Windows BBS - The Place for Microsoft Windows Support!
Malware and Virus Removal

Old 20th August 2008   #1
Jepinto (Member, Cedar Key, FL USA)

Everything is very slow - HJT log attached.

Pentium 4, 2 GHz, 2 GB RAM. The computer is exhibiting very slow start-up on Quicken (not unexpected, as the files date back at least 6 years), and IE 7 takes 1-2 minutes to render any page.

Tried to run AVG Free 8 this morning; it says it needed to be reinstalled. Downloaded a fresh AVG Free 8, disconnected the wireless and uninstalled; when trying to reinstall, it says I have another antivirus running on the machine. I don't. Uninstalled McAfee six months ago, as the firewall kept turning itself on and blocking GoToMyPC.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:52 AM, on 08/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intuit\QuickBooks Pro New 2002\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe
C:\Program Files\Common Files\Intuit\DatabaseServer\QBDBMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Application Data\U3\00001753A8604376\LaunchPad.exe
C:\Program Files\REFN\PDF-X\PDFSaver.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QBCMAgent] C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-3091673561-2619313026-2317538923-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'QBDataServiceUser17')
O4 - Startup: Screen Shot.lnk = C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = QuickBooks Pro New 2002\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 6560 bytes

Have tried online scans in previous months, as this is an ongoing problem, but it can only be worked on when the machine is free from its full-time workload. The operator can and does live with the slowness, but if anyone else needs to use it...we go

TIA

Old 20th August 2008   #2
Geri (Staff, Washington State)

Hi Jepinto
Did you go into Add/Remove and remove the old AVG first?

That would be my best guess as to what it is seeing.

Download and run this to get rid of all the temp garbage and see if it helps with the slowness.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

When were the last Defrag and CHKDSK run? That may help also, but it will take a while to run and complete, so some down time will be needed.

Let me know how that goes.

Geri

Old 20th August 2008   #3
Jepinto (Member, Cedar Key, FL USA)

Thank you for your response.

Yes, I removed AVG from the Add/Remove CP first. I should have mentioned that upon the recommended restart there was a tray balloon saying McAfee was out of date, followed by the AVG installer message about two AV programs.

Ran ATF Cleaner; it took a goodly number of files. Just in Firefox (which is seldom to never used) it said 12,000 KB.

Ran chkdsk; it removed a large number of .gif files. Am defragging now; it is, as you said, slow, so I am allowing it to do its thing.

I think both chkdsk and defrag were done within the past 6 months; defrag shows, graphically, very little fragmentation, but this time I am following the directions.


Last edited by Jepinto; 20th August 2008 at 20:59.
Old 20th August 2008   #4
Geri (Staff, Washington State)

Hi
Quote:
there was a tray balloon saying McAfee was out of date
OK, well, no McAfee showing in the HJT log.

Let's see if this will show anything.

Download ComboFix by sUBs from here, saving the file to your desktop.

Important! ComboFix.exe must be on your desktop!
  • Close all open programs and windows
  • Click Start>Run and type or paste the following command.

    "%userprofile%\desktop\combofix.exe" /skipfix

  • ComboFix will run; follow the prompts.
  • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks
Geri

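Geri's check in the post above (does anything from McAfee still appear in the HJT log?) is a first-pass triage question that can be run over the log format itself, together with two others the log at the top of the thread raises: O16 ActiveX entries left with no source, and O4 autostarts whose target is not an absolute path and so has to be located by hand. The script below is an added example, not code from the thread, from HijackThis or from WindowsBBS; it assumes the HJT v2 line layout `Section - body` used in the log above, takes a handful of lines copied from that log as sample input, and its helper names (`parse_hjt`, `mentions`, `dangling_dpf`, `unresolved_autostarts`, `triage`) are this example's own.

```python
"""First-pass triage helpers for a HijackThis (HJT) v2 log.

Added example for this thread, not code from HijackThis or WindowsBBS. It assumes
the HJT line layout "<Section> - <body>" seen in the log above (sections R0-R3,
F0-F3, O1-O24) and uses a few lines copied from that log as sample input.
"""
import re
from collections import Counter

# One HJT entry per line: section tag, " - ", then the entry body.
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")

# An absolute Windows path (drive letter or %VAR%), optionally quoted, ending in a
# loadable file extension. Used to locate the file an entry actually points at.
ABS_PATH = re.compile(
    r'"?(?P<path>(?:[A-Za-z]:\\|%[A-Za-z_]+%\\)[^"]*?\.(?:exe|dll|cpl|sys|scr))"?',
    re.IGNORECASE,
)

# Sample input: lines copied from the HJT log posted at the top of this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-21-3091673561-2619313026-2317538923-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'QBDataServiceUser17')
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = QuickBooks Pro New 2002\Components\QBAgent\qbdagent2002.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


def parse_hjt(text):
    """Return one dict per HJT entry line: section, body and the absolute target path if one is present."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header lines, the running-process list and blank lines are skipped
        body = m.group("body")
        p = ABS_PATH.search(body)
        entries.append({"section": m.group("section"), "body": body,
                        "path": p.group("path") if p else None})
    return entries


def section_counts(entries):
    """How many entries of each section type the log contains."""
    return Counter(e["section"] for e in entries)


def mentions(entries, keyword):
    """Entries whose text mentions keyword, case-insensitively.

    This is Geri's question in post #4 in code form: does any component of a
    vendor that was supposedly uninstalled still load at startup?
    """
    k = keyword.lower()
    return [e for e in entries if k in e["body"].lower()]


def dangling_dpf(entries):
    """O16 (Downloaded Program Files / ActiveX) entries registered with no source URL."""
    return [e for e in entries if e["section"] == "O16" and e["body"].rstrip().endswith("-")]


def unresolved_autostarts(entries):
    """O4 autostart entries whose target is not an absolute path, so the file must be located by hand."""
    return [e for e in entries if e["section"] == "O4" and e["path"] is None]


def triage(text):
    """Run every check and return a summary a helper can read at a glance."""
    entries = parse_hjt(text)
    return {
        "entries": len(entries),
        "sections": dict(section_counts(entries)),
        "mcafee_left_behind": [e["body"] for e in mentions(entries, "mcafee")],
        "dangling_dpf": [e["body"] for e in dangling_dpf(entries)],
        "unresolved_autostarts": [e["body"] for e in unresolved_autostarts(entries)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A hit from `mentions` or from either flag list is a lead to verify by hand, not a verdict: an O16 entry with no source is often nothing more than a leftover registration, and a relative O4 target is often a shortcut the tool did not expand. The point of the script is to make sure none of those entries is skipped while reading a long log.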
Old 21st August 2008   #5
Jepinto (Member, Cedar Key, FL USA)

Geri - Thank you for your help so far. It'll be a day or two before I can do more with the box. We're on the outer edges of Fay and, while not directly affected, are staying preoccupied.

I will try again in two days to get back with updates.

Old 22nd August 2008   #6
Geri (Staff, Washington State)

Hi Jepinto
Ok, no problem. I'll be here.

Geri

Old 25th August 2008   #7
Jepinto (Member, Cedar Key, FL USA)

ComboFix 08-08-24.03 - Owner 2008-08-25 16:57:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1494 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\desktop\combofix.exe
Command switches used :: /skipfix

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\X9ECKHC6\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\X9ECKHC6\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\system32\_006384_.tmp.dll
C:\WINDOWS\system32\_006385_.tmp.dll
C:\WINDOWS\system32\_006386_.tmp.dll
C:\WINDOWS\system32\_006387_.tmp.dll
C:\WINDOWS\system32\_006394_.tmp.dll
C:\WINDOWS\system32\_006395_.tmp.dll
C:\WINDOWS\system32\_006396_.tmp.dll
C:\WINDOWS\system32\_006397_.tmp.dll
C:\WINDOWS\system32\_006399_.tmp.dll
C:\WINDOWS\system32\_006400_.tmp.dll
C:\WINDOWS\system32\_006403_.tmp.dll
C:\WINDOWS\system32\_006404_.tmp.dll
C:\WINDOWS\system32\_006406_.tmp.dll
C:\WINDOWS\system32\_006407_.tmp.dll
C:\WINDOWS\system32\_006408_.tmp.dll
C:\WINDOWS\system32\_006410_.tmp.dll
C:\WINDOWS\system32\_006412_.tmp.dll
C:\WINDOWS\system32\_006413_.tmp.dll
C:\WINDOWS\system32\_006414_.tmp.dll
C:\WINDOWS\system32\_006418_.tmp.dll
C:\WINDOWS\system32\_006419_.tmp.dll
C:\WINDOWS\system32\_006421_.tmp.dll
C:\WINDOWS\system32\_006424_.tmp.dll
C:\WINDOWS\system32\_006426_.tmp.dll
C:\WINDOWS\system32\_006427_.tmp.dll
C:\WINDOWS\system32\_006428_.tmp.dll
C:\WINDOWS\system32\_006429_.tmp.dll
C:\WINDOWS\system32\_006430_.tmp.dll
C:\WINDOWS\system32\_006433_.tmp.dll
C:\WINDOWS\system32\_006434_.tmp.dll
C:\WINDOWS\system32\_006435_.tmp.dll
C:\WINDOWS\system32\_006436_.tmp.dll
C:\WINDOWS\system32\_006437_.tmp.dll
C:\WINDOWS\system32\_006442_.tmp.dll
C:\WINDOWS\system32\_006444_.tmp.dll
C:\WINDOWS\system32\_006445_.tmp.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\MabryObj.dll
H:\AUTORUN.INF

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-22 11:31 . 2008-08-22 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-08-21 11:34 . 2008-08-21 11:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Windows Search
2008-08-20 16:52 . 2008-08-20 16:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Windows Desktop Search
2008-08-20 16:50 . 2008-08-20 16:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\GroupPolicy
2008-08-20 16:50 . 2008-08-20 16:51 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-08-20 16:50 . 2008-03-07 12:56 192,000 -----c--- C:\WINDOWS\SYSTEM32\dllcache\offfilt.dll
2008-08-20 16:50 . 2008-03-07 12:56 98,304 -----c--- C:\WINDOWS\SYSTEM32\dllcache\nlhtml.dll
2008-08-20 16:13 . 2008-08-20 16:13 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-08-20 16:12 . 2008-08-20 16:12 <DIR> d-------- C:\Program Files\MSECACHE
2008-08-20 12:14 . 2008-08-25 16:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\Avg
2008-08-20 12:14 . 2008-08-20 12:14 96,520 --a------ C:\WINDOWS\SYSTEM32\drivers\avgldx86.sys
2008-08-20 12:14 . 2008-08-20 12:14 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-08-20 11:42 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\SYSTEM32\dllcache\msadce.dll
2008-08-07 15:55 . 2008-08-07 15:55 476,160 --a------ C:\Jul08.xls
2008-07-25 13:27 . 2008-07-25 13:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Acronis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-15 17:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-08-12 17:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-25 19:59 1,885,464 ----a-w C:\WINDOWS\SYSTEM32\AutoPartNt.exe
2008-07-23 19:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\SpinTop
2008-07-22 16:47 --------- d-----w C:\Program Files\Intuit
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-15 18:18 --------- d-----w C:\Program Files\Microsoft Works
2008-07-15 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-07-14 13:40 --------- d-----w C:\Program Files\Trend Micro
2008-07-13 14:31 --------- d-----w C:\Program Files\Java
2008-07-13 14:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSN6
2008-07-12 17:14 --------- d-----w C:\Program Files\PC-Doctor for Windows XP
2008-07-10 20:40 --------- d-----w C:\Documents and Settings\QBDataServiceUser17\Application Data\Acronis
2008-07-10 18:02 441,760 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2008-07-10 18:02 44,384 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-07-10 18:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2008-07-10 18:01 368,480 ----a-w C:\WINDOWS\system32\drivers\tdrpman.sys
2008-07-10 18:01 132,224 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2008-07-10 18:00 --------- d-----w C:\Program Files\Common Files\Acronis
2008-07-10 17:59 --------- d-----w C:\Program Files\Acronis
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-05-27 02:21 1,582,592 ------w C:\WINDOWS\SYSTEM32\tquery.dll
2008-05-27 02:21 1,418,240 ------w C:\WINDOWS\SYSTEM32\mssrch.dll
2008-05-27 02:19 97,792 ------w C:\WINDOWS\SYSTEM32\UncCplExt.dll
2008-05-27 02:19 273,408 ------w C:\WINDOWS\SYSTEM32\oeph.dll
2008-05-27 02:19 2,048 ------w C:\WINDOWS\SYSTEM32\UncRes.dll
2008-05-27 02:19 143,872 ------w C:\WINDOWS\SYSTEM32\UncDMS.dll
2008-05-27 02:19 131,072 ------w C:\WINDOWS\SYSTEM32\UncPH.dll
2008-05-27 02:19 11,264 ------w C:\WINDOWS\SYSTEM32\oephRes.dll
2008-05-27 02:19 108,032 ------w C:\WINDOWS\SYSTEM32\UncNE.dll
2008-05-27 02:18 71,680 ------w C:\WINDOWS\SYSTEM32\propdefs.dll
2008-05-27 02:18 56,320 ------w C:\WINDOWS\SYSTEM32\xmlfilter.dll
2008-05-27 02:18 44,032 ------w C:\WINDOWS\SYSTEM32\msstrc.dll
2008-05-27 02:18 439,808 ------w C:\WINDOWS\SYSTEM32\searchindexer.exe
2008-05-27 02:18 38,400 ------w C:\WINDOWS\SYSTEM32\rtffilt.dll
2008-05-27 02:18 350,208 ------w C:\WINDOWS\SYSTEM32\mssph.dll
2008-05-27 02:18 231,936 ------w C:\WINDOWS\SYSTEM32\msshsq.dll
2008-05-27 02:18 203,776 ------w C:\WINDOWS\SYSTEM32\mssphtb.dll
2008-05-27 02:18 184,832 ------w C:\WINDOWS\SYSTEM32\searchprotocolhost.exe
2008-05-27 02:17 87,552 ------w C:\WINDOWS\SYSTEM32\searchfilterhost.exe
2008-05-27 02:17 87,552 ------w C:\WINDOWS\SYSTEM32\mssitlb.dll
2008-05-27 02:17 754,176 ------w C:\WINDOWS\SYSTEM32\propsys.dll
2008-05-27 02:17 60,416 ------w C:\WINDOWS\SYSTEM32\msscntrs.dll
2008-05-27 02:17 34,816 ------w C:\WINDOWS\SYSTEM32\msscb.dll
2008-05-27 02:17 32,768 ------w C:\WINDOWS\SYSTEM32\mssprxy.dll
2008-05-27 02:17 301,568 ------w C:\WINDOWS\SYSTEM32\srchadmin.dll
2008-05-27 02:17 11,776 ------w C:\WINDOWS\SYSTEM32\msshooks.dll
2008-05-27 01:59 18,904 ------w C:\WINDOWS\SYSTEM32\structuredqueryschematrivial.bin
2008-05-27 01:59 106,605 ------w C:\WINDOWS\SYSTEM32\structuredqueryschema.bin
2008-04-04 15:47 108,528 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-03-18 16:03 0 ----a-w C:\Program Files\temp01
2007-12-21 17:17 3,902,784 ----a-w C:\Documents and Settings\Owner\gosetup.exe
2007-03-09 16:25 424,081 -c--a-w C:\Program Files\07Rent.qpw
2007-01-09 20:17 470,528 ----a-w C:\Program Files\Dec06.xls
2006-12-07 19:59 471,040 ----a-w C:\Program Files\Nov06.xls
2006-07-27 14:25 479,744 ----a-w C:\Program Files\June06.xls
2005-08-01 18:43 619 ----a-w C:\Program Files\Shortcut to Jul05 (version 1).lnk
2005-02-09 18:34 463,360 ----a-w C:\Program Files\Jan05.xls
2004-03-03 19:48 461,824 -c--a-w C:\Program Files\Feb04.xls
2004-01-23 16:52 526,848 ----a-w C:\Program Files\July03.xls
2003-07-08 15:44 456,704 ----a-w C:\Program Files\Jun03.xls
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-16 02:34 212992]
"QBCMAgent"="C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe" [2003-11-25 11:23 32768]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-04 00:13 81920]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-07 00:56 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 20:04 52736]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 10:46 172032]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-08 03:36 90112]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 11:09 258856]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-09 20:11 2595792]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-09 20:23 909208]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-09 20:14 136472]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-20 12:13 1232152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 14:19 4841472]
"nwiz"="nwiz.exe" [2003-07-28 14:19 323584 C:\WINDOWS\SYSTEM32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 40960 C:\WINDOWS\ltmsg.exe]
"Cmaudio"="cmicnfg.cpl" [BU]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Screen Shot.lnk - C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe [2002-07-14 14:51:14 625664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro New 2002\Components\QBAgent\qbdagent2002.exe [2003-08-19 15:21:41 315392]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 21:41:30 972064]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 22:19:14 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 22:19 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 11:09 10536 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled
backup=C:\WINDOWS\pss\Microsoft Office.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk.disabled]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk.disabled
backup=C:\WINDOWS\pss\HotSync Manager.lnk.disabledStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^McAfee.com SpamKiller.lnk.disabled]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\McAfee.com SpamKiller.lnk.disabled
backup=C:\WINDOWS\pss\McAfee.com SpamKiller.lnk.disabledStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Registration-Studio 7SE.lnk.disabled]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Registration-Studio 7SE.lnk.disabled
backup=C:\WINDOWS\pss\Registration-Studio 7SE.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp Silent Service]
--a------ 2001-11-29 23:49 32768 C:\WINDOWS\SYSTEM32\HpSrvUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2001-08-08 04:25 143360 C:\WINDOWS\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-20 14:20 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu]
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-07-28 14:19 323584 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-07-10 14:01]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-20 12:14]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-20 12:13]
R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [2006-09-13 11:32]
R2 TryAndDecideService;Acronis Try And Decide Service;C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2008-04-09 21:42]
R2 WUSB54Gv4SVC;WUSB54Gv4SVC;C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe WUSB54Gv4.exe []
S3 DPCNET5U;Satellite USB Driver;C:\WINDOWS\system32\DRIVERS\dpcnet5u.sys []
S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-04-15 19:18]
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2001-12-27 23:11]
S3 VisorUsb;Handspring USB;C:\WINDOWS\system32\DRIVERS\VisorUsb.sys []
S4 Seagate Sync Service;Seagate Sync Service;C:\Program Files\Seagate\Sync\SeaSyncServices.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1333c601-9c9b-11da-950b-00e0186e5e30}]
\Shell\AutoRun\command - G:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{305fe600-bdd0-11db-95a2-000c416a885c}]
\Shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2008-08-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-12 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-04 03:56]

2002-05-03 C:\WINDOWS\Tasks\ISP signup reminder 3.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 03:56]

2002-05-03 C:\WINDOWS\Tasks\Registration reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 03:56]

2008-08-25 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 12:43]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zkg5j64o.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://msn.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 16:58:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 17:01:52
ComboFix-quarantined-files.txt 2008-08-25 21:01:30

Pre-Run: 48,301,076,480 bytes free
Post-Run: 48,276,103,168 bytes free

304 --- E O F --- 2008-08-20 20:20:42

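Reading a ComboFix log by eye is error-prone, and the entries this thread keeps coming back to (the McAfee Security Center overrides left behind after the uninstall, the services whose image has an empty `[]` timestamp field, the MountPoints2 AutoRun handlers for removable drives, and the newly created service) can be pulled out mechanically. The Python below is an added example, not a ComboFix, AVG or WindowsBBS tool. Its sample log is constructed to mirror the excerpt posted above; reading `R`/`S` as running/stopped with the digit as the service start type, and an empty `[]` as "no file timestamp recorded", follows the usual ComboFix convention rather than anything stated on this page, and whether the AVG installer's "another antivirus" complaint reacts to these Security Center keys is an assumption, not something this thread establishes.

```python
"""Triage a ComboFix-style log excerpt (added example, not a ComboFix, AVG or
WindowsBBS tool).  SAMPLE_LOG is constructed to mirror the posted excerpt."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-07-10 14:01]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-20 12:13]
S3 DPCNET5U;Satellite USB Driver;C:\WINDOWS\system32\DRIVERS\dpcnet5u.sys []
S4 Seagate Sync Service;Seagate Sync Service;C:\Program Files\Seagate\Sync\SeaSyncServices.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - GTNDIS5
"""

HEADER_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\key]
MONITOR_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
AUTHAPP_RE = re.compile(r'^"(.+)"=$')                      # "path"= in the firewall list
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$")
# R/S = running/stopped at scan time, digit = start type (0 boot .. 4 disabled).
# The bracketed field is the image's timestamp; ComboFix leaves it empty if it has none.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
NEW_SERVICE_RE = re.compile(r"^\*Newly Created Service\*\s+-\s+(.+)$")


@dataclass
class Service:
    start: str
    name: str
    display: str
    image: str
    stamp: str  # '' when no timestamp was recorded for the image


@dataclass
class Report:
    monitoring_disabled: list = field(default_factory=list)   # product leaf names
    authorized_apps: list = field(default_factory=list)       # firewall exceptions
    services: list = field(default_factory=list)              # Service records
    autoruns: dict = field(default_factory=dict)              # volume/GUID -> command
    new_services: list = field(default_factory=list)


def parse(text: str) -> Report:
    """One pass over the log; value lines are read in the context of the last [key]."""
    rep = Report()
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            key = m.group(1)
            continue
        low = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if MONITOR_RE.match(line) and "security center\\monitoring\\" in low:
            rep.monitoring_disabled.append(leaf)
        elif "\\authorizedapplications\\list" in low and (m := AUTHAPP_RE.match(line)):
            rep.authorized_apps.append(m.group(1).replace("\\\\", "\\"))  # un-escape .reg path
        elif "\\mountpoints2\\" in low and (m := AUTORUN_RE.match(line)):
            rep.autoruns[leaf] = m.group(1)
        elif m := SERVICE_RE.match(line):
            rep.services.append(Service(*m.groups()))
        elif m := NEW_SERVICE_RE.match(line):
            rep.new_services.append(m.group(1))
    return rep


def findings(rep: Report) -> list:
    """The review items a helper would post back for the parsed log."""
    out = []
    for product in rep.monitoring_disabled:
        out.append(f"Security Center still carries a monitoring override for {product}; "
                   "if that product is uninstalled this is leftover state worth removing")
    for svc in rep.services:
        if not svc.stamp:
            out.append(f"service {svc.name} ({svc.start}) points at {svc.image!r} "
                       "with no file timestamp: confirm the image still exists")
    for vol, cmd in rep.autoruns.items():
        out.append(f"MountPoints2 AutoRun handler for volume {vol} runs {cmd!r} "
                   "when the drive is opened through AutoPlay; treat it as an autostart")
    for name in rep.new_services:
        out.append(f"service {name} was created since the previous run: identify its image first")
    return out


if __name__ == "__main__":
    for item in findings(parse(SAMPLE_LOG)):
        print("-", item)
```

Run it as-is to see the six review items for the constructed sample, or feed it a saved ComboFix.txt with `parse(open(path).read())`; the two `[]` services in the sample (DPCNET5U, Seagate Sync Service) are exactly the kind of stale driver and service entries the posted log carries.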
Old 26th August 2008   #8
Geri (Staff)

Hi Jepinto
OK, evidently you've run ComboFix before, as a fix?

Here are the only 2 entries of McAfee showing.

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\McAfee.com
C:\WINDOWS\pss\McAfee.com


So follow those paths to delete McAfee.com

Do you know what all these are?
C:\Program Files\Dec06.xls
C:\Program Files\Nov06.xls
C:\Program Files\June06.xls


Are you getting any warnings from AVG (it looks like it's been installed), or any other problems?

Geri

Old 26th August 2008   #9
Jepinto (Member)

Well, ComboFix ran because I opened it wrong. I thought to shut it down, but it was doing what seemed right, so I left it alone. (Note to self: read ALL the directions.)

Those two files look to be some Excel spreadsheets that mistakenly got saved in the wrong place, but I'll check tomorrow. I have to ask the creator of the spreadsheets.

I'll get those two McAfees out first thing!

IE will not load a page faster than I can go outside and come back in. But the operator of the machine says she can live with it... but that was where all this started, trying to get a browser to load pages faster. Neither IE nor Firefox will load except extremely slowly.

AVG is doing one strange thing, which just started after ComboFix. It keeps shutting Resident Shield off. When I check, it says it is on, but if I turn it off, then turn it back on, it says it is on. Did it twice after ComboFix, but now I can't remember whether I've restarted since then.


Last edited by Jepinto; 26th August 2008 at 03:17.
Old 26th August 2008   #10
Jepinto (Member)


Can you tell what these are?
Quote:
2008-08-12 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-04 03:56]

2002-05-03 C:\WINDOWS\Tasks\ISP signup reminder 3.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 03:56]

2002-05-03 C:\WINDOWS\Tasks\Registration reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 03:56]

Old 26th August 2008   #11
Geri (Staff)

Hi Jepinto
Quote:
Can you tell what these are?
C:\WINDOWS\Tasks\EasyShare Registration Task.job
They could be for a number of programs; this would be my guess.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Registration-Studio 7SE.lnk.disabled

See here for others she might have installed:
http://www.google.com/search?client=...=Google+Search

Here is some info on these.
C:\WINDOWS\Tasks\ISP signup reminder 3.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe
C:\WINDOWS\Tasks\Registration reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe
http://www.softwaretipsandtricks.com...bebalnexe.html

Quote:
AVG is doing one strange thing ...but now I can't remember whether I've restarted since then.
Try a reboot; I haven't heard of that problem with ComboFix before.

When were the last defrag and chkdsk run?

Let's also clean up the temps and get an on-line scan.

Please do this.

Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
Recycle bin


The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

Now an on-line scan.

Please do an online scan with Kaspersky WebScanner

Click on "Accept". If your pop-up blocker blocks any windows from opening:

Click Run on the window that opens.
Windows Vista users: you must open the web browser using the Run as Administrator command.
  • The program will launch and then begin downloading the latest definition files.
  • Under Scan on the left side, click on My Computer.
  • This will start the program and scan your system.
  • Click "Scan Report" on the left side.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type, Text file. Click OK to save the file.
  • Save the text file to your desktop.
  • Copy and paste that information in your next post.

Please post the Kaspersky results.

Geri

Old 27th August 2008   #12
Jepinto (Member)

Cannot find C:\Documents and Settings\Owner\Start Menu\Programs\Startup\McAfee.com; it does not show up in that folder.
C:\WINDOWS\pss\McAfee.com is now deleted.

chkdsk and defrag were run 6 days ago.

Reran ATF Cleaner, took 2,002 KB out.

Am running Kaspersky WebScanner now

Couple of oddities: AVG Resident Shield was running, said it had been running for 12 hours plus, but I am still getting alerts that it is not active. AVG is turned off while Kaspersky WebScanner is running, so I'll look again in the morning.

Windows Security during the periods when Resident Shield is running gives no errors, but as soon as Resident Shield kicks off, Windows Security Center says "You may be at risk". Opening WSC, I get a message that there are several antivirus programs but all report they are either off or out of date.

Downloaded Malwarebytes' Anti-Malware, for future use. While trying to install it, I kept getting another program's setup window. That program requires a CD to install; it is our MLS program, EZList MLS. Canceled the setup of EZList, it did, Malwarebytes' window comes back, click for next step, EZList comes back up, cancel EZ, Malwarebytes comes back; did this another 2 times.

Still very slow loading the browser pages, but the machine seems to be starting up MUCH faster, and this is good.

Thank you for hanging with me through this-and yes, I will show my appreciation by utilizing the link click in your signature

Will post the next log upon completion, but I want to say thank you again.

Old 27th August 2008   #13
Staff