Jsmtty Posted February 25, 2008 ID:13779 Share Posted February 25, 2008 Hello,My machine is moving very slowly and has me a little worried. Especially when I start up IE. Also, I've also found a file I can't delete. Looks like this:C:\Documents and Settings\ShannonC\Local Settings\Temp\Temporary Internet Files\Content.IE5\4DAF8HUJ\activity;src=998766;met=1;v=1;pid=14258645... ...;ecn2=1;etm2=0;eid3=11;e[1].gifI'm not really sure how to proceed, so I figured I'd come ask the expert first. Thanks for any advice you can offer.Here is an mbam-log:Malwarebytes' Anti-Malware 1.05Database version: 404Scan type: Full Scan (C:\|)Objects scanned: 47823Time elapsed: 24 minute(s), 7 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)**************************************************************************Here is the Panda Scan log:Incident Status Location Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\PaulaW\Cookies\paulaw@atdmt[2].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\PaulaW\Cookies\paulaw@com[2].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\PaulaW\Cookies\paulaw@perf.overture[1].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\PaulaW\Cookies\paulaw@realmedia[2].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\PaulaW\Cookies\paulaw@server.iad.liveperson[2].txt *********************************************************************************Here is the HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:55:33 PM, on 2/25/2008Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Boot mode: NormalRunning processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Symantec\pcAnywhere\awhost32.exeC:\Program Files\NavNT\defwatch.exeC:\WINNT\System32\svchost.exeC:\Program Files\NavNT\rtvscan.exeC:\WINNT\System32\svchost.exeC:\WINNT\system32\regsvc.exeC:\WINNT\system32\MSTask.exeC:\WINNT\System32\WBEM\WinMgmt.exeC:\WINNT\system32\svchost.exeC:\WINNT\System32\svchost.exeC:\WINNT\Explorer.EXEC:\Program Files\NavNT\vptray.exeC:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\WINNT\system32\hphmon05.exeC:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exeC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Documents and Settings\All Users\Start Menu\Programs\Startup\YacsMon.exeC:\Program Files\Java\jre1.6.0_02\bin\jucheck.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO1 - Hosts: 90.0.1.42 mainserverO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocxO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dllO4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -offO4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exeO4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exeO4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exeO4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\system32\hphmon05.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')O4 - Global Startup: YacsMon.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htmO9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htmO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO16 - DPF: {037790A6-1576-11D6-903D-00105AABADD3} (Seagull Web-to-Host Control Module v4) - https://www.ussco.com/bluezone/controls/sglw2hcm.ocxO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocxO16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3O17 - HKLM\System\CS1\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3O17 - HKLM\System\CS2\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exeO23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exeO23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe--End of file - 6553 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted February 26, 2008 ID:13849 Share Posted February 26, 2008 OK I need to know if this item YacsMon.exe comes from DeRamp Software or another source. It can be safe and harmless or it can be a nasty infection known as LOP. The file you can't delete has an image extension. You can scan both files and I would love that here http://www.virustotal.com/ upload them scan and post the results here. Link to post Share on other sites More sharing options...
Jsmtty Posted February 27, 2008 Author ID:13881 Share Posted February 27, 2008 Hi Jean,The YacsMon program is from DeRamp. It was intentionally installed on this machine. I scanned it at virustotal.com anyway. It looked clean. The other file is acting like it doesn't even "exist". I can't even upload it at virustotal.com. Like it's not even there.Any other ideas? Thanks for your help ! Link to post Share on other sites More sharing options...
JeanInMontana Posted February 27, 2008 ID:13911 Share Posted February 27, 2008 OK if you can't find it how do you know it was ever there? Do you have the system set to show hidden files and folders?Please set your system to show all files; Click Start.Open My Computer.Select the Tools menu and click Folder Options.Select the View Tab.Under the Hidden files and folders heading select Show hidden files and folders.Uncheck the Hide protected operating system files (recommended) option.Click Yes to confirm.Click OK.Or did you empty temp files and it is gone? Get this program and run a good clean up with it http://www.ccleaner.com/download Then lets have a look with this:1. Download this file :http://download.bleepingcomputer.com/sUBs/combofix.exeOr from here:http://www.techsupportforum.com/sectools/combofix.exe2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall. Link to post Share on other sites More sharing options...
