Computer is Really Slow...Any Help Appreciated!

[kimmelm]

First of all, I am a first-time poster on this website and I am a huge fan of what you all are doing. You all are saving people endless amounts of stress and frustration!

Second of all, I've followed the 5 steps to posting a log and the only one that I wasn't able to complete was the operating system update. I am currently running XP with SP2 so I'm not sure if it is necessary to roll back to an earlier version, or even how to do that in the first place.

The main issue that I'm having is that my computer is running much slower than normal, especially when I have left it on for a while. Also, I feel like I am accumulating more processes than are normal including some that look like redundancies.

I've attached the Panda Scan and the Deckard's System Scan (extra.txt) info to this post and the main.txt info is pasted as the following.

Thank you very much for your help!!

Deckard's System Scanner v20070328.36
Run by Administrator on 2007-04-01 at 15:07:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
40: 2007-04-01 19:07:56 UTC - RP809 - Deckard's System Scanner Restore Point
39: 2007-03-31 22:26:15 UTC - RP808 - System Checkpoint
38: 2007-03-30 22:04:24 UTC - RP807 - System Checkpoint
37: 2007-03-29 19:15:17 UTC - RP806 - System Checkpoint
36: 2007-03-28 17:20:56 UTC - RP805 - Spybot-S&D Spyware removal


-- First Restore Point --
1: 2007-02-21 21:58:15 UTC - RP770 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-04-01 15:09:30
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.0.5730.11)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Xpoint\PE\PCRecSA.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Xpoint\xpadmin\xpadmin.exe
C:\Program Files\Xpoint\agent\Xpagent.exe
C:\Program Files\Xpoint\EEClient\Xpclient.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Xpoint\SAS\JRE\bin\javaw.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\Utilities\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\dla\DLACTRLW.EXE
C:\Program Files\Network Associates\VirusScan\shstat.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S08FYVNN\dss[1].exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bc.edu/bcinfo
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\googletoolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\googletoolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\googletoolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\googletoolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\googletoolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\googletoolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} () - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.co...762.2682986111
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FoInstaller Class) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"
O23 - Service: iPod Service - Apple Inc. - "C:\Program Files\iPod\bin\iPodService.exe"
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - "C:\Program Files\Network Associates\VirusScan\Mcshield.exe"
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - "C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\Program Files\Xpoint\PE\pcradmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\Psasrv.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\system32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\Program Files\Xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\Program Files\Xpoint\agent\Xpagent.exe


-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys
R1 DLACDBHM - c:\windows\system32\drivers\dlacdbhm.sys
R1 DLARTL_N - c:\windows\system32\drivers\dlartl_n.sys
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys
R1 Smapint - c:\windows\system32\drivers\smapint.sys
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 DLABOIOM - c:\windows\system32\dla\dlaboiom.sys
R2 DLADResN - c:\windows\system32\dla\dladresn.sys
R2 DLAIFS_M - c:\windows\system32\dla\dlaifs_m.sys
R2 DLAOPIOM - c:\windows\system32\dla\dlaopiom.sys
R2 DLAPoolM - c:\windows\system32\dla\dlapoolm.sys
R2 DLAUDF_M - c:\windows\system32\dla\dlaudf_m.sys
R2 DLAUDFAM - c:\windows\system32\dla\dlaudfam.sys
R2 drvnddm - c:\windows\system32\drivers\drvnddm.sys
R2 irda (IrDA Protocol) - c:\windows\system32\drivers\irda.sys
R2 MASPINT - c:\windows\system32\drivers\maspint.sys
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys
R2 SRFilter - c:\windows\system32\drivers\srntflt.sys
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys
R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys
R3 IBMPMDRV - c:\windows\system32\drivers\ibmpmdrv.sys
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys
R3 NSCIRDA (NSC Infrared Device Driver) - c:\windows\system32\drivers\nscirda.sys
R3 Rasirda (WAN Miniport (IrDA)) - c:\windows\system32\drivers\rasirda.sys
R3 smwdm - c:\windows\system32\drivers\smwdm.sys
R3 w70n51 (Intel(R) PRO/Wireless 7100 Adapter Driver) - c:\windows\system32\drivers\w70n51.sys

