0

I am new to this site so if I leave any information out or sound stupid I apologize. Google and Yahoo keeps redirecting me to other websites like edmunds.com or other search engines. My browsing speeds have started to slow down and I cannot visit sites like majorgeek.com or install SpyBot S&D. I'm using Firefox and a Compaq laptop Presario V6000. My system restore does not work (I click Next and nothing happens). I have successfully downloaded HiJackThis and Malwarebytes. My laptop makes a clicking sound (the sound of clicking on a google link) randomly even though I'm not using Firefox. This problem started yesterday (I noticed a java icon pop up in the bottom left corner but I ignored it and hid the icon). Also I cannot go into SafeMode. Can anyone help me fix this problem? Any help will be greatly appreciated. :)

Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:25 PM, on 9/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q306&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://img.yahoo.co.kr/multi/2005/tool/player/20060116/SVPorsche.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {9DA9609B-9237-40D3-A66D-24FE73CE3CD0} (IB_SiteSigning.IBSiteSigning) - http://img.sbs.co.kr/vobos/site/IB_SiteSigning.CAB
O16 - DPF: {A5F3B5CF-A05F-479E-B684-13AA512A7B93} (YGLauncher Control) - http://kr.pubbase.yahoo.com/gamesetup/YGLauncher2.cab
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} (SBSWebPlayer Class) - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
O16 - DPF: {C9F2C949-1D30-43BF-A712-2D21048EFE1B} (SBSWebStudio Class) - http://netv.sbs.co.kr/object/editor/SBSWebStudio.cab
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://muzic.sbs.co.kr/player/aod/dll/p3sbsset.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9352 bytes

Here is the Malwarebytes log.

Malwarebytes' Anti-Malware 1.28
Database version: 1221
Windows 5.1.2600 Service Pack 3

9/28/2008 9:31:10 PM
mbam-log-2008-09-28 (21-31-10).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 126365
Time elapsed: 31 minute(s), 8 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Quarantined and deleted successfully.

4
Contributors
24
Replies
25
Views
9 Years
Discussion Span
Last Post by jholland1964
Featured Replies
  • Looks good but that Spybot TeaTimer is running. Believe me, it is more trouble than it is worth. Disable that from running automatically at start up by opening the program. Choose Mode, Advanced. Then you should click Tools at the bottom. When Tools opens you will see a row of … Read More

  • Thanks so much jsong. I am so happy I could help. Judy Read More

0

Hi jsong and welcome to daniweb. Give me a few to look through your logs. DON'T worry right now about System Restore, that is NOT the way to remove an infection. What exactly happens when you try to boot to Safe Mode? Did you add that Trusted Site? http://*.sbs.co.kr
Judy

0

Hey Judy, thanks for replying. When I try to boot into Safemode I use F8 on startup when the vertical line thing flashes (don't know what its called but its the thing that shows up when you type). A list pops up with the option of Safemode, Safemode with Networking and some other things. I have tried Safemode with Networking and Safemode both with the same results. After I select it with the arrow key I press Enter and a black background shows up with a wall of white letters that look something like this.

C:\WINDOWS\system32\drivers\svchost.exe

Except the ending is different for each one. I know that the last one says "mup.exe" or something like that and it stays like that and the desktop never shows up so I just take out the battery for my laptop and when I reboot the options come up for Safemode, Safemode with Networking and the usuals. This time I pick the option "Load from last working settings" or something similar to that. My father added that trusted site.

I got a few questions.
Is this virus removable?
Is the HJT log clean?
What is this clicking sound I randomly hear from time to time? (the sound of clicking on a link even though my computer is idle)

Thanks for your help. Reply soon. :)

0

THE FIRST ONE IS EXPLAINED WRONG!!
EDITED:

Hey Judy, thanks for replying. When I try to boot into Safemode I use F8 on startup when the vertical line thing flashes (don't know what its called but its the thing that shows up when you type). A list pops up with the option of Safemode, Safemode with Networking and some other things. I have tried Safemode with Networking and Safemode both with the same results. After I select it with the arrow key I press Enter and the loading bar on the bottom shows up and it just freezes. I reboot my computer by holding the power button after it reboots then the list of options shows up again and when I pick Safemode it shows a black background with a wall of white letters that look something like this.

Multi(0)disk(0)rdisk(0)partition(1)\windows\system32\drivers\mup.sys

Except the ending is different for each one. I know that the last one says "mup.sys" and it stays like that and the desktop never shows up so I just take out the battery for my laptop and when I reboot the options come up for Safemode, Safemode with Networking and the usuals. This time I pick the option "Start windows normally".

