xp pro laptop seems to be infected, can't find source

adaniel · 08-May-2008, 11:02 AM #1

Within the past few days, I noticed my laptop's fan always running high. As I tried to determine the cause, I noticed the following, in order of discovery:

--IE address bar missing, though checked. Searched, found fix. That much is working now.

--When I click My Computer, flashlight displays for up to a minute before drives display.

--Typing an address in IE and hitting GO or <ENTER> seems not to work; but after a minute or so site comes up.

--Windows updates won't run

--Trying to pull down address history takes up to a minute to dispay.

--Using Google, sites come up immediately.

I have run Adaware, Spybot and my McAfee AV scan. The only thing found were tracking cookies.

Thank you in advance for your assistance.

adaniel

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-07 00:07:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 447 MiB (512 MiB recommended).

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:10 AM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\UBL\bin\UBLServ.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\download\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-796845957-861567501-839522115-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-796845957-861567501-839522115-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.daviencrod.org/controls/LTOCX14N.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/...ad/tgctlcm.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/C...ataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/def...jolauncher.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.daviencrod.org/controls/prntpro2.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adasbsw2k.local
O17 - HKLM\Software\..\Telephony: DomainName = adasbsw2k.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{237BBED6-6359-47F4-98E9-8990EE67E7E2}: NameServer = 10.0.100.4,208.216.228.253,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{70B5FB41-8C88-4273-8DCD-936E0154093A}: NameServer = 10.0.100.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{85B98F4F-034D-42C5-B177-273EAA6CF856}: NameServer = 208.216.228.253,208.216.228.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adasbsw2k.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{237BBED6-6359-47F4-98E9-8990EE67E7E2}: NameServer = 10.0.100.4,208.216.228.253,205.152.37.23
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: U/BL Server (UBLService5) - Unknown owner - C:\UBL\bin\UBLServ.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 8218 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - unable to read value
.bat - batfile - shell\open\command - unable to read value
.bat - batfile - shell\edit\command - unable to read value

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>
3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
3 sshvnic (SSH Virtual Network Adapter (sshvnic)) - system32\drivers\sshvnic5.sys (file missing)
2 W55U01 (WINBOND W55U01 USB) - c:\windows\system32\drivers\w55u01.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 BackupExecAgentAccelerator (Backup Exec Remote Agent for Windows Servers) - c:\program files\veritas\backup exec\rant\beremote.exe
2 CVPND (Cisco Systems, Inc. VPN Service) - c:\program files\cisco systems\vpn client\cvpnd.exe
2 HPConfig (HP Configuration Interface Service) - c:\windows\system32\hpconfig.exe <Not Verified; Hewlett-Packard; HPConfig Module>
2 HPWirelessMgr - c:\program files\hpq\notebook utilities\hpwirelessmgr.exe <Not Verified; Hewlett-Packard Co.; HPWirelessMgr Module>
2 Irmon (Infrared Monitor) - c:\windows\system32\svchost.exe
2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe
2 McTaskManager (Network Associates Task Manager) - c:\program files\network associates\virusscan\vstskmgr.exe
2 NICSer_WPC54G - c:\program files\linksys\wireless-g notebook adapter\nicserv.exe
2 UBLService5 (U/BL Server) - c:\ubl\bin\ublserv.exe
2 winvnc (VNC Server) - c:\program files\tightvnc\winvnc.exe

-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Files created between 2008-04-07 and 2008-05-07 -----------------------------

2008-05-07 00:09:50 0 d-------- C:\Program Files\Trend Micro
2008-05-06 23:55:12 0 d-------- C:\ie-spyad_zo
2008-05-06 23:50:16 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 23:49:57 0 d-------- C:\Program Files\SpywareBlaster
2008-05-06 16:27:00 3840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-05-06 16:27:00 0 d-------- C:\Program Files\Belarc
2008-05-06 14:43:07 0 d-------- C:\Program Files\Panda Security
2008-05-06 14:43:03 0 d-------- C:\WINDOWS\LastGood
2008-05-06 00:10:57 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-06 00:10:56 2549 --a------ C:\WINDOWS\unins000.dat
2008-05-04 09:42:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-04 09:42:23 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-04 09:36:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 00:01:18 21879 --a------ C:\TX4210.COM
2008-04-30 23:59:10 18653 --a------ C:\TX4210

-- Find3M Report ---------------------------------------------------------------

2008-05-04 09:36:46 0 d-------- C:\Program Files\Common Files
2008-03-29 18:28:44 0 d-------- C:\Documents and Settings\Administrator.ADASBSW2K\Application Data\Adobe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/14/2002 06:29 PM]
"CARPService"="carpserv.exe" [05/21/2003 04:35 PM C:\WINDOWS\system32\carpserv.exe]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [08/15/2002 07:26 AM]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [01/30/2003 11:53 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/18/2003 11:03 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/18/2003 10:57 PM]
"ATIModeChange"="Ati2mdxx.exe" [08/15/2002 06:18 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [08/26/2002 07:08 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/26/2003 05:25 PM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 01:28 PM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/29/2003 08:10 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [09/10/2003 04:11 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" [05/07/2007 08:28 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5 B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - BANTEXT
*Newly Created Service* - RKPAVPROC

-- End of Deckard's System Scanner: finished at 2008-05-07 00:11:01 ------------

**cybertech** · 09-May-2008, 03:29 PM #2

Hi, welcome to TSG!

