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
backup-20070119-060910-435
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
backup-20070119-060910-450
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
backup-20070119-060910-457
O1 - Hosts: 1.1.1.1 customer.symantec.com
backup-20070119-060910-460
O1 - Hosts: 1.1.1.1 www.grisoft.com
backup-20070119-060910-465
O1 - Hosts: 1.1.1.1 mast.mcafee.com
backup-20070119-060910-499
O1 - Hosts: 1.1.1.1 www.f-secure.com
backup-20070119-060910-505
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
backup-20070119-060910-510
F3 - REG:win.ini: load=C:\WINDOWS\system32\fnftzat\winlogon.exe
backup-20070119-060910-538
O1 - Hosts: 1.1.1.1 support.microsoft.com
backup-20070119-060910-563
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
backup-20070119-060910-567
O1 - Hosts: 1.1.1.1 updates.symantec.com
backup-20070119-060910-577
O1 - Hosts: 1.1.1.1 www.avast.com
backup-20070119-060910-246
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20070119-060910-204
O1 - Hosts: 1.1.1.1 download.mcafee.com
backup-20070119-060910-593
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
backup-20070119-060910-610
O1 - Hosts: 1.1.1.1 ewido.net
backup-20070119-060910-627
O1 - Hosts: 1.1.1.1 networkassociates.com
backup-20070119-060910-644
O1 - Hosts: 1.1.1.1 services.google.com
backup-20070119-060910-648
O1 - Hosts: 1.1.1.1 www.viruslist.com
backup-20070119-060910-655
O1 - Hosts: 1.1.1.1 www.sophos.com
backup-20070119-060910-673
O1 - Hosts: 1.1.1.1 www.merijn.org
backup-20070119-060910-685
O1 - Hosts: 1.1.1.1 f-secure.com
backup-20070119-060910-705
O1 - Hosts: 1.1.1.1 sophos.com
backup-20070119-060910-719
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
backup-20070119-060910-720
O1 - Hosts: 1.1.1.1 avast.com
backup-20070119-060910-788
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
backup-20070119-060910-813
O1 - Hosts: 1.1.1.1 merijn.org
backup-20070119-060910-833
O1 - Hosts: 1.1.1.1 www.symantec.com
backup-20070119-060910-841
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
backup-20070119-060910-843
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
backup-20070119-060910-890
O1 - Hosts: 1.1.1.1 symantec.com
backup-20070119-060910-895
O1 - Hosts: 1.1.1.1 my-etrust.com
backup-20070119-060910-912
O1 - Hosts: 1.1.1.1 paretologic.com
backup-20070119-060910-923
O1 - Hosts: 1.1.1.1 safety.live.com
backup-20070119-060910-926
O1 - Hosts: 1.1.1.1 trendmicro.com
backup-20070119-060910-933
O1 - Hosts: 1.1.1.1 service1.symantec.com
backup-20070119-060910-941
O1 - Hosts: 1.1.1.1 rads.mcafee.com
backup-20070119-060910-947
O1 - Hosts: 1.1.1.1 onguardonline.gov
backup-20070119-060910-968
O1 - Hosts: 1.1.1.1 www.paretologic.com
backup-20070119-060910-975
O1 - Hosts: 1.1.1.1 download.bitdefender.com
backup-20070119-060910-980
O1 - Hosts: 1.1.1.1 spywareinfo.com
backup-20070119-060910-983
O1 - Hosts: 1.1.1.1 sysinternals.com
backup-20070119-060910-189
O1 - Hosts: 1.1.1.1 zonelabs.com
backup-20070119-060910-228
O1 - Hosts: 1.1.1.1 www.trendmicro.com
backup-20070119-060910-168
O1 - Hosts: 1.1.1.1 bitdefender.com
backup-20070119-060910-589
O1 - Hosts: 1.1.1.1 ftp.sophos.com
backup-20070119-060910-200
O1 - Hosts: 1.1.1.1 www.zonelabs.com
backup-20070119-060910-153
O1 - Hosts: 1.1.1.1 us.mcafee.com
backup-20070119-060910-136
O1 - Hosts: 1.1.1.1 www.my-etrust.com
backup-20070119-060910-588
O1 - Hosts: 1.1.1.1 pandasoftware.com
backup-20070119-060910-107
O1 - Hosts: 1.1.1.1 www.sysinternals.com

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-11 20:53:47
C:\ComboFix-quarantined-files.txt ... 07-04-11 20:53

My dss/ hjt log...

Logfile of HijackThis v1.99.1
Scan saved at 9:53:21 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\HJT\hijackthis\B. HARL ROMINE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158009876\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128800440916
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2810EE-DB61-4823-9417-35E4A236CF8D}: NameServer = 209.165.131.12,209.165.131.13
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe



With regard to a status update...still seems to be relatively stable in safe mode, but cannot operate in normal...any time I try to do anything, something is using all my processor capacity so it takes forever to do even the simplest commands.

Hope this helps...

thanks, harl
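The HijackThis backup list in the ComboFix log above records dozens of "O1 - Hosts:" entries that pointed security-vendor and malware-help domains at 1.1.1.1 (and one at a different public address), which is how this kind of infection stops antivirus updates and keeps the victim off support sites. As an added example that is not part of this thread or of HijackThis, here is a Python triage script that reads HJT-style lines, picks out the hosts entries that override a vendor domain, labels where each one sends traffic, and counts how many domains were pointed at the same IP. The vendor list and the sample lines are constructed from entries in this thread.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample: HijackThis-style lines copied from the backup list in
# this thread, plus one normal hosts entry and one non-hosts line for contrast.
SAMPLE_LINES = [
    "O1 - Hosts: 64.233.167.104 sandbox.norman.no",
    "O1 - Hosts: 1.1.1.1 www.bitdefender.com",
    "O1 - Hosts: 1.1.1.1 update.symantec.com",
    "O1 - Hosts: 1.1.1.1 ftp.f-secure.com",
    "O1 - Hosts: 1.1.1.1 www.sysinternals.com",
    "O1 - Hosts: 127.0.0.1 localhost",
    "O4 - HKLM\\..\\Run: [serpe] C:\\WINDOWS\\system32\\formatsys.exe",
]

# Assumption: domains of security vendors and malware-help sites whose names
# appear in this thread.  A real deployment would keep a fuller list.
SECURITY_VENDOR_DOMAINS = (
    "symantec.com", "mcafee.com", "nai.com", "f-secure.com", "bitdefender.com",
    "grisoft.com", "sophos.com", "kaspersky.com", "trendmicro.com",
    "pandasoftware.com", "avast.com", "ewido.net", "zonelabs.com",
    "my-etrust.com", "paretologic.com", "norman.no", "viruslist.com",
    "jotti.org", "merijn.org", "sysinternals.com", "spywareinfo.com",
    "onguardonline.gov", "support.microsoft.com", "safety.live.com",
)

HOSTS_RE = re.compile(r'^O1 - Hosts:\s+(\S+)\s+(\S+)')


class HostsFinding(NamedTuple):
    domain: str
    ip: str
    vendor: str   # which vendor domain the entry overrides
    target: str   # 'loopback', 'unspecified', 'private', 'public' or 'invalid'


def vendor_for(domain: str) -> str:
    """Return the matching vendor suffix, or '' if the domain is not a vendor's."""
    d = domain.lower().rstrip('.')
    for suffix in SECURITY_VENDOR_DOMAINS:
        if d == suffix or d.endswith('.' + suffix):
            return suffix
    return ''


def classify_ip(ip: str) -> str:
    """Label where a hosts entry sends traffic."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return 'invalid'
    if addr.is_loopback:
        return 'loopback'
    if addr.is_unspecified:
        return 'unspecified'
    if addr.is_private:
        return 'private'
    return 'public'


def triage_hosts(lines: List[str]) -> List[HostsFinding]:
    """Flag every O1 hosts entry that overrides a security-vendor domain.

    Vendors do not need hosts entries, so any override is suspicious whatever
    the destination: loopback/0.0.0.0 silently blocks updates, a public IP
    may serve a fake page in place of the real site.
    """
    findings = []
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue  # not a hosts entry (O4, F3, ... lines are ignored here)
        ip, domain = m.group(1), m.group(2)
        vendor = vendor_for(domain)
        if not vendor:
            continue  # e.g. '127.0.0.1 localhost' is a normal entry
        findings.append(HostsFinding(domain, ip, vendor, classify_ip(ip)))
    return findings


def destinations(findings: List[HostsFinding]) -> Dict[str, int]:
    """How many vendor domains were pointed at each IP; one IP with many
    domains behind it is the signature of a mass hosts-file hijack."""
    return dict(Counter(f.ip for f in findings))


if __name__ == '__main__':
    found = triage_hosts(SAMPLE_LINES)
    for f in found:
        print(f'{f.domain:28} -> {f.ip:16} ({f.target}; overrides {f.vendor})')
    print('destinations:', destinations(found))
```

On the sample it lists five overrides, four of them to 1.1.1.1, and ignores the localhost and O4 lines. The count per destination is the useful signal for a helper reading a log: a single IP collecting a long list of vendor domains is a hijack, while one or two odd entries may just be a user's own additions.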
Old 04-11-2007, 08:28 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Need help, thanks in advance

Those registry entries are gone so there's nothing to see at the moment. Let's try another tool.

Please download SREng.

**You may receive a message "The bandwidth limit for this site has been exceeded", please keep trying--eventually you'll get through.

1. Extract it to Desktop & double click SREng.exe to run it

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Attach the log in your next reply. Don't post it.

You may have to rename SREngLOG.log to SREngLOG.txt to upload it.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-12-2007, 04:54 AM   #16 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 92
OS: winxp


Re: Need help, thanks in advance

Thank you. Here is the SReng log

Have a good one, Harl
Attached Files
File Type: txt SREngLOG.txt (31.9 KB, 3 views)
Old 04-12-2007, 06:40 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Need help, thanks in advance

Ok Harl, I'm not seeing anything in the logs. Since this worm spreads via file sharing, let's try disabling all File Sharing and see if we can get you to operate in Normal Mode:

Open notepad and copy/paste the entire text in the quotebox below: (don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

Go to File on the top bar and choose Save As..., name it Fixshares.reg, then change the 'Save as type' to All Files and save it to your desktop.

Double click Fixshares.reg and allow it to be merged into the registry.

--------------------------------------------------------------------

Next go to Start > Settings > Control Panel > Administrative Tools > Computer Management

Expand Shared Folders by clicking the [+] beside it then click Shares

Right click all the shares listed and choose Stop Sharing then OK at the prompt

--------------------------------------------------------------------

Finally, go to Start > Run and type

services.msc

Press OK and the services screen will open. Scroll down to the Server service, then double click it to open the properties pane (or right click and choose Properties). In the Service Status area click Stop, then click Yes at the prompt about also stopping the Computer Browser service.

Then on the Server service that you stopped change the Startup type from Automatic to Disabled then click Apply and OK.

--------------------------------------------------------------------

Reboot your system.

--------------------------------------------------------------------

If you can operate in Normal Mode:

Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply along with a new Hijack This log
----------------------------------------------------------------

Run a scan with dss.exe and post the main.txt here along with the results of the BitDefender scan.

If you still cannot operate in Normal Mode, while in Normal Mode press Ctrl Alt Del to bring up the Task Manager.
Quote:
something is using all my processor capacity so it takes forever to do even the simplest commands.
Please take note and tell me what seems to be taking up the cpu.
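The three manual steps above (the Fixshares.reg merge, stopping the listed shares, and stopping/disabling the Server service) as one script. This is an added example, not part of Ried's post or of any tool in the thread. It assumes an elevated Windows PowerShell 2.0 or later prompt with WMI available (the XP SP2 host in this thread has no Get-SmbShare, so shares are handled through Win32_Share). The AutoShareWks/AutoShareServer values are read by the Server service, so the script writes them under lanmanserver\parameters; -Force on Stop-Service stops the dependent Computer Browser service, which is the prompt the post says to answer Yes to.

```powershell
# Added example: disable administrative shares, drop current shares, and stop/disable
# the Server (LanmanServer) service, then verify. Run from an elevated prompt.
# Assumption: Windows PowerShell 2.0+ with WMI (works on XP SP2 and later).

$ErrorActionPreference = 'Stop'

# 1. Tell the Server service not to recreate C$/ADMIN$ at startup.
#    Set-ItemProperty creates the DWORD values if they do not exist yet.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
Set-ItemProperty -Path $key -Name AutoShareWks    -Value 0 -Type DWord
Set-ItemProperty -Path $key -Name AutoShareServer -Value 0 -Type DWord

# 2. Remove every current share except IPC$ (which cannot be deleted) so nothing
#    stays reachable over the network before the reboot.
Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -ne 'IPC$' } | ForEach-Object {
    Write-Host ("Removing share {0} -> {1}" -f $_.Name, $_.Path)
    $rc = $_.Delete().ReturnValue          # 0 = success, anything else is a Win32 error code
    if ($rc -ne 0) { Write-Warning ("Delete of {0} returned {1}" -f $_.Name, $rc) }
}

# Verify while the service is still running: only IPC$ should remain.
Get-WmiObject -Class Win32_Share | Select-Object Name, Path, Type

# 3. Stop and disable the Server service. -Force also stops dependents (Computer Browser).
Stop-Service -Name LanmanServer -Force
Set-Service  -Name LanmanServer -StartupType Disabled

# 4. Verify the service state and startup type.
Get-Service -Name LanmanServer | Select-Object Name, Status
(Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'").StartMode   # expect "Disabled"
```

Disabling Server removes all inbound file and printer sharing from this host until it is turned back on (Set-Service -Name LanmanServer -StartupType Automatic, then Start-Service), so on a machine that serves files to others this is a temporary diagnostic step, as Ried uses it here, not a permanent hardening setting.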
Old 04-12-2007, 08:21 PM   #18 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 92
OS: winxp


Re: Need help, thanks in advance

Okay Ried,
I was able to do the fix shares. When I went to the sharing prompt, the properties said there was no sharing.

When I worked through the steps following the services.msc command prompt it allows me to change automatic to disabled but when I reboot and start, it still sounds like the processor is running warp speed and all I get when I click on icon on the desktop is the hourglass...

When I access the task manager, there are no programs listed..it just doesn't do anything except display the hourglass.
Old 04-13-2007, 08:34 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


Re: Need help, thanks in advance

Hello harl,

Try doing a Diagnostic Startup to reach Normal Mode:
  • Click Start>Run and type in msconfig in the Run box and click OK.
  • On the General Tab, select Diagnostic Startup
  • Click Apply
  • Click Ok and reboot
If you can get to Normal Mode, uninstall Symantec via the Add/Remove programs & we'll see if that makes the difference.

Before you proceed with the uninstall, go back to msconfig (following the previous steps) and select Normal Startup>Apply>OK but restart later.

Now uninstall Symantec via the Add/Remove programs and reboot.

If you are able to run in Normal Mode with Symantec uninstalled--that would be the main problem. Try reinstalling Symantec.

Let me know how all that went.
Old 04-14-2007, 05:58 AM   #20 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 92
OS: winxp


Re: Need help, thanks in advance

Phew....thanks Ried, thought you might have grown bored with this one...

Okay, I was able to use msconfig to start in normal mode and it seems to be operating better (not quite normal) but better. I tried to run DSS; it hung up about 44% of the way through the first time. The second time it worked and I was able to get an HJT that is posted below.

thanks a bunch, harl


Deckard's System Scanner v20070328.36
Run by B. HARL ROMINE on 2007-04-14 at 07:42:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as B. HARL ROMINE.exe) --------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:43:05 AM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1158009876\ee\AOLSoftware.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\B. HARL ROMINE\Desktop\dss.exe
C:\DOCUME~1\HJT\HIJACK~1\BHARLR~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158009876\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128800440916
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2810EE-DB61-4823-9417-35E4A236CF8D}: NameServer = 209.165.131.12,209.165.131.13
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe


-- Files created between 2007-03-14 and 2007-04-14 -----------------------------

2007-04-11 19:33:32 0 d-------- C:\Documents and Settings\B. HARL ROMINE\DoctorWeb<DOCTOR~1>
2007-03-31 06:27:01 0 d-------- C:\Documents and Settings\B. HARL ROMINE\Application Data\GTek


-- Find3M Report ---------------------------------------------------------------

2007-04-14 07:26:25 0 d-------- C:\Program Files\Symantec_Client_Security<SYMANT~1>
2007-04-14 07:24:31 0 d-------- C:\Program Files\Symantec
2007-04-14 07:23:00 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-03-31 0825 0 d-------- C:\Program Files\WatchDog
2007-03-29 17:52:41 0 d---s---- C:\Documents and Settings\B. HARL ROMINE\Application Data\Microsoft<MICROS~1>
2007-03-27 08:08:54 0 d-------- C:\Documents and Settings\B. HARL ROMINE\Application Data\AdobeUM
2007-03-17 08:55:24 0 d-------- C:\Program Files\Microsoft Money<MICROS~2>
2007-02-13 17:45:47 28672 --a------ C:\WINDOWS\system32\f3PSSavr.scr


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"Sonic RecordNow!"=""
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MMTray"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe\""
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"iamapp"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\IAMAPP.EXE"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1158009876\\ee\\AOLSoftware.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media\LEGO Stunt Rally]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\C:\Program Files\LEGO Media\LEGO Stunt Rally\StuntRally.exe]
@="C:\\Program Files\\LEGO Media\\LEGO Stunt Rally\\StuntRally.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://www.edhelperclipart.com/clipart/edhelp2.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://64.128.93.12/projects/broadca..._broadcast.jpg

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source REG_SZ http://www.joycemeyer.org/projects/h...cast_title.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source REG_SZ http://joycemeyer.org/NR/rdonlyres/2.../hdr_Media.gif

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source REG_SZ https://www.parellisavvyclub.com/images/login_image.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-04-14 at 07:49:27 ---------
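A first-pass triage of a HijackThis 1.99.1 log like the one above, as an added example (not code from the thread or from HijackThis/DSS). It parses each entry by its section code and flags the kinds of lines an analyst reads first: targets marked "(file missing)", O17 NameServer entries, O6 policy restrictions, O18 protocol handlers, O20 Winlogon Notify DLLs, O23 services with no publisher, and O4 autostarts launched from a profile or temp directory. The sample lines are copied from the log in this post; set $LogPath to run it against a real log. A flag is a pointer to look, not a verdict: on this log it surfaces only the msjava.dll/xpnetdiag/sqladhlp leftovers, the two DNS servers (to be confirmed as the ISP's), the IE policy keys, the WgaLogon notify and the MSN/Logitech handlers, which agrees with Ried's reading that nothing in the log stands out. Assumes Windows PowerShell 2.0 or later.

```powershell
# Added example: flag HijackThis log entries worth a closer look.
# Sample input is copied from the log above (not a live scan).
$sample = @'
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B2810EE-DB61-4823-9417-35E4A236CF8D}: NameServer = 209.165.131.12,209.165.131.13
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
'@

function Get-HjtFindings {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        # Every HJT entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
        if ($line -notmatch '^(?<code>[RFNO]\d{1,2}) - (?<body>.*)$') { continue }
        $code = $Matches.code
        $body = $Matches.body
        $flags = @()

        if ($body -match '\(file missing\)') { $flags += 'orphaned entry: target file missing' }
        if ($code -eq 'O17') { $flags += 'DNS servers set in registry; confirm they belong to the ISP' }
        if ($code -eq 'O6')  { $flags += 'IE policy restrictions present; expected only if an admin set them' }
        if ($code -eq 'O18') { $flags += 'custom URL protocol handler; verify the owning product' }
        if ($code -eq 'O20') { $flags += 'Winlogon Notify DLL loads at every logon; verify publisher' }
        if ($code -eq 'O23' -and $body -match 'Unknown owner') { $flags += 'service with no company name' }
        # Autostarts launched from a user profile or temp directory are the classic malware location.
        if ($code -eq 'O4' -and $body -match '\\(Local Settings\\Temp|Temp|Application Data)\\') {
            $flags += 'autostart runs from a profile/temp directory'
        }

        if ($flags.Count -gt 0) {
            # New-Object rather than [pscustomobject] so this runs on PowerShell 2.0 (XP).
            New-Object PSObject -Property @{ Code = $code; Entry = $body; Flags = ($flags -join '; ') }
        }
    }
}

$LogPath = $null   # e.g. 'C:\hijackthis.log' to triage a real log instead of the sample
$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sample -split "`r?`n" }
Get-HjtFindings -Lines $lines | Select-Object Code, Entry, Flags | Format-Table -AutoSize -Wrap
```

Entries the script does not flag (the ordinary O2/O3/O4 lines for Adobe, Google, Symantec, iTunes and so on) still need the usual check that the file path, publisher and size match a known-good install; the point of the pass is to order the reading, which for a log of this length is most of the work.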
Copyright 2001 - 2009, Tech Support Forum