Old 06-04-2009, 11:55 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro sp 3


slow firefox and boot

My PC's performance is poor. Even some local functions are 1/2 the speed I used to enjoy. I notice that the hard drive will sometimes start running after boot as if I had launched a program. Task mgr reports 99% usage during boot. For some time I had audio files randomly playing. Cyber Defender seems to have controlled the audio bug. AV scans have reported Sonebot-b and Acid Reign. I have a credit card that I use only for online purchases. I have had to cancel and reissue with the bank twice since this started for charges that were not done by me. Do I have a backdoor virus that is picking up my card #?


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 10:23:15.92 on Thu 06/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1361 [GMT -7:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {3EEDC569-EF87-4322-B72F-AEE65FC1BAD5}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\1158673236\ee\AOLSoftware.exe
C:\WINNT\sttray.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas2ad.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
E:\AOL 9.5\waol.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\system32\STacSV.exe
C:\WINNT\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
E:\AOL 9.5\shellmon.exe
C:\Documents and Settings\Administrator\Desktop\FIX\gmer.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.aol.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\administrator\local settings\application data\cyberdefender\cdmyidd.dll
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\administrator\local settings\application data\cyberdefender\cdmyidd.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\administrator\local settings\application data\cyberdefender\cdmyidd.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: AOL Radio Toolbar: {9167da98-6f9b-46f1-991d-826cae46cab6} - c:\program files\aol radio toolbar\aolradiotb.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AOL Fast Start] "e:\aol 9.5\AOL.EXE" -b
uRun: [CyberDefender Early Detection Center] "c:\program files\cyberdefender\antispyware\cdas2ad.exe" /minimize
mRun: [Synchronization Manager] "mobsync.exe" /logon
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [HostManager] c:\program files\common files\aol\1158673236\ee\AOLSoftware.exe
mRun: [SigmatelSysTrayApp] "sttray.exe"
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\natura~1.lnk - c:\program files\sec\natural color\NaturalColorLoad.exe
IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winnt\system32\Shdocvw.dll
Trusted Zone: 168.1.1\www.192
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash4/cabs/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\tjrgrj1w.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 CDAVFS;CDAVFS;c:\winnt\system32\drivers\CDAVFS.sys [2009-6-3 67424]
S0 TfFsMon;TfFsMon;c:\winnt\system32\drivers\tffsmon.sys --> c:\winnt\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\winnt\system32\drivers\tfsysmon.sys --> c:\winnt\system32\drivers\TfSysMon.sys [?]
S2 gupdate1c9e126a6976e9e;Google Update Service (gupdate1c9e126a6976e9e);c:\program files\google\update\GoogleUpdate.exe [2009-5-30 133104]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\winnt\system32\drivers\fd_dbus.sys [2006-11-1 51040]
S3 fd_dmdfl;FutureDial USB Modem Filter;c:\winnt\system32\drivers\fd_dmdfl.sys [2006-11-1 6000]
S3 fd_dmdm;FutureDial USB Modem Drivers;c:\winnt\system32\drivers\fd_dmdm.sys [2006-11-1 73984]
S3 pctplsg;pctplsg;\??\c:\winnt\system32\drivers\pctplsg.sys --> c:\winnt\system32\drivers\pctplsg.sys [?]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\winnt\system32\drivers\sustucam.sys [2006-4-12 47360]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\winnt\system32\drivers\sustucap.sys [2006-4-12 47360]
S3 SUSTUCAU;Susteen USB Cable USB Driver;c:\winnt\system32\drivers\sustucau.sys [2006-4-12 28032]
S3 TfNetMon;TfNetMon;\??\c:\winnt\system32\drivers\tfnetmon.sys --> c:\winnt\system32\drivers\TfNetMon.sys [?]
S3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2006-9-12 49776]

=============== Created Last 30 ================

2009-06-03 07:56 60 a------- c:\winnt\av_affiliate.ini
2009-06-03 07:56 60 a------- c:\winnt\as_affiliate.ini
2009-06-03 07:55 67,424 a------- c:\winnt\system32\drivers\CDAVFS.sys
2009-06-03 07:55 <DIR> --d----- c:\program files\CyberDefender
2009-06-02 23:26 410,984 a------- c:\winnt\system32\deploytk.dll
2009-06-02 23:26 73,728 a------- c:\winnt\system32\javacpl.cpl
2009-05-28 07:08 <DIR> --d----- c:\program files\MagicISO
2009-05-27 10:46 <DIR> a-dshr-- C:\cmdcons
2009-05-27 10:43 154,624 a------- c:\winnt\PEV.exe
2009-05-25 06:30 <DIR> --d----- c:\docume~1\admini~1\applic~1\CyberDefender
2009-05-20 05:41 70 a------- c:\winnt\st_affiliate.ini
2009-05-19 19:14 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-19 06:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-05-15 05:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Doctor Web
2009-05-15 05:59 <DIR> --d----- c:\program files\DrWeb
2009-05-10 16:43 <DIR> --d----- C:\spoolerlogs

==================== Find3M ====================

2009-05-01 11:30 3,366,912 a------- c:\winnt\system32\GPhotos.scr
2009-04-13 22:58 553,240 a------- C:\WindowsXP-KB839017-x86-ENU.EXE
2009-04-13 22:58 548,120 a------- C:\WINDOWSXP-KB839017-X86-ENU-Symbols.EXE
2009-03-08 04:34 914,944 a------- c:\winnt\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\winnt\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\winnt\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\winnt\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\winnt\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\winnt\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\winnt\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\winnt\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\winnt\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\winnt\system32\msls31.dll
2006-08-15 10:51 21,952 ac--h--- c:\program files\folder.htt
2006-08-15 10:51 271 ---sh--- c:\program files\desktop.ini

============= FINISH: 10:23:28.76 ===============
Attached Files
File Type: zip attach.zip.zip (4.3 KB, 1 views)

Old 06-06-2009, 10:54 AM   #2 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,390
OS: Win XP Pro SP3 / Win 7 Pro
Blog Entries: 10
Re: slow firefox and boot

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so.




Combofix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please read all the information carefully!

You MUST disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.

Please include the log C:\ComboFix.txt in your next reply for further review.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Old 06-06-2009, 12:08 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro sp 3


Re: slow firefox and boot

Hi Iain! Thanks for helping me. Here is the CF log. I didn't mention, but my Windows Update is not working. Don't know if it is related to my infection...

ComboFix 09-06-05.09 - Administrator 06/06/2009 10:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1499 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\FIX\ComboFix.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((( Files Created from 2009-05-06 to 2009-06-06 )))))))))))))))))))))))))))))))
.

2009-06-06 13:09 . 2009-06-06 13:09 -------- d-----w- c:\program files\Smart Projects
2009-06-04 21:30 . 2009-06-04 21:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL OCP
2009-06-03 06:34 . 2009-06-03 06:34 -------- d-----w- c:\winnt\Sun
2009-06-03 06:26 . 2009-06-03 06:26 410984 ----a-w- c:\winnt\system32\deploytk.dll
2009-06-03 06:26 . 2009-06-03 06:26 -------- d-----w- c:\program files\Java
2009-06-03 06:25 . 2009-06-03 06:31 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-31 12:36 . 2009-05-31 12:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-05-30 12:58 . 2009-05-30 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-28 14:08 . 2009-05-28 14:08 -------- d-----w- c:\program files\MagicISO
2009-05-25 13:30 . 2009-05-25 13:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberDefender
2009-05-20 02:14 . 2009-05-20 02:14 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-19 14:10 . 2009-06-06 17:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\CyberDefender
2009-05-19 13:29 . 2009-05-28 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-05-17 17:28 . 2009-05-17 17:28 -------- d-----w- c:\documents and settings\RAYMOND\Local Settings\Application Data\Mozilla
2009-05-16 12:48 . 2009-05-17 16:05 -------- d-----w- c:\documents and settings\RAYMOND\DoctorWeb
2009-05-16 01:32 . 2009-05-16 01:32 -------- d-----w- c:\documents and settings\BIRDIEE\DoctorWeb
2009-05-15 12:59 . 2009-05-19 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2009-05-15 12:59 . 2009-05-19 14:57 -------- d-----w- c:\program files\DrWeb
2009-05-11 03:36 . 2009-05-11 03:36 -------- d-----w- c:\documents and settings\BIRDIEE\Local Settings\Application Data\Mozilla
2009-05-10 23:43 . 2009-05-10 23:43 -------- d-----w- C:\spoolerlogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 17:43 . 2008-05-20 22:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData
2009-06-06 14:57 . 2006-08-16 04:53 -------- d-----w- c:\program files\DYMO Label
2009-06-04 21:34 . 2006-09-19 13:37 -------- d---a-w- c:\program files\Common Files\AOL
2009-06-04 21:29 . 2007-09-19 20:32 370496 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\ccu_suite\4.3.38.1\ccu_suite_4.3.38.1\CCUInst.exe
2009-06-04 21:07 . 2006-09-19 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-04 21:07 . 2006-09-19 13:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-06-04 19:04 . 2009-02-28 14:45 -------- d-----w- c:\program files\CleanUp!
2009-05-30 13:01 . 2006-08-16 01:33 -------- d-----w- c:\program files\Google
2009-05-27 04:32 . 2009-04-01 15:08 -------- d-----w- c:\program files\AOL Toolbar
2009-05-25 02:17 . 2009-01-28 02:37 -------- d-----w- c:\documents and settings\BIRDIEE\Application Data\HPAppData
2009-05-23 05:21 . 2007-04-08 01:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Orbit
2009-05-15 12:54 . 2009-01-20 14:56 -------- d-----w- c:\program files\Common Files\PC Tools
2009-05-15 12:49 . 2006-12-15 21:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-15 04:54 . 2006-12-22 17:15 -------- d-----w- c:\program files\Common Files\Scanner
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\winnt\system32\GPhotos.scr
2009-04-30 14:34 . 2009-04-30 14:34 -------- d-----w- c:\program files\2BrightSparks
2009-04-30 14:31 . 2009-04-30 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZipSE
2009-04-30 14:31 . 2009-04-30 14:31 -------- d-----w- c:\program files\WinZip Self-Extractor
2009-04-30 14:16 . 2009-02-17 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-04-25 05:03 . 2009-01-28 02:37 -------- d-----w- c:\documents and settings\BIRDIEE\Application Data\Orbit
2009-04-22 15:37 . 2009-04-22 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-22 15:37 . 2009-04-22 15:36 -------- d-----w- c:\program files\iTunes
2009-04-22 15:36 . 2009-04-22 15:36 -------- d-----w- c:\program files\iPod
2009-04-22 15:36 . 2007-07-01 15:06 -------- d-----w- c:\program files\Common Files\Apple
2009-04-22 15:27 . 2009-04-22 15:27 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-22 15:21 . 2008-03-19 14:33 -------- d-----w- c:\program files\Safari
2009-04-14 05:58 . 2009-04-15 13:25 553240 ----a-w- C:\WindowsXP-KB839017-x86-ENU.EXE
2009-04-14 05:58 . 2009-04-15 13:25 548120 ----a-w- C:\WINDOWSXP-KB839017-X86-ENU-Symbols.EXE
2009-04-01 14:57 . 2009-04-01 14:49 57261736 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4337.29.1\setup.exe
2009-03-24 21:43 . 2009-04-30 15:18 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tjrgrj1w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
2009-03-24 21:43 . 2009-04-30 15:18 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tjrgrj1w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-03-24 21:43 . 2009-04-30 15:18 235520 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tjrgrj1w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll
2009-03-24 21:43 . 2009-04-30 15:18 338432 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tjrgrj1w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-03-24 21:42 . 2009-04-30 15:18 235008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tjrgrj1w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll
2009-03-24 21:42 . 2009-04-30 15:18 345088 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tjrgrj1w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w- c:\winnt\system32\drivers\GEARAspiWDM.sys
2009-03-12 17:57 . 2009-03-12 17:57 1039736 ----a-w- c:\documents and settings\Administrator\Application Data\U3\0000060426043244\Temporary\tmp0\updater.exe
2006-08-15 17:51 . 2006-08-15 17:51 21952 -c-ha-w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
2009-06-03 14:54 3962184 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\CyberDefender\cdmyidd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 68856]
"AOL Fast Start"="e:\aol 9.5\AOL.EXE" [2009-02-11 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"HostManager"="c:\program files\Common Files\AOL\1158673236\ee\AOLSoftware.exe" [2008-11-06 41264]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2009-01-15 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-03 148888]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2004-08-04 143360]
"SigmatelSysTrayApp"="sttray.exe" - c:\winnt\sttray.exe [2006-07-27 282624]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2006-8-15 155715]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Documents and Settings\\RAYMOND\\My Documents\\My Videos\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1158673236\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1158673236\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\AVIMARK\\Update.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 TfFsMon;TfFsMon;c:\winnt\system32\drivers\TfFsMon.sys --> c:\winnt\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\winnt\system32\drivers\TfSysMon.sys --> c:\winnt\system32\drivers\TfSysMon.sys [?]
S3 fd_dbus;FutureDial USB Composite Device driver (WDM);c:\winnt\system32\drivers\fd_dbus.sys [11/1/2006 8:18 AM 51040]
S3 fd_dmdfl;FutureDial USB Modem Filter;c:\winnt\system32\drivers\fd_dmdfl.sys [11/1/2006 8:19 AM 6000]
S3 fd_dmdm;FutureDial USB Modem Drivers;c:\winnt\system32\drivers\fd_dmdm.sys [11/1/2006 8:19 AM 73984]
S3 pctplsg;pctplsg;\??\c:\winnt\system32\drivers\pctplsg.sys --> c:\winnt\system32\drivers\pctplsg.sys [?]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\winnt\system32\drivers\sustucam.sys [4/12/2006 2:01 PM 47360]
S3 SUSTUCAP;Susteen USB Cable Port Driver;c:\winnt\system32\drivers\sustucap.sys [4/12/2006 2:01 PM 47360]
S3 SUSTUCAU;Susteen USB Cable USB Driver;c:\winnt\system32\drivers\sustucau.sys [4/12/2006 11:24 AM 28032]
S3 TfNetMon;TfNetMon;\??\c:\winnt\system32\drivers\TfNetMon.sys --> c:\winnt\system32\drivers\TfNetMon.sys [?]
S3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [9/12/2006 7:15 AM 49776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-01 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-06-06 c:\winnt\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-15 12:58]

2009-06-06 c:\winnt\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 13:00]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.aol.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200
Trusted Zone: 168.1.1\www.192
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tjrgrj1w.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-06 10:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-507921405-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,d8,0c,a2,d1,c2,d7,4b,9c,c2,0c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,d8,0c,a2,d1,c2,d7,4b,9c,c2,0c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3300)
c:\winnt\system32\ieframe.dll
c:\winnt\system32\webcheck.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-06 11:00
ComboFix-quarantined-files.txt 2009-06-06 17:58

Pre-Run: 21,231,706,112 bytes free
Post-Run: 21,223,149,568 bytes free

204 --- E O F --- 2009-05-20 02:14
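The entries a helper reads first in logs like the two above are the Security Center values set to 1, the "No File" hook and toolbar entries, the Trusted Zone line, the Firefox `network.proxy.type` setting and drivers listed with `[?]`. As an added example (not part of this thread, DDS or ComboFix), this Python script pulls those lines out of raw DDS/ComboFix text; the sample lines are constructed from the shapes in this thread's logs and the severity labels are my own assumption.

```python
"""Triage of DDS / ComboFix log lines for the entries a helper looks at first.
Added example for this thread, not a TSF, DDS or ComboFix tool."""
import re
from typing import Dict, List

# Constructed sample: lines copied in shape from the DDS and ComboFix logs posted
# in this thread (the values are the thread's own entries).
SAMPLE_LOG = r"""
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
Trusted Zone: 168.1.1\www.192
FF - prefs.js: network.proxy.type - 1
S0 TfFsMon;TfFsMon;c:\winnt\system32\drivers\tffsmon.sys --> c:\winnt\system32\drivers\TfFsMon.sys [?]
S3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2006-9-12 49776]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"""

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
# DDS/ComboFix service line: "<R|S><0-4> name;display;path [date size]" or "[?]"
SERVICE_RE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);[^;]*;.*\[(?P<tag>[^\]]*)\]$")
PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (?P<value>\d+)$")

SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
# Windows XP Security Center values; a non-zero DWORD silences the warning.
SECURITY_CENTER_FLAGS = {
    "antivirusdisablenotify": "Security Center will not warn that antivirus is off or missing",
    "updatesdisablenotify": "Security Center will not warn that Automatic Updates is off",
    "antivirusoverride": "Security Center antivirus status check is overridden",
}
# Firefox network.proxy.type: 1 = manual proxy, 2 = PAC URL (0 = direct, 4/5 = auto/system).
PROXY_TYPES_TO_FLAG = {"1": "manual proxy", "2": "proxy auto-config URL"}


def _finding(severity: str, line: str, reason: str) -> Dict[str, str]:
    return {"severity": severity, "line": line, "reason": reason}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the log lines worth a second look, each with a severity and a reason."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY_RE.match(line)
        if m:  # REGEDIT4 section header: remember which key the following values belong to
            current_key = m.group("key").lower()
            continue
        m = REG_DWORD_RE.match(line)
        if m:
            name = m.group("name").lower()
            if (current_key == SECURITY_CENTER_KEY and name in SECURITY_CENTER_FLAGS
                    and int(m.group("value"), 16) != 0):
                findings.append(_finding("high", line, SECURITY_CENTER_FLAGS[name]))
            continue
        if line.endswith("- No File"):
            findings.append(_finding("medium", line,
                "autostart/hook/toolbar entry whose file is gone; orphan left by removed software or malware"))
            continue
        if line.startswith("Trusted Zone:"):
            findings.append(_finding("medium", line,
                "site in the IE Trusted Zone gets relaxed security settings; confirm the user added it"))
            continue
        m = PROXY_RE.match(line)
        if m and m.group("value") in PROXY_TYPES_TO_FLAG:
            findings.append(_finding("medium", line,
                f"Firefox set to {PROXY_TYPES_TO_FLAG[m.group('value')]}; check where the proxy points"))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("tag") == "?":
            findings.append(_finding("low", line,
                f"driver/service {m.group('name')} still registered but its file could not be read"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```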
Old 06-07-2009, 10:03 AM   #4 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,390
OS: Win XP Pro SP3 / Win 7 Pro

My System

Blog Entries: 10
Re: slow firefox and boot

Hi again

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Please download GooredFix and save it to your Desktop.
  • Double-click Goored.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Glaswegian is offline  
06-07-2009, 11:49 AM   #5
ramando
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro sp 3


Re: slow firefox and boot

Iain here is the log. Thanks for working on the weekend!

GooredFix v1.92 by jpshortstuff
Log created at 10:44 on 07/06/2009 running Option #1 (Administrator)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2"
ramando is offline  
06-07-2009, 02:14 PM   #6
Glaswegian
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,390
OS: Win XP Pro SP3 / Win 7 Pro

Re: slow firefox and boot

Hi again

Logs look OK – how is your system running now?


Online Scan
Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Glaswegian is offline  
06-07-2009, 11:56 PM   #7
ramando
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro sp 3


Re: slow firefox and boot

Browser speed has improved. Boot time seems too long... most processes load in a reasonable time, then there is about a 20 second pause before the remainder of the boot is carried out.



;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-06-07 22:50:05
PROTECTIONS: 1
MALWARE: 10
SUSPECTS: 28
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Webroot AntiVirus with AntiSpyware 6.1.0.100 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\BIRDIEE\Cookies\birdiee@trafficmp[1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\BIRDIEE\Cookies\birdiee@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\BIRDIEE\Cookies\birdiee@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\BIRDIEE\Cookies\birdiee@ad.yieldmanager[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\BIRDIEE\Cookies\birdiee@advertising[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\BIRDIEE\Cookies\birdiee@questionmarket[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\BIRDIEE\Cookies\birdiee@atwola[1].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030507.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location aU
;===================================================================================================================================================================================
No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[32788R22FWJFW\n.com] aU
No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[32788R22FWJFW\NirCmd.cfexe] aU
No C:\Documents and Settings\Administrator\Desktop\FIX\ComboFix.exe[32788R22FWJFW\n.com] aU
No C:\Documents and Settings\Administrator\Desktop\FIX\ComboFix.exe[32788R22FWJFW\NirCmd.cfexe] aU
No C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\tjrgrj1w.default\Cache\C2152591d01[32788R22FWJFW\NirCmd.cfexe]
No C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\tjrgrj1w.default\Cache\C2152591d01[32788R22FWJFW\n.com]
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030103.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030105.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030166.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030168.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030229.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030231.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030293.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030295.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030466.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030468.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030564.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030566.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP112\A0031748.exe[32788R22FWJFW\NirCmd.cfexe]
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP112\A0031748.exe[32788R22FWJFW\n.com]
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP112\A0031752.exe aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP120\A0033571.exe[32788R22FWJFW\NirCmd.cfexe]
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP120\A0033571.exe[32788R22FWJFW\n.com]
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP120\A0033613.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP120\A0033615.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP120\A0033688.com aU
No C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP120\A0033690.com aU
No C:\WINNT\NIRCMD.exe aU
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description aU
;===================================================================================================================================================================================
;===================================================================================================================================================================================
ramando is offline  
06-08-2009, 03:42 PM   #8
Glaswegian
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,390
OS: Win XP Pro SP3 / Win 7 Pro

Re: slow firefox and boot
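As an added example (my code, not part of the thread or of Panda's tooling), this Python script parses a report in the layout above and triages each MALWARE row the way the next reply reads it: tracking cookies are low risk, a detection that only exists under a System Restore point is an inactive copy that flushing restore points removes, and anything marked Active needs cleaning first. The sample report is constructed from a few rows of the log; the "Constructed/Active" row and its path are invented so the active branch runs.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Panda ActiveScan report posted above (three
# MALWARE rows, two SUSPECTS rows); the "Constructed/Active" row is invented, not from the log.
SAMPLE_REPORT = r"""
;******
ANALYSIS: 2009-06-07 22:50:05
MALWARE: 3
SUSPECTS: 2
;******
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;======
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{085E8257-B78B-4AB8-BD19-1A6D51FD6CC9}\RP108\A0030507.sys
99999999 Constructed/Active Trojan Yes 2 Yes No C:\WINNT\system32\constructed-example.dll
;======
SUSPECTS
Sent Location aU
;======
No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[32788R22FWJFW\NirCmd.cfexe] aU
No C:\WINNT\NIRCMD.exe aU
"""

# Description and Location may contain spaces, so the fixed-vocabulary columns anchor the match.
MALWARE_ROW = re.compile(r"^(?P<id>\d{8})\s+(?P<description>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
                         r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>.+)$")
SUSPECT_ROW = re.compile(r"^(?P<sent>Yes|No)\s+(?P<location>.+?)(?:\s+aU)?$")

def parse_report(text):
    """Return the header counts plus the parsed MALWARE and SUSPECTS rows."""
    result, section = {"summary": {}, "malware": [], "suspects": []}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):          # blank line or ;==== rule
            continue
        if line in ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"):
            section = line                            # section title
        elif section is None:                         # ANALYSIS:/MALWARE: header counts
            key, _, value = line.partition(":")
            result["summary"][key.strip()] = value.strip()
        elif section == "MALWARE" and (m := MALWARE_ROW.match(line)):
            result["malware"].append(m.groupdict())   # the column-name row never matches
        elif section == "SUSPECTS" and (m := SUSPECT_ROW.match(line)):
            result["suspects"].append(m.groupdict())
    return result

def triage(row):
    """Rank one MALWARE row the way a helper reads the log: (level, reason)."""
    if row["active"] == "Yes":
        return ("HIGH", "active at scan time: disinfect, reboot and rescan")
    if row["type"] == "TrackingCookie":
        return ("LOW", "tracking cookie, no code runs: clear browser cookies")
    if "\\system volume information\\_restore" in row["location"].lower():
        return ("INFO", "inactive copy in a System Restore point: flushing restore points removes it")
    return ("REVIEW", "inactive detection outside restore points: check the file by hand")

def summarise(text):
    """Count rows per triage level; a non-zero parse_gap means rows the regex missed."""
    report, counts = parse_report(text), defaultdict(int)
    for row in report["malware"]:
        counts[triage(row)[0]] += 1
    counts["parse_gap"] = int(report["summary"].get("MALWARE", 0)) - len(report["malware"])
    # Heuristic hits from inside the ComboFix archive are the tool's bundled helper (NirCmd).
    counts["tool_components"] = sum("combofix.exe[" in r["location"].lower() for r in report["suspects"])
    return dict(counts)
```

Calling `summarise(SAMPLE_REPORT)` gives one LOW, one INFO and one HIGH row, a parse gap of zero, and one suspect that is only a ComboFix component.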

Hi again

Nothing untoward in the scan.

Clear your Firefox cache.

In Firefox, go to Tools > Options > Privacy and click the Clear Now button.


You may have quite a few unnecessary processes running at boot time. Have a look here and try some suggestions

Is your PC running slow...?

Let me know if anything there helps. Then we can finish up here.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Glaswegian is offline  
06-09-2009, 08:21 AM   #9
ramando
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro sp 3


Re: slow firefox and boot

Iain
I ran [Autorun] and did remove some line entries that were reported as [no file found]. I also noticed that Cyberdefender seems to be what has increased my boot time. When I remove it to run your scans, boot time is much quicker. I will live with the longer boot...
mike
ramando is offline  
06-09-2009, 12:13 PM   #10
ramando
Registered User
 
Join Date: Jun 2009
Posts: 8
OS: xp pro sp 3


Re: slow firefox and boot

Iain
Since my last post, Cyberdefender reported the following. I guess this is a new infection?


Spyware Details

Name: AdvancedRemoteInfo
Type: Registry
Level: HIGH RISK
Location: HKEY_CURRENT_USER\Software\Sysinternals


Description: Spyware may monitor your activity on the Internet and transmit that information, in the background, to someone else. Spyware can also gather information about e-mail addresses, passwords and credit card numbers.


Advice: You have removed this Spyware item. If this is not a risk item for you, select it and click Restore Selected Item button.
ramando is offline  
06-09-2009, 03:01 PM   #12
Glaswegian
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,390
OS: Win XP Pro SP3 / Win 7 Pro

Re: slow firefox and boot

Hi again

Sysinternals is a legit application, used to monitor system resources etc

http://technet.microsoft.com/en-us/s...s/default.aspx

Sounds as though you might want to consider changing Cyberdefender if it's causing problems.

Other than that your logs are clean. If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.


The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below



Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK:


ComboFix /u



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:


General Protection

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.


Ad-aware 2008 Free Edition

Download and install Ad-Aware 2008 Free Edition. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.



SnoopFree

SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.


MVPS Hosts File

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon

Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall for XP does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm


Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

ERUNT & NTREGOPT
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash.
NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system.


Additional Reading
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.
Think Prevention!

Have a look here if your PC is still running a bit slow
Is your PC running slow...?


Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Glaswegian is offline  
06-09-2009, 04:44 PM   #13
ramando
Registered User
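An added example, not from the post or the MVPS project: a Python audit of a Windows HOSTS file that separates block entries (hostnames sent to 127.0.0.1 as the MVPS file does, or to 0.0.0.0, which some block lists use for the same purpose) from entries that send a hostname to some other address, which is either a company-provided mapping of the kind the post warns about or a sign the file has been tampered with. The sample file and every hostname in it are constructed.

```python
import ipaddress

# Constructed sample HOSTS file (not the real MVPS file): MVPS-style block entries,
# one mapping a company-provided HOSTS file might carry, and one entry that sends a
# hostname to an outside address, which is the pattern a tampered file shows.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [Start of entries generated by the block list]
127.0.0.1  ad.example-adserver.test        # constructed ad host
127.0.0.1  tracker.example-metrics.test  beacon.example-metrics.test
0.0.0.0    banner.example-ads.test
# [Company-provided mapping]
10.20.30.40  intranet.corp.example
# [Constructed example of a tampered entry]
203.0.113.5  update.example-antivirus.test
"""

# Addresses that make a hostname unreachable rather than sending it somewhere else.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        addr, *hosts = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                                 # malformed line, ignore it
        for host in hosts:                           # one address may list several names
            yield addr, host.lower(), line_no

def audit_hosts(text):
    """Separate block entries (black-holed) from redirects (any other address)."""
    report = {"blocked": [], "redirected": []}
    for addr, host, line_no in parse_hosts(text):
        if host == "localhost":                      # the one loopback entry every file has
            continue
        kind = "blocked" if addr in BLACKHOLE else "redirected"
        report[kind].append((host, addr, line_no))
    return report

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} hosts black-holed by the block list")
    for host, addr, line_no in result["redirected"]:
        print(f"line {line_no}: {host} -> {addr}  (company mapping, or tampering?)")
```

Run against the real file at %SystemRoot%\system32\drivers\etc\hosts, every line in the "redirected" list should be one you can account for.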
 
Join Date: Jun 2009
Posts: 8
OS: xp pro sp 3


Re: slow firefox and boot

THANK YOU Iain. Your expertise is impressive. I am so lucky you were there to help me with a problem I could not have solved on my own. You saved me a format c: and lots of time!

with kindest regards and admiration....

mike
ramando is offline  
Copyright 2001 - 2009, Tech Support Forum