0

I think I know why my laptop is not booting to Safemode.

I found this on bleepingcomputer.com (I'm on my desktop right now because my laptop can not go to bleepingcomputer.com)

"On a computer that is operating properly this is normally not a problem. Unfortunately, though, a new trick that some of the more recent malware are using is to delete certain Windows Registry keys so that your computer can not properly boot into safe mode. It is in these situations that using the System Configuration utility to boot into safe mode can cause the computer to become inoperable for many users."

0

Try using this option to go to Safe Mode;
Using the F8 Method

1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode

0

It still doesn't work. I think the problem can be explained in this paragraph from bleepingcomputers.com

"On a computer that is operating properly this is normally not a problem. Unfortunately, though, a new trick that some of the more recent malware are using is to delete certain Windows Registry keys so that your computer can not properly boot into safe mode. It is in these situations that using the System Configuration utility to boot into safe mode can cause the computer to become inoperable for many users."

0

Hi jsong, I sincerely apologize for not getting back to you yesterday, personal appointments kept me away much of the day. For now, don't worry about Safe Mode.
I would like you to try to do the following;

Please download ComboFix by sUBs from HERE or HERE

* You must download it to and run it from your Desktop
* Physically disconnect from the internet.
* Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
* Double click combofix.exe & follow the prompts.
* When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
* Re-enable all the programs that were disabled during the running of ComboFix..


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

0

In the interest of being thorough, you might see if your situation parallels what is described here:

http://www.daniweb.com/forums/thread148035-8.html

The issue described therein has been resolved -- I've merely summarized the effects and a solution as best I can.

I apologize if this qualifies as hijacking the thread. If this is judged to be so, I shall withdraw.

Best of luck.

0

My laptop will not start anymore. It gets to the Windows XP screen and shows that its loading but after that it shows a blank screen and the desktop never shows up.

0

If that is what you choose to do then that is fine. Be sure you have all the disks which came with the computer as you will also need to re-install all drivers.
Judy

0

What disks do I need? The laptop did not come with any disks. I figured out how to turn my laptop back on but it takes a while. I have to reboot the computer 6-8 times in advanced options before it actually starts. What should I do? Do I run HJT?

0

This is from my Laptop. I had a rootkit. Is this log clean?

ComboFix 08-10-02.04 - jacob 2008-10-02 7:40:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.615 [GMT -4:00]
Running from: C:\Documents and Settings\jacob\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\TDSSadw.dll
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\TDSSmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\TDSSserf1.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\windows_update.exe
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\tdssserv.sys
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-09-02 to 2008-10-02 )))))))))))))))))))))))))))))))
.

2008-09-29 21:55 . 2008-10-02 07:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-29 21:13 . 2008-09-29 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-09-29 21:13 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-09-29 21:13 . 2008-09-29 21:15 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-09-29 21:11 . 2008-09-29 21:47 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-09-29 21:05 . 2008-09-29 21:05 <DIR> d-------- C:\Program Files\Windows Defender
2008-09-29 21:01 . 2008-09-29 21:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-29 20:19 . 2008-09-29 20:19 <DIR> d-------- C:\Program Files\CCleaner
2008-09-28 22:40 . 2008-09-28 22:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-28 20:51 . 2008-09-28 20:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-28 20:51 . 2008-09-28 20:51 <DIR> d-------- C:\Documents and Settings\jacob\Application Data\Malwarebytes
2008-09-28 20:51 . 2008-09-28 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-28 20:51 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-28 20:51 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 11:40 . 2008-09-20 11:40 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-20 11:40 . 2008-09-20 11:40 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-20 11:40 . 2008-09-20 11:40 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-20 11:40 . 2008-09-20 11:40 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-20 11:36 . 2008-09-20 11:40 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-20 01:22 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-09-20 01:21 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-09-20 01:20 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-02 03:33 3,642 ----a-w C:\Documents and Settings\jacob\Application Data\wklnhst.dat
2008-09-29 02:24 90,112 ----a-w C:\WINDOWS\DUMP2673.tmp
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 128000]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-26 7561216]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-04-26 86016]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-02 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"WildTangent CDA"="C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" [2005-03-28 28616]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"nwiz"="nwiz.exe" [2006-04-26 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 C:\WINDOWS\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-17 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldA.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\_ishieldB.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\muz.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\korean4sh0\\condition zero\\hl.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\korean4sh0\\counter-strike\\hl.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S0 ulwb;ulwb;C:\WINDOWS\system32\drivers\ckbamnff.sys [ ]
S1 _ishieldA;_ishieldA;C:\WINDOWS\system32\drivers\_ishieldA.sys [ ]
S1 _ishieldB;_ishieldB;C:\WINDOWS\system32\drivers\_ishieldB.sys [ ]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 17142]
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-25 173056]
S3 zenx1;zenx1;C:\Documents and Settings\jacob\Desktop\ZenxEngine_LATEST_3\ZenxEngine_LATEST\zenx.sys [ ]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM Startup - C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\1oyuiesy.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.myspace.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 07:41:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????,?@? ????}??????R?@?????,?@

scanning hidden files ...