Jsmtty Posted February 28, 2008 Author ID:14034 Share Posted February 28, 2008 Ok...first of all...The "strange" file that I can't delete is keeping me from removing a user account on this machine. I can locate the file in Windows Explorer...I just can't "do" anything with it...including uploading it to virustotal.com. Does that describe the first problem a little better?Ok - the second thing is the speed. This machine just seems to be running abnormally slow. I ran ccleaner.Here is the ComboFix Log...You'll see more than me...but I do want to get rid of the Yahoo toolbar I see:ComboFix 08-02-25.3 - PaulaW 02/28/2008 16:40:27.1 - NTFSx86Running from: C:\Documents and Settings\All Users\Desktop\DownLoads\MalwareBytes\ComboFix.exeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\WINNT\Web\default.htt.((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 ))))))))))))))))))))))))))))))).2008-02-28 16:40 . 02/28/08 04:40p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_334.dat2008-02-28 15:42 . 02/28/08 03:43p <DIR> d-------- C:\Program Files\CCleaner2008-02-25 15:12 . 02/25/08 03:12p <DIR> d-------- C:\Program Files\Trend Micro2008-02-25 14:27 . 02/25/08 02:27p <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware2008-02-25 14:27 . 02/25/08 02:27p <DIR> d-------- C:\Documents and Settings\PaulaW\Application Data\Malwarebytes2008-02-25 14:27 . 02/25/08 02:27p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes2008-02-25 12:56 . 06/05/07 10:56a 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS2008-02-25 12:40 . 02/25/08 01:55p <DIR> d-------- C:\WINNT\system32\ActiveScan2008-02-25 12:40 . 02/25/08 12:51p 30,590 --a------ C:\WINNT\system32\pavas.ico2008-02-25 12:40 . 02/25/08 12:51p 2,550 --a------ C:\WINNT\system32\Uninstall.ico2008-02-25 12:40 . 02/25/08 12:51p 1,406 --a------ C:\WINNT\system32\Help.ico2008-02-22 17:06 . 02/22/08 05:04p 691,545 --a------ C:\WINNT\unins000.exe2008-02-22 17:06 . 02/22/08 05:06p 2,542 --a------ C:\WINNT\unins000.dat2008-02-22 16:25 . 02/22/08 04:25p <DIR> d-------- C:\Documents and Settings\PaulaW\Application Data\Basta Computing2008-02-22 16:24 . 02/22/08 04:24p <DIR> d-------- C:\Program Files\Basta Computing2008-02-18 09:47 . 02/18/08 09:47a <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard2008-02-18 09:47 . 02/13/07 08:23p 103,424 --a------ C:\WINNT\system32\hpzpnp.dll2008-02-18 09:47 . 08/31/06 07:34p 33,792 --a------ C:\WINNT\system32\HPZIPR12.DLL2008-02-18 09:47 . 09/01/06 02:29p 30,208 --a------ C:\WINNT\system32\HPZIPT12.DLL2008-02-18 09:47 . 09/01/06 03:18p 20,480 --a------ C:\WINNT\system32\HPZISN12.DLL.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-02-28 20:43 --------- d-----w C:\Program Files\Yahoo!2008-02-28 19:54 --------- d--h--w C:\Program Files\InstallShield Installation Information2008-02-25 18:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy2008-02-25 18:26 --------- d-----w C:\Program Files\NavNT2008-02-25 18:19 --------- d-----w C:\Program Files\Google2008-02-22 22:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2008-02-21 16:37 --------- d-----w C:\Program Files\MailFrontier2008-02-20 20:32 --------- d-----w C:\Program Files\Common Files\Adobe2007-12-10 17:39 575,488 ----a-w C:\WINNT\system32\WININET.DLL2007-12-05 10:40 631,056 ----a-w C:\WINNT\system32\OLEAUT32.DLL2004-07-15 14:37 271 ---h--w C:\Program Files\desktop.ini2004-07-15 14:37 21,952 ---h--w C:\Program Files\folder.htt2000-07-26 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/18/07 04:59p 68856]"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a 2097488][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p 111376 C:\WINNT\system32\mobsync.exe]"TCASUTIEXE"="TCAUDIAG -off" []"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/01 07:59a 73728]"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe" [05/04/04 02:21a 176128]"HPHUPD05"="C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [03/31/04 11:34p 49152]"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/22/03 08:38a 241664]"HPHmon05"="C:\WINNT\system32\hphmon05.exe" [05/04/04 05:17p 491520]"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [02/16/05 10:11p 49152]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/07 03:00a 132496]"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/08 10:16p 39792][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 02:05p 186640][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]PCANotify.dll 11/02/01 09:50a 24636 C:\WINNT\system32\PCANotify.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12.Contents of the 'Scheduled Tasks' folder"2008-02-28 20:36:03 C:\WINNT\Tasks\HP Usg Daily.job"- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe.