I've been working on a computer reported by the owner as being slow for the past month and a half. The first thing I did was install CCleaner and delete over a gig of temporary files. This is a computer used by numerous personnel without any user control, so I also had to uninstall some games, and it had a suspicious entry in the Add/Remove panel called something related to coupons, which I removed. Once I was done cleaning it up and stopping unneeded programs from running, I started scanning the computer. AVG [v 8.x] is set to run daily and recent logs showed nothing. First I ran Spybot and got 20 or so threats; I got most of the way through scanning before I had to stop. I removed the threats but I couldn't find the log. SuperAntiSpyware found almost 200 threats. I then installed MBAM and it found some more. Completing a scan with Spybot found 1 more threat called WildTangent. I am pasting the SuperAntiSpyware, MBAM, uninstall_list, and HijackThis logs. I have also updated Java, which I believe was at v. 6 update 11, but I don't remember for sure. What I need to know is if this is now "clean", which I'm guessing it isn't. The computer is performing better considering its specs.
HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:49 PM, on 6/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sandboxer.com/redirect.as...3KQ4MT%40C%23W
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Eaut] "C:\PROGRA~1\COMMON~1\CURITY~1\explorer.exe" -vt ndrv (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Eaut] "C:\PROGRA~1\COMMON~1\CURITY~1\explorer.exe" -vt ndrv (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 6166 bytes
uninstall_list
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
56Kbps Internal Modem
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.2
AVG Free 8.5
BigFix
Canon i550
CCleaner (remove only)
CD Burning 4
CleanUp!
CompuServe
EPSON Printer Software
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB952287)
IE Host
Indeo® software
Intel Application Accelerator
Intel(R) Extreme Graphics Driver Software
Intel(R) PRO Network Adapters and Drivers
Java(TM) 6 Update 13
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multimedia Keyboard Driver Ver1.1
My Web Search (Outlook and Outlook Express)
Notification Utility
Notification Utility
p2pnetworks
PowerDVD
RealPlayer Basic
Realtek AC'97 Audio
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
System Requirements Lab
Uninstall Tool
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb970012)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Media Connect
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Service Pack 3
XMLinst
Yahoo! Software Update
Yahoo! Toolbar
mbam
Malwarebytes' Anti-Malware 1.38
Database version: 2343
Windows 5.1.2600 Service Pack 3
6/27/2009 2:13:06 PM
mbam-log-2009-06-27 (14-13-06).txt
Scan type: Full Scan (C:\|)
Objects scanned: 161991
Time elapsed: 51 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Refog Software (Refog.Keylogger) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
Generated 06/25/2009 at 05:55 PM
Application Version : 4.26.1006
Core Rules Database Version : 3952
Trace Rules Database Version: 1894
Scan type : Complete Scan
Total Scan Time : 01:11:25
Memory items scanned : 371
Memory threats detected : 0
Registry items scanned : 5925
Registry threats detected : 76
File items scanned : 19793
File threats detected : 100
Adware.Lycos/SideSearch
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}
ESyndicate BHO
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC378B83-9577-44D0-B4F8-0DD965E176FC}
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC378B83-9577-44D0-B4F8-0DD965E176FC}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC378B83-9577-44D0-B4F8-0DD965E176FC}
Adware.WildMedia/Midaddle
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}
C:\WINDOWS\UNINSTALLER.EXE
ZSERV.DLL BHO
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-C1EC-0345-6EC2-4D0300000000}
Adware.IncrediFind
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0026AD90-C86F-4269-97F3-DAB4897C6D06}
MultiMPPObj Class BHO
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{002EB272-2590-4693-B166-FBD5D9B6FEA6}
Adware.Apropos Media/CxtPls
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}
Adware.IE Plugin Variant
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}
Adware.EliteBar
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28CAEFF3-0F18-4036-B504-51D73BD81ABC}
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{825CF5BD-8862-4430-B771-0C15C5CA8DEF}
Unknown BHO (LMF32V.DLL)
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6A6E50DC-BFA8-4B40-AB1B-159E03E829FD}
AdRoar Module Toolbar
HKU\S-1-5-21-2108299385-3034611472-3672641707-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8}
Adware.MovieLand/MediaPipe
HKLM\Software\ITBILL
HKLM\Software\ITBILL#PROV
HKLM\Software\ITBILL#Product
HKLM\Software\ITBILL#ProductFamily
HKLM\Software\ITBILL#TRAFFIC_TYPE
HKLM\Software\ITBILL#InstallTime
HKLM\Software\ITBILL#GUID
HKLM\Software\ITBILL#METADATA
HKLM\Software\ITBILL\CONFIG
HKLM\Software\ITBILL\FSUPPORT
HKLM\Software\ITBILL\FSUPPORT#install_date
HKLM\Software\ITBILL\FSUPPORT#install_time
HKLM\Software\ITBILL\FSUPPORT#ip_addr
HKLM\Software\ITBILL\FSUPPORT#user_country
HKLM\Software\ITBILL\FSUPPORT#dir_country
HKLM\Software\ITBILL\FSUPPORT#userid
HKLM\Software\ITBILL\FSUPPORT#cid
HKLM\Software\ITBILL\FSUPPORT#guid
HKLM\Software\ITBILL\FSUPPORT#ts
HKLM\Software\ITBILL\FSUPPORT#tss
HKLM\Software\ITBILL\FSUPPORT#idelta
HKLM\Software\ITBILL\FSUPPORT#traffic_type
HKLM\Software\ITBILL\FSUPPORT#altpay
HKLM\Software\ITBILL\FSUPPORT#product
HKLM\Software\ITBILL\UPDATE
HKLM\Software\ITBILL\UPDATE#Module
HKLM\Software\ITBILL\UPDATE#Config
HKLM\Software\MediaPipe
HKLM\Software\MediaPipe\Prefs
HKLM\Software\MediaPipe\Prefs#version
HKLM\Software\MediaPipe\Prefs#AltPayments
HKLM\Software\MediaPipe\Prefs#ProductFamily
HKLM\Software\MediaPipe\Prefs#Country
HKLM\Software\MediaPipe\Prefs#Provider
HKLM\Software\MediaPipe\Prefs#TRAFFIC_COUNTRY
HKLM\Software\MediaPipe\Prefs#TRAFFIC_PROGRAM
HKLM\Software\MediaPipe\Prefs#TRAFFIC_SOURCE
HKLM\Software\MediaPipe\Prefs#TRAFFIC_SUBSOURCE
HKLM\Software\MediaPipe\Prefs#JOIN_FORM_ID
HKLM\Software\MediaPipe\Prefs#modem
HKLM\Software\MediaPipe\Prefs#GUID
HKLM\Software\MediaPipe\Prefs#Filename
HKLM\Software\MediaPipe\Prefs\altpayments
HKLM\Software\MediaPipe\Prefs\altpayments#Provider
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0\win32
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\FLAGS
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\HELPDIR
C:\Program Files\ItBill
C:\Program Files\MediaPipe\Agent.dll
C:\Program Files\MediaPipe\altpayments_terms.txt
C:\Program Files\MediaPipe\install.log
C:\Program Files\MediaPipe\MediaPipe.ini
C:\Program Files\MediaPipe
C:\PROGRAM FILES\FSUPPORT\NOTIFIER.EXE
HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}
HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid
HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid32
HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\TypeLib
HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\TypeLib#Version
Adware.IEPlugin
HKCR\Remove
Adware.MyWebSearch/FunWebProducts
HKU\PE_C_JOHNNY GENTRY\SOFTWARE\FunWebProducts
Adware.Tracking Cookie
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@belnk[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@order.jamster[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@adrevolver[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ads.monster[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ehg-randomhouse.hitbox[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ehg-foxinteractive.hitbox[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@adopt.specificclick[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ads.mediamayhemcorp[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@server.iad.liveperson[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@www.drivecleaner[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@onlinerewardcenter[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@nextag[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@coolsavings[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@tripod[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@as.casalemedia[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@rotator.adjuggler[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@adinterax[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@sales.liveperson[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@try.starware[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@twci.coremetrics[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@maxserving[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@qnsr[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@serving.rpowermedia[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@videoegg.adbureau[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@eztracks.aavalue[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@adecn[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@adopt.hbmediapro[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@partner2profit[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@clickshift[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@adultactioncam[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@stats.espinthebottle[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@apmebf[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@stat.onestat[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ads.addynamix[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@stats[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@data.coremetrics[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@atwola[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@reduxads.valuead[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@azoogleads[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ads.hi5[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@media303[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@www.xctrk[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@metacafe.122.2o7[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@teensforcash[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@a.as-us.falkag[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ads.cnn[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@login.tracking101[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@anad.tacoda[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@www.adultactioncam[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ads.realtechnetwork[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@adknowledge[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ads.pointroll[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@adserver[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@as-us.falkag[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@jumps.ez-tracks[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ads.bridgetrack[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@insightexpressai[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@bluestreak[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@roiservice[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@tracker.myspacemaps[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@interclick[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ad.yieldmanager[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ad.yieldmanager[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ez-tracks[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@h.starware[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@drivecleaner[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@media.snapvine[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@jamster[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@dist.belnk[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@counter.hitslink[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ads.glispa[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@lynxtrack[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@stats1.reliablestats[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@edge.ru4[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@ads.ecrush[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@cochranfirm.122.2o7[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@statcounter[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@adserve.webtoolcafe[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@offers.intermediainteractive[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@a.websponsors[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@aff.primaryads[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@cbs.112.2o7[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@stats.drivecleaner[2].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@countrymusic.about[1].txt
C:\Documents and Settings\Johnny Gentry\Cookies\johnny gentry@www.burstbeacon[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@server.cpmstar[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adknowledge[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@hits.clickandtrack[1].txt
Trojan.BitSprX2/System
C:\WINDOWS\SYSTEM32\BITSPRX2.EXE
Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\WNSTSTR.EXE
> AVG [v 8.x] is set to run daily
This is not necessary, and it'll tremendously slow down everyday computer operation.
Please, post some computer info:
- processor type, amount of RAM (hold Windows logo key, hit Pause/Break key)
- hard drive size/free space (open "My Computer", right click on hard drive letter, click "Properties")
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure, you re-enable your security programs, when you're done with Combofix.
All I know off the top of my head is that it's an eMachines with 258 MB of RAM [248 recognized]. I don't remember anything else. I believe that it is a 40 GB hard drive with ~12 used after cleanup. I won't have access to it again until Monday, and I'll take note then.
> This is not necessary, and it'll tremendously slow down everyday computer operation.
Yes, I know, but that's how it was set and that could have been part of the problem, but I changed that to 12 am so it wouldn't interrupt anything.
I'll get back with you on Monday after I've run combofix. I'm just curious, what about the HJT indicates that it still has something? Or is it that you just want to be sure?
256MB of RAM surely is part of the slowness problem.
AVG, which starting with ver. 8.0 became a hog, will only add to the above problem.
I suggest adding more RAM, and until it's done, switching from AVG to something lighter, like Avast, or Avira.
HJT doesn't look bad, so I'd rather make sure everything is fine.
I'm not sure what these entries are:
O4 - HKUS\S-1-5-18\..\Run: [Eaut] "C:\PROGRA~1\COMMON~1\CURITY~1\explorer.exe" -vt ndrv (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Eaut] "C:\PROGRA~1\COMMON~1\CURITY~1\explorer.exe" -vt ndrv (User 'Default user')
I don't like them.
That's OK. After cleaning it well....it won't be a speed demon, but it should be decent.
It doesn't need to be a speed demon. It just needs to work.
We'll fix it!
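The reason those two O4 entries stand out is that explorer.exe belongs in C:\WINDOWS; a file by that name launching from a subfolder of Common Files, and doing so for the SYSTEM and Default user accounts rather than a logged-on user, is the classic pattern of malware masquerading as a system binary. The Python script below is an added example, not part of this thread and not HijackThis or ComboFix code: it parses HijackThis O4 lines (the two questioned entries plus the three harmless Run entries from the later log on this page) and flags system-binary names running from outside the Windows folder, plus Run values under the SYSTEM or .DEFAULT hive. The set of system binaries and the assumption that C: is the system drive are simplifications for a Windows XP box.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

# Names that on Windows XP legitimately start only from the Windows folder or
# System32 (assumption: C: is the system drive, no %SystemRoot% expansion).
# A file with one of these names launching from anywhere else is a masquerade
# candidate.
SYSTEM_BINARIES = {
    "explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
    "services.exe", "smss.exe", "csrss.exe", "spoolsv.exe",
}
EXPECTED_DIRS = {r"c:\windows", r"c:\windows\system32"}

# HijackThis O4 layout: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# Executable = the quoted token, or the unquoted text up to the first ".exe".
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)(?=\s|$)', re.IGNORECASE)

# Sample input taken from the logs on this page: the two entries the helper
# questioned and three benign Run entries from the follow-up HijackThis log.
SAMPLE_LINES = r'''
O4 - HKUS\S-1-5-18\..\Run: [Eaut] "C:\PROGRA~1\COMMON~1\CURITY~1\explorer.exe" -vt ndrv (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Eaut] "C:\PROGRA~1\COMMON~1\CURITY~1\explorer.exe" -vt ndrv (User 'Default user')
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''.strip().splitlines()


class O4Entry(NamedTuple):
    location: str  # registry location, e.g. HKUS\S-1-5-18\..\Run
    name: str      # value name inside the Run key
    exe: str       # executable path with its arguments stripped
    raw: str       # the original log line


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis O4 line; return None for any other line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    e = EXE_RE.match(m["command"])
    exe = (e["q"] or e["u"]) if e else m["command"]
    return O4Entry(m["location"], m["name"], exe, line.strip())


def suspicious_reasons(entry: O4Entry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    directory, base = ntpath.split(entry.exe)
    if base.lower() in SYSTEM_BINARIES and directory.lower().rstrip("\\") not in EXPECTED_DIRS:
        reasons.append(f"{base} launched from {directory}, not the Windows folder")
    # Consumer software registers itself under HKCU or HKLM; a Run value for
    # the SYSTEM account or the Default profile is unusual and worth explaining.
    loc = entry.location.upper()
    if loc.startswith("HKUS\\S-1-5-18") or loc.startswith("HKUS\\.DEFAULT"):
        reasons.append("Run value under the SYSTEM or Default user hive")
    return reasons


def triage(lines) -> List[Tuple[O4Entry, List[str]]]:
    """Parse every O4 line and keep only the entries with at least one reason."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LINES):
        print(f"[{entry.name}] {entry.exe}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample, only the two Eaut entries are reported, each with both reasons; the printer and ctfmon entries pass because their names are not system binaries and they sit under HKLM/HKCU. Feeding a whole HijackThis log to `triage` works as-is, since non-O4 lines are skipped.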
Ok I downloaded Combofix from the first link [the one on the left] and when I tried to run it I got the message attached below. A download from the other link didn't give that message. I just thought that you should know. Here are the logs you said to post. Now I ask you, is it clean or do I have to do something else? BTW the computer is an eMachines T2484 with a 2.4 GHz Intel Celeron, 256 MB of RAM, an 80 GB HDD with 62.2 GB free, and Intel Extreme Graphics 3D. With the exception of the RAM, not a bad computer for all that they need. To be sure I deleted all of the restore points. I know that you'll probably say that that was unnecessary but I wanted to be sure.
Combofix
New Hijackthis
ComboFix 09-06-29.01 - Terry Gentry 06/29/2009 12:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.83 [GMT -5:00]
Running from: c:\documents and settings\Terry Gentry\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Johnny Gentry\Favorites\.url
C:\lswmv.ini
c:\program files\Common Files\curity~1
c:\program files\Common Files\dobe~1
c:\program files\Common Files\smbols~1
c:\program files\Common Files\uninstall information
c:\program files\Common Files\wnsxs~1
c:\windows\crosof~1
c:\windows\fnts~1
c:\windows\stem32~1
c:\windows\system32\fnts~1
c:\windows\system32\uninstall.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SVCPROC
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
.
2009-06-29 14:15 . 2009-06-29 14:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-27 18:26 . 2009-06-27 18:26 -------- d-----w- c:\program files\Trend Micro
2009-06-27 18:13 . 2009-06-27 18:13 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\Malwarebytes
2009-06-27 18:12 . 2009-06-27 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-25 19:52 . 2009-06-25 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-25 19:51 . 2009-06-25 21:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-25 19:51 . 2009-06-25 19:51 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\SUPERAntiSpyware.com
2009-06-25 19:51 . 2009-06-25 19:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-25 19:12 . 2009-06-25 19:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-23 20:58 . 2009-06-23 20:58 -------- d-----w- c:\program files\CCleaner
2009-06-23 20:50 . 2009-06-27 19:55 -------- d-----w- c:\program files\MSECACHE
2009-06-12 16:57 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-12 16:57 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-06 16:10 . 2009-06-06 16:10 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\aAvgApi
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 17:27 . 2005-11-03 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-25 20:07 . 2005-02-08 01:15 -------- d-----w- c:\program files\Microsoft Games
2009-06-25 19:28 . 2009-05-12 19:55 -------- d-----w- c:\program files\Java
2009-06-13 08:19 . 2009-02-09 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-13 13:33 . 2005-07-19 18:16 -------- d-----w- c:\documents and settings\Johnny Gentry\Application Data\Lavasoft
2009-05-13 05:15 . 2004-02-06 23:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 20:32 . 2009-05-11 20:32 -------- d-----w- c:\program files\AVG
2009-05-11 20:25 . 2009-05-11 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-11 20:19 . 2009-05-11 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-11 20:19 . 2005-01-29 23:45 -------- d-----w- c:\program files\Yahoo!
2009-05-11 20:19 . 2009-05-11 20:19 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\Yahoo!
2009-05-11 19:51 . 2003-05-31 16:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-11 19:50 . 2009-03-03 14:55 -------- d-----w- c:\docume~1\TERRYG~1\APPLIC~1\Move Networks
2009-05-11 19:49 . 2003-05-31 16:38 -------- d-----w- c:\program files\Microsoft Works
2009-05-11 19:40 . 2006-07-20 00:22 -------- d-----w- c:\program files\Common Files\Scanner
2009-05-11 19:37 . 2003-05-31 16:41 -------- d-----w- c:\program files\ICQ
2009-05-07 15:32 . 2003-05-31 16:13 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2003-05-31 16:13 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-04-16 15:50 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2005-09-02 16:15 . 2005-01-14 16:53 475 -csh--w- c:\windows\system32\imfi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-27 99840]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\CODYGE~1\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\CODYGE~1\LOCALS~1\Temp\bDMusicb.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [1/19/2004 10:05 PM 72576]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder
2009-06-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-05-31 16:04]
2009-06-28 c:\windows\Tasks\User_Feed_Synchronization-{B70EC5FC-6D46-4E7F-8CBE-1CB32099EF79}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-Eaut - c:\progra~1\COMMON~1\CURITY~1\explorer.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://www.sandboxer.com/redirect.aspx?ID=21&MID=4L9T23T3HR%23BMD3EHB%406H2 FR727%232S%23H%23KQ4MT%40C%23W
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-29 12:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\TypeLib]
@DACL=(02 0000)
@="{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0]
@DACL=(02 0000)
@="AMNotifier 1.0 Type Library"
[HKEY_LOCAL_MACHINE\software\itbill\CONFIG]
@DACL=(02 0000)
"url"="u}G<<{|vsvr;nyovyy;p|z<{|vsvr<{|vsv r?;ptvLp|{svtJhP\\[SVTj3t‚vqJhTbVQj3}|q‚pJh]_\\cj3zrnJhZRaNQNaNj3Jha_NSSVPlaf]Rj3u‚onJ>"
"domain"=""
"tracker"=""
"updates"=""
"val1"=dword:00000000
"val2"=dword:0036ee80
"val3"=dword:00000000
"val4"=dword:00002710
"activity"=dword:00000001
"last"=dword:4432e03d
"freeze"=dword:00000000
[HKEY_LOCAL_MACHINE\software\itbill\FSUPPORT]
@DACL=(02 0000)
"install_date"="2005-11-12"
"install_time"="13:23"
"ip_addr"="12.222.169.98"
"user_country"="US"
"dir_country"="US"
"userid"="61339790"
"cid"=""
"guid"="OI3AC/E9KA3FKSDHIU1MJJYE9MT514RD"
"ts"="pythonexit"
"tss"="redplayer2"
"idelta"="125"
"traffic_type"="A"
"altpay"="1"
"product"="movieland"
[HKEY_LOCAL_MACHINE\software\itbill\UPDATE]
@DACL=(02 0000)
"Module"=dword:443297ef
"Config"=dword:443297f7
[HKEY_LOCAL_MACHINE\software\MediaPipe\Prefs]
@DACL=(02 0000)
"version"="3"
"AltPayments"="movieland"
"ProductFamily"="movienetworks"
"Country"="US"
"Provider"="MovieLand"
"TRAFFIC_COUNTRY"=""
"TRAFFIC_PROGRAM"=""
"TRAFFIC_SOURCE"="pythonexit"
"TRAFFIC_SUBSOURCE"="redplayer2"
"JOIN_FORM_ID"="150"
"modem"=""
"GUID"="OI3AC/E9KA3FKSDHIU1MJJYE9MT514RD"
"Filename"="c:\\Program Files\\MediaPipe\\MediaPipe.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(4000)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-06-29 12:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-29 17:56
Pre-Run: 66,860,650,496 bytes free
Post-Run: 66,817,626,112 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
206
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:56 PM, on 6/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sandboxer.com/redirect.as...3KQ4MT%40C%23W
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 4668 bytes
Last edited by townsbg; 10-07-2009 at 05:57 AM.
How come AVG doesn't show anymore in HJT log?
1. Please open Notepad
- Click Start, then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
c:\docume~1\CODYGE~1\LOCALS~1\Temp\bDMusicb.sys
c:\windows\Tasks\Symantec NetDetect.job
Folder::
c:\program files\Symantec
Driver::
bDMusicb
Registry::
RegLockDel::
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.