C:\DOCUME~1\jacob\LOCALS~1\Temp\RGI3.tmp 6932 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-10-02 7:43:42
ComboFix-quarantined-files.txt 2008-10-02 11:43:22

Pre-Run: 88,716,156,928 bytes free
Post-Run: 88,906,227,712 bytes free

173 --- E O F --- 2008-09-20 23:27:20

0

Do another scan with MBA-M. Be sure to update first then do the scan and have it fix everything it finds. Save that log. Reboot.
Then run HJT again and post that log along with the MBA-M log
Judy

0

MBA-M LOG

Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 5.1.2600 Service Pack 3

10/4/2008 12:29:26 AM
mbam-log-2008-10-04 (00-29-26).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 112705
Time elapsed: 50 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\WinRAR\Default.SFX (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{02AB5DEF-1097-4711-A644-97E93C8F5D09}\RP420\A0136272.sys (Trojan.Agent) -> Quarantined and deleted successfully.


HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:38 AM, on 10/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://img.yahoo.co.kr/multi/2005/tool/player/20060116/SVPorsche.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {9DA9609B-9237-40D3-A66D-24FE73CE3CD0} (IB_SiteSigning.IBSiteSigning) - http://img.sbs.co.kr/vobos/site/IB_SiteSigning.CAB
O16 - DPF: {A5F3B5CF-A05F-479E-B684-13AA512A7B93} (YGLauncher Control) - http://kr.pubbase.yahoo.com/gamesetup/YGLauncher2.cab
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} (SBSWebPlayer Class) - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
O16 - DPF: {C9F2C949-1D30-43BF-A712-2D21048EFE1B} (SBSWebStudio Class) - http://netv.sbs.co.kr/object/editor/SBSWebStudio.cab
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://muzic.sbs.co.kr/player/aod/dll/p3sbsset.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8543 bytes

P.S. Google does not redirect anymore but my laptop is alot slower than what it use to be before this infection.

0

P.S. Google does not redirect anymore but my laptop is alot slower than what it use to be before this infection.

Ok, hopefully we can speed this up somewhat. Several things could be causing this.
First of all you need to go into Spybot and TURN OFF TeaTimer. It can interfere with any fixes we may choose to do with HJT.
To do this open the program. Click Mode at the top and choose Advanced.
Then at the bottom click Tools. When the list of tools opens on the left side click the Resident Button. When that opens take the Check Mark OUT of TeaTimer. Close the program and Reboot the computer.

One thing I see is you have at least a portion of Part of Norton AntiVirus 2004 running on the computer, did you use this at one time?
In Running Processes, which were the processes running at the time of the last HJT scan I see this entry;
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe>>>this is Part of Norton AntiVirus 2004
and it is starting as a service as shown by this entry;
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Services are programs that are loaded automatically by Windows on startup.
This portion of the Norton program could be part of the cause for the slowdown.
Did you have Norton Anti-virus on the computer at one time in the past? How did you Uninstall it? Via Add/Remove? Look there again and see if there is still a listing for Norton or Symantec. If so, click Remove or Uninstall.
If it is NOT listed there then go to Start, Search, Files and Folders and first type in Norton and click Search. If it finds any files or folders named Norton, delete them.
Next do the same thing but type Symantec. Click Search. If it finds any files or folders named Symantec, delete them.