I see you have also posted here: http://www.techsupportforum.com/secu...-changing.html

Request for that thread to be closed and I'll help you here, other wise I will close this thread.

adaniel · 09-May-2008, 04:36 PM #3

Good afternoon, cybertech. I have marked the thread at techsupportforum 'solved'. I have used them several times with great success, but still have an open post from back in early April that I have not received help on; so when this one went a couple days with no response, I thought i would seek help elsewhere and found you guys. Thank you for your help.

adaniel

**cybertech** · 09-May-2008, 04:48 PM #4

Download Flash_Disinfector.exe by sUBs and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

adaniel · 09-May-2008, 05:04 PM #5

The only thing I ever attach to this notebook is a flash drive. I have done as requested. It came back momentarily and said "Done!". No indication of results.

There seems to be no change in the symptoms

**cybertech** · 09-May-2008, 05:59 PM #6

Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform Quick Scan, then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy the entire report and paste it in your next reply with a new Hijackthis log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

adaniel · 09-May-2008, 06:39 PM #7

Thank you for your help. I have downloaded and run the scan. As the log appeared on-screen, so did a warning from Spybot.

"Spybot S&D has detected an important registry entry that has been changed. Category: BAT extension handler. Change: Value added: "%1" %* Allow or Deny

How shall I respond?

Getting ready to sit down to dinner with family. Back soon to post MBAM log and new hijack this log

Thanks again

adaniel

**cybertech** · 09-May-2008, 07:32 PM #8

Disable Spybot and run Malwarebytes' .

adaniel · 09-May-2008, 09:45 PM #9

I disabled spybot an reran MBAM. I have included both MBAM logs and a new HJT log. The first MBAM contains references to MyWay; the second scan found no infections.

Thank you for your assistance.

adaniel

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:35 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\UBL\bin\UBLServ.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-796845957-861567501-839522115-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.daviencrod.org/controls/LTOCX14N.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/...ad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/C...ataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/def...jolauncher.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.daviencrod.org/controls/prntpro2.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adasbsw2k.local
O17 - HKLM\Software\..\Telephony: DomainName = adasbsw2k.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{237BBED6-6359-47F4-98E9-8990EE67E7E2}: NameServer = 10.0.100.4,208.216.228.253,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{70B5FB41-8C88-4273-8DCD-936E0154093A}: NameServer = 10.0.100.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{85B98F4F-034D-42C5-B177-273EAA6CF856}: NameServer = 208.216.228.253,208.216.228.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adasbsw2k.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{237BBED6-6359-47F4-98E9-8990EE67E7E2}: NameServer = 10.0.100.4,208.216.228.253,205.152.37.23
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = adasbsw2k.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{237BBED6-6359-47F4-98E9-8990EE67E7E2}: NameServer = 10.0.100.4,208.216.228.253,205.152.37.23
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: U/BL Server (UBLService5) - Unknown owner - C:\UBL\bin\UBLServ.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 7816 bytes

Malwarebytes' Anti-Malware 1.12
Database version: 737

Scan type: Quick Scan
Objects scanned: 48156
Time elapsed: 13 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWay (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\SrchAstt (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\SrchAstt\1.bin (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\SrchAstt\Cache (Adware.MyWay) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER.DAT (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\SrchAstt\Cache\2926623F (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\SrchAstt\Cache\29266510 (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\MyWay\SrchAstt\Cache\files.ini (Adware.MyWay) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.12
Database version: 737

Scan type: Quick Scan
Objects scanned: 48187
Time elapsed: 11 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

adaniel · 09-May-2008, 09:58 PM **#10**

cybertech,

Just a quick note to let you know that I rebooted after my last post. Despite what was found and fixed, the symptoms described in my original post remain.

Thank you for your help,
adaniel

**cybertech** · 10-May-2008, 01:04 PM **#11**

What is C:\TX4210.COM?

adaniel · 10-May-2008, 01:43 PM **#12**

There are several similar files in the root of c:. They are BASIC programs related to legacy applications I support. The extensions are meaningful to me - in this case it stands for "City of Marion". There are *.TOTB, *.TOP, *.ADA, etc; where the extension indicates the client.

Thanks again for taking the time to help me out.

Adaneil

**cybertech** · 10-May-2008, 02:52 PM **#13**

OK.

I don't see any thing in the logs. Are you having any problems?

adaniel · 10-May-2008, 04:29 PM **#14**

cybertech,

All the problems noted in my original post are still there.

--When I click My Computer, flashlight displays for up to a minute before drives display.

--Typing an address in IE and hitting GO or <ENTER> seems not to work; but after a minute or so site comes up.

--Windows updates won't run

--Trying to pull down address history takes up to a minute to display.

--Using Google, sites come up immediately.

The most worrisome, of course, is that Windows Update fails. The last successful update was 4/10/08. I didn't realize that until I started having the other problems last weekend.

Thank you for your help,
adaniel

adaniel · 10-May-2008, 04:49 PM **#15**

I have just noticed another problem. When I double-click events in the app and system event viewer, nothing happens. There are no entries in the Security group.

Thanks again,
adaniel

Search
Search in:
Show Threads Show Posts
Advanced Search

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)