S3 ac97intc (Intel(r) 82801 Audio Driver Install Service (WDM)) - c:\windows\system32\drivers\ac97intc.sys
S3 dtscsi - c:\windows\system32\drivers\dtscsi.sys (file missing)
S3 gv3 (Intel GV3 Processor Driver) - c:\windows\system32\drivers\gv3.sys
S3 ltmodem5 (LT Modem Driver) - c:\windows\system32\drivers\ltmdmnt.sys
S3 psadd (IBM PSA Access Driver) - c:\windows\system32\drivers\psadd.sys
S3 S3SSavage - c:\windows\system32\drivers\s3ssavm.sys
S3 TwoTrack (IBM PS/2 TrackPoint Filter Driver) - c:\windows\system32\drivers\twotrack.sys
S4 cbidf - c:\windows\system32\drivers\cbidf2k.sys
S4 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 IBM Rapid Restore Ultra Service - c:\program files\xpoint\pe\skin\rrpcsb.exe
R2 IBMPMSVC (IBM PM Service) - c:\windows\system32\ibmpmsvc.exe
R2 Irmon (Infrared Monitor) - c:\windows\system32\svchost.exe -k netsvcs
R2 McAfeeFramework (McAfee Framework Service) - "c:\program files\network associates\common framework\frameworkservice.exe" /servicestart
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe"
R2 QCONSVC - system32\qconsvc.exe
R2 RegSrvc - c:\windows\system32\regsrvc.exe
R2 XPadminServer (Xpoint Admin Server) - c:\progra~1\xpoint\xpadmin\xpadmin.exe
R2 xpAgentServer (Xpoint Agent Server) - c:\progra~1\xpoint\agent\xpagent.exe

S2 PCRadminServer (Xpoint PCRadmin Server) - c:\progra~1\xpoint\pe\pcradmin.exe
S3 PsaSrv (IBM PSA Access Driver Control) - c:\windows\system32\psasrv.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-03-26 16:51:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2003-05-20 19:09:30 314 --a------ C:\WINDOWS\Tasks\BMMTask.job


-- Files created between 2007-03-01 and 2007-04-01 -----------------------------

2007-03-30 01:10:33 0 d-------- C:\ie-spyad
2007-03-30 0143 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-03-30 01:00:46 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-03-29 19:40:06 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-29 19:40:03 0 d-------- C:\WINDOWS\LastGood
2007-03-19 21:48:02 61440 --a------ C:\WINDOWS\diabswun.exe
2007-03-19 21:48:02 86528 --a------ C:\WINDOWS\bnetunin.exe
2007-03-19 21:48:02 0 d-------- C:\Diablo
2007-03-12 19:34:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2007-03-12 19:34:14 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP<AOLOCP~1>
2007-03-12 19:33:39 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-03-12 19:33:00 0 d-------- C:\Program Files\Common Files\Nullsoft
2007-03-12 19:32:34 0 d-------- C:\Program Files\Common Files\AOL


-- Find3M Report ---------------------------------------------------------------

2007-03-31 15:23:40 0 d-------- C:\Program Files\Morpheus
2007-03-29 21:47:59 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-29 21:40:59 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-29 21:39:39 0 d-------- C:\Program Files\iTunes
2007-03-29 21:38:22 0 d-------- C:\Program Files\Google
2007-03-29 20:22:13 0 d-------- C:\Program Files\FinePixViewer<FINEPI~1>
2007-03-29 20:21:07 0 d-------- C:\Program Files\DIGStream<DIGSTR~1>
2007-03-19 19:20:35 0 d-------- C:\Program Files\iPod
2007-03-12 21:18:42 0 d-------- C:\Program Files\AIM
2007-03-12 21:18:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Aim
2007-03-12 20:31:15 0 d-------- C:\Program Files\Java
2007-03-12 19:37:32 0 d-------- C:\Program Files\Apple Software Update<APPLES~1>
2007-03-12 19:34:08 0 d-------- C:\Program Files\AIM6
2007-03-06 00:54:31 0 d-------- C:\Program Files\Torrent Downloads<TORREN~1>
2007-01-25 15:04:49 34944 --a----c- C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
2007-01-08 20:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3Tray2.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIModeChange"="Ati2mdxx.exe"
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"TPKMAPMN"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapMn.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"UC_SMB"=""
"StorageGuard"="\"c:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"QCTray"="C:\\PROGRA~1\\ThinkPad\\CONNEC~1\\QCTray.exe"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ares Lite Edition\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51