**************************************************************************catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-02-28 16:42:29Windows 5.0.2195 Service Pack 4 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfully hidden files: 0 **************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------PROCESS: C:\WINNT\system32\winlogon.exe-> C:\WINNT\system32\NavLogon.dll.Completion time: 02/28/2008 16:43:25ComboFix-quarantined-files.txt 2008-02-28 21:43:08.2008-02-13 08:03:59 --- E O F --- *************************************************************************************************Here is the HJT Log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:51:10 PM, on 2/28/2008Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Boot mode: NormalRunning processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Symantec\pcAnywhere\awhost32.exeC:\Program Files\NavNT\defwatch.exeC:\WINNT\System32\svchost.exeC:\Program Files\NavNT\rtvscan.exeC:\WINNT\System32\svchost.exeC:\WINNT\system32\regsvc.exeC:\WINNT\system32\MSTask.exeC:\WINNT\System32\WBEM\WinMgmt.exeC:\WINNT\system32\svchost.exeC:\Program Files\NavNT\vptray.exeC:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\WINNT\system32\hphmon05.exeC:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exeC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Documents and Settings\All Users\Start Menu\Programs\Startup\YacsMon.exeC:\Program Files\Java\jre1.6.0_02\bin\jucheck.exeC:\WINNT\System32\svchost.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\WINNT\explorer.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)O1 - Hosts: 90.0.1.42 mainserverO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocxO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -offO4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exeO4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exeO4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exeO4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\system32\hphmon05.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')O4 - Global Startup: YacsMon.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htmO9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htmO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO16 - DPF: {037790A6-1576-11D6-903D-00105AABADD3} (Seagull Web-to-Host Control Module v4) - https://www.ussco.com/bluezone/controls/sglw2hcm.ocxO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocxO16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3O17 - HKLM\System\CS1\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3O17 - HKLM\System\CS2\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exeO23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exeO23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe--End of file - 6725 bytes****************************************************************************************************Thanks again for your help. Link to post Share on other sites More sharing options...
JeanInMontana Posted February 29, 2008 ID:14095 Share Posted February 29, 2008 Hi you don't have anything showing for malware. You should be able to remove the file using the FileAssassin feature in MBAM. You will find it in the More Tools tab. Also try some basic maintenance stuff like a disk error check, then run defrag. I have been using a free defrag program that seems to do a better job than the built in one. http://www.auslogics.com/en/software Run HJT in scan only mode and put a check next to these:O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)Your also running AdAware 2007 and it has a constant process running that uses a lot of resources.Turn off TeaTimer for now, it may interfere with scanning see the program help files for how to do this.Update MBAM and run a full scan see if anything comes from definition updates. Link to post Share on other sites More sharing options...
Jsmtty Posted March 6, 2008 Author ID:14413 Share Posted March 6, 2008 Thanks Jean,I did all of this. Seems to be helping with the speed. And I'm happy you found no malware. I really appreciate your advice.I am still unable to delete the file for some reason. It's the strangest thing. Since it's not really malware...it's not the end of the world. It's just keeping me from removing an old user from the machine.In the Documents and Settings folder, there are several users. Each user has a + by their name...since their folder contains sub folders. But this one old user has no + by their name...indicating they have no sub-folders. But there IS one sub-folder...and it contains a sub-folder...etc...I've never seen this before. If you have any other suggestions, please share. If you're stumped too...well it's not the end of the world.Thanks again for all of your help. Link to post Share on other sites More sharing options...
JeanInMontana Posted March 6, 2008 ID:14415 Share Posted March 6, 2008 Users aren't removed via Documents & Settings. You do it through the Control Panel and User Accounts. Are you logged on as Administrator? I would suggest you start a new topic on this problem in the PC Help forum. That way others will be able to contribute. HJT threads are restricted to one person responding to avoid confusing the victim of malware with several people giving instructions. Link to post Share on other sites More sharing options...
JeanInMontana Posted March 11, 2008 ID:14655 Share Posted March 11, 2008 The programs below will help to avoid any infections in the future.A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsSince this topic has been resolved it will now be closed.. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts