Very slow system! Crawling..

Discussion in 'Windows - Virus and spyware problems' started by mossfan18, May 25, 2011.

  1. mossfan18

    So my sister calls me from another state to tell me her PC is not working, that it is crawling all of a sudden, and that it loads pages extremely slowly. Moreover, it will not allow her to create a system restore point. Whenever she attempts to restore to an earlier date, it just gives the current date. She is running Vista as her OS. Here is her HijackThis log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:11:25 PM, on 2/1/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\Dwm.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil9d.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3612
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3612
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3612
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3612
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 7759 bytes

    If you can see anything, please let me know. If you have any advice or recommendations, please let me know. I had her run Malwarebytes as well. I will post a log of that below.

    Thanks in advance!
     
    Last edited: May 26, 2011
  2. mossfan18

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6668

    Windows 6.0.6000
    Internet Explorer 7.0.6000.17037

    5/24/2011 8:11:45 PM
    mbam-log-2011-05-24 (20-11-45).txt

    Scan type: Quick scan
    Objects scanned: 164245
    Time elapsed: 7 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 32
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{4A40E8FC-C7E4-4F57-9FA4-85DD77402897} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1F158A1E-A687-4a11-9679-B3AC64B86A1C} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{FBB40FDF-B715-4342-AB82-244ECC66E979} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{067C6A37-72EA-4437-863A-5BE20C246F3C} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1F158A1E-A687-4A11-9679-B3AC64B86A1C} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1F158A1E-A687-4A11-9679-B3AC64B86A1C} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{E313F5DC-CFE7-4568-84A4-C76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SeekmoAX.UserProfiles.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SeekmoAX.UserProfiles (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E313F5DC-CFE7-4568-84A4-C76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E5B2693-D348-4CA7-8364-4F5E51BF9C6D} (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6FD31ED6-7C94-4BBC-8E95-F927F4D3A949} (Adware.180Solutions) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E596DF5F-4239-4D40-8367-EBADF0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\HBMain.CommBand (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\HBMain.CommBand.1 (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hbr.HbMain (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hbr.HbMain.1 (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\HostIE.Bho (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\HostIE.Bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Seekmo.DesktopFlash (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Seekmo.DesktopFlash.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SeekmoAX.ClientDetector (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SeekmoAX.ClientDetector.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\SeekmoSA_df.exe (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Secure Delete (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\seekmosa (Adware.Seekmo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\programdata\SeekmoSA (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\Users\jenn\AppData\Roaming\Seekmo (Adware.Seekmo) -> Delete on reboot.
    c:\programdata\microsoft\Windows\start menu\Programs\Seekmo (Adware.Seekmo) -> Quarantined and deleted successfully.

    Files Infected:
    c:\Users\jenn\AppData\Local\Temp\Low\h8srtca3e.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Windows\Temp\tmp0000003db4fd0a9082a73284 (Trojan.Dropper) -> Quarantined and deleted successfully.
    c:\Users\jenn\downloads\Setup.exe (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\SeekmoSA\SeekmoSA.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\SeekmoSA\seekmosaabout.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\SeekmoSA\seekmosaau.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\SeekmoSA\seekmosaeula.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\SeekmoSA\seekmosa_kyf.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\microsoft\Windows\start menu\Programs\Seekmo\reset cursor.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\microsoft\Windows\start menu\Programs\Seekmo\seekmo customer support center.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
     