-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost.localdomain
127.0.0.1 sitefinder.Verisign.com # Verisign has joined the game
127.0.0.1 sitefinder-idn.Verisign.com # of trying to hijack mistyped
127.0.0.1 # URLs to their site.
127.0.0.1 ad.doubleclick.net # This may interefere with www.sears.com
127.0.0.1 # and potentially other sites.
127.0.0.1 media.fastclick.net # Likewise, this may interefer with some
127.0.0.1 # sites.
127.0.0.1 #up CSS on livejournal
127.0.0.1 # problems with NPR.org

4592 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-04-01 at 15:10:08 ---------

[kimmelm]

bump bump

[kimmelm]

bumpin

[kimmelm]

I'd really appreciate it if someone could take a look at the posted info. Any help would be great!

[Sempurna]

Hi kimmelm,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, let’s check whether malware is causing your problems. If not, it could be some hardware or driver or software incompatibility problem.

Let’s do this first.

Please download DAFT and save it to your desktop:

• Double-click the daft.exe icon. Read the disclaimer and click OK.
• Click on the Scan button.
• Place a checkmark next to the following entries:
  
  .js
  
  
• Click the Fix button.
• Re-scan and save a logfile. By default, it will save as daft.txt.
• Post the contents of that logfile with your next post.

NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 –k
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download HostsXpert and save it to your desktop:

• Extract the zip file to your desktop or a permanent folder on your hard drive.
• Open the folder and double-click on HostsXpert.exe.
• Make sure that the "Make Writable?" button in the upper left corner is enabled. By default the button should be showing "Make ReadOnly?" (if it is, leave it alone).
• Click "Backup / Restore" and select "Create Backup".
• Click "Restore MS Hosts File".
• Click "OK" and exit the program.

NEXT:

Please download OTMoveIt by OldTimer:

• Save it to your desktop.
• Please double-click OTMoveIt.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  c:\windows\inf\localNrd.inf
  C:\WINDOWS\oeunist.exe
  C:\WINDOWS\system32\xmltok.dll
  c:\windows\system32\SBUtils
  
  
• Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
• Click the red MoveIt! button.
• Close OTMoveIt.
• Please post the log from OTMoveIt, located here:
  
  C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
  
  Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

Please download CCleaner (freeware) and save it to your desktop:

1. Run the CCleaner installer.
2. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
3. Once installed, run CCleaner and click the Windows tab.
4. Select the following:
   • Check everything under the Internet Explorer section.
   • Check everything under the Windows Explorer section.
   • Check everything under the System section.
   • Check ONLY Old Prefetch data under the Advanced section.
5. Then, click the Applications tab:
   • UNCHECK everything there.
6. Next, click the Options button, then click the Advanced button:
   • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
7. Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

• Save it to your desktop.
• Double-click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):

1. Click on Kaspersky Online Scanner.
2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
3. The program will launch and then begin downloading the latest definition files.
4. Once the files have been downloaded click on Next.
5. Now click on Scan Settings.
6. In the scan settings make sure that the following are selected:
   • Scan using the following Anti-Virus database:
     Extended
   • Scan Options:
     Scan Archives
     Scan Mail Bases
7. Click OK.
8. Now under select a target to scan:
   • Select My Computer.
9. This program will start and scan your system.
10. The scan will take a while so be patient and let it run.
11. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
12. Save the file to your desktop.
13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:

1. The log from DAFT.
2. The log from OTMoveIt.
3. The log from the ComboFix scan.
4. The log from the Kaspersky scan.
5. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

[kimmelm]

Hi,

Thanks for responding! The only step I had trouble with was with HostsXpert. When I enabled the MakeWiritable button, the Backup?Restore button wouldn't click so I had to disable it before I could create the Backup or restore the MS Hosts file. Here's the log from DAFT:

DAFT Log saved on 2007-05-07 16:47:12
-----------------------------------------------------------------------
All associations okay!


