Please Check My Hijack This Log


This topic is locked
5 replies to this topic

#1 phatrolla

Authentic Member, 23 posts

Posted 28 May 2007 - 09:33 PM

Hi there

Requesting a check of my HijackThis log. I've been using Spyware Doctor and Kaspersky A/V for some time and nothing showed up on scans. Having some problems with Kaspersky and Registry Mechanic (wouldn't load any startup programs in the system tray), so I uninstalled Kaspersky. Anyway, enough of that; recently I scanned with ZoneAlarm Anti-Spyware and found Adware registry cleaner, Win32 coupons, and Win32 fuj... or something, so I quarantined then deleted them. GREAT!! But now my system seems slow. I would appreciate any help, and thank anyone in advance for checking my HijackThis log.


Regards to all
Phatrolla


Logfile of HijackThis v1.99.1
Scan saved at 1:24:05 PM, on 29/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\TrayIconsOK\TrayIconsOK.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = AAPT
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TrayIconsOK.lnk = C:\Program Files\TrayIconsOK\TrayIconsOK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172217137015
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A372BFD6-CA05-423A-BEF9-9071F99DCB9C}: NameServer = 10.1.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



#2 silver

Malware Expert Emeritus, 2,994 posts

Posted 30 May 2007 - 01:04 AM

Hi phatrolla,

Can't see too much wrong with your log, but that doesn't mean the machine is clean so we'll do some scans to check, but first some cleaning with HijackThis:

Temporarily disable Spyware Doctor
  • From within Spyware Doctor, click the OnGuard button on the left side
  • Uncheck Activate OnGuard
Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following line:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

If you want to remove the custom Internet Explorer Title AAPT you can also check this line:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = AAPT

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Re-enable Spyware Doctor
  • From within Spyware Doctor, click the OnGuard button on the left side
  • Check Activate OnGuard
Scan with F-Secure Online Scanner
  • Open this page in Internet Explorer:
    http://support.f-sec.../home/ols.shtml
  • Press Start scanning - this will open a new window
  • Allow the ActiveX control to install and run
  • Accept the license terms and click Full System Scan
  • The scanner will now download, then it will fully scan your computer for malware - this will take some time to complete
  • Press Automatic cleaning (recommended)
  • Once it has finished the cleaning process, click Show Report
  • Select File->Save As..., change Save as type: to Text File and save the report to your Desktop
  • Post a copy of the report in your next response
Then download Deckard's System Scanner (DSS)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply
Once complete, please post the F-Secure log and the DSS reports, I won't need a new HijackThis log as DSS includes one.
ASAP & UNITE Member
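The steps above boil down to reading a HijackThis log line by line and deciding which entries are safe to "Fix checked": here the orphaned O2 BHO that points at "(no file)" and, optionally, the custom R1 window title. The same reading is needed later in the thread, when the O4 section is used as an inventory of auto-starting programs. The following Python script is an added example written for this page, not code from HijackThis, DSS or the forum helper; it parses the v1.99.1 line format into (code, body) entries and reproduces that triage. The sample log embedded in it is constructed from a few lines of the log in this thread.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, built from lines of the log
# posted in this thread (abridged). The process list and headers are not entries.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:24:05 PM, on 29/05/2007

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = AAPT
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TrayIconsOK.lnk = C:\Program Files\TrayIconsOK\TrayIconsOK.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Markers HijackThis appends when the registered file does not exist on disk.
DANGLING = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Split a HijackThis log into {'code', 'body'} entries; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body")})
    return entries


def autostart_target(body):
    """Return (location, name, command) for the two O4 layouts HijackThis emits."""
    # Registry Run key form: HKLM\..\Run: [Name] command
    m = re.match(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$", body)
    if m:
        return (f"{m.group(1)}\\{m.group(2)}", m.group(3), m.group(4))
    # Startup folder form: Startup: Name.lnk = C:\path\to\program.exe
    m = re.match(r"^(\w[\w ]*): (.+?) = (.*)$", body)
    if m:
        return (m.group(1), m.group(2), m.group(3))
    return ("unknown", body, "")


def triage(entries):
    """Classify entries the way the helper in this thread reads the log:
    dangling entries with no backing file (candidates for 'Fix checked'),
    a customised IE window title (R1), and the O4 autostart inventory."""
    findings = {"dangling": [], "custom_ie_title": [], "autostart": []}
    for e in entries:
        code, body = e["code"], e["body"]
        if body.endswith(DANGLING):
            findings["dangling"].append(f"{code} - {body}")
        elif code == "R1" and "Window Title" in body:
            findings["custom_ie_title"].append(body.split("=", 1)[1].strip())
        elif code == "O4":
            findings["autostart"].append(autostart_target(body))
    return findings


if __name__ == "__main__":
    result = triage(parse_hjt(SAMPLE_LOG))
    print("Safe to fix (no backing file):")
    for line in result["dangling"]:
        print("  ", line)
    print("Custom IE window title:", result["custom_ie_title"])
    print("Auto-starting programs:")
    for location, name, command in result["autostart"]:
        print(f"   {location:12} {name:20} {command}")
```

Entries whose file is missing are inert registry leftovers, which is why they can be removed with HijackThis without first identifying what installed them; everything in the O4 list is a program that actually runs at logon, so it is reviewed by disabling autostart inside each program rather than deleting the entry, as the later post in this thread advises.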

#3 phatrolla

Authentic Member, 23 posts

Posted 30 May 2007 - 05:49 AM

Hi there silver

I followed all instructions given. No problem with the F-Secure log, but the DSS scanner only opened the main.txt file. Please inform me if this is right or what I am doing wrong. Thanks again for your support on this one...


Kind regards
Phatrolla


F-Secure Online Scanner 3.1.5 - Scanning Report - Wednesday, May 30, 2007 21:15:03
Scanning Report
Wednesday, May 30, 2007 20:43:30 - 21:15:01
Computer name: YOUR-C45A6B3786
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\



Result: 1 malware found
Possible Browser Hijack attempt (spyware)
System (Disinfected)



Statistics
Scanned:
Files: 27979
System: 4170
Not scanned: 85
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
�r�



Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-05-26
F-Secure AVP: 7.0.171, 2007-05-30
F-Secure Orion: 1.2.37, 2007-05-30
F-Secure Blacklight: 1.0.53
F-Secure Draco: 1.0.35, 2007-05-14
F-Secure Pegasus: 1.19.0, 2007-04-28
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF
VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI
MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0
TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT
MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR
BZ2 HQX
Use Advanced heuristics



Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third
parties that F-Secure World Wide Web pages have a link to. Unless you have
clearly stated otherwise, by submitting material to any of our servers, for
example by E-mail or via our F-Secure's CGI E-mail, you agree that the
material you make available may be published in the F-Secure World Wide Pages
or hard-copy publications. You will reach F-Secure public web site by clicking
on underlined links. While doing this, your access will be logged to our
private access statistics with your domain name.This information will not be
given to any third party. You agree not to take action against us in relation
to material that you submit. Unless you have clearly stated otherwise, by
submitting material you warrant that F-Secure may incorporate any concepts
described in it in the F-Secure products/publications without liability.




Deckard's System Scanner v20070426.43
Run by Mark on 2007-05-30 at 21:40:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mark.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:40:32 PM, on 30/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrayIconsOK\TrayIconsOK.exe
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\60QS7YH2\dss[1].exe
C:\PROGRA~1\HIJACK~1\Mark.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TrayIconsOK.lnk = C:\Program Files\TrayIconsOK\TrayIconsOK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172217137015
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A372BFD6-CA05-423A-BEF9-9071F99DCB9C}: NameServer = 10.1.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- Files created between 2007-04-30 and 2007-05-30 -----------------------------

2007-05-30 20:41:44 0 d-------- C:\WINDOWS\LastGood
2007-05-30 15:28:01 0 dr-h----- C:\Documents and Settings\Mark\Recent
2007-05-29 16:12:14 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-28 17:31:30 0 d-------- C:\Program Files\Windows Live Safety Center
2007-05-27 22:00:37 0 d-------- C:\Program Files\Xilisoft
2007-05-27 20:34:26 0 dr-h----- C:\$VAULT$.AVG
2007-05-27 20:16:09 49664 --a------ C:\WINDOWS\system32\isxdl.dll <Not Verified; Bjørnar Henden; ISX Download DLL>
2007-05-27 00:42:11 0 d-------- C:\Documents and Settings\Mark\Application Data\AVG7
2007-05-27 00:42:03 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-27 00:41:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-27 00:41:48 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-05-25 19:27:51 0 d-------- C:\Program Files\TrayIconsOK
2007-05-22 20:04:33 0 d-------- C:\WINDOWS\BDOSCAN8
2007-05-22 17:05:09 0 d-------- C:\Program Files\Alcohol Soft
2007-05-21 14:13:51 0 d-------- C:\Program Files\Rockstar Games
2007-05-20 19:30:52 162304 --a------ C:\UNWISE.EXE
2007-05-20 07:38:12 0 d-------- C:\Documents and Settings\Mark\Application Data\1ClickDVDCopy
2007-05-20 06:36:35 0 d-------- C:\Program Files\LG Software Innovations
2007-05-18 15:46:10 0 d-------- C:\Documents and Settings\Mark\Application Data\uTorrent
2007-05-18 15:10:35 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe <Not Verified; Sysinternals - www.sysinternals.com; Page File Defragmenter>
2007-05-17 17:13:47 0 d-------- C:\b6576a7b443887f4bcdaac3f17e6c5
2007-05-17 15:22:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-05-17 15:01:25 0 d-------- C:\$WIN_NT$.~BT
2007-05-16 21:06:25 0 d-------- C:\7158b4050aaae922b28a
2007-05-16 21:04:44 0 d-------- C:\520653923043eba61012e6
2007-05-16 14:13:20 0 d-------- C:\Program Files\MSXML 6.0
2007-05-16 14:03:04 0 d-------- C:\Program Files\MSBuild
2007-05-16 13:59:20 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-05-16 13:58:16 0 d-------- C:\Program Files\Reference Assemblies
2007-05-16 13:55:53 0 d-------- C:\fa4a9a89c00f93bdfee430
2007-05-16 13:15:40 0 d-------- C:\WINDOWS\system32\NtmsData
2007-05-15 22:20:33 3670016 --a------ C:\Documents and Settings\Mark\ntuser.dat
2007-05-15 22:20:31 704512 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-05-15 20:48:40 0 d-------- C:\WINDOWS\Prefetch
2007-05-15 20:13:22 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-05-15 20:13:22 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-15 20:13:22 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-15 20:13:22 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-15 20:13:22 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-15 20:13:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-15 20:13:21 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-05-15 20:13:21 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-15 20:13:21 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-15 20:13:21 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-15 20:13:21 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-05-15 20:13:21 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-15 20:13:21 704512 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-15 20:13:21 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-15 20:13:21 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-05-15 20:13:21 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-14 19:02:14 8192 --a------ C:\WINDOWS\d3dx.dat
2007-05-12 21:15:17 0 d-------- C:\Temp
2007-05-09 16:54:00 0 d-------- C:\WUTemp
2007-05-03 20:53:07 0 d-------- C:\Program Files\PCPitstop
2007-05-02 14:28:16 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-04-30 13:54:41 0 d-------- C:\Program Files\Common Files\DistributeShield
2007-04-30 12:53:40 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2007-04-30 12:53:40 25244 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer>
2007-04-30 12:53:40 4672 --a------ C:\WINDOWS\system\WOWPOST.EXE <Not Verified; Adaptec; Adaptec's ASPI Layer>
2007-04-30 12:53:40 5600 --a------ C:\WINDOWS\system\WINASPI.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>


-- Find3M Report ---------------------------------------------------------------

2007-05-30 16:27:57 0 d-------- C:\Program Files\Spyware Doctor
2007-05-29 16:32:58 0 d-------- C:\Program Files\Messenger
2007-05-29 16:32:48 0 d-------- C:\Program Files\KeyScrambler
2007-05-27 20:55:09 0 d-------- C:\Program Files\PeerGuardian2
2007-05-21 14:13:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-21 14:09:14 0 d-------- C:\Documents and Settings\Mark\Application Data\Vso
2007-05-20 06:36:53 34 --a----c- C:\Documents and Settings\Mark\Application Data\pcouffin.log
2007-05-20 06:36:40 47360 --a----c- C:\Documents and Settings\Mark\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-05-20 06:36:40 1144 --a----c- C:\Documents and Settings\Mark\Application Data\pcouffin.inf
2007-05-20 06:36:40 7176 --a----c- C:\Documents and Settings\Mark\Application Data\pcouffin.cat
2007-05-20 06:36:40 81920 --a----c- C:\Documents and Settings\Mark\Application Data\ezpinst.exe
2007-05-17 20:14:45 0 d-------- C:\Program Files\del
2007-05-15 20:41:07 23444 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-05-09 16:51:54 4151 --a----c- C:\WINDOWS\mozver.dat
2007-04-30 14:55:09 0 d-------- C:\Program Files\vso
2007-04-25 10:03:38 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-04-19 15:34:18 0 d-------- C:\Program Files\HP
2007-04-08 16:25:36 0 d-------- C:\Documents and Settings\Mark\Application Data\PlayFirst
2007-03-31 15:13:12 0 d-------- C:\Program Files\D-Tools
2007-03-23 17:09:16 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-03-22 20:25:02 124928 -------c- C:\WINDOWS\system32\prntvpt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2B9F5787-88A5-4945-90E7-C4B18563BC5E} C:\Program Files\KeyScrambler\keyscramblerIE.dll
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
{B56A7D7D-6927-48C8-A975-17DF180C71AC} C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001
"NoRecentDocsMenu"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001
"NoRecentDocsMenu"=dword:00000001

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCPOptimize"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WMPNSCFG"
"hkey"="HKCU"
"command"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wwSecSvc"=dword:00000002
"WMPNetworkSvc"=dword:00000002
"usnjsvc"=dword:00000003
"StarWindService"=dword:00000002
"Pml Driver HPZ12"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
WudfServiceGroup REG_MULTI_SZ WUDFSvc\



-- End of Deckard's System Scanner: finished at 2007-05-30 at 21:41:25 ---------

#4 silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 30 May 2007 - 07:46 AM

Hi phatrolla,

Don't worry about the other DSS report, it's not necessary in this case. I can't say precisely what the F-Secure scanner found because it didn't appear in the log, however other than that your computer appears clean. So at this stage I think it's likely that the slowdown problem is non-malware related, and unless you have further concerns or reasons for suspecting malware as the cause, I suggest you look for non-malware causes of the problem.

Some suggestions for pinning it down:
  • Uninstall unnecessary applications via Start->Control Panel->Add/Remove Programs
  • Turn off unnecessary auto-starting applications. Look at your HijackThis log for programs which automatically start - many are listed in the O4 section of the log, and turn off the automatic starting functionality from within the program. Note: Please do not use HijackThis to remove the entries.
  • Use Process Explorer to monitor resources on your system. Run Process Explorer minimized and when a slowdown occurs, switch to the Process Explorer window to see which process is using a high percentage of CPU.
  • Post in the Other computer problems forum here at Tom Coyote to get more help.
Your Java is outdated and is now a security risk
Go to Start » Control Panel » Add/Remove Programs
Search for all previous installed versions of Java. (J2SE Runtime Environment.... )
Click that entry and then click on the Change/Remove button and follow the instructions to remove Java.
Repeat to remove all versions of Java.
Download and install the newest version of Java Runtime Environment (JRE), from here:
http://java.sun.com/...loads/index.jsp

Some tips to help you stay clean:

Operating system vulnerabilities can easily be exploited by malware so please ensure your operating system is automatically kept up to date by using Windows Update:
Go to Start->Control Panel->Automatic Updates
Select Automatic and select a suitable schedule

You have good protection software installed however please ensure it is kept up to date. Check that your antivirus and antispyware programs are set to automatically update themselves daily, and that your firewall is the latest version.

Spywareblaster is a free program which prevents the download and installation of Internet Explorer ActiveX based malware by immunizing your system against it. You can download Spywareblaster from here and a tutorial to help you get started is available here.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
If you install this, be sure to follow the DNS Client service instructions before doing so.

Find out more about how to prevent infection in the future
http://forum.malware...pic.php?p=33687

Please post back to let me know you have read this, and if you have further concerns about malware or any other issues please let me know.
ASAP & UNITE Member
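
A small parser for the msconfig\startupreg and msconfig\services hives that close the DSS dump above, added here as an example: it is not code from this thread, from HijackThis or from Deckard's System Scanner. Those hives are where msconfig parks the Run-key entries and services a user has unticked, so they are the same kind of auto-start items silver's second suggestion is about, and the parser lists each one with the program it launches. The sample input is a constructed excerpt of the posted dump. The 2/3/4 Start-type encoding is Windows' standard SERVICE_AUTO_START / SERVICE_DEMAND_START / SERVICE_DISABLED; reading the services subkey as the start type saved before disabling is my interpretation of msconfig's bookkeeping, not something stated in the thread.

```python
import re
from typing import Dict, List

# Constructed sample: three startupreg entries and the services subkey, in the
# .reg export layout DSS prints (backslashes and quotes are escaped).
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCPOptimize"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wwSecSvc"=dword:00000002
"WMPNetworkSvc"=dword:00000002
"usnjsvc"=dword:00000003
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
START_TYPES = {2: "Automatic", 3: "Manual", 4: "Disabled"}  # service Start values

def unescape_reg_string(raw: str) -> str:
    """Strip a REG_SZ value's surrounding quotes and undo .reg escaping."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r'\\(.)', r'\1', raw)  # \\ -> \  and  \" -> "

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section path: {value name: raw value}} for .reg-style text."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            sections[current][m.group(1)] = m.group(2)
    return sections

def executable_from_command(command: str) -> str:
    """Pull the program path out of a Run-key command line.

    A quoted path is unambiguous. An unquoted path with spaces is not, for
    Windows either (CreateProcess tries each space-delimited prefix in turn);
    here the text up to the first ".exe" is taken as the intended program.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.search(r'\.exe\b', command, re.IGNORECASE)
    return command[:m.end()] if m else command.split(' ', 1)[0]

def disabled_startup_items(sections: Dict[str, Dict[str, str]]) -> List[dict]:
    """Run-key entries msconfig removed and parked under msconfig\\startupreg."""
    items = []
    for path, values in sections.items():
        parts = path.split('\\')
        if len(parts) < 2 or parts[-2].lower() != 'startupreg':
            continue
        command = unescape_reg_string(values.get('command', '""'))
        items.append({
            'item': unescape_reg_string(values.get('item', '""')),
            'hive': unescape_reg_string(values.get('hkey', '""')),
            'key': unescape_reg_string(values.get('key', '""')),
            'command': command,
            'executable': executable_from_command(command),
        })
    return items

def disabled_services(sections: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Service name -> Start type msconfig recorded before disabling it (assumed)."""
    result: Dict[str, str] = {}
    for path, values in sections.items():
        if not path.lower().endswith('\\msconfig\\services'):
            continue
        for svc, raw in values.items():
            if m := re.fullmatch(r'dword:([0-9a-f]{8})', raw, re.IGNORECASE):
                code = int(m.group(1), 16)
                result[svc] = START_TYPES.get(code, f'unknown ({code})')
    return result

if __name__ == '__main__':
    sections = parse_reg_export(SAMPLE_DUMP)
    for i in disabled_startup_items(sections):
        print(f"{i['hive']}\\{i['key']}\\{i['item']} -> {i['executable']}")
    for svc, start in disabled_services(sections).items():
        print(f"service {svc}: Start was {start}, now Disabled by msconfig")
```

Run it as a script to print the parked entries from the sample, or feed `parse_reg_export` the text of a real `reg export "HKLM\Software\Microsoft\Shared Tools\MSConfig" msconfig.reg` dump. The PCPOptimize line is worth noticing: an unquoted path containing spaces is the shape Windows resolves by trying `C:\Program.exe` before the longer prefixes, so the parser handles it separately instead of splitting on the first space.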

#5 phatrolla

    Authentic Member

  • Authentic Member
  • 23 posts

Posted 30 May 2007 - 11:35 PM

Hello again silver. I followed all requests, removing Java Runtime and installing Spyware Blaster and MVPS hosts. Anyway, it's great to know my system is clean from malware. Many thanks to you again for your support on my topics. You have restored my faith in online security... Kind Regards, Phatrolla

#6 silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 30 May 2007 - 11:57 PM

Glad we could be of assistance. This topic has been closed. If you are the topic starter and need this topic reopened, please PM a staff member with a link to this thread and we will reopen it for you. Anyone else who needs assistance should begin a new topic.
ASAP & UNITE Member
