WindowsBBS.com forum

Solved Hard drive 'grinds' when trying to open email

Discussion in 'Malware and Virus Removal Archive' started by pilotgal8, 2009/07/19.

  1. 2009/07/19 - pilotgal8 (Well-Known Member, Thread Starter)
    [Resolved] Hard drive 'grinds' when trying to open email

    According to the user, other programs work well. I've scrubbed the system with Spybot, Ad-Aware, and System Mechanic for unnecessary files & registry clutter.

    I'd appreciate an analysis of this HijackThis file.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:15:48 PM, on 7/18/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMON.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\WINDOWS\system32\FSRremoS.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\system32\Pelmiced.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\PROGRA~1\iolo\SYSTEM~1\SysMech4.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe "
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Portfolio Express 8.5.lnk = C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101156915875
    O16 - DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} (Jaunt Class) - http://download.jaunt.com/public/jaunt.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
    O17 - HKLM\Software\..\Telephony: DomainName = AOS-MAIN.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: karina.dat??z?5.1
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    End of file - 9823 bytes
     
  2. 2009/07/19 - Steve R Jones (SuperGeek, Staff)
    What do you mean when you say: "Hardfile 'grinds' when trying to open email."

    I'm not sure what a hardfile is.
     


  4. 2009/07/19 - pilotgal8 (Well-Known Member, Thread Starter)
    Hardfile = disk
    Makes a noise and doesn't open the email.

    Can you provide an analysis of this log to determine what program may be causing a problem on this machine?
     
  5. 2009/07/19 - PeteC (SuperGeek, Staff)
    pilotgal

    Please read this as indicated at the head of the forum and post the logs requested in this thread.

    An HJT log is no longer sufficient.
     
  6. 2009/07/19 - pilotgal8 (Well-Known Member, Thread Starter)
    Thanks for the correction to the format of the post. I'll speak to the user Monday to determine what seems to be the problem.
     
  7. 2009/07/25 - pilotgal8 (Well-Known Member, Thread Starter)
    User machine Task Manager shows 100% utilization with 2 iexplore.exe processes running. This happened when trying to scroll down an email window.

    Any help would be appreciated.
     
  8. 2009/07/25 - Arie (Administrator, Staff)
    You would have to follow our Malware Posting Rules as indicated at the top of this forum in order to receive help.
     
  9. 2009/07/25 - mailman (Geek Member)
    pilotgal8,

    In case you're still wondering or "the user" is in denial ;), the HijackThis log does indeed indicate the computer may have malware.

    For example,
    I suggest you or "the user" carefully follow the advice provided above by PeteC (Staff) and Arie (Administrator). :) The malware issue might not be related to the "grinding hard drive" but it certainly needs attention IMHO.
     
  10. 2009/07/26 - PeteC (SuperGeek, Staff)
    It would appear that your user has 2 antivirus programs loaded - Symantec/Norton and Trend Micro (there is also a trace of AVG) - which will conflict one with another. Two AVs, apart from conflicting with each other, give no additional protection and may indeed reduce it.

    It is suggested that either Norton or Trend Micro is removed.
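    The triage that mailman and PeteC did by eye, as an added example in Python (not part of this thread and not part of the HijackThis or DDS tools): it scans a handful of sample lines copied from the HijackThis log in post 1 and from the "AV:" header of the DDS report posted later in the thread, flags the O20 AppInit_DLLs entry because its value is not a plain DLL path, lists entries that point at files the tool could not find on disk, and reports when more than one on-access antivirus product is enabled at the same time. The "clean AppInit_DLLs value" pattern, the severity labels and the sample log are my assumptions for the example; a hit is a reason to look, not proof of malware.

```python
"""Triage helper for HijackThis / DDS text logs (added example, not from the thread)."""
from __future__ import annotations

import re
from typing import Optional

# Constructed sample: lines copied from the HijackThis log in post 1 and from the
# "AV:" header of the DDS report posted later in this thread.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O20 - AppInit_DLLs: karina.dat??z?5.1
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
"""

# DDS "AV:" header line: product name, on-access state between asterisks, signature age in parentheses.
DDS_AV_LINE = re.compile(r"^AV: (?P<name>.+?) \*(?P<state>[^*]+)\* \((?P<sigs>[^)]+)\)")

# What a legitimate AppInit_DLLs value looks like: one or more DLL paths, comma/space separated.
# This pattern is an assumption for the example; failing it is a reason to investigate, not a verdict.
CLEAN_DLL_LIST = re.compile(
    r"^[A-Za-z0-9_~\\:.\- ]+\.dll(\s*[,;]?\s*[A-Za-z0-9_~\\:.\- ]+\.dll)*$", re.IGNORECASE
)

# Markers HijackThis prints when the referenced file is not on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_av_line(line: str) -> Optional[dict]:
    """Return {name, enabled, signatures_current} for a DDS 'AV:' line, else None."""
    m = DDS_AV_LINE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "enabled": "enabled" in m.group("state").lower(),
        "signatures_current": m.group("sigs").strip().lower() == "updated",
    }


def check_appinit(line: str) -> Optional[str]:
    """Reason string if the line is a non-empty AppInit_DLLs entry (HJT 'O20 - ' or DDS form)."""
    body = line.strip()
    if body.startswith("O20 - "):
        body = body[len("O20 - "):]
    if not body.startswith("AppInit_DLLs:"):
        return None
    value = body[len("AppInit_DLLs:"):].strip()
    if not value:
        return None  # an empty value is the normal state on XP
    if not CLEAN_DLL_LIST.match(value):
        return (f"AppInit_DLLs value {value!r} is not a plain DLL path list; "
                "whatever it names is loaded into every process that maps user32.dll")
    return f"AppInit_DLLs is non-empty ({value}); confirm the DLL is expected"


def check_missing_file(line: str) -> Optional[str]:
    """Reason string if the entry points at a file the tool could not find on disk."""
    low = line.lower()
    for marker in MISSING_MARKERS:
        if marker in low:
            return f"entry references a file that is not on disk {marker}"
    return None


def triage(log_text: str) -> dict:
    """Scan a pasted log. Returns findings as (severity, line, reason) plus an AV product summary."""
    findings: list[tuple[str, str, str]] = []
    av_products: list[dict] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        av = parse_av_line(line)
        if av:
            av_products.append(av)
            continue
        reason = check_appinit(line)
        if reason:
            findings.append(("high", line, reason))
            continue
        reason = check_missing_file(line)
        if reason:
            findings.append(("low", line, reason))
    enabled = [p["name"] for p in av_products if p["enabled"]]
    return {
        "findings": findings,
        "av_products": av_products,
        "enabled_av": enabled,
        # Two on-access scanners at once is the conflict PeteC describes above.
        "av_conflict": len(enabled) > 1,
    }
```

    Calling triage(SAMPLE_LOG) returns one "high" finding for the O20 line, two "low" findings for the missing-file entries, and av_conflict set because both AVG and Norton 360 report on-access scanning enabled; the Trend Micro OfficeScan client in post 1 is a third scanner the DDS header does not list, so the count from this script is a floor, not a ceiling.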
     
  11. 2009/08/01 - pilotgal8 (Well-Known Member, Thread Starter)
    DDS ATTACH log as requested

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/22/2004 5:44:36 PM
    System Uptime: 8/1/2009 10:35:05 AM (1 hours ago)

    Motherboard: Intel | | D865GKD
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | WMT478/NWD | 2793/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 34 GiB total, 12.731 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1024: 5/4/2009 9:54:17 AM - System Checkpoint
    RP1025: 5/5/2009 2:51:55 PM - System Checkpoint
    RP1026: 5/6/2009 3:17:03 PM - System Checkpoint
    RP1027: 5/8/2009 11:58:42 AM - System Checkpoint
    RP1028: 5/11/2009 8:19:25 AM - System Checkpoint
    RP1029: 5/12/2009 9:56:09 AM - System Checkpoint
    RP1030: 5/12/2009 4:00:18 PM - Software Distribution Service 3.0
    RP1031: 5/13/2009 4:00:18 PM - Software Distribution Service 3.0
    RP1032: 5/14/2009 4:41:45 PM - System Checkpoint
    RP1033: 5/17/2009 11:46:27 AM - System Checkpoint
    RP1034: 5/18/2009 12:14:45 PM - System Checkpoint
    RP1035: 5/20/2009 11:56:06 AM - System Checkpoint
    RP1036: 5/22/2009 9:15:02 AM - System Checkpoint
    RP1037: 5/26/2009 11:43:31 AM - System Checkpoint
    RP1038: 5/27/2009 11:49:13 AM - System Checkpoint
    RP1039: 5/28/2009 12:43:18 PM - System Checkpoint
    RP1040: 6/1/2009 12:04:56 PM - System Checkpoint
    RP1041: 6/2/2009 1:00:56 PM - System Checkpoint
    RP1042: 6/3/2009 1:16:31 PM - System Checkpoint
    RP1043: 6/4/2009 2:46:19 PM - System Checkpoint
    RP1044: 6/7/2009 1:28:08 PM - System Checkpoint
    RP1045: 6/8/2009 3:31:52 PM - System Checkpoint
    RP1046: 6/10/2009 12:06:08 PM - System Checkpoint
    RP1047: 6/11/2009 1:53:44 PM - System Checkpoint
    RP1048: 6/11/2009 3:08:01 PM - Software Distribution Service 3.0
    RP1049: 6/12/2009 4:11:09 PM - System Checkpoint
    RP1050: 6/15/2009 10:49:19 AM - System Checkpoint
    RP1051: 6/16/2009 4:33:24 PM - System Checkpoint
    RP1052: 6/18/2009 12:09:41 PM - System Checkpoint
    RP1053: 6/22/2009 10:31:13 AM - System Checkpoint
    RP1054: 6/30/2009 12:09:39 PM - System Checkpoint
    RP1055: 7/1/2009 1:40:18 PM - System Checkpoint
    RP1056: 7/2/2009 4:22:08 PM - System Checkpoint
    RP1057: 7/6/2009 11:48:38 AM - System Checkpoint
    RP1058: 7/7/2009 12:26:20 PM - System Checkpoint
    RP1059: 7/8/2009 12:36:10 PM - System Checkpoint
    RP1060: 7/9/2009 1:53:44 PM - System Checkpoint
    RP1061: 7/10/2009 2:36:27 PM - System Checkpoint
    RP1062: 7/14/2009 12:28:47 PM - System Checkpoint
    RP1063: 7/15/2009 3:12:03 PM - System Checkpoint
    RP1064: 7/15/2009 4:01:21 PM - Software Distribution Service 3.0
    RP1065: 7/17/2009 8:52:05 AM - System Checkpoint
    RP1066: 7/18/2009 9:40:22 AM - Installed EasyCleaner
    RP1067: 7/18/2009 11:26:38 AM - Installed Ad-Aware
    RP1068: 7/18/2009 4:20:32 PM - Removed Ad-Aware
    RP1069: 7/18/2009 4:28:20 PM - Removed EasyCleaner
    RP1070: 7/20/2009 1:48:46 PM - System Checkpoint
    RP1071: 7/22/2009 3:34:41 PM - System Checkpoint
    RP1072: 7/23/2009 4:39:12 PM - System Checkpoint
    RP1073: 7/29/2009 11:45:53 AM - System Checkpoint
    RP1074: 7/29/2009 4:57:00 PM - Software Distribution Service 3.0
    RP1075: 7/31/2009 11:50:40 AM - System Checkpoint
    RP1076: 8/1/2009 11:19:40 AM - Installed AVG Free 8.0

    ==== Installed Programs ======================

    Adobe Acrobat 8 Standard
    Adobe Acrobat 8.1.2 Security Update 1 (KB403742)
    Adobe Acrobat 8.1.2 Standard
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Flash Player ActiveX
    Adobe Help Center 1.0
    Adobe InDesign CS2
    Adobe PageMaker 7.0
    Adobe Photoshop CS
    Adobe Reader 6.0
    Adobe Stock Photos 1.0
    Adobe Type Manager 4.1
    American Orchid Society 2005 Directory
    AppCore
    AQ Plus 3.1
    AVG Free 8.0
    Backup
    ccCommon
    EPSON Printer Software
    Extensis Portfolio 8.5.2
    GearDrvs
    Google Toolbar for Internet Explorer
    Hotfix for Windows XP (KB952287)
    IBM RecordNow
    IBM Rescue and Recovery with Rapid Restore
    IBM Themes
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Internet Explorer Q903235
    InterVideo WinDVD
    InterVideo WinDVD Creator 3
    Ipswitch WS_FTP Home
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1
    LightScribe 1.4.74.1
    LiveUpdate (Symantec Corporation)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Mouse Suite
    Mozilla Firefox (3.0.8)
    Norton 360
    Norton 360 (Symantec Corporation)
    Norton 360 HTMLHelp
    Norton Confidential Core
    nTeras Jaunt version 1.71
    PC-Doctor for Windows
    QuickTime
    RecordNow Audio
    RecordNow Copy
    RecordNow Data
    Remove Multimedia Center
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    Sonic DLA
    Sonic Express Labeler
    Sonic Update Manager
    SoundMAX
    SPBBC 32bit
    Spybot - Search & Destroy
    Symantec Real Time Storage Protection Component
    Symantec Technical Support Controls
    SymNet
    ThinkCentre Wallpaper
    Time Zone Data Update Tool for Microsoft Office Outlook
    Trend Micro OfficeScan Client
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    ViewSonic Monitor Drivers
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Media Player 9 Hotfix [See KB885492 for more information]
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    7/27/2009 9:03:51 AM, error: Service Control Manager [7000] - The PMEM service failed to start due to the following error: The system cannot find the file specified.
    7/27/2009 9:03:51 AM, error: Service Control Manager [7000] - The Msardgon service failed to start due to the following error: The system cannot find the file specified.

    ==== End Of File ===========================
     
  12. 2009/08/01 - pilotgal8 (Well-Known Member, Thread Starter)
    DDS.txt as requested

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by scanner at 11:23:45.35 on Sat 08/01/2009
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1368 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
    FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\WINDOWS\system32\FSRremoS.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\system32\Pelmiced.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMON.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    c:\progra~1\common~1\instal~1\update~1\isuspm.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\WINDOWS\System32\msiexec.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\AVG\AVG8\avgfrw.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Program Files\AVG\AVG8\avgupd.exe
    F:\System Clean\dds.pif

    ============== Pseudo HJT Report ===============

    mDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    mSearchAssistant = hxxp://www.google.com
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
    mRun: [Mouse Suite 98 Daemon] ICO.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe "
    mRun: [<NO NAME>]
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [osCheck] "c:\program files\norton 360\osCheck.exe "
    mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\portfo~1.lnk - c:\program files\extensis\portfolio 8.5\Portfolio Express.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101156915875
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} - hxxp://download.jaunt.com/public/jaunt.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: karina.dat??z?5.1
    LSA: Notification Packages = scecli pwdmon

    ================= FIREFOX ===================

    FF - ProfilePath -

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-1 325128]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-1 27656]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-1 107272]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-1 298264]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
    R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-3-19 63872]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
    R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2003-8-22 205328]
    R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2003-8-22 36368]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-2 101936]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090801.003\NAVENG.SYS [2009-8-1 87888]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090801.003\NAVEX15.SYS [2009-8-1 875728]
    R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2004-10-5 16384]
    R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBLF.SYS [2004-10-5 9216]
    R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-7-31 1245064]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
    S3 Dmbdu2kt;Dmbdu2kt;c:\windows\system32\drivers\irenum.sys [2003-2-19 11264]
    S3 Ligstat;Ligstat; [x]
    S3 Msardgon;Msardgon; [x]
    S3 Msptfdbrswia;Msptfdbrswia; [x]

    =============== Created Last 30 ================

    2009-08-01 11:20 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-08-01 11:20 10,520 a------- c:\windows\system32\avgrsstx.dll
    2009-08-01 11:20 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-08-01 11:19 <DIR> --d----- c:\windows\system32\drivers\Avg
    2009-08-01 11:19 <DIR> --d----- c:\program files\AVG
    2009-07-22 14:01 54,156 a---h--- c:\windows\QTFont.qfn
    2009-07-22 14:01 1,409 a------- c:\windows\QTFont.for
    2009-07-18 16:26 <DIR> --dsh--- C:\INCINERATE
    2009-07-18 09:41 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-07-18 09:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-07-18 09:41 472,064 a------- c:\windows\system32\Incinerator.dll
    2009-07-18 09:41 14,848 a------- c:\windows\system32\smrgdf.exe
    2009-07-18 09:41 <DIR> --d----- c:\program files\iolo
    2009-07-18 09:40 <DIR> --d----- c:\program files\ToniArts
    2009-07-18 09:36 <DIR> --d----- c:\docume~1\scanner\applic~1\Symantec
    2009-07-18 09:36 <DIR> --d----- c:\documents and settings\scanner

    ==================== Find3M ====================

    2009-07-31 09:22 2,241 a------- c:\windows\panose.bin
    2009-07-19 09:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
    2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
    2009-06-29 07:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
    2009-06-29 07:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
    2009-06-29 04:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe
    2009-06-29 04:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
    2009-06-29 04:33 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
    2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
    2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
    2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
    2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
    2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
    2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
    2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
    2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
    2002-09-11 10:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf
    2008-08-05 10:54 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080520080806\index.dat

    ============= FINISH: 11:24:48.10 ===============
     
  13. 2009/08/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Before we go any farther, as Pete said, there are three AV programs present.
    I need to know, which one you want to keep: AVG, Norton, or TrendMicro.
     
  14. 2009/08/01
    pilotgal8 Lifetime Subscription

    pilotgal8 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    459
    Likes Received:
    0
    More info.

    On boot up got
    Trendmicro scan starting

    msg before the desktop was painted.

    Several times when using IE Norton presented a message about Phishing which I closed as I was accessing WindowsBBS.

The machine got slower and slower, finally with a single IE window open the task list contained 6 occurrences of svchost 2 net, 2 syst, 2 local
    also 2 occurrences of iexplore.exe

    Final shutdown took > 5 min & I had to force svchost off.
     
  15. 2009/08/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    .....
     
  16. 2009/08/01
    pilotgal8 Lifetime Subscription

    pilotgal8 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    459
    Likes Received:
    0
    We'd like to convert to entirely AVG
     
  17. 2009/08/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  18. 2009/08/02
    pilotgal8 Lifetime Subscription

    pilotgal8 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    459
    Likes Received:
    0
    Unable to remove Trendmicro...needed password.
    Removed Norton, per your instructions.

On reboot, system seems to be working far better.

    HJT log here.
    Thanks in advance for all the help so far.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:50:10 PM, on 8/2/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINDOWS\Explorer.EXE
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\WINDOWS\system32\FSRremoS.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\Pelmiced.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
    C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Portfolio Express 8.5.lnk = C:\Program Files\Extensis\Portfolio 8.5\Portfolio Express.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101156915875
    O16 - DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} (Jaunt Class) - http://download.jaunt.com/public/jaunt.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
    O17 - HKLM\Software\..\Telephony: DomainName = AOS-MAIN.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AOS-MAIN.local
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: karina.dat??z?5.1
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 8092 bytes
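A small triage script for HijackThis-style logs like the two pasted in this thread, added here as an example; it is not part of the forum posts and not a feature of HijackThis, DDS or any other tool named above. It only looks at the `Oxx - ` lines, and the sample lines inside it are constructed to resemble the log above (the Symantec and AVG `O23` service lines are made up for the example, since the second log was taken after Norton was removed). It flags the things the helpers are pointing at: a non-empty `AppInit_DLLs` value with odd characters in it, BHOs or services whose file is missing, and more than one antivirus vendor present at the same time.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re

# Constructed sample, modelled on the HijackThis log pasted above.
# The Symantec and AVG O23 lines are invented for the example.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: karina.dat??z?5.1
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Substrings that identify an AV vendor in an O23 service line (assumption:
# these three vendors are the ones that matter for this thread).
AV_VENDORS = {
    "avg": "AVG",
    "symantec": "Symantec/Norton",
    "norton": "Symantec/Norton",
    "trend micro": "Trend Micro",
}

# "O23 - Service: ..." -> type "O23", rest "Service: ..."
LINE_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<rest>.*)$")

# A sane AppInit_DLLs value is a list of DLL names or paths; anything outside
# this character set (like the '?' garbage above) deserves a closer look.
APPINIT_ODD_CHARS = re.compile(r"[^\w\\:.;, -]")


def parse_lines(text):
    """Return (type, rest) tuples for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("rest")))
    return entries


def triage(text):
    """Return (findings, vendors): findings are (category, item, reason)."""
    findings = []
    vendors = set()
    for kind, rest in parse_lines(text):
        low = rest.lower()
        if kind == "O20" and low.startswith("appinit_dlls:"):
            value = rest.split(":", 1)[1].strip()
            if value:
                # AppInit_DLLs is normally empty on a clean XP box.
                reason = "non-empty"
                if APPINIT_ODD_CHARS.search(value):
                    reason = "non-empty and contains unexpected characters"
                findings.append(("AppInit_DLLs", value, reason))
        elif kind == "O2" and "(file missing)" in low:
            findings.append(("BHO", rest, "registered but DLL is missing"))
        elif kind == "O23":
            if "(no file)" in low:
                findings.append(("Service", rest, "registered but binary is missing"))
            for needle, vendor in AV_VENDORS.items():
                if needle in low:
                    vendors.add(vendor)
    if len(vendors) > 1:
        findings.append(("AV", ", ".join(sorted(vendors)),
                         "more than one antivirus product installed"))
    return findings, vendors


if __name__ == "__main__":
    for category, item, reason in triage(SAMPLE_LOG)[0]:
        print(f"[{category}] {reason}: {item}")
```

Running it on a real log is a matter of passing the pasted text to `triage()`; the vendor list and the character whitelist are deliberately small and should be extended for whatever products the machine actually has.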
     
  19. 2009/08/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Now, important question.
    Do you have valid license for TrendMicro, and is it up to date?


    Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

***VERY IMPORTANT! Make sure you update Superantispyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
* Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4.
    Post fresh HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  20. 2009/08/03
    pilotgal8 Lifetime Subscription

    pilotgal8 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    459
    Likes Received:
    0
TrendMicro license for software updates has expired, but still receiving virus library updates.
     
  21. 2009/08/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How is it possible?
     