Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)

#1, 04-13-2005, 05:28 PM
(Omega), Registered User. Join Date: Mar 2005. Posts: 92. OS: Windows XP Professional.

Major Problems!!!

I used all the spyware removal tools and nearly all the virus removal programs. I scanned using Norton Internet Security and ZERO viruses were found. No spyware found at all. The pie graph shows at least 75% free memory. When I connect to the internet everything is fine; when I close the window and click on the Internet Explorer icon on the quick launch, the screen freezes and it takes almost 30 seconds to open the browser or any website for that matter. Can't seem to figure this out? Also, when I click on the Favorites button, it takes at least 5 seconds for the list to show. The Paint program takes a minute to begin and a minute to close. When Windows starts up my wallpaper displays, then goes black for about 25 seconds before it appears again; at the same time the little icons on the bottom right begin to appear. This is really frustrating! When I disconnect from the Internet, Norton warns me that someone's trying to access my ports; when I look at the details, it shows 3 types of IP addresses which are my "DEFAULTS". This shows up when I am DISCONNECTED.

Logfile of HijackThis v1.99.1
Scan saved at 5:23:38 PM, on 4/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Danny Oh\Local Settings\Temporary Internet Files\Content.IE5\4D1UV681\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16AB19C0-F0C3-42FC-92B4-361D56A78DC8}: NameServer = 206.13.28.12 206.13.29.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Can someone please help me?
#2, 04-13-2005, 10:25 PM
greyknight17, Analyst, Security Team. Join Date: Jul 2004. Location: New York. Posts: 14,327. OS: Windows 98 & Windows XP Home/Pro.

Before you do anything else, please create a permanent folder for HijackThis (like C:\HJT) and put it there instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

MyWay

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL

Delete the following files/folders (delete the whole folder if no filename is specified) according to their directory (if none is given, just do a search for them), if they exist:

C:\Program Files\MyWay\

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

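The reply above asks the user to check every HijackThis entry pointing into C:\Program Files\MyWay\ and "make sure not to miss any". The same DLL often shows up in more than one section (here MYBAR.DLL is both an O2 BHO and an O3 toolbar), so it is easy to fix one line and leave the other. The Python below is an added example, not part of the thread and not code from HijackThis: it parses HJT log lines into structured records, lists every entry under a folder you have decided is unwanted, reports files that are hooked from more than one section, and pulls the DNS servers out of O17 lines so they can be compared with what your ISP actually assigns. The sample input is a constructed excerpt of lines copied from the log posted above; the path-extraction rules per section are my assumptions about the log format, and "hooked from more than one section" is informational only (legitimate software such as the Norton add-ons does it too).

```python
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O17 - HKLM\System\CCS\Services\Tcpip\..\{16AB19C0-F0C3-42FC-92B4-361D56A78DC8}: NameServer = 206.13.28.12 206.13.29.12
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def _path_of(section, body):
    """Pull the file path out of the section types that carry one (assumed layout)."""
    if section in ("O2", "O3", "O9", "O23"):
        return body.rsplit(" - ", 1)[-1].strip()      # last ' - ' field is the file
    if section == "O4":
        cmd = body.split("] ", 1)[-1]                   # command after [name]
        m = re.match(r'"([^"]+)"|(\S+)', cmd)           # quoted path or first token
        return (m.group(1) or m.group(2)) if m else None
    return None


def parse_hjt(text):
    """HijackThis lines -> dicts with section, raw line, CLSID (if any), file path (if any)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": section,
            "raw": line.strip(),
            "clsid": clsid.group(0).upper() if clsid else None,
            "path": _path_of(section, body),
        })
    return entries


def entries_under(entries, folder):
    """Every entry whose file lives under `folder` (case-insensitive):
    the complete list to 'Fix checked' once that folder is judged unwanted."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return [e["raw"] for e in entries
            if e["path"] and e["path"].lower().startswith(prefix)]


def multi_hooked(entries):
    """Files registered through more than one section (e.g. BHO and toolbar)."""
    by_file = defaultdict(list)
    for e in entries:
        if e["path"]:
            by_file[e["path"].lower()].append(e["section"])
    return {p: s for p, s in by_file.items() if len(s) > 1}


def nameservers(entries):
    """DNS servers from O17 NameServer lines, to compare with the ISP's."""
    ips = []
    for e in entries:
        if e["section"] == "O17" and "NameServer" in e["raw"]:
            ips.extend(IPV4_RE.findall(e["raw"].split("=", 1)[1]))
    return ips


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for line in entries_under(ents, r"C:\Program Files\MyWay"):
        print("fix:", line)
    print("multi-hooked:", multi_hooked(ents))
    print("DNS:", nameservers(ents))
```

Run against the excerpt, entries_under returns exactly the two MyWay lines the reply lists (the O2 BHO and the O3 toolbar), and multi_hooked shows both MYBAR.DLL and NavShExt.dll registered twice, which is why the folder has to be deleted as well as the registry entries fixed.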
#3, 04-14-2005, 06:26 AM
(Omega), Registered User. Join Date: Mar 2005. Posts: 92. OS: Windows XP Professional.

I really appreciate your help but there's just one problem: when I reboot in safe mode the monitor says "OUT OF SCAN, OUT OF AREA" and Windows will not start up. What do you recommend?

Thanks.
#4, 04-14-2005, 06:30 AM
greyknight17, Analyst, Security Team. Join Date: Jul 2004. Location: New York. Posts: 14,327. OS: Windows 98 & Windows XP Home/Pro.

Never encountered that error before.

OK, do this in normal mode. Restart and post back a new log when ready.

For that safe mode problem, create a new thread in the Windows section and see if any of the helpers there have encountered this error before.
#5, 04-14-2005, 05:12 PM
(Omega), Registered User. Join Date: Mar 2005. Posts: 92. OS: Windows XP Professional.

On Startdreck, I am not sure how to post the log. I can't copy and paste it like hijack. Any suggestions?
#6, 04-14-2005, 05:25 PM
greyknight17, Analyst, Security Team. Join Date: Jul 2004. Location: New York. Posts: 14,327. OS: Windows 98 & Windows XP Home/Pro.

Did you press the Save button? Hit that save button and save it somewhere. Now go to the location where you saved it and open up that startdreck file. Copy the contents here.
#7, 04-14-2005, 08:04 PM
(Omega), Registered User. Join Date: Mar 2005. Posts: 92. OS: Windows XP Professional.

StartDreck (build 2.1.7 public stable) - 2005-04-14 @ 1703 (GMT -07:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as Daniel O at VALUED-CB7D4C82

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ezShieldProtector for Px=C:\WINDOWS\System32\ezSP_Px.exe
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*NvCplDaemon=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.0/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Internet Explorer Access/{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
*StubPath=rundll32 iesetup.dll,IEAccessUserInst
»Browser Helper Objects (LM)
*YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*Nisbho.CNisExtBho.1/{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
`InprocServer32=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar2.dll
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
»Internet Explorer
»Current User
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Bar=http://www.yahoo.com/search/ie.html
*Search Page=http://www.yahoo.com
*Start Page=http://www.google.com/
+SearchUrl
*provider=yaho
*=http://search.yahoo.com/search?p=%s
»Default User
*Start Page=http://www.sony.com/vaiopeople
»Local Machine
*Default_Page_URL=http://www.sony.com/vaiopeople
*Local Page=%SystemRoot%\system32\blank.htm
*Search Bar=
*Search Page=http://www.google.com
*Start Page=http://www.msn.com/
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Danny Oh\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=C:\temp\bdl74125.exe
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\hh.exe
*C:\WINDOWS\hh.exe
+C:\WINDOWS\System32\ltremove.exe
*C:\WINDOWS\ltremove.exe
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+608=\SystemRoot\System32\smss.exe
+672=\??\C:\WINDOWS\system32\csrss.exe
+696=\??\C:\WINDOWS\system32\winlogon.exe
+740=C:\WINDOWS\system32\services.exe
+752=C:\WINDOWS\system32\lsass.exe
+944=C:\WINDOWS\system32\svchost.exe
+1064=C:\WINDOWS\System32\svchost.exe
+1164=C:\WINDOWS\System32\svchost.exe
+1244=C:\WINDOWS\System32\svchost.exe
+1352=C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
+1364=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
+1376=C:\Program Files\Norton Internet Security\ISSVC.exe
+1392=C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
+1412=C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
+1528=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+1820=C:\WINDOWS\Explorer.EXE
+1932=C:\WINDOWS\system32\spoolsv.exe
+2020=C:\WINDOWS\System32\alg.exe
+156=C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
+520=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
+2040=C:\WINDOWS\System32\ezSP_Px.exe
+184=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
+272=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+2872=C:\Program Files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe
+3484=C:\unzipped\StartDreck[1]\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

THANKS!
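The »File Associations (CR) block in the StartDreck log above deserves a systematic check rather than a glance: replacing the open command for .exe, .bat, .com, .pif or .scr is a common way for unwanted software to get itself loaded every time any program is launched, and the hijack survives uninstalling the visible toolbar. The Python below is an added example, not from the thread and not part of StartDreck; it parses that block and compares each extension's command against expected defaults. The expected values are assumed stock Windows XP values (the log posted above shows exactly these, so it would produce no findings on that log); the sample input is a constructed excerpt whose .exe line has been altered to point at a hypothetical example_hook.exe so that the check has something to report.

```python
# Stock Windows XP open commands for the extensions most often hijacked.
# Assumed defaults; the StartDreck log in this thread shows the same values.
EXPECTED_DEFAULTS = {
    ".exe": '"%1" %*',
    ".bat": '"%1" %*',
    ".com": '"%1" %*',
    ".pif": '"%1" %*',
    ".scr": '"%1" /S',
    ".reg": 'regedit.exe "%1"',
}

# Constructed StartDreck excerpt. The .exe line is altered to show a hit;
# example_hook.exe is a hypothetical name, not something from the log.
SAMPLE = r"""
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile=C:\WINDOWS\System32\example_hook.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
"""

SECTION = "\u00bbFile Associations (CR)"   # StartDreck marks section headers with »


def parse_assocs(text):
    """Map '.ext' -> (ProgID, open command) from the File Associations section."""
    assocs, in_section, ext = {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("\u00bb"):              # any » line starts a new section
            in_section = line == SECTION
            continue
        if not in_section:
            continue
        if line.startswith("+."):                  # '+.exe' names the extension
            ext = line[1:].lower()
        elif line[:1] in ("*", "`") and ext and "=" in line:
            progid, cmd = line[1:].split("=", 1)   # '*exefile="%1" %*'
            assocs[ext] = (progid.strip(), cmd.strip())
    return assocs


def check_assocs(assocs, expected=EXPECTED_DEFAULTS):
    """Extensions whose open command is missing or differs from the expected default."""
    findings = []
    for ext, want in expected.items():
        if ext not in assocs:
            findings.append((ext, "missing", None))
        elif assocs[ext][1] != want:
            findings.append((ext, "unexpected command", "%s=%s" % assocs[ext]))
    return findings


if __name__ == "__main__":
    for ext, what, detail in check_assocs(parse_assocs(SAMPLE)):
        print(ext, what, detail or "")
```

A hit on .exe is the one to act on before anything else: if the exefile command runs something other than "%1" %*, deleting that something afterwards leaves every double-clicked program unable to start until the association is restored.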
#8, 04-15-2005, 06:00 AM
greyknight17, Analyst, Security Team. Join Date: Jul 2004. Location: New York. Posts: 14,327. OS: Windows 98 & Windows XP Home/Pro.

Where is the TDS-3 log? We need that also since you might have a trojan hidden here.

Go to C:\WINDOWS\ and double click on wininit.ini to open it. Then delete this line:

`NUL=C:\temp\bdl74125.exe

Save the file and close it.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.
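Some context on the line the reply above asks the user to remove. In wininit.ini, the [Rename] section holds boot-time file operations in the form target=source: a target of NUL means "delete source at the next boot", anything else means "rename source to target". Windows 9x processes this file with wininit.exe; Windows XP itself does not read it, and the NT family instead queues the same operations in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. So on this XP machine the entry is a leftover rather than a pending action, but it still records that something arranged for C:\temp\bdl74125.exe to be removed. Note also that the backtick in front of the line in the StartDreck log is StartDreck's own marker for file contents; the line inside wininit.ini has no backtick. The Python below is an added example, not from the thread: it parses both formats, classifies each operation as delete or rename, and rewrites the INI without the lines you choose to drop. The first [Rename] line is the one from the log; the second line and the registry sample are constructed, with hypothetical file names.

```python
# The [Rename] block StartDreck printed from C:\WINDOWS\wininit.ini (without
# StartDreck's leading ` marker), plus one constructed rename line with
# hypothetical file names.
SAMPLE_WININIT = r"""[Rename]
NUL=C:\temp\bdl74125.exe
C:\WINDOWS\example_new.dll=C:\WINDOWS\example_old.dll
"""

# Constructed PendingFileRenameOperations value (REG_MULTI_SZ flattened to a
# list of source/target pairs): the NT-family counterpart. Paths are hypothetical.
SAMPLE_PENDING = [
    r"\??\C:\temp\example.tmp", "",                                  # empty target = delete
    r"\??\C:\WINDOWS\example.new", r"!\??\C:\WINDOWS\example.dll",   # ! = replace existing
]


def _rename_lines(text):
    """Yield (raw_line, target, source); target/source are None outside [Rename]."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            yield raw, None, None
        elif section == "rename" and "=" in line and not line.startswith(";"):
            target, src = (s.strip() for s in line.split("=", 1))
            yield raw, target, src
        else:
            yield raw, None, None


def parse_wininit(text):
    """Boot-time operations: 'NUL=path' deletes path, 'new=old' renames old to new."""
    ops = []
    for _, target, src in _rename_lines(text):
        if target is None:
            continue
        if target.upper() == "NUL":
            ops.append({"action": "delete", "source": src, "dest": None})
        else:
            ops.append({"action": "rename", "source": src, "dest": target})
    return ops


def strip_rename_ops(text, predicate):
    """INI text without the [Rename] lines for which predicate(target, source) is true."""
    kept = [raw for raw, target, src in _rename_lines(text)
            if target is None or not predicate(target, src)]
    return "\n".join(kept) + "\n"


def parse_pending_renames(multi_sz):
    """PendingFileRenameOperations: (source, target) pairs; an empty target means
    delete, a leading '!' on the target means overwrite an existing file."""
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        if dst == "":
            ops.append({"action": "delete", "source": src, "dest": None})
        else:
            ops.append({"action": "rename", "source": src, "dest": dst.lstrip("!")})
    return ops


if __name__ == "__main__":
    for op in parse_wininit(SAMPLE_WININIT):
        print("wininit.ini:", op)
    print(strip_rename_ops(SAMPLE_WININIT, lambda target, src: target.upper() == "NUL"))
    for op in parse_pending_renames(SAMPLE_PENDING):
        print("registry:", op)
```

When auditing a machine, check both places: a delete queued in PendingFileRenameOperations runs on the next boot with SYSTEM privileges, so a source path you do not recognise there matters more than a stale wininit.ini line.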
#9, 04-15-2005, 06:39 AM
(Omega), Registered User. Join Date: Mar 2005. Posts: 92. OS: Windows XP Professional.

Just a quick question before I start, is it necessary that I download TDS and scan for Trojans? Will it conflict with my Norton? I scanned using Norton Internet Security 2005 and it detected nothing, should I still use TDS?

Thanks sir!
#10, 04-15-2005, 08:23 AM
greyknight17, Analyst, Security Team. Join Date: Jul 2004. Location: New York. Posts: 14,327. OS: Windows 98 & Windows XP Home/Pro.

Don't worry about running TDS-3 with Norton as this is not a program that will monitor your computer live. It will just do the scan and that's it.

Norton? I have nothing good to say about that program. Most of us here would agree that Norton is a huge resource hog and sometimes causes more problems than it's worth. We recommend using Grisoft AVG instead. Not only is it free (for personal use), it does a much better job than Norton.

Yes, we will need that TDS-3 log just to see if there are any trojans - and remove them if they exist.
#11, 04-15-2005, 05:07 PM
(Omega), Registered User. Join Date: Mar 2005. Posts: 92. OS: Windows XP Professional.

16:24:03 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
16:24:04 [Init] Started 15-04-05 16:24:04 Pacific Standard Time (UTC: 8), Internet Time @1016.71
16:24:04 [Init] Loading TDS-3 Systems ...
16:24:04 [Init] Token successfully adjusted.
16:24:04 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
16:24:04 [Init] • Plugins : OK. Loaded 13
16:24:04 [Init] • Exec Protection : Not Installed
16:24:04 [Init] WARNING: Your Radius.TD3 database needs to be updated!
16:24:04 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
16:24:04 [Init] Licensed users can use the Update facility from the TDS menu
16:24:04 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
16:24:11 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
16:24:11 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
16:24:11 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
16:24:11 [Init] TDS-3 Ready. <Danny oh@67.123.80.15, 169.254.86.15, 127.0.0.1 - United States>
16:24:11 [Tip Of The Day] Using 127.0.0.1 as the Target Host, you can use the various port queries and utilities to test your own computer.
16:24:11 [TDS] Good afternoon Danny oh.
16:24:15 [Mutex Memory Scan] Started...
16:24:17 [Mutex Memory Scan] Finished (no trojan mutexes found).
16:24:17 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
16:25:01 [File Scan] Scanning in C:\ ...
16:30:59 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
16:30:59 [Init] Started 15-04-05 16:30:59 Pacific Standard Time (UTC: 8), Internet Time @1021.52
16:30:59 [Init] Loading TDS-3 Systems ...
16:30:59 [Init] Token successfully adjusted.
16:30:59 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
16:30:59 [Init] • Plugins : OK. Loaded 13
16:30:59 [Init] • Exec Protection : Not Installed
16:30:59 [Init] WARNING: Your Radius.TD3 database needs to be updated!
16:30:59 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
16:30:59 [Init] Licensed users can use the Update facility from the TDS menu
16:30:59 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
16:31:06 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
16:31:06 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
16:31:06 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
16:31:06 [Init] TDS-3 Ready. <Danny oh@67.123.80.15, 169.254.86.15, 127.0.0.1 - United States>
16:31:06 [Tip Of The Day] TDS-3 is the only anti-trojan system capable of detecting, enumerating and scanning in hidden NTFS Alternate Data Streams - you can enable this powerful capability in Scan Control
16:31:06 [TDS] Good afternoon Danny oh.
16:31:10 [Mutex Memory Scan] Started...
16:31:12 [Mutex Memory Scan] Finished (no trojan mutexes found).
16:31:12 [TDS-3] NOTICE - TDS-3 was not properly shut down.
16:31:12 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
16:31:37 [CRC32] Started - verifying 29 files ...
16:31:37 [CRC32] File doesn't exist: C:\autoexec.bat
16:31:46 [CRC32] Test finished.
16:32:51 [Memory Scan] Memory scan started, please wait a moment ...
16:32:52 [Memory Scan] Memory scan complete.
16:32:52 [Mutex Memory Scan] Started...
16:32:53 [Mutex Memory Scan] Finished (no trojan mutexes found).
16:32:53 [Trace Scan] Started...
16:33:02 [Trace Scan] Finished.
16:33:02 [Service\Driver Scan] Scanning for services and drivers ...
16:33:10 [Service\Driver Scan] Scanned 312 services and drivers.
16:33:10 [File Scan] Scanning in A:\ ...
16:33:11 [File Scan] Scanned 0 files: 0 alarms in 1.15625 seconds (Avg 1. files/sec)
16:33:11 [File Scan] Scanning in C:\ ...
17:00:18 [File Scan] Scanned 33862 files: 6 alarms in 1626.313 seconds (Avg 21.82 files/sec)
17:00:18 [File Scan] Scanning in D:\ ...
17:00:18 [Locked File] Couldn't open d:\7dec1ee7d784957ec2e7038d77a4\xpsp1hfm.exe for read access, file is locked
17:01:15 [File Scan] Scanned 819 files: 6 alarms in 56.59375 seconds (Avg 15.47 files/sec)
17:01:15 [File Scan] Scanning in E:\ ...
17:01:15 [File Scan] Scanned 0 files: 6 alarms in 0.03125 seconds (Avg 1. files/sec)
17:01:15 [File Scan] Scanning in F:\ ...
17:01:15 [File Scan] Scanned 0 files: 6 alarms in 0 seconds (Avg -1.#IND files/sec)
17:01:15 [File Scan] Scanning in G:\ ...
17:01:15 [File Scan] Scanned 0 files: 6 alarms in 0 seconds (Avg -1.#IND files/sec)
17:01:15 [Scan] Finished.
17:04:33 [Screen Text] Saved to C:\Program Files\TDS3\scr0.txt
#12, 04-15-2005, 05:08 PM
(Omega), Registered User. Join Date: Mar 2005. Posts: 92. OS: Windows XP Professional.

This is what was found!

Scan Control Dumped @ 17:07:22 15-04-05
Suspicious Filename: Dual extensions
File: c:\documents and settings\danny oh\my documents\firefoxsetup-0.9.2.exe

(DELETED) Positive identification (embedded in file): TrojanDownloader.Win32.Agent.ab
File: c:\windows\system32\bdlds.dll

Positive identification: Adware.PurityScan.e
File: c:\windows\system32\unimt.exe

Positive identification: Adware.WildTangent
File: c:\windows\wt\backup\1.6.1.002\wcmdmgr.exe

Positive identification: Adware.WildTangent.a
File: c:\windows\wt\backup\1.6.1.002\wcmdmgrl.exe

Positive identification: Adware.WildTangent.a
File: c:\windows\wt\backup\1.6.2.003\wcmdmgrl.exe

Thank you sir!
Old 04-15-2005, 07:15 PM   #13 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Uninstall WildTangent from the Add/Remove panel if it's listed there.

Delete these files if found:

c:\windows\system32\bdlds.dll
c:\windows\system32\unimt.exe
c:\windows\wt\


Restart. Any problems now? If not:

Make sure to update Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us.

If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

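As an added example (not code from the thread, from TDS-3 or from its author), the Python below reads the two TDS-3 outputs posted above, the [File Scan] log lines and the "Scan Control" dump, into structured records. It makes two things visible that the raw text does not: the log's alarm counter is cumulative (C: ends at 6 and every later drive still reports 6, so only C: actually produced alarms), and a locked file the scanner could not open was never scanned at all. It also separates positively identified files from the name-based "Dual extensions" heuristic hit, which matches the removal list in the reply above covering only the positive identifications. The sample inputs are constructed from the posted output, with the user-profile directory replaced by a placeholder.

```python
"""Reader for TDS-3 '[File Scan]' log lines and 'Scan Control' dumps.

Added example, not TDS-3's own code. Sample inputs are constructed from the
output posted in the thread; the user-profile directory is a placeholder.
"""
import re

# Constructed excerpt of the posted [File Scan] log (E: omitted for brevity).
TDS_LOG = r"""16:33:10 [File Scan] Scanning in A:\ ...
16:33:11 [File Scan] Scanned 0 files: 0 alarms in 1.15625 seconds (Avg 1. files/sec)
16:33:11 [File Scan] Scanning in C:\ ...
17:00:18 [File Scan] Scanned 33862 files: 6 alarms in 1626.313 seconds (Avg 21.82 files/sec)
17:00:18 [File Scan] Scanning in D:\ ...
17:00:18 [Locked File] Couldn't open d:\7dec1ee7d784957ec2e7038d77a4\xpsp1hfm.exe for read access, file is locked
17:01:15 [File Scan] Scanned 819 files: 6 alarms in 56.59375 seconds (Avg 15.47 files/sec)
17:01:15 [File Scan] Scanning in F:\ ...
17:01:15 [File Scan] Scanned 0 files: 6 alarms in 0 seconds (Avg -1.#IND files/sec)
17:01:15 [Scan] Finished.
"""

# Constructed copy of the posted 'Scan Control' dump (one WildTangent entry omitted).
SCAN_DUMP = r"""Scan Control Dumped @ 17:07:22 15-04-05
Suspicious Filename: Dual extensions
File: c:\documents and settings\<user>\my documents\firefoxsetup-0.9.2.exe

(DELETED) Positive identification (embedded in file): TrojanDownloader.Win32.Agent.ab
File: c:\windows\system32\bdlds.dll

Positive identification: Adware.PurityScan.e
File: c:\windows\system32\unimt.exe

Positive identification: Adware.WildTangent
File: c:\windows\wt\backup\1.6.1.002\wcmdmgr.exe

Positive identification: Adware.WildTangent.a
File: c:\windows\wt\backup\1.6.1.002\wcmdmgrl.exe
"""

TIME = r"^\d\d:\d\d:\d\d "
SCANNING_RE = re.compile(TIME + r"\[File Scan\] Scanning in ([A-Za-z]):\\ \.\.\.$")
SCANNED_RE = re.compile(TIME + r"\[File Scan\] Scanned (\d+) files: (\d+) alarms in ([\d.]+) seconds")
LOCKED_RE = re.compile(TIME + r"\[Locked File\] Couldn't open (.+?) for read access")
VERDICT_RE = re.compile(r"^(\(DELETED\) )?(Positive identification|Suspicious Filename)(?: \((.+?)\))?: (.+)$")
FILE_RE = re.compile(r"^File: (.+)$")


def parse_file_scan(log):
    """One record per drive. The alarm counter TDS-3 prints is cumulative
    (C: ends at 6 and D: still reports 6), so the per-drive figure is the
    difference from the previous 'Scanned' line."""
    drives, current, previous_total = [], None, 0
    for line in log.splitlines():
        if m := SCANNING_RE.match(line):
            current = {"drive": m.group(1).upper(), "files": 0, "alarms_total": 0,
                       "new_alarms": 0, "seconds": 0.0, "locked": []}
            drives.append(current)
        elif (m := LOCKED_RE.match(line)) and current is not None:
            current["locked"].append(m.group(1))  # unreadable, hence never scanned
        elif (m := SCANNED_RE.match(line)) and current is not None:
            total = int(m.group(2))
            current.update(files=int(m.group(1)), alarms_total=total,
                           new_alarms=total - previous_total, seconds=float(m.group(3)))
            previous_total, current = total, None
    return drives


def parse_scan_control(dump):
    """Pair each verdict line with the 'File:' line that follows it."""
    findings, pending = [], None
    for line in dump.splitlines():
        if m := VERDICT_RE.match(line):
            deleted, kind, qualifier, name = m.groups()
            pending = {"verdict": "positive" if kind.startswith("Positive") else "suspicious",
                       "name": name, "deleted": deleted is not None,
                       "embedded": qualifier == "embedded in file", "file": None}
        elif (m := FILE_RE.match(line)) and pending is not None:
            pending["file"] = m.group(1).lower()
            findings.append(pending)
            pending = None
    return findings


def removal_candidates(findings):
    """Positively identified files the scanner did not already delete.
    Name-only heuristics ('Suspicious Filename') are left out: a setup file
    called firefoxsetup-0.9.2.exe trips the dual-extension rule on its name alone."""
    return [f["file"] for f in findings if f["verdict"] == "positive" and not f["deleted"]]


if __name__ == "__main__":
    for d in parse_file_scan(TDS_LOG):
        print(f"{d['drive']}: {d['files']} files, {d['new_alarms']} new alarms, "
              f"{len(d['locked'])} locked")
    for path in removal_candidates(parse_scan_control(SCAN_DUMP)):
        print("not deleted by scanner:", path)
```

The locked-file entry is worth keeping in the output rather than treating it as noise: a file the scanner could not read is a file with no verdict, so a clean count for that drive says nothing about it.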
Old 04-15-2005, 09:22 PM   #14 (permalink)
Registered User
 
 
Join Date: Mar 2005
Posts: 92
OS: Windows XP Professional


I really appreciate all the help you have offered me.

My computer seems to be running at a faster pace now. There are only one or two minute problems. When Windows XP starts up, my wallpaper goes blank or the screen turns black before the Norton Internet Security icon appears on the bottom right. And when I try to access the "Paint" program found in Accessories, it takes about 3 minutes for it to appear and 3 minutes to close, and during this period everything freezes, even in the IE browser, and sometimes it says Windows virtual memory is low. I have checked the amount of space I have on my hard drive and 75% is free. And lastly, when I click on the Favorites tab in IE, it delays a bit before the drop-down list appears.

THANKS!
Old 04-16-2005, 08:22 AM   #15 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


If you can, we recommend uninstalling Norton and getting another antivirus and firewall program instead. I can't say for sure this is causing the problem, but I wouldn't rule it out either, since many users were happy when Norton was removed from their system.

So if you want, uninstall all the Norton programs (Internet Security). Install this free antivirus program and this free firewall program.

See if that improves the performance of things.

Just to check to make sure nothing is wrong here, right click on your Desktop and go to Properties. Then go to the Desktop tab and click on Customize Desktop. Click on the Web tab and make sure everything is unchecked. There also shouldn't be any other entries there besides My Current Home Page. If there is anything else, delete them.
Old 04-16-2005, 11:47 AM   #16 (permalink)
Registered User
 
 
Join Date: Mar 2005
Posts: 92
OS: Windows XP Professional


I deleted the unwanted junk from my desktop. The problem with paint brush didn't occur when Norton Internet Security was installed; I installed NIS about 3 months ago and the problem with the Paint program and Windows virtual memory occurred about a month ago. My computer seems to be running faster and the rest of the problems I have aren't troublesome. I really appreciate all your help GreyKnight17, thanks a lot.

God Bless!
Old 04-16-2005, 12:45 PM   #17 (permalink)
Registered User
 
 
Join Date: Mar 2005
Posts: 92
OS: Windows XP Professional



Thanks a lot GreyKnight, I uninstalled Norton Internet Security and installed the free antivirus and firewall software and they work 10 times better than Norton. Norton Internet Security was one of the reasons why I had the problems I had with my computer. No more problems at Windows startup, and no problems at all.
 


Copyright 2001 - 2009, Tech Support Forum