Are you familiar with this listing in Trusted Zone and did you personally put it there? http://*.sbs.co.kr

Please download the program CodeStuff Starter.
Save it to the desktop for easy access.
This is a program you can use to easily control auto starts both via Startup Folder or services.
Once you have the program installed please open it and click the Start ups Tab.
Take the check mark out of the following as they are not needed to autostart and can easily be run manually if needed, and are NOT required for running the computer;
NvCplDaemon>>>Intializes the clock and memory settings on nVidia based graphics cards.
nwiz>>>Associated with the newer versions of nVidia graphics cards drivers.
QPService>>>Related to HP_QuickPlay. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it, but it is not required.
HP Software Update>>>checks for HP updates, not required. It can easily be done manually.
ISUSScheduler>>>InstallShield Update Service Scheduler. Automatically searches for and performs any updates to the software. Not required and can consume resources.
Cpqset>>>Default settings software in Hewlett Packard notebook
WildTangent CDA>>>Part of the WildTangent on-line games system. This is not required for the games to work and can consume necessary resources.
QuickTime Task>>>System Tray access to Apple's "Quick Time" viewer from version 5 onwards
SunJavaUpdateSched>>>Checks with Sun's Java updates site to see if newer Java versions are available. Visit Sun's Java page or just run the Java Plug-In Control Panel.
SpybotSD TeaTimer>>>not required.
MSMSGS>>>Windows Messenger utility. If you don't use Windows Messenger, this can be annoying. This is NOT an Instant Messaging program. (there may be two listings for this, it is not needed to run the computer)
Remember REMOVE check marks from all noted above. Then click the Services Button.
You will see a list in alphabetical order. Scroll down to this one;
Symantec Core LC - or possibly symlcsvc.exe, double click on it. A box will open. In the Start Up Type be sure it is set to Disabled. Click Apply
Close the window and then the program. Reboot the computer.
Run a new HJT log and post it here. Please be certain to answer my question concerning the Trusted Zone entry.
Judy

0

Norton Antivrus came with the laptop and I tried to uninstall with Add/Remove. I used the search feature and found some folders of Norton and Symantec and deleted them. I did not put http://*.sbs.co.kr in the Trusted Zone.

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:07 PM, on 10/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://img.yahoo.co.kr/multi/2005/tool/player/20060116/SVPorsche.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {9DA9609B-9237-40D3-A66D-24FE73CE3CD0} (IB_SiteSigning.IBSiteSigning) - http://img.sbs.co.kr/vobos/site/IB_SiteSigning.CAB
O16 - DPF: {A5F3B5CF-A05F-479E-B684-13AA512A7B93} (YGLauncher Control) - http://kr.pubbase.yahoo.com/gamesetup/YGLauncher2.cab
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} (SBSWebPlayer Class) - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
O16 - DPF: {C9F2C949-1D30-43BF-A712-2D21048EFE1B} (SBSWebStudio Class) - http://netv.sbs.co.kr/object/editor/SBSWebStudio.cab
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://muzic.sbs.co.kr/player/aod/dll/p3sbsset.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7181 bytes

0

Ok looks better the Symantec listings are gone.
Now run HJT again and place a check mark next to the following entries;
O15 - Trusted Zone: http://*.sbs.co.kr
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://img.yahoo.co.kr/multi/2005/to.../SVPorsche.cab
O16 - DPF: {9DA9609B-9237-40D3-A66D-24FE73CE3CD0} (IB_SiteSigning.IBSiteSigning) - http://img.sbs.co.kr/vobos/site/IB_SiteSigning.CAB
O16 - DPF: {A5F3B5CF-A05F-479E-B684-13AA512A7B93} (YGLauncher Control) - http://kr.pubbase.yahoo.com/gamesetup/YGLauncher2.cab
O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} (SBSWebPlayer Class) - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
O16 - DPF: {C9F2C949-1D30-43BF-A712-2D21048EFE1B} (SBSWebStudio Class) - http://netv.sbs.co.kr/object/editor/SBSWebStudio.cab
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - http://muzic.sbs.co.kr/player/aod/dll/p3sbsset.cab

When you have the check marks in place then click the Fix Checked button.
Exit HJT.
Reboot the computer and run one more HJT scan so we can be certain everything is cleaned up.
Judy

0

Is it clean?

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:54 PM, on 10/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} (MagicLockOCX Control) - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/package/pdrinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6513 bytes

1

Looks good but that Spybot TeaTimer is running. Believe me, it is more trouble than it is worth. Disable that from running automatically at start up by opening the program.
Choose Mode, Advanced. Then you should click Tools at the bottom. When Tools opens you will see a row of buttons on the left. Click Resident. When Resident opens take the check mark OUT of TeaTimer.
Click ok and close the program.

SpywareBlaster will do a much better protection job and it does NOT run in the background. Download, install and update. Then enable all protection including the Restricted sites portion.
Manually update it once a week and enable all the new protection.
If you feel all is corrected and the computer is running well then click the Solved button.
Judy

0

I stopped TeamTimer and updated SpywareBlaster. Thanks for helping me Judy. Added to your Reputation and marked as Solved.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.