Strange File I Can't Delete


Jsmtty

Hello,

My machine is moving very slowly and has me a little worried, especially when I start up IE. I've also found a file I can't delete. It looks like this:

C:\Documents and Settings\ShannonC\Local Settings\Temp\Temporary Internet Files\Content.IE5\4DAF8HUJ\activity;src=998766;met=1;v=1;pid=14258645... ...;ecn2=1;etm2=0;eid3=11;e[1].gif

I'm not really sure how to proceed, so I figured I'd come ask the expert first. Thanks for any advice you can offer.

Here is an mbam-log:

Malwarebytes' Anti-Malware 1.05

Database version: 404

Scan type: Full Scan (C:\|)

Objects scanned: 47823

Time elapsed: 24 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

**************************************************************************

Here is the Panda Scan log:

Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\PaulaW\Cookies\paulaw@atdmt[2].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\PaulaW\Cookies\paulaw@com[2].txt

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\PaulaW\Cookies\paulaw@perf.overture[1].txt

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\PaulaW\Cookies\paulaw@realmedia[2].txt

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\PaulaW\Cookies\paulaw@server.iad.liveperson[2].txt

********************************************************************************

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:55:33 PM, on 2/25/2008

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\NavNT\vptray.exe

C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINNT\system32\hphmon05.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\YacsMon.exe

C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 90.0.1.42 mainserver

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\system32\hphmon05.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: YacsMon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {037790A6-1576-11D6-903D-00105AABADD3} (Seagull Web-to-Host Control Module v4) - https://www.ussco.com/bluezone/controls/sglw2hcm.ocx

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3

O17 - HKLM\System\CS1\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3

O17 - HKLM\System\CS2\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

--

End of file - 6553 bytes


OK, I need to know if this item YacsMon.exe comes from DeRamp Software or another source. It can be safe and harmless, or it can be a nasty infection known as LOP. The file you can't delete has an image extension. You can scan both files at http://www.virustotal.com/, and I would love that: upload them, scan, and post the results here.


Hi Jean,

The YacsMon program is from DeRamp. It was intentionally installed on this machine. I scanned it at virustotal.com anyway. It looked clean. The other file is acting like it doesn't even "exist". I can't even upload it at virustotal.com. Like it's not even there.

Any other ideas? Thanks for your help !


OK, if you can't find it, how do you know it was ever there? Do you have the system set to show hidden files and folders?

Please set your system to show all files:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View tab.

Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Or did you empty temp files and it is gone? Get this program and run a good cleanup with it: http://www.ccleaner.com/download

Then let's have a look with this:

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe

Or from here:

http://www.techsupportforum.com/sectools/combofix.exe

2. Double-click combofix.exe. It will be a red icon with a white X on your desktop.

Follow the prompts; you will get a blue cmd prompt screen and a choice of Y or N. Choose Y and hit Enter.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HiJack log in your next reply.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Ok...first of all...The "strange" file that I can't delete is keeping me from removing a user account on this machine. I can locate the file in Windows Explorer...I just can't "do" anything with it...including uploading it to virustotal.com. Does that describe the first problem a little better?

Ok - the second thing is the speed. This machine just seems to be running abnormally slow.

I ran ccleaner.

Here is the ComboFix Log...You'll see more than me...but I do want to get rid of the Yahoo toolbar I see:

ComboFix 08-02-25.3 - PaulaW 02/28/2008 16:40:27.1 - NTFSx86

Running from: C:\Documents and Settings\All Users\Desktop\DownLoads\MalwareBytes\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINNT\Web\default.htt

.

((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))

.

2008-02-28 16:40 . 02/28/08 04:40p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_334.dat

2008-02-28 15:42 . 02/28/08 03:43p <DIR> d-------- C:\Program Files\CCleaner

2008-02-25 15:12 . 02/25/08 03:12p <DIR> d-------- C:\Program Files\Trend Micro

2008-02-25 14:27 . 02/25/08 02:27p <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-02-25 14:27 . 02/25/08 02:27p <DIR> d-------- C:\Documents and Settings\PaulaW\Application Data\Malwarebytes

2008-02-25 14:27 . 02/25/08 02:27p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-02-25 12:56 . 06/05/07 10:56a 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS

2008-02-25 12:40 . 02/25/08 01:55p <DIR> d-------- C:\WINNT\system32\ActiveScan

2008-02-25 12:40 . 02/25/08 12:51p 30,590 --a------ C:\WINNT\system32\pavas.ico

2008-02-25 12:40 . 02/25/08 12:51p 2,550 --a------ C:\WINNT\system32\Uninstall.ico

2008-02-25 12:40 . 02/25/08 12:51p 1,406 --a------ C:\WINNT\system32\Help.ico

2008-02-22 17:06 . 02/22/08 05:04p 691,545 --a------ C:\WINNT\unins000.exe

2008-02-22 17:06 . 02/22/08 05:06p 2,542 --a------ C:\WINNT\unins000.dat

2008-02-22 16:25 . 02/22/08 04:25p <DIR> d-------- C:\Documents and Settings\PaulaW\Application Data\Basta Computing

2008-02-22 16:24 . 02/22/08 04:24p <DIR> d-------- C:\Program Files\Basta Computing

2008-02-18 09:47 . 02/18/08 09:47a <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard

2008-02-18 09:47 . 02/13/07 08:23p 103,424 --a------ C:\WINNT\system32\hpzpnp.dll

2008-02-18 09:47 . 08/31/06 07:34p 33,792 --a------ C:\WINNT\system32\HPZIPR12.DLL

2008-02-18 09:47 . 09/01/06 02:29p 30,208 --a------ C:\WINNT\system32\HPZIPT12.DLL

2008-02-18 09:47 . 09/01/06 03:18p 20,480 --a------ C:\WINNT\system32\HPZISN12.DLL

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-28 20:43 --------- d-----w C:\Program Files\Yahoo!

2008-02-28 19:54 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-02-25 18:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-02-25 18:26 --------- d-----w C:\Program Files\NavNT

2008-02-25 18:19 --------- d-----w C:\Program Files\Google

2008-02-22 22:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-02-21 16:37 --------- d-----w C:\Program Files\MailFrontier

2008-02-20 20:32 --------- d-----w C:\Program Files\Common Files\Adobe

2007-12-10 17:39 575,488 ----a-w C:\WINNT\system32\WININET.DLL

2007-12-05 10:40 631,056 ----a-w C:\WINNT\system32\OLEAUT32.DLL

2004-07-15 14:37 271 ---h--w C:\Program Files\desktop.ini

2004-07-15 14:37 21,952 ---h--w C:\Program Files\folder.htt

2000-07-26 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/18/07 04:59p 68856]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p 111376 C:\WINNT\system32\mobsync.exe]

"TCASUTIEXE"="TCAUDIAG -off" []

"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/01 07:59a 73728]

"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe" [05/04/04 02:21a 176128]

"HPHUPD05"="C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [03/31/04 11:34p 49152]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/22/03 08:38a 241664]

"HPHmon05"="C:\WINNT\system32\hphmon05.exe" [05/04/04 05:17p 491520]

"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [02/16/05 10:11p 49152]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/07 03:00a 132496]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/08 10:16p 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 02:05p 186640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

PCANotify.dll 11/02/01 09:50a 24636 C:\WINNT\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

"2008-02-28 20:36:03 C:\WINNT\Tasks\HP Usg Daily.job"

- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-28 16:42:29

Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe

-> C:\WINNT\system32\NavLogon.dll

.

Completion time: 02/28/2008 16:43:25

ComboFix-quarantined-files.txt 2008-02-28 21:43:08

.

2008-02-13 08:03:59 --- E O F ---

********************************************************************************

Here is the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:51:10 PM, on 2/28/2008

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\NavNT\vptray.exe

C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINNT\system32\hphmon05.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\YacsMon.exe

C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINNT\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O1 - Hosts: 90.0.1.42 mainserver

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\system32\hphmon05.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: YacsMon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {037790A6-1576-11D6-903D-00105AABADD3} (Seagull Web-to-Host Control Module v4) - https://www.ussco.com/bluezone/controls/sglw2hcm.ocx

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3

O17 - HKLM\System\CS1\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3

O17 - HKLM\System\CS2\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

--

End of file - 6725 bytes

********************************************************************************

Thanks again for your help.


Hi, you don't have anything showing for malware. You should be able to remove the file using the FileAssassin feature in MBAM. You will find it in the More Tools tab. Also try some basic maintenance stuff like a disk error check, then run defrag. I have been using a free defrag program that seems to do a better job than the built-in one. http://www.auslogics.com/en/software

Run HJT in scan only mode and put a check next to these:

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

You're also running Ad-Aware 2007, and it has a constant process running that uses a lot of resources.

Turn off TeaTimer for now; it may interfere with scanning. See the program help files for how to do this.

Update MBAM and run a full scan; see if anything comes from the definition updates.

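A small triage script for the HijackThis log format used in this thread, added here as an example (it is not part of HijackThis, Malwarebytes or this forum's tooling): it parses the entry lines, flags the "(no file)" orphans ticked above, lists the O1 hosts overrides and O17 name servers, and pulls out autostart entries that have no full path (the YacsMon.exe question earlier in the thread). The sample is a constructed excerpt of lines copied from the posted log.

```python
import re

# Constructed excerpt: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
C:\WINNT\System32\smss.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 90.0.1.42 mainserver
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: YacsMon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BFA9236-E346-42FF-BC7E-66C7F96BCCE3}: NameServer = 90.0.1.42,65.17.128.3
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")      # "O4 - <body>"
USER_SUFFIX_RE = re.compile(r" \(User '[^']*'\)$")  # trailing "(User '...')"
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")          # a drive-rooted path

def parse_hjt(text):
    """Return (section, body) pairs for entry lines; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def orphaned_entries(entries):
    """Entries HJT marks '(no file)': the registry still points at a DLL
    that is gone (the leftover Yahoo! Toolbar here). Dead pointers like
    these are what the 'scan only, tick and fix' step removes."""
    return [(sec, body) for sec, body in entries if body.endswith("(no file)")]

def hosts_overrides(entries):
    """O1 entries as (ip, hostname). Each should be a mapping the owner
    recognises; an unexpected one silently redirects that name."""
    out = []
    for sec, body in entries:
        if sec == "O1" and body.startswith("Hosts: "):
            ip, host = body[len("Hosts: "):].split(None, 1)
            out.append((ip, host))
    return out

def name_servers(entries):
    """O17 DNS servers, de-duplicated across the CCS/CS1/CS2 control sets."""
    seen = []
    for sec, body in entries:
        if sec == "O17" and "NameServer = " in body:
            for ip in body.split("NameServer = ", 1)[1].split(","):
                if ip.strip() and ip.strip() not in seen:
                    seen.append(ip.strip())
    return seen

def autostart_commands(entries):
    """O4 entries as (location, value name, command). Run-key entries carry
    the value name in [brackets]; startup-folder entries are a bare file name."""
    out = []
    for sec, body in entries:
        if sec != "O4":
            continue
        location, _, rest = body.partition(": ")
        rest = USER_SUFFIX_RE.sub("", rest)
        name = ""
        if rest.startswith("["):
            name, _, rest = rest[1:].partition("] ")
        out.append((location, name, rest.strip()))
    return out

def bare_autostarts(entries):
    """Autostart commands with no drive-rooted path. These resolve through the
    search path or a startup folder, so locate the binary and confirm its
    publisher (the YacsMon.exe question in this thread) before trusting it."""
    return [cmd for _, _, cmd in autostart_commands(entries)
            if not DRIVE_PATH_RE.search(cmd)]

def triage(text):
    """The points a reviewer checks first, keyed by finding type."""
    entries = parse_hjt(text)
    return {"orphaned": orphaned_entries(entries), "hosts": hosts_overrides(entries),
            "dns": name_servers(entries), "bare_autostarts": bare_autostarts(entries)}
```

Calling `triage(SAMPLE_LOG)` on the excerpt yields the two orphaned Yahoo! Toolbar entries, the single hosts mapping, two name servers, and `TCAUDIAG -off` plus `YacsMon.exe` as the autostarts to locate and verify.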

Thanks Jean,

I did all of this. Seems to be helping with the speed. And I'm happy you found no malware. I really appreciate your advice.

I am still unable to delete the file for some reason. It's the strangest thing. Since it's not really malware...it's not the end of the world. It's just keeping me from removing an old user from the machine.

In the Documents and Settings folder, there are several users. Each user has a + by their name...since their folder contains sub folders. But this one old user has no + by their name...indicating they have no sub-folders. But there IS one sub-folder...and it contains a sub-folder...etc...

I've never seen this before. If you have any other suggestions, please share. If you're stumped too...well it's not the end of the world.

Thanks again for all of your help.


Users aren't removed via Documents & Settings. You do it through the Control Panel and User Accounts. Are you logged on as Administrator? I would suggest you start a new topic on this problem in the PC Help forum. That way others will be able to contribute. HJT threads are restricted to one person responding to avoid confusing the victim of malware with several people giving instructions.


The programs below will help to avoid any infections in the future.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

Since this topic has been resolved, it will now be closed.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