From OTMoveIt:

c:\windows\inf\localNrd.inf moved successfully.
C:\WINDOWS\oeunist.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xmltok.dll
C:\WINDOWS\system32\xmltok.dll NOT unregistered.
C:\WINDOWS\system32\xmltok.dll moved successfully.
c:\windows\system32\SBUtils moved successfully.

Created on 05/07/2007 17:17:07


From ComboFix:

"Administrator" - 2007-05-07 17:23:20 Service Pack 2
ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-07 to 2007-05-07 ))))))))))))))))))))))))))))))))))


2007-05-07 17:19 <DIR> d-------- C:\Program Files\CCleaner
2007-04-24 16:52 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-04-23 22:49 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-04-23 22:49 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-04-18 15:10 2,716 --a------ C:\WINDOWS\system32\d3d9caps.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-07 21:22:42 -------- d-----w C:\Program Files\SpywareGuard
2007-05-07 21:10:39 -------- d-----w C:\Program Files\Morpheus
2007-03-30 05:03:10 -------- d-----w C:\Program Files\SpywareBlaster
2007-03-30 01:47:59 -------- d-----w C:\Program Files\QuickTime
2007-03-30 01:40:59 -------- d-----w C:\Program Files\Messenger
2007-03-30 01:39:39 -------- d-----w C:\Program Files\iTunes
2007-03-30 01:38:22 -------- d-----w C:\Program Files\Google
2007-03-30 00:22:13 -------- d-----w C:\Program Files\FinePixViewer
2007-03-30 00:21:07 -------- d-----w C:\Program Files\DIGStream
2007-03-20 01:48:02 86,528 ----a-w C:\WINDOWS\bnetunin.exe
2007-03-20 01:48:02 61,440 ----a-w C:\WINDOWS\diabswun.exe
2007-03-19 23:20:35 -------- d-----w C:\Program Files\iPod
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-13 01:18:42 -------- d-----w C:\Program Files\AIM
2007-03-13 01:18:18 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1.\Aim
2007-03-13 00:12:31 -------- d-----w C:\Program Files\Common Files\AOL
2007-03-12 23:37:32 -------- d-----w C:\Program Files\Apple Software Update
2007-03-12 23:34:30 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1.\acccore
2007-03-12 23:34:08 -------- d-----w C:\Program Files\AIM6
2007-03-12 23:33:00 -------- d-----w C:\Program Files\Common Files\Nullsoft
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{4A368E80-174F-4872-96B5-0B27DDD11DB2}"="C:\Program Files\SpywareGuard\dlprotect.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="C:\WINDOWS\System32\DLA\DLASHX_W.DLL"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll"
"{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar1.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3Tray2.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIModeChange"="Ati2mdxx.exe"
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"TPKMAPMN"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapMn.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"UC_SMB"=""
"StorageGuard"="\"c:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"QCTray"="C:\\PROGRA~1\\ThinkPad\\CONNEC~1\\QCTray.exe"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aim
C:\Program Files\AIM\aim.exe -cnetwait.odl

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares
"C:\Program Files\Ares Lite Edition\Ares.exe" -h

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BMMTask.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-07 17:26:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-07 17:26:52
C:\ComboFix-quarantined-files.txt ... 2007-05-07 17:26


From the Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 07, 2007 7:39:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/05/2007
Kaspersky Anti-Virus database records: 315180
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 57577
Number of viruses found: 6
Number of infected objects: 11 / 0
Number of suspicious objects: 4
Duration of the scan process: 01:33:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007050720070508\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\NAILogs\UpdaterUI_BOSTON-HOGC3FJ7.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFAAAE.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFCAA5.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070507_Time-031722444_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070507_Time-031722444_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_BOSTON-HOGC3FJ7.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_BOSTON-HOGC3FJ7.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy23.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy23.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy3.zip/trkgif.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\IBMTOOLS\APPS\RRU301US\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRU301US\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRU301US\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRU301US\rrpc\superinstall.EXE ZIP: infected - 3 skipped
C:\Program Files\DIGStream\digstream.exe Infected: not-a-virus:Downloader.Win32.DigStream.a skipped
C:\Program Files\Morpheus\morpheustoolbar.exe/stream/data0009 Infected: not-a-virus:AdWare.Win32.Softomate.t skipped
C:\Program Files\Morpheus\morpheustoolbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.t skipped
C:\Program Files\Morpheus\morpheustoolbar.exe NSIS: infected - 2 skipped
C:\Program Files\Morpheus\mymorpheusToolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Network Associates\System Compliance Profiler\PtchScan.log Object is locked skipped
C:\Program Files\Xpoint\agent\log\xpagent.log Object is locked skipped
C:\Program Files\Xpoint\agent\pages\lurknote.txt Object is locked skipped
C:\Program Files\Xpoint\SAS\dat\ASYNCH-TSS\left\Admin.redolog Object is locked skipped
C:\Program Files\Xpoint\SAS\dat\ASYNCH-TSS\left\Galaxy.redolog Object is locked skipped
C:\Program Files\Xpoint\SAS\dat\ASYNCH-TSS\right\DISCO_ASYNCH_TSIN.redolog Object is locked skipped
C:\Program Files\Xpoint\SAS\dat\ASYNCH-TSS\right\DISCO_ASYNCH_TSMSG.redolog Object is locked skipped
C:\Program Files\Xpoint\SAS\dat\ASYNCH-TSS\right\DISCO_ASYNCH_TSOUT.redolog Object is locked skipped
C:\Program Files\Xpoint\SAS\logfile1.log Object is locked skipped
C:\Program Files\Xpoint\SAS\tssdebug.log Object is locked skipped
C:\Program Files\Xpoint\SAS\tsserver.log Object is locked skipped
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP839\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\windows\oeunist.exe/data0002 Infected: Trojan-Downloader.Win32.IstBar.er skipped
C:\_OTMoveIt\MovedFiles\windows\oeunist.exe NSIS: infected - 1 skipped

Scan process completed.


and from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:13:55 PM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Xpoint\PE\pcrecsa.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
C:\PROGRA~1\Xpoint\agent\Xpagent.exe
C:\PROGRA~1\Xpoint\EEClient\xpclient.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Xpoint\SAS\jre\bin\javaw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bc.edu/bcinfo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\googletoolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\googletoolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\googletoolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\googletoolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\googletoolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\googletoolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bc.edu/bcinfo/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\PE\pcradmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\Xpoint\agent\Xpagent.exe

Thank you very much, Sempurna.

[Sempurna]

Hi kimmeln,

You’re most welcome kimmeln.

OK, let’s do this next to pick up the leftovers.

Morpheus is a program with a dubious reputation. I recommend that you uninstall it and replace it with one of the more reputable P2P programs listed on this page:
http://p2p.malwareremoval.com/


NEXT:

Please launch OTMoveIt:

• Double-click OTMoveIt.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  C:\WINDOWS\bnetunin.exe
  C:\Program Files\Morpheus
  
  
• Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
• Click the red MoveIt! button.
• Close OTMoveIt.
• Please post the log from OTMoveIt, located here:
  
  C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
  
  Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

Please go to: VirusTotal

• At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to next file:
  
  C:\WINDOWS\diabswun.exe
  
  
• Click "Open".
• Then click the "Send" button at the top of the VirusTotal page.
• This will scan the file. Please be patient.
• Once scanned, copy and paste the results in your next reply together with a new HijackThis log.

NEXT:

OK, let’s see if we can work out what else may be causing the slow behaviour on your system.

Please go to Start -> Run and type (or copy and paste):

devmgmt.msc

Click OK.


Your system’s Device Manager will now open:

• Double-click IDE ATA/ATAPI controllers.
• Right-click Primary IDE Channel, select Properties, and click on the Advanced Settings tab.
• In the Transfer Mode dropdown list, please ensure that you have DMA if available for Device 0 and Device 1.
• If the drop-down box already shows "DMA if available" but the current transfer mode is PIO, then you must toggle the settings. That is:
  • Change the selection from "DMA if available" to PIO Only, and click OK.
  • Then repeat the steps above to change the selection to "DMA if available".
• Once you have completed the steps above for the Primary IDE Channel, then do the same for the Secondary IDE Channel.

Reboot your computer for the change to take effect.


NEXT:

Please download Autoruns by Sysinternals and save it to your desktop:

• Unzip (extract) it to your desktop, open the Autoruns folder, and double-click autoruns.exe to run it.
• In the main Autoruns window, go to the Logon tab, and uncheck the following entries:
  
  TPKMAPMN
  EZEJMNAP
  StorageGuard
  DIGStream
  REGSHAVE
  SunJavaUpdateSched
  TkBellExe
  QuickTime Task
  MSMSGS
  
  
• Then please exit Autoruns.

You may also check with these websites about any programs on your system that can be stopped from running at startup without compromising performance or usage:

• StartupList Index
• Startup Programs Database
• Paul Collins’ Startup Applications List

Reboot your computer to set the new startup settings.


NEXT:

Please register (it's free, don't worry) with PC Pitstop and run the full tests here:
http://www.pcpitstop.com/pcpitstop/default.asp

When the tests are complete, a results page will pop up. Click "Share Results with TechExpress" on the top right-hand side. Then copy the URL provided and post it here for me.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:

1. The log from OTMoveIt.
2. The report from VirusTotal.
3. The report from PC Pitstop.
4. A new HijackThis log.

How are things running now?

[kimmelm]

Hi,

Here's the log from ITMoveIt:

C:\WINDOWS\bnetunin.exe moved successfully.
C:\Program Files\Morpheus\Torrents moved successfully.
C:\Program Files\Morpheus\Temp moved successfully.
C:\Program Files\Morpheus\SkinData\happy\xml moved successfully.
C:\Program Files\Morpheus\SkinData\happy\images moved successfully.
C:\Program Files\Morpheus\SkinData\happy moved successfully.
C:\Program Files\Morpheus\SkinData\default\xml moved successfully.
C:\Program Files\Morpheus\SkinData\default\mobile\xhtml\images moved successfully.
C:\Program Files\Morpheus\SkinData\default\mobile\xhtml moved successfully.
C:\Program Files\Morpheus\SkinData\default\mobile\template moved successfully.
C:\Program Files\Morpheus\SkinData\default\mobile\searches moved successfully.
C:\Program Files\Morpheus\SkinData\default\mobile\public moved successfully.
C:\Program Files\Morpheus\SkinData\default\mobile\monetization moved successfully.
C:\Program Files\Morpheus\SkinData\default\mobile\images moved successfully.
C:\Program Files\Morpheus\SkinData\default\mobile moved successfully.
C:\Program Files\Morpheus\SkinData\default\images moved successfully.
C:\Program Files\Morpheus\SkinData\default moved successfully.
C:\Program Files\Morpheus\SkinData\Common\Scripts moved successfully.
C:\Program Files\Morpheus\SkinData\Common moved successfully.
C:\Program Files\Morpheus\SkinData moved successfully.
C:\Program Files\Morpheus\Schemas moved successfully.
C:\Program Files\Morpheus\Partials moved successfully.
C:\Program Files\Morpheus\Offers moved successfully.
C:\Program Files\Morpheus\My Shared Folder moved successfully.
C:\Program Files\Morpheus\Downloads moved successfully.
C:\Program Files\Morpheus moved successfully.

Created on 05/08/2007 02:01:48

from VirusTotal:

Complete scanning result of "diabswun.exe", received in VirusTotal at 05.08.2007, 08:02:02 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.8.0 05.07.2007 no virus found
AntiVir 7.4.0.15 05.07.2007 no virus found
Authentium 4.93.8 05.07.2007 no virus found
Avast 4.7.997.0 05.07.2007 no virus found
AVG 7.5.0.467 05.07.2007 no virus found
BitDefender 7.2 05.08.2007 no virus found
CAT-QuickHeal 9.00 05.07.2007 no virus found
ClamAV devel-20070416 05.07.2007 no virus found
DrWeb 4.33 05.07.2007 no virus found
eSafe 7.0.15.0 05.07.2007 no virus found
eTrust-Vet 30.7.3616 05.07.2007 no virus found
Ewido 4.0 05.07.2007 no virus found
FileAdvisor 1 05.08.2007 no virus found
Fortinet 2.85.0.0 05.08.2007 no virus found
F-Prot 4.3.2.48 05.07.2007 no virus found
F-Secure 6.70.13030.0 05.08.2007 no virus found
Ikarus T3.1.1.7 05.08.2007 no virus found
Kaspersky 4.0.2.24 05.08.2007 no virus found
McAfee 5025 05.07.2007 no virus found
Microsoft 1.2503 05.07.2007 no virus found
NOD32v2 2248 05.07.2007 no virus found
Norman 5.80.02 05.07.2007 no virus found
Panda 9.0.0.4 05.07.2007 no virus found
Prevx1 V2 05.08.2007 no virus found
Sophos 4.17.0 05.07.2007 no virus found
Sunbelt 2.2.907.0 05.05.2007 no virus found
Symantec 10 05.08.2007 no virus found
TheHacker 6.1.6.108 05.06.2007 no virus found
VBA32 3.11.4 05.07.2007 no virus found
VirusBuster 4.3.7:9 05.07.2007 no virus found
Webwasher-Gateway 6.0.1 05.08.2007 no virus found


Aditional Information
File size: 61440 bytes
MD5: 15bda206bad89cb1cbe91f7c7c078d63
SHA1: e01492109fee9cc66c6314c895429c26136ce386

the URL for PC PitStop:

http://www.pcpitstop.com/techexpress/default.asp


and the new log for HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 2:30:39 AM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Logfile of HijackThis v1.99.1
Scan saved at 2:45:31 AM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Xpoint\PE\pcrecsa.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
C:\PROGRA~1\Xpoint\agent\Xpagent.exe
C:\PROGRA~1\Xpoint\EEClient\xpclient.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Xpoint\SAS\jre\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bc.edu/bcinfo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\googletoolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\googletoolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\googletoolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\googletoolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\googletoolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\googletoolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bc.edu/bcinfo/
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\PE\pcradmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\Xpoint\agent\Xpagent.exe


Thanks for all your help! Things seem to be running pretty smoothly now.

[Sempurna]

Hi kimmeln,

You’re most welcome, kimmeln. I’m glad to hear that things are running better now.

Just some loose ends to tie up, and then we can let you go home. :)

Your version of Sun Java is out-of-date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components and update:

• CLICK HERE to download the offline installer.
  • Select Java Runtime Environment (JRE) 6u1 and click the Download button to the right.
  • Check the box that says Accept License Agreement.
  • Click on the link to download Windows Offline Installation, Multi-language.
  • Save the file to your desktop.
• Next, uninstall your currently installed version from Add/Remove Programs.
• If you have older versions listed uninstall them also. If you simply update to the new version it leaves the older versions still installed, complete with previous vulnerabilities.
• Examples of older versions in Add/Remove Programs:
  • Java 2 Runtime Environment, SE v1.4.2
  • J2SE Runtime Environment 5.0
  • J2SE Runtime Environment 5.0 Update 2
• Reboot your system.
• Install the new version by double-clicking on the file you downloaded.

NEXT:

Everything looks great --- your HijackThis log appears to be clean.

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

• Windows Updates (a must!)
  It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.
  
  
• Firewall (a must!)
  It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
  Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.
  
  
• Also make sure to run your antivirus software regularly, and to keep it up-to-date.
  
  
• SpywareBlaster
  This is a great FREE prevention tool to keep nasties from installing on your system.
  Tutorial: How to use!
  
  
• IE-SPYAD
  This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  Tutorial: How to use!
  
  
• Spybot - Search & Destroy
  This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
  Tutorial: How to use!
  
  
• Ad-Aware SE
  This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy compliment each other very well.
  Tutorial: How to use!
  
  
• AVG Anti-Spyware
  This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
  User Manual: How to use!
  
  
• SUPERAntiSpyware
  This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware compliment each other very well.
  Quick Guide: How to use!

Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

Hopefully this should take care of your problems! Good luck!


Please respond one more time and let me know you received this post, so that it can be marked as resolved, unless you have other problems.

[kimmelm]

Thank you very much!