Computer slowing down over time

By dmcrx7
Sep 17, 2010
  1. My computer has been getting gradually slower.

    Here are my logs.

    GMER finds two files, then locks up with a fatal exception; I have a screen grab.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    9/14/2010 9:30:00 AM
    mbam-log-2010-09-14 (09-30-00).txt

    Scan type: Quick scan
    Objects scanned: 118863
    Time elapsed: 17 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)





    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Admin at 11:21:44.00 on Fri 09/17/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480.184 [GMT -4:00]

    AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    H:\Program Files\LeapFrog Connect\CommandService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\system32\hphmon04.exe
    H:\Program Files\LeapFrog Connect\Monitor.exe
    C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Admin\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
    TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Start WingMan Profiler]
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
    mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
    mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
    mRun: [Monitor] "h:\program files\leapfrog connect\Monitor.exe"
    mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
    mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
    dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    dPolicies-explorer: NoResolveTrack = 1 (0x1)


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/8/2007 6:18:54 PM
    System Uptime: 9/17/2010 9:10:33 AM (2 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P4S533VX
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | PGA 478 | 2390/133mhz

    ==== Disk Partitions =========================


    ==== Installed Programs ======================


    µTorrent
    7-Zip 4.31
    AAC Decoder
    Ad-Aware SE Professional
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop CS2
    Adobe Shockwave Player 11.5
    Advanced Photo Editor
    Amazon Games & Software Downloader
    ArcSoft Print Creations
    ArcSoft Print Creations - Album Page
    ArcSoft Print Creations - Funhouse
    ArcSoft Print Creations - Greeting Card
    ArcSoft Print Creations - Photo Book
    ArcSoft Print Creations - Photo Calendar
    ArcSoft Print Creations - Scrapbook
    ArcSoft Print Creations - Slimline Card
    Autodesk MapGuide(R) Viewer ActiveX Control Release 6.5
    AutoUpdate
    CCleaner
    CCScore
    Digital Camera
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    Foxit Reader
    Foxit Toolbar
    Google SketchUp 7
    H.264 Decoder
    HD-DV decoder
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB945060-v3)
    Hotfix for Windows XP (KB954550-v5)
    Icatch(IV) Camera Driver
    InterVideo WinDVD 8
    iSEEK AnswerWorks English Runtime
    Java(TM) 6 Update 11
    K-Lite Codec Pack 2.80 Full
    Kodak EasyShare software
    LeapFrog Connect
    LeapFrog Tag Plugin
    Logitech Harmony Remote Software 7
    Lucent Technologies Soft Modem AMR
    Malwarebytes' Anti-Malware
    Memory Stick Formatter
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Midnight Outlaw Illegal Street Drag
    MKV Splitter
    Move Media Player
    Mozilla Firefox (3.5.12)
    MSN
    MSXML 6.0 Parser
    Nero 7 Premium
    netbrdg
    Norton PartitionMagic
    Norton PartitionMagic 8.0
    OfotoXMI
    OpenOffice.org 2.1
    Panda Cloud Antivirus
    Panda Identity Protect 3.0.44
    Panda Security Toolbar
    Photosmart 130,230,7150,7345,7350,7550 (Remove only)
    PokerStars.net
    QuickTime Alternative 1.70
    Real Alternative 1.49
    Realtek AC'97 Audio
    Remote Control USB Driver
    rFactor (remove only)
    RocketDock 1.3.0
    Security Update for Excel 2007 (KB934670)
    Security Update for Office 2007 (KB934062)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    SEGA RALLY 2
    SFR
    SHASTA
    skin0001
    SKINXSDK
    Software Update for Web Folders
    Sports Car GT
    Spybot - Search & Destroy
    staticcr
    SUPERAntiSpyware Free Edition
    tooltips
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax 2009 wvaiper
    Update for Office 2007 (KB932080)
    Update for Office 2007 (KB933688)
    Update for Office 2007 (KB934393)
    Update for Outlook 2007 Junk Email Filter (KB934655)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Word 2007 (KB934173)
    URGE
    Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
    VC80CRTRedist - 8.0.50727.762
    VPRINTOL
    Windows Driver Package - LeapFrog (FlyUsb) USB (06/15/2007 1.0.0.6)
    Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Sidebar
    WingMan Software
    WIRELESS

    ==== End Of File ===========================
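The registry lines in the Malwarebytes and DDS logs above are worth reading as a set rather than one at a time: the three Security Center DisableNotify values silence the antivirus, firewall and Windows Update warnings, SfcDisable=-99 (0xffffff9d) under Winlogon turns off Windows File Protection, and the Explorer policies are the user-facing restrictions Malwarebytes labels Hijack.*. The script below is an added example, not code from the thread, from Malwarebytes or from DDS. It parses both line formats into records, labels the values with a table that is the example's own, and reports which names Malwarebytes said it deleted on 9/14 but the 9/17 DDS snapshot still lists. It assumes the u/m/d prefixes on DDS lines mean the HKCU, HKLM and HKU\.DEFAULT hives; the sample lines are copied from the logs above.

```python
"""Triage of the MBAM and DDS registry lines above (added example, not tool code)."""
import re

# Value names that, as set in the logs, weaken a built-in protection. The
# descriptions are this example's own; lookups are case-insensitive because
# MBAM lower-cases value names while DDS keeps their original case.
WEAKENING = {
    "antivirusdisablenotify": "Security Center: antivirus-status alerts suppressed",
    "firewalldisablenotify": "Security Center: firewall-status alerts suppressed",
    "updatesdisablenotify": "Security Center: Windows Update alerts suppressed",
    "sfcdisable": "Winlogon: Windows File Protection disabled (-99 / 0xffffff9d)",
    "nosmhelp": "Explorer policy: Help removed from the Start menu",
    "nosmconfigureprograms": "Explorer policy: Set Program Access and Defaults hidden",
    "forceclassiccontrolpanel": "Explorer policy: Control Panel forced to classic view",
    "noresolvetrack": "Explorer policy: link-tracking shortcut resolution disabled",
}
# MBAM: <key>\<value> (<category>) [-> Bad: (x) Good: (y)] -> <action>
MBAM_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.*)\\(?P<name>[^\\ ]+) \((?P<category>[^)]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))? -> (?P<action>.+)$"
)
# DDS pseudo-HJT: <scope><section>: <name>=<value> (<hex>); scope u/m/d is
# assumed to be the current-user, machine or default-user hive.
DDS_RE = re.compile(
    r"^(?P<scope>[umd])(?P<section>Winlogon|Policies-\w+): "
    r"(?P<name>\w+) ?= ?(?P<value>-?\d+) \((?P<hex>0x[0-9a-f]+)\)$"
)
SCOPE = {"u": "HKCU", "m": "HKLM", "d": r"HKU\.DEFAULT"}


def parse(lines):
    """Turn MBAM and DDS lines into records; any other line is ignored."""
    records = []
    for line in (raw.strip() for raw in lines):
        if m := MBAM_RE.match(line):
            records.append({"source": "mbam", "key": m["key"], "name": m["name"],
                            "category": m["category"], "bad": m["bad"],
                            "action": m["action"]})
        elif m := DDS_RE.match(line):
            records.append({"source": "dds", "name": m["name"],
                            "key": SCOPE[m["scope"]] + "\\" + m["section"],
                            "value": int(m["value"]), "hex": m["hex"]})
    return records


def triage(lines):
    """Records whose value name is in WEAKENING, annotated with the reason."""
    found = []
    for r in parse(lines):
        note = WEAKENING.get(r["name"].lower())
        if note:
            found.append({**r, "note": note})
    return found


def still_present(findings):
    """Names MBAM reported deleted that the later DDS snapshot still shows.
    A hit here usually means another hive (HKU\\.DEFAULT rather than HKCU)."""
    removed = {r["name"].lower() for r in findings
               if r["source"] == "mbam" and "deleted" in r["action"]}
    seen = {r["name"].lower() for r in findings if r["source"] == "dds"}
    return sorted(removed & seen)


# Lines copied from the MBAM (9/14) and DDS (9/17) logs in the post above.
SAMPLE = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
mWinlogon: SfcDisable=-99 (0xffffff9d)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f'{f["source"]:4} {f["key"]}\\{f["name"]}: {f["note"]}')
    print("reported deleted by MBAM but still in DDS:", still_present(triage(SAMPLE)))
```

On the sample it returns ten findings, and the last line is the check a practitioner wants: Malwarebytes deleted ForceClassicControlPanel under HKCU, but DDS still shows it under the default-user hive (dPolicies-explorer), which the quick scan did not touch and which the ComboFix log posted later in the thread lists under HKEY_USERS\.default.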
  2. Bobbye


    Welcome back! I helped you a year ago with a slow browser and gave you some pointers on speeding it up. So I ask that you review this: http://www.techspot.com/vb/topic135296.html

    Even if this is not the same system, there are many reasons for 'slow.' Please tell me how much RAM you have installed in this system.

    Then I would like you to run the following:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.


    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Important:
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Edit: I'm going to have to check on the use of the Panda Cloud AV. I don't know whether it gives full-time and updating features to the system.
  3. dmcrx7


    combofix logs

    Thanks, the computer ran well after the last set of fixes. 2 GHz, 480 MB RAM; that's why I try to keep my virus protection and other programs as simple as possible.

    ComboFix 10-09-17.03 - Admin 09/17/2010 19:58:43.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480.279 [GMT -4:00]
    Running from: c:\documents and settings\Admin\My Documents\Downloads\ComboFix.exe
    AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\msconfig.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))
    .

    2010-09-12 03:11 . 2010-09-12 03:11 323824 ----a-w- c:\documents and settings\All Users\Application Data\Panda Security\Panda Cloud Antivirus\Download\0x04015000\GlobalExe.exe
    2010-09-12 02:52 . 2010-09-12 02:52 -------- d-----w- c:\documents and settings\Admin\Application Data\Panda Security
    2010-09-12 02:51 . 2010-09-12 02:51 -------- d-----w- c:\documents and settings\Admin\Application Data\SurfSecret Privacy Suite
    2010-09-12 02:50 . 2010-09-12 02:50 -------- d-----w- c:\documents and settings\Admin\Application Data\pandasecuritytb
    2010-09-12 02:50 . 2010-09-12 02:50 264 ----a-w- c:\windows\system32\PSUNCpl.dat
    2010-09-12 02:48 . 2010-09-12 02:50 -------- d-----w- c:\program files\Panda Security
    2010-09-12 02:48 . 2010-09-12 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
    2010-09-12 01:00 . 2010-09-12 01:01 -------- d-----w- c:\program files\Common Files\Remote Control Software Common

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-17 13:13 . 2009-02-21 20:16 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
    2010-09-14 12:55 . 2008-12-06 05:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-14 03:16 . 2008-12-05 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-14 02:53 . 2008-12-06 05:37 -------- d-----w- c:\program files\CCleaner
    2010-09-12 00:59 . 2007-12-21 05:24 -------- d-----w- c:\program files\Logitech
    2010-07-21 22:12 . 2010-07-21 22:12 -------- d-----w- c:\program files\ValuSoft
    2010-07-21 22:12 . 2007-06-08 23:54 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-28 16:44 . 2010-06-28 16:44 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2008-12-05 16:56 . 2008-12-05 16:56 2098 --sha-w- c:\windows\system32\vutofudi.exe
    2008-12-05 19:38 . 2008-12-05 19:38 2098 --sha-w- c:\windows\system32\wayumabe.exe
    2008-12-06 14:47 . 2008-12-06 14:47 2098 --sh--w- c:\windows\system32\yahosuze.exe
    .

    ------- Sigcheck -------

    [-] 2006-12-28 . C5E8C53A50767F016B539D946ED8B121 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
    2010-06-15 13:46 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-06-15 86696]

    [HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
    @="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
    [HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
    2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
    @="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
    [HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
    2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
    "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-27 102400]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
    "HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
    "Monitor"="h:\program files\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
    "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
    "PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2004-08-04 99840]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoSMHelp"= 1 (0x1)
    "StartMenuLogoff"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-03 22:56 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
    2008-11-20 18:06 178688 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-03-21 00:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTSMMSG]
    2002-07-20 16:22 32768 ----a-w- c:\windows\LTSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LxrAutorun]
    2007-03-07 17:51 24576 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Lexar Media\LxrAutorun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
    2009-11-10 15:14 443728 ----a-w- h:\program files\LeapFrog Connect\Monitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 22:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-12-08 03:30 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 04:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "h:\\Electronic Arts\\Sports Car GT\\Spcar.exe"=
    "c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "h:\\Sports Car GT\\Spcar.exe"=
    "h:\\Program Files\\Easyshare\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=



    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=455178debaf4d1498d95d2ca738cbb19
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-09-18 02:09:51
    # local_time=2010-09-17 10:09:51 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 55310138 55310138 0 0
    # compatibility_mode=1538 16774118 20 3 274007 112377355 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=70097
    # found=3
    # cleaned=0
    # scan_time=4732
    C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\WInRAR Patch\Patch.exe a variant of Win32/HackTool.Patcher.A application 00000000000000000000000000000000 I
    C:\Program Files\Angry IP Scanner\Angry IP Scanner 2.21.exe Win32/NetTool.Portscan.C application 00000000000000000000000000000000 I
    H:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
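The ComboFix and ESET logs in this post carry the controls that decide whether the machine can defend itself, and a helper reads them before anything else: the AV header reporting on-access scanning disabled, the Recovery Console warning, the Sigcheck entry for tcpip.sys, EnableFirewall=0 in the standard profile with its exception list, and ESET's found/cleaned counters. The script below is an added example, not code from the thread, from ComboFix or from ESET, that pulls those into one posture dict. Its reading of the formats is an assumption: the text between `*...*` in the AV line is the on-access state, a `[-]` Sigcheck entry is a file whose hash did not match ComboFix's reference, `"name"= data` lines belong to the preceding `[key]` section with backslashes doubled, and ESET hit lines end in `<kind> <md5> <flag>`. The samples are excerpts of this post's logs, keeping four of the twelve firewall exceptions.

```python
"""Posture summary from ComboFix and ESET Online Scanner logs (added example)."""
import re

# ComboFix header line: AV: <product> *<on-access state>* (<signature state>) {guid}
AV_RE = re.compile(r"^AV: (?P<product>.+?) \*(?P<state>[^*]+)\* \((?P<sigs>[^)]+)\)")
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"= data, REGEDIT4 style: backslashes inside the name are doubled
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=\s*(?P<data>.*)$')
# Sigcheck: [-] date . MD5 . size . . [version] . . path  ([-] assumed = hash mismatch)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+])\] (?P<date>\S+) \. (?P<md5>[0-9A-F]{32}) \. (?P<size>\d+)"
    r" \. \. \[(?P<version>[^\]]+)\] \. \. (?P<path>.+)$"
)
FW_KEY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
# ESET: "# key=value" header lines, then "<path> <threat> <kind> <md5> <flag>" hits
ESET_HDR_RE = re.compile(r"^# (?P<k>\w+)=(?P<v>.*)$")
ESET_HIT_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>(?:a variant of )?\S+) (?P<kind>\S+) "
    r"(?P<md5>[0-9a-f]{32}) (?P<flag>\S)$"
)


def parse_combofix(text):
    """Header flags, Sigcheck entries and the [key] "name"= sections."""
    info = {"av": None, "recovery_console": True, "sections": {}, "sigcheck": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := AV_RE.match(line):
            info["av"] = m.groupdict()
        elif "DOES NOT HAVE THE RECOVERY CONSOLE" in line:
            info["recovery_console"] = False
        elif m := SIGCHECK_RE.match(line):
            info["sigcheck"].append(m.groupdict())
        elif m := SECTION_RE.match(line):
            section = info["sections"].setdefault(m["key"].lower(), {})
        elif section is not None and (m := VALUE_RE.match(line)):
            section[m["name"].replace("\\\\", "\\")] = m["data"].strip()
    return info


def parse_eset(text):
    header, hits = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ESET_HDR_RE.match(line):
            header[m["k"]] = m["v"]
        elif m := ESET_HIT_RE.match(line):
            hits.append(m.groupdict())
    return header, hits


def posture(combofix_text, eset_text):
    """The controls a helper checks first, plus the items to act on next."""
    cf = parse_combofix(combofix_text)
    profile = cf["sections"].get(FW_KEY, {})
    exceptions = cf["sections"].get(FW_KEY + r"\authorizedapplications\list", {})
    header, hits = parse_eset(eset_text)
    return {
        "av_on_access": bool(cf["av"]) and "disabled" not in cf["av"]["state"].lower(),
        "recovery_console": cf["recovery_console"],
        # ComboFix omits default entries, so no EnableFirewall means the XP SP2 default (on)
        "firewall_enabled": profile.get("EnableFirewall", "1").startswith("1"),
        "firewall_exceptions": sorted(exceptions),
        "sigcheck_flagged": [s["path"] for s in cf["sigcheck"] if s["flag"] == "-"],
        "eset_found": int(header.get("found", 0)),
        "eset_cleaned": int(header.get("cleaned", 0)),
        "eset_removal_on": header.get("remove_checked") == "true",
        "eset_hits": [(h["path"], h["threat"], h["kind"]) for h in hits],
    }


# Excerpts of the ComboFix and ESET logs in this post.
COMBOFIX_SAMPLE = r"""
AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
[-] 2006-12-28 . C5E8C53A50767F016B539D946ED8B121 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Sports Car GT\\Spcar.exe"=
"""
ESET_SAMPLE = r"""
# found=3
# cleaned=0
# remove_checked=false
C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\WInRAR Patch\Patch.exe a variant of Win32/HackTool.Patcher.A application 00000000000000000000000000000000 I
C:\Program Files\Angry IP Scanner\Angry IP Scanner 2.21.exe Win32/NetTool.Portscan.C application 00000000000000000000000000000000 I
H:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    for key, value in posture(COMBOFIX_SAMPLE, ESET_SAMPLE).items():
        print(f"{key}: {value}")
```

On the excerpts it reports av_on_access False, recovery_console False, firewall_enabled False, tcpip.sys as the flagged Sigcheck entry, and found=3 with cleaned=0, which is expected here because the instructions said to leave "Remove found threats" unchecked. The exception list is the thing to review by hand: every entry is a hole in the only firewall the machine has, and the log shows it is switched off anyway.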
  4. dmcrx7


    By the way, this is a different computer; it's 2.4 GHz, 480 MB RAM.
    It was on here a couple of years ago; I cleaned it up and it ran well. Now it's time to get rid of the bloat once again.
  5. Bobbye


    Let's handle the Eset entries first:

    Please download OTMoveIt by OldTimer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)
      Code:
      :Processes
      :Services

      :Reg

      :Files
      C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\WInRAR Patch\Patch.exe
      C:\Program Files\Angry IP Scanner\Angry IP Scanner 2.21.exe
      H:\AOL Instant Messenger\AIM.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =========================================
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
  6. dmcrx7


    Error: Unable to interpret <C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\WInRAR Patch\Patch.exe > in the current context!
    Error: Unable to interpret <C:\Program Files\Angry IP Scanner\Angry IP Scanner 2.21.exe > in the current context!
    Error: Unable to interpret <H:\AOL Instant Messenger\AIM.exe > in the current context!

    OTM by OldTimer - Version 3.1.16.1 log created on 09192010_232439


    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\all users\desktop\keygens for programs\desktop.ini
    c:\documents and settings\all users\desktop\keygens for programs\oo.defrag.server-kg.rar
    c:\documents and settings\all users\desktop\keygens for programs\registry.mechanic.v6.0.0.750_patch.exe
    c:\documents and settings\all users\desktop\keygens for programs\sonysoundforge80dbuild128keygen.rar
    c:\documents and settings\all users\desktop\keygens for programs\vmware.prod.kg.exe
    c:\documents and settings\all users\desktop\keygens for programs\zonealarmkeygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\bs player\keygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\ahteam.nfo
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\crack notes.txt
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\crack_aht.exe
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\file_id.diz
    c:\documents and settings\all users\desktop\keygens for programs\nod32 fix\nod32.fix.v2.1-nsane.exe
    c:\documents and settings\all users\desktop\keygens for programs\oodefrag85professional\keygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\poweriso keygen\keygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\poweriso keygen\poweriso v3.5.txt
    c:\documents and settings\all users\desktop\keygens for programs\sound forge\sony sound forge 8.0d build 128.txt
    c:\documents and settings\all users\desktop\keygens for programs\tuneup utilities 2007\keygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\tuneup utilities 2007\tsrh.nfo
    c:\documents and settings\all users\desktop\keygens for programs\tweaknow serial\key\serial.txt
    c:\documents and settings\all users\desktop\keygens for programs\ultraiso\ultraiso8serial.txt
    c:\documents and settings\all users\desktop\keygens for programs\ultraiso\keygen\brd.nfo
    c:\documents and settings\all users\desktop\keygens for programs\ultraiso premium edition 8.6.0 build 1936\ultraiso-patch.exe
    c:\documents and settings\all users\desktop\keygens for programs\webroot\serial.txt
    c:\documents and settings\all users\desktop\keygens for programs\windvd8platinum\intervideo windvd platinum v8.0.b06.072.txt
    c:\documents and settings\all users\desktop\keygens for programs\winrar patch\patch.exe
    c:\documents and settings\all users\desktop\keygens for programs\winzip 11\keygen_1.exe
    c:\documents and settings\all users\desktop\keygens for programs\winzip 11\wzcou10.exe
    c:\documents and settings\all users\desktop\keygens for programs\winzip 11\wzipse30.exe
    scanner sequence 3.ZZ.11
    ----- EOF -----
  7. Bobbye


    The program I had you run shows a large number of pirated programs. They will all need to be removed to continue support. This was why I had you run the CK scan:
    C:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\WInRAR Patch\Patch.exe

    It pretty much looks like almost everything on the system is pirated.
  8. dmcrx7


    programs

    I don't use any of those programs, so I'll get them off of there.

    A lot of useless stuff was added when I lost my hard drive years ago.

    WinZip is the only one I would use, and I use the free version anyway.
  9. dmcrx7


    programs

    Ok, I just went to remove them, and only one was left anyway.

    How do I get rid of the keygens? just delete?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

Keygens and cracks are used to get serial numbers and license numbers to use when a program is installed. The purpose is to steal (pirate) the program so you don't have to pay for it. It's illegal. Someone has to go after them- they don't just appear on a system.

You can try doing this to remove them- I'm not sure it will work- maybe you downloaded the keys to have on hand, although most of these are the executables:

    Run this Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\documents and settings\all users\desktop\keygens for programs\desktop.ini
    c:\documents and settings\all users\desktop\keygens for programs\oo.defrag.server-kg.rar
    c:\documents and settings\all users\desktop\keygens for programs\registry.mechanic.v6.0.0.750_patch.exe
    c:\documents and settings\all users\desktop\keygens for programs\sonysoundforge80dbuild128keygen.rar
    c:\documents and settings\all users\desktop\keygens for programs\vmware.prod.kg.exe
    c:\documents and settings\all users\desktop\keygens for programs\zonealarmkeygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\bs player\keygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\ahteam.nfo
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\crack notes.txt
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\crack_aht.exe
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\file_id.diz
    c:\documents and settings\all users\desktop\keygens for programs\nod32 fix\nod32.fix.v2.1-nsane.exe
    c:\documents and settings\all users\desktop\keygens for programs\oodefrag85professional\keygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\poweriso keygen\keygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\poweriso keygen\poweriso v3.5.txt
    c:\documents and settings\all users\desktop\keygens for programs\sound forge\sony sound forge 8.0d build 128.txt
    c:\documents and settings\all users\desktop\keygens for programs\tuneup utilities 2007\keygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\tuneup utilities 2007\tsrh.nfo
    c:\documents and settings\all users\desktop\keygens for programs\tweaknow serial\key\serial.txt
    c:\documents and settings\all users\desktop\keygens for programs\ultraiso\ultraiso8serial.txt
    c:\documents and settings\all users\desktop\keygens for programs\ultraiso\keygen\brd.nfo
    c:\documents and settings\all users\desktop\keygens for programs\ultraiso premium edition 8.6.0 build 1936\ultraiso-patch.exe
    c:\documents and settings\all users\desktop\keygens for programs\webroot\serial.txt
    c:\documents and settings\all users\desktop\keygens for programs\windvd8platinum\intervideo windvd platinum v8.0.b06.072.txt
    c:\documents and settings\all users\desktop\keygens for programs\winrar patch\patch.exe
    c:\documents and settings\all users\desktop\keygens for programs\winzip 11\keygen_1.exe
    c:\documents and settings\all users\desktop\keygens for programs\winzip 11\wzcou10.exe
    c:\documents and settings\all users\desktop\keygens for programs\winzip 11\wzipse30.exe
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Part of the Combofix log is missing.

Do a new scan with Combofix when finished with the above. Be sure to reboot after running the script before you do the new scan.

KEYGENS FOR PROGRAMS is the name of a program. It also needs to be removed. This includes Add/Remove Programs, the Startup menu, program folders and application data.

    There is at least a Vundo infection on the system.


    Is the operating system legitimate?
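The CFScript posted above is a plain text file with `Name::` directives followed by the paths they apply to. What ComboFix actually does with the `File::` entries is move them into its quarantine folder (C:\Qoobox) and log them, which is why the poster later gets a ComboFix-quarantined-files.txt. The following is an added example written for this page, not ComboFix's own code (ComboFix is closed-source) and not something either participant posted: it parses a script in that format and applies the `File::` section the safe way, hashing each file and moving it into a quarantine directory instead of deleting it, so the list can be reviewed before anyone trusts it. The directive names it knows (`KillAll::`, `File::`) are the ones used in the thread; the sample tree it builds is constructed for the demo, and the quarantine folder name `Qoobox` is borrowed from ComboFix only as a convention.

```python
"""Parse a CFScript and quarantine its File:: entries (added example).

Not ComboFix code: this only mimics the observable behaviour of the File::
directive, which moves the listed paths into a quarantine folder and records
what it moved.  Directive names come from the script posted in the thread;
any other 'Name::' header is kept as an opaque section.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Map each 'Name::' directive to the lines that follow it.

    Blank lines are ignored and surrounding double quotes are stripped, so
    the bare paths in the posted script and the quoted paths ComboFix echoes
    back in its 'FILE ::' block parse identically.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            sections[current].append(line.strip('"'))
    return sections


def sha256_of(path) -> str:
    """SHA-256 of a file, read in chunks so large binaries stay off the heap."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine_files(paths: List[str], qdir: Path) -> List[dict]:
    """Hash each listed file and move it under qdir; return a manifest.

    Moving instead of deleting keeps a copy for analysis or restore, and the
    hash gives you something to look up before deciding a file was only a
    keygen.  A missing path is recorded rather than treated as an error: the
    log posted after running the script lists fewer deletions than the script
    named, because some files were already gone.
    """
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for entry in paths:
        src = Path(entry)
        if not src.is_file():
            manifest.append({"path": str(src), "status": "missing"})
            continue
        digest = sha256_of(src)
        # prefix with part of the hash so two 'keygen.exe' files cannot collide
        dst = qdir / f"{digest[:12]}_{src.name}"
        shutil.move(str(src), str(dst))
        manifest.append({"path": str(src), "status": "quarantined",
                         "sha256": digest, "quarantined_as": str(dst)})
    return manifest


def run_script(script_text: str, qdir: Path) -> List[dict]:
    """Apply the File:: section.  KillAll:: is parsed but not acted on: in
    ComboFix it means 'stop running processes first', which is out of scope."""
    sections = parse_cfscript(script_text)
    return quarantine_files(sections.get("File", []), qdir)


def make_sample(root=None):
    """Constructed demo input: one fake 'patch.exe' plus a script that also
    names a file which does not exist.  Returns (script_text, root)."""
    root = root or Path(tempfile.mkdtemp(prefix="cfscript_demo_"))
    target = root / "keygens for programs" / "winrar patch"
    target.mkdir(parents=True, exist_ok=True)
    (target / "patch.exe").write_bytes(b"MZ constructed sample, not a real binary\n")
    script = ("KillAll::\nFile::\n"
              f"{target / 'patch.exe'}\n"
              f"\"{target / 'serial.txt'}\"\n")   # quoted form, file absent
    return script, root


if __name__ == "__main__":
    script, root = make_sample()
    for item in run_script(script, root / "Qoobox"):
        print(item)
```

Run it once against the demo tree and the manifest shows one `quarantined` entry with its hash and one `missing` entry; run it a second time and the first entry is reported missing too, which is the same thing the poster's second ComboFix log shows for paths the first run had already removed.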
  11. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

    operating system

    I don't know.

It has Windows XP, and came new with Windows XP. It did not come with a CD, and I don't know how to obtain a replacement now, since the computer and operating system are no longer supported.
  12. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

Could the script kill the OS?
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

If you mean, could the script I wrote kill the OS? No reason it should. But if you have a pirated OS, anything can happen.

If you ordered or bought a new computer from a reputable manufacturer or dealer, the OS should be legitimate.
    I addressed this in my Reply #10.
     
  14. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

    Here's the one from the script

    ComboFix 10-09-24.03 - Admin 09/24/2010 19:29:29.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480.270 [GMT -4:00]
    Running from: c:\documents and settings\Admin\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Admin\My Documents\Downloads\CFScript.txt
    AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

    FILE ::
    "c:\documents and settings\all users\desktop\keygens for programs\bs player\keygen.exe"
    "c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\ahteam.nfo"
    "c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\crack notes.txt"
    "c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\crack_aht.exe"
    "c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\file_id.diz"
    "c:\documents and settings\all users\desktop\keygens for programs\oo.defrag.server-kg.rar"
    "c:\documents and settings\all users\desktop\keygens for programs\oodefrag85professional\keygen.exe"
    "c:\documents and settings\all users\desktop\keygens for programs\poweriso keygen\keygen.exe"
    "c:\documents and settings\all users\desktop\keygens for programs\poweriso keygen\poweriso v3.5.txt"
    "c:\documents and settings\all users\desktop\keygens for programs\registry.mechanic.v6.0.0.750_patch.exe"
    "c:\documents and settings\all users\desktop\keygens for programs\sonysoundforge80dbuild128keygen.rar"
    "c:\documents and settings\all users\desktop\keygens for programs\sound forge\sony sound forge 8.0d build 128.txt"
    "c:\documents and settings\all users\desktop\keygens for programs\tuneup utilities 2007\keygen.exe"
    "c:\documents and settings\all users\desktop\keygens for programs\tuneup utilities 2007\tsrh.nfo"
    "c:\documents and settings\all users\desktop\keygens for programs\tweaknow serial\key\serial.txt"
    "c:\documents and settings\all users\desktop\keygens for programs\ultraiso premium edition 8.6.0 build 1936\ultraiso-patch.exe"
    "c:\documents and settings\all users\desktop\keygens for programs\ultraiso\keygen\brd.nfo"
    "c:\documents and settings\all users\desktop\keygens for programs\ultraiso\ultraiso8serial.txt"
    "c:\documents and settings\all users\desktop\keygens for programs\vmware.prod.kg.exe"
    "c:\documents and settings\all users\desktop\keygens for programs\webroot\serial.txt"
    "c:\documents and settings\all users\desktop\keygens for programs\windvd8platinum\intervideo windvd platinum v8.0.b06.072.txt"
    "c:\documents and settings\all users\desktop\keygens for programs\winzip 11\keygen_1.exe"
    "c:\documents and settings\all users\desktop\keygens for programs\winzip 11\wzcou10.exe"
    "c:\documents and settings\all users\desktop\keygens for programs\winzip 11\wzipse30.exe"
    "c:\documents and settings\all users\desktop\keygens for programs\zonealarmkeygen.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Admin\LOCALS~1\Temp\286.tmp
    c:\documents and settings\Admin\Local Settings\temp\286.tmp
    c:\documents and settings\all users\desktop\keygens for programs\bs player\keygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\ahteam.nfo
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\crack notes.txt
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\crack_aht.exe
    c:\documents and settings\all users\desktop\keygens for programs\diskeeper 11 activation patch\file_id.diz
    c:\documents and settings\all users\desktop\keygens for programs\oo.defrag.server-kg.rar
    c:\documents and settings\all users\desktop\keygens for programs\poweriso keygen\keygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\poweriso keygen\poweriso v3.5.txt
    c:\documents and settings\all users\desktop\keygens for programs\registry.mechanic.v6.0.0.750_patch.exe
    c:\documents and settings\all users\desktop\keygens for programs\sonysoundforge80dbuild128keygen.rar
    c:\documents and settings\all users\desktop\keygens for programs\tuneup utilities 2007\keygen.exe
    c:\documents and settings\all users\desktop\keygens for programs\tuneup utilities 2007\tsrh.nfo
    c:\documents and settings\all users\desktop\keygens for programs\tweaknow serial\key\serial.txt
    c:\documents and settings\all users\desktop\keygens for programs\ultraiso premium edition 8.6.0 build 1936\ultraiso-patch.exe
    c:\documents and settings\all users\desktop\keygens for programs\ultraiso\keygen\brd.nfo
    c:\documents and settings\all users\desktop\keygens for programs\ultraiso\ultraiso8serial.txt
    c:\documents and settings\all users\desktop\keygens for programs\vmware.prod.kg.exe
    c:\documents and settings\all users\desktop\keygens for programs\webroot\serial.txt
    c:\documents and settings\all users\desktop\keygens for programs\zonealarmkeygen.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))
    .

    2010-09-24 03:45 . 2010-09-24 03:45 -------- d-----w- c:\windows\system32\GroupPolicy
    2010-09-24 03:45 . 2010-09-24 03:45 -------- d-----w- c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Pan229.tmp
    2010-09-20 03:23 . 2010-09-20 03:23 -------- d-----w- C:\_OTM
    2010-09-18 03:42 . 2010-09-18 03:42 -------- d-----w- c:\windows\system32\wbem\snmp
    2010-09-18 03:42 . 2010-09-18 03:42 -------- d-----w- c:\windows\system32\xircom
    2010-09-18 03:42 . 2010-09-18 03:42 -------- d-----w- c:\program files\microsoft frontpage
    2010-09-18 00:45 . 2010-09-18 00:45 -------- d-----w- c:\program files\ESET
    2010-09-12 03:11 . 2010-09-23 09:26 323840 ----a-w- c:\documents and settings\All Users\Application Data\Panda Security\Panda Cloud Antivirus\Download\0x04015000\GlobalExe.exe
    2010-09-12 02:52 . 2010-09-12 02:52 -------- d-----w- c:\documents and settings\Admin\Application Data\Panda Security
    2010-09-12 02:51 . 2010-09-12 02:51 -------- d-----w- c:\documents and settings\Admin\Application Data\SurfSecret Privacy Suite
    2010-09-12 02:50 . 2010-09-12 02:50 -------- d-----w- c:\documents and settings\Admin\Application Data\pandasecuritytb
    2010-09-12 02:50 . 2010-09-12 02:50 264 ----a-w- c:\windows\system32\PSUNCpl.dat
    2010-09-12 02:48 . 2010-09-12 02:50 -------- d-----w- c:\program files\Panda Security
    2010-09-12 02:48 . 2010-09-12 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
    2010-09-12 01:00 . 2010-09-12 01:01 -------- d-----w- c:\program files\Common Files\Remote Control Software Common

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 11:38 . 2007-06-09 03:07 74272 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-18 02:46 . 2007-06-08 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-09-18 02:42 . 2007-06-08 23:52 -------- d-----w- c:\program files\MSBuild
    2010-09-17 13:13 . 2009-02-21 20:16 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
    2010-09-14 12:55 . 2008-12-06 05:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-14 03:16 . 2008-12-05 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-14 02:53 . 2008-12-06 05:37 -------- d-----w- c:\program files\CCleaner
    2010-09-12 00:59 . 2007-12-21 05:24 -------- d-----w- c:\program files\Logitech
    2010-06-28 16:44 . 2010-06-28 16:44 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2008-12-05 16:56 . 2008-12-05 16:56 2098 --sha-w- c:\windows\system32\vutofudi.exe
    2008-12-05 19:38 . 2008-12-05 19:38 2098 --sha-w- c:\windows\system32\wayumabe.exe
    2008-12-06 14:47 . 2008-12-06 14:47 2098 --sh--w- c:\windows\system32\yahosuze.exe
    .

    ------- Sigcheck -------

    [-] 2006-12-28 . C5E8C53A50767F016B539D946ED8B121 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
    2010-06-15 13:46 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-06-15 86696]

    [HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
    @="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
    [HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
    2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
    @="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
    [HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
    2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
    "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-27 102400]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
    "HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
    "PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2004-08-04 99840]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoSMHelp"= 1 (0x1)
    "StartMenuLogoff"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-03 22:56 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
    2009-10-23 17:31 326144 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
    2008-11-20 18:06 178688 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2006-11-17 02:04 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTSMMSG]
    2002-07-20 16:22 32768 ----a-w- c:\windows\LTSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LxrAutorun]
    2007-03-07 17:51 24576 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Lexar Media\LxrAutorun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
    2009-11-10 15:14 443728 ----a-w- h:\program files\LeapFrog Connect\Monitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 22:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-12-08 03:30 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 04:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Amazon Download Agent"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "ACDaemon"=2 (0x2)
    "LxrSII1s"=3 (0x3)
    "LeapFrog Connect Device Service"=2 (0x2)
    "IntuitUpdateService"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "h:\\Electronic Arts\\Sports Car GT\\Spcar.exe"=
    "h:\\Sports Car GT\\Spcar.exe"=
    "h:\\Program Files\\Easyshare\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [5/4/2010 8:36 AM 129928]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 5:50 PM 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 5:50 PM 55024]
    R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [12/13/2008 3:25 AM 72672]
    R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/30/2010 1:47 PM 136448]
    R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [5/27/2010 6:39 PM 141384]
    R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/30/2010 1:46 PM 97032]
    R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/30/2010 1:46 PM 111624]
    R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [5/12/2010 10:58 AM 110920]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [6/8/2007 8:46 PM 815819]
    S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [9/26/2008 11:53 PM 515803]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2008 1:35 AM 18560]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 5:50 PM 7408]
    S4 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/20/2010 10:11 AM 401920]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
    2004-08-04 04:00 11776 ----a-w- c:\program files\Windows Sidebar\regsvr32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
    2004-08-04 04:00 11776 ----a-w- c:\program files\Windows Sidebar\regsvr32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
    2006-11-09 04:57 38912 ----a-w- c:\vaio\vshellext.dll
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: cmicompany.com\mail
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: mazdamotorsports.com\www
    Trusted Zone: vanguard.com\personal
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\hge8xhz3.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=panda1_0yatb&p=
    FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\hge8xhz3.default\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}\components\dtTransparency.dll
    FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\hge8xhz3.default\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}\components\dtTransparency3.5.dll
    FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\hge8xhz3.default\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}\components\dtTransparency3.6.dll
    FF - component: c:\program files\Panda Security\Panda ID Protect\Firefox\components\FFKeypad.dll
    FF - plugin: c:\documents and settings\Admin\Application Data\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: h:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
    FF - plugin: h:\program files\DivX\DivX Web Player\npdivx32.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-24 19:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(768)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(2408)
    c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
    c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
    c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\SOUNDMAN.EXE
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-24 19:51:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-24 23:51
    ComboFix2.txt 2010-09-18 00:13



    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
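A helper reads a log like the one above by eye; the entries that matter here are the three 2098-byte executables in c:\windows\system32 with random eight-letter names and the `s`/`h` (system, hidden) attribute flags, which is the pattern behind the "at least a Vundo infection" remark, plus the `AV:` header showing on-access scanning disabled. The following is an added triage example written for this page (not a ComboFix feature and not from either poster): it parses entries in the Find3M layout and the `AV:` header and flags those two things. The sample lines are copied from the log above; the reading of the attribute string (`d` directory, `s` system, `h` hidden, `a` archive, `w` writable) is inferred from how the log's own entries look, not from any published ComboFix format, and the size and name thresholds are this example's own heuristic.

```python
"""Flag hidden/system executables and a disabled AV in a pasted ComboFix log.

Added example.  Entry format and attribute letters are read off the log
itself (e.g. 'd-----w-' for directories, '----a-w-' for plain files,
'--sha-w-' for the suspicious ones); ComboFix does not document them.
"""
import re

# "<date> . <date> <size|--------> <8 attr chars> <path>"; ComboFix prints
# two timestamps without labelling which is modified and which is created.
FIND3M_LINE = re.compile(
    r"^(?P<stamp_left>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<stamp_right>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>.+)$"
)
# eight lowercase letters then .exe/.dll: the naming the three files share
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(exe|dll)$")

# Lines copied from the poster's log, used here as constructed sample input.
SAMPLE_LOG = r"""
AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
2010-09-14 12:55 . 2008-12-06 05:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2008-12-05 16:56 . 2008-12-05 16:56 2098 --sha-w- c:\windows\system32\vutofudi.exe
2008-12-05 19:38 . 2008-12-05 19:38 2098 --sha-w- c:\windows\system32\wayumabe.exe
2008-12-06 14:47 . 2008-12-06 14:47 2098 --sh--w- c:\windows\system32\yahosuze.exe
2010-09-12 02:50 . 2010-09-12 02:50 264 ----a-w- c:\windows\system32\PSUNCpl.dat
""".strip().splitlines()


def parse_find3m(lines):
    """Return one dict per line that matches the Find3M entry layout."""
    entries = []
    for line in lines:
        m = FIND3M_LINE.match(line.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        size = m.group("size")
        entries.append({
            "path": m.group("path"),
            "size": int(size) if size.isdigit() else None,  # None for dirs
            "attrs": attrs,
            "directory": attrs.startswith("d"),
            "system": "s" in attrs,
            "hidden": "h" in attrs,
        })
    return entries


def suspicious_entries(entries, max_size=65536):
    """(path, reasons) for entries matching either heuristic.

    Legitimate binaries in system32 are not shipped hidden+system, and small
    executables with random lowercase names are not how vendors name files.
    """
    hits = []
    for e in entries:
        path = e["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if ("\\windows\\system32\\" in path and e["hidden"]
                and e["system"] and not e["directory"]):
            reasons.append("hidden+system file in system32")
        if e["size"] is not None and e["size"] <= max_size and RANDOM_NAME.match(name):
            reasons.append("small executable with random 8-letter name")
        if reasons:
            hits.append((e["path"], reasons))
    return hits


def av_disabled(lines):
    """Product name from the 'AV:' header if it reports on-access scanning
    disabled, else None."""
    for line in lines:
        s = line.strip()
        if s.startswith("AV:") and "*On-access scanning disabled*" in s:
            return s[3:].split("*")[0].strip()
    return None


if __name__ == "__main__":
    for path, reasons in suspicious_entries(parse_find3m(SAMPLE_LOG)):
        print(path, "->", "; ".join(reasons))
    print("AV with on-access scanning disabled:", av_disabled(SAMPLE_LOG))
```

Against the sample it flags exactly the three system32 executables, each for both reasons, and names Panda Cloud Antivirus as the product whose real-time protection is off; the Malwarebytes directory, the DivX plugin and the tiny PSUNCpl.dat are left alone. It is a triage aid, not a verdict: a hit is a reason to pull the file and check its hash, nothing more.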
  15. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

    Here's the after

    ComboFix 10-09-24.03 - Admin 09/24/2010 23:00:53.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480.168 [GMT -4:00]
    Running from: c:\documents and settings\Admin\My Documents\Downloads\ComboFix.exe
    AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))
    .

    2010-09-24 03:45 . 2010-09-24 03:45 -------- d-----w- c:\windows\system32\GroupPolicy
    2010-09-24 03:45 . 2010-09-24 03:45 -------- d-----w- c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Pan229.tmp
    2010-09-20 03:23 . 2010-09-20 03:23 -------- d-----w- C:\_OTM
    2010-09-18 03:42 . 2010-09-18 03:42 -------- d-----w- c:\windows\system32\wbem\snmp
    2010-09-18 03:42 . 2010-09-18 03:42 -------- d-----w- c:\windows\system32\xircom
    2010-09-18 03:42 . 2010-09-18 03:42 -------- d-----w- c:\program files\microsoft frontpage
    2010-09-18 00:45 . 2010-09-18 00:45 -------- d-----w- c:\program files\ESET
    2010-09-12 03:11 . 2010-09-23 09:26 323840 ----a-w- c:\documents and settings\All Users\Application Data\Panda Security\Panda Cloud Antivirus\Download\0x04015000\GlobalExe.exe
    2010-09-12 02:52 . 2010-09-12 02:52 -------- d-----w- c:\documents and settings\Admin\Application Data\Panda Security
    2010-09-12 02:51 . 2010-09-12 02:51 -------- d-----w- c:\documents and settings\Admin\Application Data\SurfSecret Privacy Suite
    2010-09-12 02:50 . 2010-09-12 02:50 -------- d-----w- c:\documents and settings\Admin\Application Data\pandasecuritytb
    2010-09-12 02:50 . 2010-09-12 02:50 264 ----a-w- c:\windows\system32\PSUNCpl.dat
    2010-09-12 02:48 . 2010-09-12 02:50 -------- d-----w- c:\program files\Panda Security
    2010-09-12 02:48 . 2010-09-12 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
    2010-09-12 01:00 . 2010-09-12 01:01 -------- d-----w- c:\program files\Common Files\Remote Control Software Common

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 11:38 . 2007-06-09 03:07 74272 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-18 02:46 . 2007-06-08 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-09-18 02:42 . 2007-06-08 23:52 -------- d-----w- c:\program files\MSBuild
    2010-09-17 13:13 . 2009-02-21 20:16 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
    2010-09-14 12:55 . 2008-12-06 05:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-14 03:16 . 2008-12-05 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-14 02:53 . 2008-12-06 05:37 -------- d-----w- c:\program files\CCleaner
    2010-09-12 00:59 . 2007-12-21 05:24 -------- d-----w- c:\program files\Logitech
    2010-06-28 16:44 . 2010-06-28 16:44 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2008-12-05 16:56 . 2008-12-05 16:56 2098 --sha-w- c:\windows\system32\vutofudi.exe
    2008-12-05 19:38 . 2008-12-05 19:38 2098 --sha-w- c:\windows\system32\wayumabe.exe
    2008-12-06 14:47 . 2008-12-06 14:47 2098 --sh--w- c:\windows\system32\yahosuze.exe
    .

    ------- Sigcheck -------

    [-] 2006-12-28 . C5E8C53A50767F016B539D946ED8B121 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-09-18_00.07.25 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-25 02:46 . 2010-09-25 02:46 16384 c:\windows\temp\Perflib_Perfdata_754.dat
    + 2010-09-18 02:45 . 2010-09-18 02:45 80696 c:\windows\assembly\GAC\Microsoft.Office.Interop.Access.Dao\12.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll
    + 2010-09-24 03:45 . 2010-07-16 20:31 714048 c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Pan229.tmp\setup.exe
    + 2007-06-08 13:57 . 2010-09-24 23:40 279744 c:\windows\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
    2010-06-15 13:46 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-06-15 86696]

    [HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
    @="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
    [HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
    2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
    @="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
    [HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
    2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
    "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-27 102400]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
    "HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
    "PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2004-08-04 99840]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoSMHelp"= 1 (0x1)
    "StartMenuLogoff"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-03 22:56 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
    2009-10-23 17:31 326144 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
    2008-11-20 18:06 178688 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2006-11-17 02:04 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTSMMSG]
    2002-07-20 16:22 32768 ----a-w- c:\windows\LTSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LxrAutorun]
    2007-03-07 17:51 24576 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\Lexar Media\LxrAutorun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
    2009-11-10 15:14 443728 ----a-w- h:\program files\LeapFrog Connect\Monitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 22:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-12-08 03:30 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 04:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Amazon Download Agent"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "ACDaemon"=2 (0x2)
    "LxrSII1s"=3 (0x3)
    "LeapFrog Connect Device Service"=2 (0x2)
    "IntuitUpdateService"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "h:\\Electronic Arts\\Sports Car GT\\Spcar.exe"=
    "h:\\Sports Car GT\\Spcar.exe"=
    "h:\\Program Files\\Easyshare\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [5/4/2010 8:36 AM 129928]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 5:50 PM 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 5:50 PM 55024]
    R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [12/13/2008 3:25 AM 72672]
    R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/30/2010 1:47 PM 136448]
    R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [5/27/2010 6:39 PM 141384]
    R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/30/2010 1:46 PM 97032]
    R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/30/2010 1:46 PM 111624]
    R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [5/12/2010 10:58 AM 110920]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [6/8/2007 8:46 PM 815819]
    S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [9/26/2008 11:53 PM 515803]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2008 1:35 AM 18560]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 5:50 PM 7408]
    S4 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/20/2010 10:11 AM 401920]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
    2004-08-04 04:00 11776 ----a-w- c:\program files\Windows Sidebar\regsvr32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
    2004-08-04 04:00 11776 ----a-w- c:\program files\Windows Sidebar\regsvr32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
    2006-11-09 04:57 38912 ----a-w- c:\vaio\vshellext.dll
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: cmicompany.com\mail
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: mazdamotorsports.com\www
    Trusted Zone: vanguard.com\personal
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\hge8xhz3.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=panda1_0yatb&p=
    FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\hge8xhz3.default\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}\components\dtTransparency.dll
    FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\hge8xhz3.default\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}\components\dtTransparency3.5.dll
    FF - component: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\hge8xhz3.default\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}\components\dtTransparency3.6.dll
    FF - component: c:\program files\Panda Security\Panda ID Protect\Firefox\components\FFKeypad.dll
    FF - plugin: c:\documents and settings\Admin\Application Data\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: h:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
    FF - plugin: h:\program files\DivX\DivX Web Player\npdivx32.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-24 23:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(716)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(3448)
    c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
    c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
    c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-09-24 23:14:19
    ComboFix-quarantined-files.txt 2010-09-25 03:14
    ComboFix2.txt 2010-09-24 23:51
    ComboFix3.txt 2010-09-18 00:13

    Pre-Run: 2,017,071,104 bytes free
    Post-Run: 2,006,425,600 bytes free

    - - End Of File - - 5F3E03DE57F90F1B40FA943A26D271E0
  16. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

    Should I defrag?

    and should I use something other than MS defrag?
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You didn't need to run Combofix again. A log is generated after the script has been run. Then, if there are additional entries, I will set it up again.

    I am not comfortable with the very high number of programs you pirated. Although I moved some data from them, I did not uninstall any of the programs you might have used the keygens on.

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. Save the log to your desktop; we will use it later.

      To Use The Uninstall Manager
    7. Start HijackThis
    8. Click on the Config button
    9. Click on the Misc Tools button
    10. Click on the Open Uninstall Manager button.
      You will now be presented with a screen similar to the one below:
    11. Highlight program to be removed
      Uninstall any programs which used the keygens. You can look in the list of data from these programs in Reply #13 & 14.
    12. Click on the Delete this entry button.
    13. Click on the Save list button. When you press the Save button, a notepad will open with the contents of that file. Copy and paste the contents of that notepad into your next reply.

    Close HijackThis. Reboot the Computer. Empty the Recycle Bin

    One of the entries in the keygen group was Win32/HackTool.Patcher.A. HackTool:Win32/PatchA is a generic detection for a series of hacking tools intended to "patch" programs that may be evaluation copies, or unregistered versions with limited features. It is a user-interactive program that does not automatically run at Windows start, or run as a hidden process.

    Until I know that all pirated programs and the information from them is gone, I can't offer any more support. I would suggest that you do a clean reinstall if you can find an appropriate, legitimate disc.

    I also noted these entries from 9/12/2010:
    c:\program files\Common Files\Remote Control Software Common
  18. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

    thanks for your help

    As I have said, I do not use any of the programs the keygens were for. In fact only a couple were even in add programs, and they have been removed.

    My best guess, is that he loaded all keygens, in case I wanted to use any of those programs.

    Obviously, I cannot prove any of this, except to say that this old computer will only continue to run if I am diligent about keeping the minimum software needed to do the few things I use it for, I doubt it would even run those programs.

    I appreciate your help.

    I have moved my documents from C: to another drive and now need to defrag the C: drive. I was using 18 of 20 GB, and I think this is why the computer has been getting gradually slower.
  19. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

    I'm confused

    Above you said "Save this as CFScript.txt, in the same location as ComboFix.exe


    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Part of the Combofix log is missing.

    Do a new scan with Combofix when finished to above. Be sure to reboot after running the script before you do the new scan."


    But then you said I shouldn't have run it twice.
  20. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

    uninstall log

    7-Zip 4.31
    Ad-Aware SE Professional
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop CS2
    Adobe Shockwave Player 11.5
    Advanced Photo Editor
    Amazon Games & Software Downloader
    ArcSoft Print Creations
    ArcSoft Print Creations - Album Page
    ArcSoft Print Creations - Funhouse
    ArcSoft Print Creations - Greeting Card
    ArcSoft Print Creations - Photo Book
    ArcSoft Print Creations - Photo Calendar
    ArcSoft Print Creations - Scrapbook
    ArcSoft Print Creations - Slimline Card
    Autodesk MapGuide(R) Viewer ActiveX Control Release 6.5
    CCleaner
    CCScore
    Digital Camera
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Web Player
    ESET Online Scanner v3
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    Foxit Reader
    Foxit Toolbar
    Google SketchUp 7
    HD-DV decoder
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB945060-v3)
    Icatch(IV) Camera Driver
    iSEEK AnswerWorks English Runtime
    Java(TM) 6 Update 11
    K-Lite Codec Pack 2.80 Full
    Kodak EasyShare software
    LeapFrog Connect
    LeapFrog Connect
    LeapFrog Tag Plugin
    Logitech Harmony Remote Software 7
    Lucent Technologies Soft Modem AMR
    Malwarebytes' Anti-Malware
    Memory Stick Formatter
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Enterprise 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Midnight Outlaw Illegal Street Drag
    Mozilla Firefox (3.5.13)
    MSN
    MSXML 6.0 Parser
    Nero 7 Premium
    netbrdg
    Norton PartitionMagic 8.0
    OfotoXMI
    OpenOffice.org 2.1
    Panda Cloud Antivirus
    Panda Cloud Antivirus
    Panda Identity Protect 3.0.44
    Panda Security Toolbar
    Photosmart 130,230,7150,7345,7350,7550 (Remove only)
    PokerStars.net
    QuickTime Alternative 1.70
    Real Alternative 1.49
    Realtek AC'97 Audio
    Remote Control USB Driver
    RocketDock 1.3.0
    Security Update for Excel 2007 (KB934670)
    Security Update for Office 2007 (KB934062)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    SEGA RALLY 2
    SFR
    SHASTA
    skin0001
    SKINXSDK
    Sports Car GT
    Spybot - Search & Destroy
    staticcr
    SUPERAntiSpyware Free Edition
    tooltips
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax 2009 wvaiper
    Update for Office 2007 (KB932080)
    Update for Office 2007 (KB933688)
    Update for Office 2007 (KB934393)
    Update for Outlook 2007 Junk Email Filter (KB934655)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Word 2007 (KB934173)
    Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
    VC80CRTRedist - 8.0.50727.762
    VPRINTOL
    Windows Driver Package - LeapFrog (FlyUsb) USB (06/15/2007 1.0.0.6)
    Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
    Windows Imaging Component
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows Sidebar
    WingMan Software
    WIRELESS
  21. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

    hijackthis log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:16:34 PM, on 9/26/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\DfrgNtfs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    H:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O4 - HKLM\..\Run: [PSUNMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
  22. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

    What program should I use to defrag?
  23. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

    Help!

    Combofix quarantined my msconfig file
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:
    None of these processes need to start on boot and run in the background.

    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\system32\DfrgNtfs.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe


    Close all Windows except HijackThis and click on "Fix Checked."

    FYI
    DfrgNtfs.exe is the Windows Defragment utility. If you do not want to use this, stop it and download another program from the internet.
    SiSUSBrg.exe is the USB Registry Patch File - fixes the undetectable problem with SiS USB controller on Windows XP
    hpztsb07.exe adds a system tray icon to your taskbar that will assist in diagnosing problems with your Hewlett Packard printer. HPDJ Taskbar Utility is for HP Deskjet printers to do maintenance tasks and diagnostics.

    You're already running a defrag in the background. Combofix did not remove msconfig. If the system isn't working as it should, it is most likely because it is not a legitimate version. You said it yourself that you do not have the OS that came with the computer, that the Sony processes were getting blocked, that you have 'your own' versions of the software you run.
    It is very possible that you also have a compatibility issue.

    I wanted Combofix rerun originally because part of it was missing. You then ran the script and it generated a log after that. Then you ran Combofix again. You did not need to run it again at that point.

    I'm sorry you aren't getting the results you wanted. I think there is a good chance that the OS itself is not legitimate. When we use software for which there is a charge, we are paying for the license to use it. It is not our own copy of the software. It still belongs to the author.

    I have spent too much time as it is working on your system. Once I saw the first indication of piracy I should have withdrawn my support. It is not a matter of 'trust.'

    Just so you know, you have a slim chance of finding a netbook that matches the speed of a laptop or desktop.
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
  25. dmcrx7

    dmcrx7 Newcomer, in training Topic Starter Posts: 42

    Thank you for your help

    I found my msconfig file in c:/Qoobox/Quarantine/C/ with a .vir extension
    so assumed Combofix moved it there

    Now that I have followed your instructions, moved My Documents from the C: drive, and defragged the C: drive, the computer is running much better, so thank you.

    I am concerned about your post that I have a vundo infection, as I missed that in the logs.