
HIJACKTHISLOG-Computer very slow

Discussion in 'Malware and Virus Removal Archive' started by Grave Slayers, 2006/12/24.

  1. 2006/12/24
    Grave Slayers

    Grave Slayers Inactive Thread Starter

    Joined:
    2006/12/24
    Messages:
    9
    Likes Received:
    0
    Hello, can someone look at my HijackThis log? My computer has been slowing down, and now to a point where I can't open more than two internet tabs. By the way, this computer is running on Windows 2000.

    Here is my hijackthis log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:43:20 PM, on 12/24/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINNT\Explorer.EXE
    C:\BITWARE\NT\bwprnmon.exe
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\WINNT\system32\n?pdb.exe
    C:\WINNT\system32\SSTEM~1\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\test\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.in/Default.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    R3 - URLSearchHook: (no name) - {DFA19D59-0AEF-6978-9B1F-78E52B181390} - C:\WINNT\system32\ewtmr.dll
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {DFA19D59-0AEF-6978-9B1F-78E52B181390} - C:\WINNT\system32\ewtmr.dll
    O2 - BHO: (no name) - {FDC72C3E-BAD8-8719-AB1D-CD5E111D69C2} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe "
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Pdb] C:\WINNT\system32\n?pdb.exe
    O4 - HKCU\..\Run: [Uabt] "C:\WINNT\system32\SSTEM~1\iexplore.exe" -vt ndrv
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/MyFunCardsFWBInitialSetup1.0.0.8.cab
    O16 - DPF: {28CE69A2-7736-4893-AB6D-575B3E738E34} (Project1.ctlProxy) - http://www.rogershelp.com/yahoo/connection/proxies/ctlProxy.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159488642847
    O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O20 - AppInit_DLLs: cpclccmd.dll mshta.dll
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
     
  2. 2006/12/24
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Welcome to the forums.

    Looks like some Purity Scan in that log, maybe some other stuff; let's run ComboFix.

    Also:
    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
    You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.

    Download ComboFix from here. Save it to your desktop.
    Double-click combofix.exe and follow the prompts. Do not click the ComboFix window while it is scanning; this may cause it to stop.

    When finished, it shall produce a log for you, post that log here. It may take more than one post to get it all in.

    Once ComboFix has run, also give me a new HJT log file as well.
     


  4. 2006/12/24
    Grave Slayers

    Grave Slayers Inactive Thread Starter

    Joined:
    2006/12/24
    Messages:
    9
    Likes Received:
    0
    Here is the ComboFix log

    Here is the ComboFix log. I followed the instructions you gave.

    test - Sun 12/24/2006 19:47:14.91 Service Pack 4
    ComboFix 06.11.27 - Running from: "C:\Documents and Settings\test\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\test\Application Data\CURITY~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\DOBE~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\ICROSO~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\ICROSO~2
    C:\QooBox\Purity\Documents and Settings\test\Application Data\MCROSO~1.NET
    C:\QooBox\Purity\Documents and Settings\test\Application Data\PPPATC~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\SMANTE~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\STEM32~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\WNSXS~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\YMANTE~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\YMBOLS~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\ASKS~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\CURITY~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\DOBE~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\ICROSO~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\SKS~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\SMBOLS~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\SSEMBL~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\YMANTE~1
    C:\QooBox\Purity\Program Files\FNTS~1
    C:\QooBox\Purity\Program Files\MCROSO~1.NET
    C:\QooBox\Purity\Program Files\PPATCH~1
    C:\QooBox\Purity\Program Files\PPPATC~1
    C:\QooBox\Purity\Program Files\RACLE~1
    C:\QooBox\Purity\Program Files\SSEMBL~1
    C:\QooBox\Purity\Program Files\STEM32~1
    C:\QooBox\Purity\Program Files\STEM~1
    C:\QooBox\Purity\Program Files\WNSXS~1
    C:\QooBox\Purity\Program Files\YMBOLS~1
    C:\QooBox\Purity\Program Files\YSTEM3~1
    C:\QooBox\Purity\Program Files\Common Files\CROSOF~1.NET
    C:\QooBox\Purity\Program Files\Common Files\MANTEC~1
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
    C:\QooBox\Purity\Program Files\Common Files\SEMBLY~1
    C:\QooBox\Purity\Program Files\Common Files\SMANTE~1
    C:\QooBox\Purity\Program Files\Common Files\SSTEM~1
    C:\QooBox\Purity\Program Files\Common Files\STEM32~1
    C:\QooBox\Purity\Program Files\Common Files\WNSXS~1
    C:\QooBox\Purity\Program Files\Common Files\YMBOLS~1
    C:\QooBox\Purity\WINNT\ASKS~1
    C:\QooBox\Purity\WINNT\ECURIT~1
    C:\QooBox\Purity\WINNT\ICROSO~1
    C:\QooBox\Purity\WINNT\ICROSO~1.NET
    C:\QooBox\Purity\WINNT\RACLE~1
    C:\QooBox\Purity\WINNT\SSTEM3~1
    C:\QooBox\Purity\WINNT\system32\ASEMBL~1
    C:\QooBox\Purity\WINNT\system32\DOBE~2
    C:\QooBox\Purity\WINNT\system32\ICROSO~1
    C:\QooBox\Purity\WINNT\system32\ICROSO~1.NET
    C:\QooBox\Purity\WINNT\system32\PPATCH~1
    C:\QooBox\Purity\WINNT\system32\SSTEM~1
    C:\QooBox\Purity\WINNT\system32\STEM32~1
    C:\QooBox\Purity\WINNT\system32\YMANTE~1
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\iexplore.exe
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1\ctxad-517.0000
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1\ctxad-517.0001
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1\ctxad-519.0000
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1\ctxad-519.0001
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1\ctxad-519.0002


    ((((((((((((((((((((((((((((((( Files Created from 2006-11-24 to 2006-12-24 ))))))))))))))))))))))))))))))))))


    2006-12-24 19:40 <DIR> d----c--- C:\HJT
    2006-12-24 17:24 58,880 --a------ C:\WINNT\system32\nggstr.dll
    2006-12-24 17:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2006-12-24 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2006-12-14 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
    2006-11-27 22:53 <DIR> d-------- C:\WINNT\Downloaded Installations
    2006-11-25 23:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Adobe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-24 19:48 -------- d-a------ C:\Program Files\Common Files
    2006-12-24 19:37 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-12-24 17:24 2 --a------ C:\WINNT\system32\wcpsvsu.exe
    2006-12-24 16:12 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-12-22 14:53 -------- d-------- C:\Documents and Settings\test\Application Data\AdobeUM
    2006-12-16 11:49 -------- d-------- C:\Program Files\Common Files\System
    2006-12-07 20:02 2174976 --a------ C:\WINNT\system32\wmvcore.dll
    2006-12-07 01:28 -------- d-------- C:\Program Files\Java
    2006-12-07 01:23 381 --a--c--- C:\Documents and Settings\test\Application Data\turing_files.ini
    2006-12-07 00:47 148 --a------ C:\Documents and Settings\test\Application Data\turing.ini
    2006-11-27 23:11 -------- d-------- C:\Documents and Settings\test\Application Data\Adobe
    2006-11-27 22:54 -------- d-------- C:\Program Files\Adobe
    2006-11-06 12:47 596480 --a------ C:\WINNT\system32\INETCOMM.DLL
    2006-11-04 14:14 1245696 --a------ C:\WINNT\system32\msxml4.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Yahoo! Pager "= "\ "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet "
    "Pdb "= "C:\\WINNT\\system32\\n?pdb.exe "
    "Uabt "= "\ "C:\\WINNT\\system32\\SSTEM~1\\iexplore.exe\" -vt ndrv "
    "updateMgr "= "\ "C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "Synchronization Manager "= "mobsync.exe /logon "
    "bwprnmon.exe "= "C:\\BITWARE\\NT\\bwprnmon.exe "
    "IntelliPoint "= "\ "C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "TkBellExe "= "\ "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot "
    "SunJavaUpdateSched "= "\ "C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\" "
    "CaAvTray "= "\ "C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\" "
    "CAVRID "= "\ "C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\" "
    "Adobe Photo Downloader "= "\ "C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\" "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange "= "1 "
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000003
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=dword:40000004
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop "= "C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023} "= "Trend Micro Anti-Spyware Shell Extension "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095
    "CDRAutoRun "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "Network.ConnectionTray "= "{7007ACCF-3202-11D1-AAD2-00805FC1270E} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

    Completion time: Sun 2006-12-24 19:49:32.47
    C:\ComboFix.txt ... 06-12-24 19:49
     
  5. 2006/12/24
    Grave Slayers

    Grave Slayers Inactive Thread Starter

    Joined:
    2006/12/24
    Messages:
    9
    Likes Received:
    0
    Here is the new Hijack log

    This is the HijackThis log made after I moved it to my C drive and after I scanned the computer with ComboFix:


    Logfile of HijackThis v1.99.1
    Scan saved at 7:54:40 PM, on 12/24/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINNT\Explorer.EXE
    C:\BITWARE\NT\bwprnmon.exe
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\WINNT\system32\n?pdb.exe
    C:\WINNT\system32\SSTEM~1\iexplore.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.in/Default.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    R3 - URLSearchHook: (no name) - {D8AB9E5A-08B9-6D7B-9B1F-78E52B1813C6} - C:\WINNT\system32\nggstr.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {D8AB9E5A-08B9-6D7B-9B1F-78E52B1813C6} - C:\WINNT\system32\nggstr.dll
    O2 - BHO: (no name) - {FDC72C3E-BAD8-8719-AB1D-CD5E111D69C2} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe "
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Pdb] C:\WINNT\system32\n?pdb.exe
    O4 - HKCU\..\Run: [Uabt] "C:\WINNT\system32\SSTEM~1\iexplore.exe" -vt ndrv
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {28CE69A2-7736-4893-AB6D-575B3E738E34} (Project1.ctlProxy) - http://www.rogershelp.com/yahoo/connection/proxies/ctlProxy.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159488642847
    O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O20 - AppInit_DLLs: cpclccmd.dll mshta.dll
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
     
  6. 2006/12/25
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Excellent work, looks like we got quite a bit removed with that one pass... gotta love that ComboFix!!

    Let's finish things off and see how the logs look afterwards.


    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it.
    • Select "Delete on Reboot".
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINNT\system32\nggstr.dll
    C:\WINNT\system32\wcpsvsu.exe
    C:\Documents and Settings\test\Application Data\turing_files.ini
    C:\Documents and Settings\test\Application Data\turing.ini
    C:\WINNT\system32\n?pdb.exe
    C:\WINNT\system32\cpclccmd.dll
    C:\WINDOWS\system32\mshta.dll


    Return to Killbox.
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.


    Do not reboot yet.


    Open HijackThis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [ ] next to them and press the [Fix Checked] button. When you are doing this, make sure you have no IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.in/Default.asp

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac <<<<<< USER SET? IF SO, IGNORE FIX


    R3 - URLSearchHook: (no name) - {D8AB9E5A-08B9-6D7B-9B1F-78E52B1813C6} - C:\WINNT\system32\nggstr.dll


    O2 - BHO: (no name) - {D8AB9E5A-08B9-6D7B-9B1F-78E52B1813C6} - C:\WINNT\system32\nggstr.dll

    O2 - BHO: (no name) - {FDC72C3E-BAD8-8719-AB1D-CD5E111D69C2} - (no file)


    O4 - HKCU\..\Run: [Pdb] C:\WINNT\system32\n?pdb.exe

    O4 - HKCU\..\Run: [Uabt] "C:\WINNT\system32\SSTEM~1\iexplore.exe" -vt ndrv


    O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab


    O20 - AppInit_DLLs: cpclccmd.dll mshta.dll


    Reboot into Safe Mode, this way:
    Turn on the computer.
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are checked, then search for and delete, if found (some may not be present after previous steps), the following files/folders:
    C:\WINNT\system32\SSTEM~1 <<<<-- this folder

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Once rebooted run ComboFix first, then HJT and post both logs back into this thread.
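The entries TeMerc singled out in posts 2 and 6 were picked by hand from the logs above. As an added example (not code from the thread, from HijackThis or from ComboFix), the Python script below applies the same kind of reasoning mechanically: it reads HijackThis-format lines and flags the ones a reviewer should look at, explaining why. The sample lines are copied from the logs in this thread (constructed into a test string, with legitimate entries mixed in so the script has something it must not flag); the heuristics (unnamed BHO/URLSearchHook, missing file, a `?` in a system32 file name, an executable inside an 8.3-aliased folder under system32, iexplore.exe living under system32, an ActiveX download from a raw IP address, a non-empty AppInit_DLLs, an AutoConfigURL being set) are my own review prompts, not rules built into HijackThis, and a hit means "check this", not "delete this".

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis v1.99.1 lines posted in this thread,
# mixing the entries TeMerc asked to fix with legitimate ones that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: (no name) - {D8AB9E5A-08B9-6D7B-9B1F-78E52B1813C6} - C:\WINNT\system32\nggstr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D8AB9E5A-08B9-6D7B-9B1F-78E52B1813C6} - C:\WINNT\system32\nggstr.dll
O2 - BHO: (no name) - {FDC72C3E-BAD8-8719-AB1D-CD5E111D69C2} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Pdb] C:\WINNT\system32\n?pdb.exe
O4 - HKCU\..\Run: [Uabt] "C:\WINNT\system32\SSTEM~1\iexplore.exe" -vt ndrv
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O20 - AppInit_DLLs: cpclccmd.dll mshta.dll
"""

# A Windows path ending in an executable/library extension (the '?' that HijackThis
# prints for an unprintable character is deliberately allowed inside the name).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx)\b', re.IGNORECASE)
# An 8.3 short-name alias used as a *folder* directly under system32, e.g. system32\SSTEM~1\
SHORTNAME_DIR = re.compile(r'\\system32\\[^\\\s"]*~\d+\\', re.IGNORECASE)
URL = re.compile(r'https?://\S+', re.IGNORECASE)
IPV4_HOST = re.compile(r'^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|$)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list


def classify(line):
    """Apply the review heuristics to one HijackThis line; return the reasons it tripped."""
    reasons = []
    kind = line.split(" - ", 1)[0].strip()  # R0, R1, O2, O4, O16, O20, ...

    if kind in ("O2", "R3") and "(no name)" in line:
        reasons.append("BHO/URLSearchHook with no name (legitimate add-ons identify themselves)")
    if "(no file)" in line:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if kind == "R1" and "AutoConfigURL" in line:
        reasons.append("proxy auto-config URL is set: confirm the user configured it before fixing")
    if kind == "O20" and line.partition("AppInit_DLLs:")[2].strip():
        reasons.append("non-empty AppInit_DLLs: these DLLs load into every process that uses user32.dll")
    if kind == "O16":
        m = URL.search(line)
        if m and IPV4_HOST.match(m.group(0)):
            reasons.append("ActiveX download from a raw IP address instead of a host name")

    for path in WIN_PATH.findall(line):
        name = path.rsplit("\\", 1)[-1].lower()
        if "?" in name:
            reasons.append("unprintable character in file name (HijackThis shows it as '?')")
        if SHORTNAME_DIR.search(path):
            reasons.append("executable inside an 8.3-aliased folder under system32 (folder name mimics a system directory)")
        if name == "iexplore.exe" and "\\system32\\" in path.lower():
            reasons.append("iexplore.exe under system32; the real one lives in Program Files\\Internet Explorer")
    return reasons


def triage(log_text):
    """Return a Finding for every non-empty log line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reasons := classify(line)):
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample, the script flags exactly the eight lines TeMerc listed for fixing (the Uabt entry twice over, for the SSTEM~1 folder and for the misplaced iexplore.exe) and passes over the Adobe BHO, the QuickTime Run entry and the Microsoft-hosted ActiveX control. The R1 line is reported with the same caveat TeMerc attached to it: a proxy.pac on localhost can be a user's own setting, so it is a question to ask, not a fix to apply blindly.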
     
  7. 2006/12/25
    Grave Slayers

    Grave Slayers Inactive Thread Starter

    Joined:
    2006/12/24
    Messages:
    9
    Likes Received:
    0
    I will reply in the morning

    I will continue this in the morning. Sorry for the inconvenience. Currently it is 1:42 AM Dec 25th and I am tired. So I will follow the instructions you gave and will post the logs in the morning. Sorry for troubling you. You have already been a great help, as I already feel the difference in the computer's speed. Hopefully it will run like new again when this is done.

    Merry Christmas!!
     
  8. 2006/12/25
    Grave Slayers

    Grave Slayers Inactive Thread Starter

    Joined:
    2006/12/24
    Messages:
    9
    Likes Received:
    0
    Combofix log

    Here is the log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:38:58 PM, on 12/25/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\BITWARE\NT\bwprnmon.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINNT\system32\ntvdm.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {28CE69A2-7736-4893-AB6D-575B3E738E34} (Project1.ctlProxy) - http://www.rogershelp.com/yahoo/connection/proxies/ctlProxy.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159488642847
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
     
  9. 2006/12/25
    Grave Slayers

    Sorry, the previous one is the HijackThis log.

    Sorry. I had both logs open and just made a copying mistake. Well, here is the ComboFix log:

    test - Mon 12/25/2006 12:36:36.09 Service Pack 4
    ComboFix 06.11.27 - Running from: "C:\Documents and Settings\test\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\test\Application Data\CURITY~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\DOBE~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\ICROSO~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\ICROSO~2
    C:\QooBox\Purity\Documents and Settings\test\Application Data\MCROSO~1.NET
    C:\QooBox\Purity\Documents and Settings\test\Application Data\PPPATC~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\SMANTE~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\STEM32~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\WNSXS~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\YMANTE~1
    C:\QooBox\Purity\Documents and Settings\test\Application Data\YMBOLS~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\ASKS~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\CURITY~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\DOBE~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\ICROSO~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\SKS~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\SMBOLS~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\SSEMBL~1
    C:\QooBox\Purity\Documents and Settings\test\My Documents\YMANTE~1
    C:\QooBox\Purity\Program Files\FNTS~1
    C:\QooBox\Purity\Program Files\MCROSO~1.NET
    C:\QooBox\Purity\Program Files\PPATCH~1
    C:\QooBox\Purity\Program Files\PPPATC~1
    C:\QooBox\Purity\Program Files\RACLE~1
    C:\QooBox\Purity\Program Files\SSEMBL~1
    C:\QooBox\Purity\Program Files\STEM32~1
    C:\QooBox\Purity\Program Files\STEM~1
    C:\QooBox\Purity\Program Files\WNSXS~1
    C:\QooBox\Purity\Program Files\YMBOLS~1
    C:\QooBox\Purity\Program Files\YSTEM3~1
    C:\QooBox\Purity\Program Files\Common Files\CROSOF~1.NET
    C:\QooBox\Purity\Program Files\Common Files\MANTEC~1
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
    C:\QooBox\Purity\Program Files\Common Files\SEMBLY~1
    C:\QooBox\Purity\Program Files\Common Files\SMANTE~1
    C:\QooBox\Purity\Program Files\Common Files\SSTEM~1
    C:\QooBox\Purity\Program Files\Common Files\STEM32~1
    C:\QooBox\Purity\Program Files\Common Files\WNSXS~1
    C:\QooBox\Purity\Program Files\Common Files\YMBOLS~1
    C:\QooBox\Purity\WINNT\ASKS~1
    C:\QooBox\Purity\WINNT\ECURIT~1
    C:\QooBox\Purity\WINNT\ICROSO~1
    C:\QooBox\Purity\WINNT\ICROSO~1.NET
    C:\QooBox\Purity\WINNT\RACLE~1
    C:\QooBox\Purity\WINNT\SSTEM3~1
    C:\QooBox\Purity\WINNT\system32\ASEMBL~1
    C:\QooBox\Purity\WINNT\system32\DOBE~2
    C:\QooBox\Purity\WINNT\system32\ICROSO~1
    C:\QooBox\Purity\WINNT\system32\ICROSO~1.NET
    C:\QooBox\Purity\WINNT\system32\PPATCH~1
    C:\QooBox\Purity\WINNT\system32\SSTEM~1
    C:\QooBox\Purity\WINNT\system32\STEM32~1
    C:\QooBox\Purity\WINNT\system32\YMANTE~1
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\iexplore.exe
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1\ctxad-517.0000
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1\ctxad-517.0001
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1\ctxad-519.0000
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1\ctxad-519.0001
    C:\QooBox\Purity\WINNT\system32\SSTEM~1\SSTEM~1\ctxad-519.0002


    ((((((((((((((((((((((((((((((( Files Created from 2006-11-25 to 2006-12-25 ))))))))))))))))))))))))))))))))))


    2006-12-25 10:45 <DIR> dr-h-c--- C:\$VAULT$.AVG
    2006-12-25 01:35 <DIR> d----c--- C:\!KillBox
    2006-12-25 00:27 816,672 --a------ C:\WINNT\system32\drivers\avg7core.sys
    2006-12-25 00:27 4,960 --a------ C:\WINNT\system32\drivers\avgtdi.sys
    2006-12-25 00:27 4,224 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
    2006-12-25 00:27 3,968 --a------ C:\WINNT\system32\drivers\avgclean.sys
    2006-12-25 00:27 28,416 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
    2006-12-25 00:27 26,880 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
    2006-12-25 00:27 <DIR> d-------- C:\Documents and Settings\test\Application Data\AVG7
    2006-12-25 00:26 <DIR> d-------- C:\Program Files\Grisoft
    2006-12-25 00:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2006-12-24 19:40 <DIR> d----c--- C:\HJT
    2006-12-24 17:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2006-12-24 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2006-12-14 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
    2006-11-27 22:53 <DIR> d-------- C:\WINNT\Downloaded Installations
    2006-11-25 23:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Adobe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-25 12:33 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-12-25 11:07 -------- d-a------ C:\Program Files\Common Files
    2006-12-25 11:07 -------- d-------- C:\Program Files\Common Files\Real
    2006-12-25 11:06 -------- d-------- C:\Documents and Settings\test\Application Data\Real
    2006-12-25 11:05 -------- d-------- C:\Program Files\Adobe
    2006-12-24 16:12 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-12-22 14:53 -------- d-------- C:\Documents and Settings\test\Application Data\AdobeUM
    2006-12-16 11:49 -------- d-------- C:\Program Files\Common Files\System
    2006-12-07 20:02 2174976 --a------ C:\WINNT\system32\wmvcore.dll
    2006-12-07 01:28 -------- d-------- C:\Program Files\Java
    2006-11-27 23:11 -------- d-------- C:\Documents and Settings\test\Application Data\Adobe
    2006-11-06 12:47 596480 --a------ C:\WINNT\system32\INETCOMM.DLL
    2006-11-04 14:14 1245696 --a------ C:\WINNT\system32\msxml4.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "Synchronization Manager"="mobsync.exe /logon"
    "bwprnmon.exe"="C:\\BITWARE\\NT\\bwprnmon.exe"
    "IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000003
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095
    "CDRAutoRun"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: Mon 2006-12-25 12:37:51.63
    C:\ComboFix.txt ... 06-12-25 12:37
    C:\ComboFix2.txt ... 06-12-24 19:49
     
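The two logs above were worked by eye, but the three things the responders acted on can be checked mechanically. The following Python triage script is an added example, not code from this thread or from the HijackThis or ComboFix authors. It runs three rules over log lines copied from the posts above (trimmed to the lines the rules need): a path containing a character the log could not render (`n?pdb.exe` in the first log; `?` is not a legal Windows file-name character), an executable running from an 8.3 short-name folder that imitates a system folder name (`SSTEM~1`, the directory ComboFix later quarantined under Purity), and browser proxy settings that point at the local machine. The imitated-name list is assembled from the quarantined folder names in the ComboFix log, and the rule names, the two-character deletion budget and the minimum stem length are my own choices. The output is a list of lines for a person to attribute, not a verdict: the helper here treated the final log, `localhost:9100` PAC included, as clean, so the loopback rule means "find which installed product owns that port", not "malware".

```python
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread
# (first post and post 8), trimmed to the ones the three rules below need.
SAMPLE_HJT_LOG = r"""Running processes:
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\n?pdb.exe
C:\WINNT\system32\SSTEM~1\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
"""

# Folder names the quarantined "Purity" directories in the ComboFix log imitate
# (ADOBE -> DOBE~1, SYSTEM -> SSTEM~1, MICROSOFT -> ICROSO~1, SYMANTEC -> YMANTE~1).
# Assumption: list assembled from that log only; extend it for other environments.
IMITATED_NAMES = ("SYSTEM", "SYSTEM32", "MICROSOFT", "SYMANTEC", "ADOBE", "ASSEMBLY",
                  "SECURITY", "TASKS", "ORACLE", "FONTS", "WINSXS", "SYMBOLS", "APPPATCH")

SHORT_NAME = re.compile(r"^([A-Z0-9_]{1,6})~\d+(\.[A-Z0-9]{1,3})?$", re.I)
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|sys|ocx|cab)\b", re.I)
HJT_PREFIX = re.compile(r"^[A-Z]\d{1,2} - ")          # "O4 - ", "R1 - ", "O23 - " ...
PROXY_SETTING = re.compile(r"(AutoConfigURL|ProxyServer)\s*=\s*(\S+)")
LOOPBACK = re.compile(r"^(?:https?://)?(?:localhost|127\.\d+\.\d+\.\d+)(?::\d+)?(?:/|$)", re.I)


def _within_deletions(stem, target, k):
    """True if STEM equals a prefix of TARGET with at most K characters deleted."""
    if not stem:
        return True
    if not target:
        return False
    if stem[0] == target[0]:
        return _within_deletions(stem[1:], target[1:], k)
    return k > 0 and _within_deletions(stem, target[1:], k - 1)


def lookalike_short_name(component):
    """An 8.3 short name (SSTEM~1, ICROSO~1, MCROSO~1.NET) whose stem is a known
    system folder name with one or two characters missing. An exact prefix such
    as MICROS~1 is ordinary 8.3 shortening and is not flagged."""
    m = SHORT_NAME.match(component)
    if not m:
        return False
    stem = m.group(1).upper()
    if len(stem) < 4:                      # assumption: shorter stems match too freely
        return False
    return any(not name.startswith(stem) and _within_deletions(stem, name, 2)
               for name in IMITATED_NAMES)


def triage(log_text):
    """Return (rule, line) pairs for HijackThis lines that need a human to attribute
    them. These are indicators to chase down, not verdicts."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = HJT_PREFIX.sub("", line, count=1)   # process-list lines are bare paths
        for path in WIN_PATH.findall(entry):
            if "?" in path:
                # '?' cannot appear in a Windows file name, so the log is showing a
                # character it could not render (n?pdb.exe in this thread).
                findings.append(("unrenderable character in path", line))
                break
            if any(lookalike_short_name(part) for part in path.split("\\")):
                findings.append(("executable under a lookalike system folder", line))
                break
        m = PROXY_SETTING.search(entry)
        if m and LOOPBACK.match(m.group(2)):
            # A PAC file or proxy on the local machine puts some installed process in
            # the browser's path; identify which product owns that port before acting.
            findings.append(("proxy settings point at loopback", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_HJT_LOG):
        print(f"[{rule}] {line}")
```

Run on the sample it reports exactly the three lines a responder in this thread would have asked about and stays silent on `lsass.exe`, the AVG entries and Firefox. The lookalike check deliberately compares only against a fixed list of imitated names rather than against every folder on disk, because on a box like this one the whole point of the infection is that the fake folder sits beside the real one.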
  10. 2006/12/25
    TeMerc

    Everything looks clear, is the machine now running as it should be? Please let us know.
     
  11. 2006/12/25
    Grave Slayers

    Thank you very much!!

    I can't thank you enough. The computer is running fast and I am able to browse the internet and have more than one application running without any freezing up. In addition, the startup time is considerably shorter.
    Just a few questions:

    Should I keep Combofix and Killbox or do I uninstall them?

    I have a few startup programs such as Bitware, QuickTime and Adobe Reader update making the computer take a little longer to start. How do I proceed to remove them from my startup programs?

    After this hassle, I managed to download some long needed antispyware and antivirus apps. Currently my arsenal is Ad-aware, SpyBot, AVG antivirus, Trend Micro anti-spyware with AVG and Trend Micro antispyware always running. And plus I use Firefox 2.0 as my browser. Is this enough considering this comp is a Pentium 2 and has 128MB RAM? Now do you recommend a firewall and if so, do you recommend the Free version of Zone Alarm? Is there any other security apps I require?

    Thank you again for helping fix my computer.
     
  12. 2006/12/25
    Grave Slayers

    Almost Forgot

    I have another question:
    I checked my C drive and when I opened it I found a folder called "QooBox", and in it a folder called "Purity". I did not proceed further. I know ComboFix quarantined it but was still hesitant to open the folder. Now what do I do with it? Should it be left or deleted?
     
  13. 2006/12/25
    TeMerc

    KillBox is rarely updated, so you can keep it; it's not like it takes up any space. Just don't use it 'unsupervised'.

    ComboFix does get updated a bit more, but it's very specific in what it looks for/removes. Again, this one you can keep too; no space or resources used.

    But you don't have to keep either. Not really 'needed' per se for the average user.
    WinPatrol v10.0.5.0 is a great start up manager and then some. Free too.
    I'm not sure how much juice TM Anti-Spyware uses, but with 128MB RAM it may not be enough for it. If you find out it is, just use Spybot's TeaTimer option, very light weight.

    Firefox is ok, I'm not big on it myself.

    Firewalls: here are a few to pick from. All are free too, can't beat that with a stick.
    Yes, those can be deleted, no problems there.


    We have 3 more things to do, mostly maintenance and then our recommendations:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
