Full Version: Ranchand's log file
ranchhand

Hi All,

I am at my daughter's apartment at college in Phoenix, and her computer is running real slow and balky. I took a load of garbage off her drive, but I suspect the three O16 DPF entries in the log below. I have had no experience with this particular thing, and I have to leave tomorrow afternoon. I would research it on the internet, but she can go to some pages and not others. Yes, I know, she is not updated, and I am going to take care of that soon with a new computer I am building for her. I will update the SPs tomorrow morning.

If anyone could fill me in on these DPFs (or anything else you see) I would appreciate it. Thanks friends!


Logfile of HijackThis v1.99.1
Scan saved at 2:39:06 PM, on 5/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
F:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
F:\WINDOWS\Mixer.exe
F:\WINDOWS\System32\carpserv.exe
F:\Program Files\D-Link\Air Utility\AirCFG.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\D-Link AirPlus G\AirPlus.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
F:\Program Files\WZCBDL Service\WZCBDLS.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\aaaSECURITY\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Pop3trap.exe] "F:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "F:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [D-Link Air Utility] F:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - F:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - F:\Program Files\WZCBDL Service\WZCBDLS.exe

HKEd
Hi Bob... that's very clean despite there being no updates installed.

The DPF CLSIDs are not going anywhere - they have no associated files. I Googled one of them and it was casino-related. You can fix them (disable TeaTimer first), but I doubt they have anything to do with the slowness.

Run a SilentRunners log by me so I can check for anything that may be lurking in the depths.
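The point above (an O16 DPF entry whose CLSID has no file or URL after the dash is an orphaned registration, not running code) can be checked mechanically. The following is an added example, not a tool from this thread or from HijackThis itself: a small parser for HijackThis log lines that pulls out the O2, O4, O16 and O23 entries, lists O16 entries with no associated source, and, as a related check, lists O4 autoruns that name a bare executable with no path (those resolve through the search path at logon). The sample log is constructed from lines in the log above plus one made-up complete O16 line (the {00000000-...} CLSID and example.invalid URL are placeholders) so the contrast between an orphaned and a populated entry shows up.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines taken from the HijackThis log above, plus one
# made-up complete O16 line (placeholder CLSID and URL) for contrast.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [CARPService] carpserv.exe
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] F:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} -
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Control) - http://example.invalid/control.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# One regex per HijackThis section we care about.
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]{36})\}(?: \((.*?)\))? -\s*(.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) \((\w+)\) - (.*?) - (.*)$")


@dataclass
class Entry:
    kind: str    # "O2", "O4", "O16" or "O23"
    key: str     # CLSID, Run value name, or service short name
    target: str  # DLL path, command line, download URL, or service binary
    extra: str   # friendly name / hive / vendor, depending on kind


def parse_hjt(text: str) -> List[Entry]:
    """Parse the recognised line types of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m.group(2).upper(), m.group(3), m.group(1)))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m.group(3), m.group(4), f"{m.group(1)}\\{m.group(2)}"))
        elif m := O16_RE.match(line):
            entries.append(Entry("O16", m.group(1).upper(), m.group(3), m.group(2) or ""))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m.group(2), m.group(4), m.group(3)))
    return entries


def orphaned_dpf(entries: List[Entry]) -> List[str]:
    """CLSIDs of O16 entries with no source after the dash: a registration
    in the Code Store Database with nothing to load, so not a cause of
    slowness by itself, but still worth clearing."""
    return [e.key for e in entries if e.kind == "O16" and not e.target.strip()]


def bare_name_autoruns(entries: List[Entry]) -> List[str]:
    """O4 Run entries whose command is a bare file name (no drive or
    directory). Such entries are resolved via the search path at logon, so a
    same-named file dropped earlier in that path would run instead."""
    out = []
    for e in entries:
        if e.kind != "O4":
            continue
        exe = e.target.strip().split()[0].strip('"')
        if "\\" not in exe and ":" not in exe:
            out.append(exe)
    return out


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("orphaned O16 CLSIDs:", orphaned_dpf(parsed))
    print("bare-name O4 autoruns:", bare_name_autoruns(parsed))
```

Run it over a real log by reading the file into `parse_hjt` instead of `SAMPLE_LOG`. An O16 line that does carry a URL is the one to look at more closely; an empty one only tells you a CLSID is registered with no file behind it.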
ranchhand
Thanks Ed, much appreciated. My daughter standing next to me says "thanks" also.

These DPFs keep coming back on reboot, that makes me suspicious. And when I fix them with HT, the computer visibly starts to run faster. That also makes me suspicious. Anyway, here is Silent Runner log:


"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Pop3trap.exe" = ""F:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"" ["Trend Micro Inc."]
"WebTrapNT.exe" = ""F:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"" ["Trend Micro Inc."]
"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc."]
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"D-Link Air Utility" = "F:\Program Files\D-Link\Air Utility\AirCFG.exe" ["D-Link"]
"iTunesHelper" = "F:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""F:\WINDOWS\System32\rundll32.exe" "F:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Trend Micro\PC-cillin 2000\Tmdshell.dll" ["Trend Micro Inc."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Trend Micro\PC-cillin 2000\VBProp.dll" ["Trend Micro Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "F:\Documents and Settings\Ellena Phillips\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Ellena Phillips" & "All Users" startup folders:
-----------------------------------------------------------------

F:\Documents and Settings\All Users\Start Menu\Programs\Startup
"D-Link AirPlus G Configuration Utility" -> shortcut to: "F:\Program Files\D-Link AirPlus G\AirPlus.exe" ["D-Link"]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "F:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "F:\Program Files\AIM\aim.exe" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

iPod Service, iPodService, "F:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Trend NT Realtime Service, Tmntsrv, ""F:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe"" ["Trend Micro Inc."]
WZCBDL Service, WZCBDLService, "F:\Program Files\WZCBDL Service\WZCBDLS.exe" ["D-Link"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
HKEd
Hi to your daughter.

TeaTimer prevents changes to the registry. That's why those O16s come back. They never went away.

Here's how to disable it:

http://russelltexas.com/malware/teatimer.htm
ranchhand
Thanks again, Ed. That did it. I forgot Teatimer was activated.
HKEd
Yer welcome.