got a virus i can't see

Microsoft Works → MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Might and Magic VI: The Mandate of Heaven → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3DO\Might and Magic VI\Might and Magic® VI.isu" -c"C:\Program Files\Common Files\3DO Shared\3DOUnInst.dll
Might and Magic VII, For Blood and Honor → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3DO\Might and Magic VII\Might and Magic VII.isu" -c"C:\Program Files\Common Files\3DO Shared\3DOUnInst.dll
Might and Magic VIII: Day of the Destroyer → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3DO\Might and Magic VIII\Might and Magic Day of the Destroyer.isu" -c"C:\Program Files\Common Files\3DO Shared\3DOUnInst.dll
Monster Buck Pack, DH2 & DH2 Extended Season → C:\WINDOWS\IsUninst.exe -f"c:\Program Files\Deer Hunter 2\Uninst.isu"
MS Access 97 SP2 → C:\Program Files\Microsoft Office\setup\setup.exe
MSN → C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
muvee autoProducer 4.5 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{286F29AF-0BE2-4D5F-AB17-B7631A810553}\setup.exe” -l0x9
MyDsc2 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{83D96ED0-98AA-4515-8DDC-816F3EFDD104}\Setup.exe” -l0x9
MySpaceIM → MsiExec.exe /I{3BA59EE1-6D83-4CAE-A0B9-6B91BD44A14B}
Netscape Browser (remove only) → “C:\Program Files\Netscape\Netscape Browser\NSUninst.exe”
Oasis from Hewlett-Packard Laptops (remove only) → “C:\Program Files\WildTangent\Apps\GameChannel\Games\E332F38A-75F6-4EF2-88CC-246E8A1CB5D7\Uninstall.exe”
Office 2003 Trial Assistant → MsiExec.exe /I{47D2103B-FD51-4017-9C20-DD408B17D726}
Opera 9.10 → MsiExec.exe /X{5D582D33-EB35-4D77-B7AF-403322D947E6}
Opera 9.23 → MsiExec.exe /X{E9EEE4CB-CB2B-4273-9AF5-7E12022B444B}
Pinball → MsiExec.exe /X{0187C675-40EC-4DDB-8ED9-A4A65F44C24E}
Polar Bowler from Hewlett-Packard Laptops (remove only) → “C:\Program Files\WildTangent\Apps\GameChannel\Games\7F8C5718-1BA9-4AAE-96D2-2B04D05F2D54\Uninstall.exe”
Polar Golfer from Hewlett-Packard Laptops (remove only) → “C:\Program Files\WildTangent\Apps\GameChannel\Games\D2E44AA4-8665-4490-A6C9-2D0744B47B27\Uninstall.exe”
Project64 1.6 → MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
Puzzle Express from Hewlett-Packard Laptops (remove only) → “C:\Program Files\WildTangent\Apps\GameChannel\Games\EF860173-4FB7-4DE1-8BE8-5400F05A0DC5\Uninstall.exe”
Quick Launch Buttons 5.20 F2 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe” -l0x9 -uninst
Quicken 2006 → MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
Rhapsody Player Engine → MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Rocky Mountain Trophy Hunter → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Rocky Mountain Trophy Hunter\Uninst.isu"
Rocky Mountain Trophy Hunter 2 → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Rocky Mountain Trophy Hunter 2\Uninst.isu"
Rocky Mountain Trophy Hunter 3 → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Rocky Mountain Trophy Hunter 3\Uninst.isu"
Rocky Mountain Trophy Hunter Alaskan Expedition → C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Rocky Mountain Trophy Hunter\RMTH2.isu" -c"C:\Program Files\Rocky Mountain Trophy Hunter\RMTH2UIS.dll"
RollerCoaster Tycoon Deluxe → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{924EAD66-F854-4605-8493-696DD59A113B}\Setup.exe” -l0x9
SCRABBLE from Hewlett-Packard Laptops (remove only) → “C:\Program Files\WildTangent\Apps\GameChannel\Games\103EFD47-9F2C-4490-95DD-AE6C442AFB92\Uninstall.exe”
Security Update for CAPICOM (KB931906) → MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) → MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) → “C:\WINDOWS$NtUninstallKB898458$\spuninst\spuninst.exe”
Security Update for Step By Step Interactive Training (KB923723) → “C:\WINDOWS$NtUninstallKB923723$\spuninst\spuninst.exe”
Sierra Utilities → C:\Program Files\Sierra On-Line\sutil32.exe uninstall

SimCity 2000® CD Collection → C:\WINDOWS\uninst.exe -f"C:\Program Files\Maxis\SimCity 2000\DeIsL1.isu"
SimCity 3000 Unlimited → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Maxis\SimCity 3000 Unlimited\DeIsL1.isu" -c"C:\Program Files\Maxis\SimCity 3000 Unlimited_UnInstall.dll"
SimCity 4 Rush Hour → C:\Documents and Settings\Ritalee\My Documents\EAUninstall.exe
Slingo Deluxe from Hewlett-Packard Laptops (remove only) → “C:\Program Files\WildTangent\Apps\GameChannel\Games\C264D692-8E15-4141-96A2-5621332E5DD0\Uninstall.exe”
Slyder from Hewlett-Packard Laptops (remove only) → “C:\Program Files\WildTangent\Apps\GameChannel\Games\B0202B33-E73D-4FCD-AC88-0B2971AFC116\Uninstall.exe”
Smart Menus (Windows Live Toolbar) → MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
Snowboard SuperJam → “C:\Program Files\WildTangent\Apps\GameChannel\Games\DED8E2B5-BA9F-448F-84E8-0AEF79876F95\Uninstall.exe”
Sonic Audio Module → MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module → MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module → MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler → MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus → MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager → MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy → “C:\Program Files\Spybot - Search & Destroy\unins001.exe”
Spybot - Search & Destroy 1.5.2.20 → “C:\WINDOWS\unins000.exe”
Starcraft → C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
Super Granny from Hewlett-Packard Laptops (remove only) → “C:\Program Files\WildTangent\Apps\GameChannel\Games\7ED8A70C-9597-40BE-AEA0-0573182F1F51\Uninstall.exe”
Synaptics Pointing Device Driver → rundll32.exe “C:\Program Files\Synaptics\SynTP\SynISDLL.dll”,standAloneUninstall
TeraNet → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{40139BDF-B715-4994-A1BA-6B452DB3FC7B}\Setup.exe” -l0x9
Terayon DOCSIS Modem → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{C98F2FE6-5AF5-11D6-8209-00D0B701C7B5}\Setup.exe” -l0x9
Texas Instruments PCIxx21/x515/xx12 drivers. → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
TOSHIBA gigabeat applications 2.0.2 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{33DF47F1-B83A-4EB5-AA56-EAB28A1EAE14}\setup.exe” UNINSTALLUNINSTALL
TourSetup → MsiExec.exe /I{A01FC76F-CC09-4658-9E37-5C2F635EE708}
Tradewinds from Hewlett-Packard Laptops (remove only) → “C:\Program Files\WildTangent\Apps\GameChannel\Games\1C3FDBBA-EBF7-4CDB-AD8A-A1125734AF86\Uninstall.exe”
Tudoo 3.0.1 → “C:\Program Files\Tudoo\unins000.exe”
Viewpoint Manager (Remove Only) → C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player → C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Viewpoint Toolbar V35 (Remove Only) → C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarInstaller.exe /u /k
Warcraft II BNE → C:\WINDOWS\W2BNEUnin.exe C:\WINDOWS\W2BNEUnin.dat
Windows Live Messenger → MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant → MsiExec.exe /I{F652D238-5F29-42D5-BAF3-0115EF977EC2}
Windows Live Toolbar → “C:\Program Files\Windows Live Toolbar\UnInstall.exe” {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar → MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Wireless Home Network Setup → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{09D8492A-C8E2-421E-927D-46800FB327A3}\setup.exe” -l0x9 -removeonly
Yahoo! Browser Services → C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Internet Mail → C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger → C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar → C:\PROGRA~1\Yahoo!\Common\unyt.exe
YAMAHA SoftSynthesizer S-YXG70 → C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL1.isu -c"C:\WINDOWS\system32\sxgunins.dll

ZoneAlarm → C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker → rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O
Zuma Deluxe from Hewlett-Packard Laptops (remove only) → “C:\Program Files\WildTangent\Apps\GameChannel\Games\074EEF5F-3BE8-4112-B253-C5D6CDE2924C\Uninstall.exe”

– Application Event Log -------------------------------------------------------

Event Record #/Type11711 / Error
Event Submitted/Written: 03/22/2008 03:49:10 PM
Event ID/Source: 11101 / MsiInstaller
Event Description:
Product: Java™ 6 Update 5 – Error 1101.Error reading from file: http://javadl-esd.sun.com/update/1.6.0/sp-1.6.0_05/sp1033.MST. System error 123. Verify that the file exists and that you can access it.

Event Record #/Type11710 / Error
Event Submitted/Written: 03/22/2008 03:47:23 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application msiexec.exe, version 3.1.4000.1823, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type11709 / Error
Event Submitted/Written: 03/22/2008 03:34:28 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application netscape.exe, version 8.1.2.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type11705 / Error
Event Submitted/Written: 03/22/2008 02:54:20 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.2.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type11696 / Error
Event Submitted/Written: 03/22/2008 06:58:38 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application aim.exe, version 5.9.3861.0, faulting module unknown, version 0.0.0.0, fault address 0x1221254f.
Processing media-specific event for [aim.exe!ws!]

– Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

– System Event Log ------------------------------------------------------------

Event Record #/Type62464 / Error
Event Submitted/Written: 03/22/2008 05:35:47 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service failed to start due to the following error:
%%1053

Event Record #/Type62463 / Error
Event Submitted/Written: 03/22/2008 05:35:46 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.

Event Record #/Type62462 / Error
Event Submitted/Written: 03/22/2008 05:35:14 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service failed to start due to the following error:
%%1053

Event Record #/Type62461 / Error
Event Submitted/Written: 03/22/2008 05:35:14 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.

Event Record #/Type62457 / Error
Event Submitted/Written: 03/22/2008 05:34:38 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service failed to start due to the following error:
%%1053

– End of Deckard’s System Scanner: finished at 2008-03-22 17:48:17 ------------

ok, I got the logs. Have to go out for awhile. I’ll check them when I get back.

ok i will be here reading or doing ebay. :smiley: hopefully i can keep connected i keep losing my connection.

I’ve gone over the logs, including what you sent from the avast warning log.

3/20/2008 12:03:31 PM 1206039811 Ritalee 3428 Sign of "Win32:Trojan-gen {VC}" has been found in "C:\Program Files\HPQ\Default Settings\CpqsetVer.exe" file.
3/20/2008 2:26:00 PM 1206048360 Ritalee 3428 Sign of "Win32:WebSearch-M [Adw]" has been found in "C:\Program Files\Netscape\Netscape Browser\plugins\NPMyWebS.dll" file.
3/20/2008 10:14:55 PM 1206076495 Ritalee 3428 Sign of "Win32:Trojan-gen {VC}" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP509\A0210172.exe" file.
3/20/2008 10:26:47 PM 1206077207 Ritalee 3428 Sign of "Win32:WebSearch-M [Adw]" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP509\A0210184.dll" file.
3/22/2008 12:08:06 AM 1206169686 Ritalee 1164 Sign of "Win32:WebSearch-M [Adw]" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP509\A0210184.dll" file

These are your latest detections. One has been confirmed a false positive by Avira. We’ll check that one out after. 3 are in system restore, which are most likely the same ones only in a restore point.

Did you try to install IncrediMail recently? I see an entry in HJT that doesn’t look quite right.

hello, no i didn't install incredimail it kept asking me to log onto the net and when i did it wouldn't do anything so every day i get a log in later icon on my desktop.

so are these 4 trojans causing me to have a slow boot up time of 7 to 10 minutes?

No, as I said they probably are false positives. We will deal with those after we check a couple of things out.

So we do a little house cleaning.

Open HJT, run a system scan only, check mark these lines if present

O4 - HKLM..\Run: [zzz_ImInstaller_IncrediMail] C:\Documents and Settings\Ritalee\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail

Close all other browsers/windows, click fix, close HJT.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Please post the results of the scan along with a new HJT log taken after the scan.

Thanks.

which cleanup folder do i click to download it?

452 is the newest, 451 comes in either zipped or unzipped.

well i cleaned up 214 mbs of space and now installing the other program

since i screwed up and didn't click ok to view the malwarebytes log i have to start over and since it's 2:27 am and it's late i will do it when i get outta bed.

so sometime tomorrow i will have the other logs for you.

i am sorry i screwed up.

here is the first log. sorry i decided to stay up for it then go to sleep.

Malwarebytes’ Anti-Malware 1.09
Database version: 522

Scan type: Quick Scan
Objects scanned: 34932
Time elapsed: 42 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

last log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:35 AM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [QPService] “C:\Program Files\HP\QuickPlay\QPService.exe”
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM..\Run: [TosGbWatcher] “C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe”
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download.games.yahoo.com/games/web_games/playtime/mahjongescape/PTGameLauncher.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Ritalee\Desktop\tipi inside.jpg


End of file - 11427 bytes

Still not seeing anything that indicates a major infection.

The Malwarebytes’ scan shows some reg keys related to myweb search. Nothing serious, adware. But if you ran the scan twice, something may have been removed the first time. Have a look in the quarantine folder and see what’s there, just tell me what you see. It should be C:\Program Files\Malwarebytes’ Anti-Malware\quaratine

Check this location for this file aswboot.txt

C:\Program Files\ALWIL Software\Avast4\Data\Report

If present it will be the last boottime scan log.

Referring back to the avast warning log, the 4 detections on the 20th would appear to be 2 detections. One for CpqsetVer.exe, which Avira has confirmed on their part as a false positive. One for NPMyWebS.dll. The other 2 are system restore points, which are probably the same 2 files.

So we look elsewhere. DSS is reporting 383mb of ram, you said you had 512mb. Can you confirm this? Right click my computer icon, select properties. You should be able to see your OS, ram.

Which version of Zone Alarm are you using? DSS shows some errors related to ZA.

Have you added any programs, updates just prior to the slow down?
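
The grouping described above for the avast warning log (several alerts, two underlying signatures, the rest copies inside System Restore) can be done mechanically. This is an added example, not part of the original thread: the line format is inferred from the five entries quoted earlier, the field names `epoch` and `num` are assumptions, and a user name containing spaces would not parse.

```python
import re

# The five entries quoted in the thread, one per line.
SAMPLE_LOG = r'''
3/20/2008 12:03:31 PM 1206039811 Ritalee 3428 Sign of "Win32:Trojan-gen {VC}" has been found in "C:\Program Files\HPQ\Default Settings\CpqsetVer.exe" file.
3/20/2008 2:26:00 PM 1206048360 Ritalee 3428 Sign of "Win32:WebSearch-M [Adw]" has been found in "C:\Program Files\Netscape\Netscape Browser\plugins\NPMyWebS.dll" file.
3/20/2008 10:14:55 PM 1206076495 Ritalee 3428 Sign of "Win32:Trojan-gen {VC}" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP509\A0210172.exe" file.
3/20/2008 10:26:47 PM 1206077207 Ritalee 3428 Sign of "Win32:WebSearch-M [Adw]" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP509\A0210184.dll" file.
3/22/2008 12:08:06 AM 1206169686 Ritalee 1164 Sign of "Win32:WebSearch-M [Adw]" has been found in "C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP509\A0210184.dll" file
'''

# Layout inferred from the quoted entries; "epoch" and "num" are assumed names
# for the two numeric fields, whose meaning the thread does not state.
LINE_RE = re.compile(
    r'^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<epoch>\d+) (?P<user>\S+) (?P<num>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.?$'
)

# Files under this directory are System Restore snapshots, not live files.
RESTORE_MARK = '\\system volume information\\_restore{'


def parse_line(line):
    """Return the fields of one warning-log entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_restore_copy(path):
    """True when the detected file sits inside a System Restore point."""
    return RESTORE_MARK in path.lower()


def summarize(log_text):
    """Group alerts by signature, separating live files from restore-point copies.

    Returns (summary, skipped): summary maps signature -> dict with the alert
    count and de-duplicated path lists; skipped holds lines that did not parse,
    so a format change is visible instead of silently dropping alerts.
    """
    summary, skipped = {}, []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            skipped.append(raw)
            continue
        entry = summary.setdefault(rec['sig'], {'hits': 0, 'live': [], 'restore': []})
        entry['hits'] += 1
        bucket = 'restore' if is_restore_copy(rec['path']) else 'live'
        # Windows paths are case-insensitive, so compare lowercased.
        if rec['path'].lower() not in (p.lower() for p in entry[bucket]):
            entry[bucket].append(rec['path'])
    return summary, skipped


if __name__ == '__main__':
    summary, skipped = summarize(SAMPLE_LOG)
    for sig, entry in summary.items():
        print(f"{sig}: {entry['hits']} alert(s)")
        for p in entry['live']:
            print(f"  live file:      {p}")
        for p in entry['restore']:
            print(f"  restore copy:   {p}")
    if skipped:
        print(f"{len(skipped)} line(s) not parsed")
```

The grouping is by signature name only; it does not prove that a restore-point file is a byte-for-byte copy of the live one.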

Hello and good morning or afternoon, i am using zone alarm 7.0.462.000

the malwarebytes doesn't have a quarantine program as i looked.

here is the avast report.

  • avast! Report

  • This file is generated automatically

  • Task ‘Resident protection’ used

  • Started on Saturday, March 22, 2008 11:11:36 PM

  • VPS: 080214-0, 02/14/2008

  • avast! Report

  • This file is generated automatically

  • Task ‘Resident protection’ used

  • Started on Sunday, March 23, 2008 12:33:04 PM

  • VPS: 080322-0, 03/22/2008

i was told i had 512mbs when i bought my laptop new.

the system says amd sempron 3000 1.8 ghz and 384 megs of memory.

i didn't add any programs before the slow down i was browsing the net looking up info on websites on how good a car is.

i also was going thru my spam folder on gmail and looked up some websites as well thru the spam but otherwise i haven't installed any new programs for a long while.

This is the resident log, not the boot time scanning one.

i didn't find the other log.