TechSpot

Freezing with windows xp sp3

By sickoftheshit
Sep 28, 2010
  1. No BSODs; seems like it happens under heavy CPU load, not too sure though. Ran through the 8 step sticky, not sure what to do next.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot. I don't know that your freezes have anything to do with malware and you are very short of information to work on.

    1. How much RAM do you have?
    2. What processes are running at high CPU usage when the system freezes?
    3. Open the Task Manager and look on the lower left corner> how many processes are running?


    Edit: According to DDS, you have 3 copies of AV: AntiVir PersonalEdition Classic Virus Protection *On-access on the system and running. You also have AV: avast! Antivirus *On-access scanning. One of the AV programs needs to be removed and if you keep Avira, you only need one program.
     
  3. sickoftheshit

    sickoftheshit TS Rookie Topic Starter

    1. I have 1.5 gigs of RAM
    2. Can't really tell what is running with the highest CPU usage; what usually uses the most is Chrome, second to TeaTimer (Spybot's registry change monitor), then explorer.
    3. Task Manager says there are 50 processes running currently.


    Edit: Forgot that I also uninstalled Avira last week and replaced it with Avast. I don't understand why it is still running since I did a full uninstall on it.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    RAM: 1.5GB of RAM for Windows XP should be enough> If all the chips are good.
    Running Processes:
    Open the Task Manager: Right click on Taskbar> Task Manager> Processes tab> double click top frame of CPU column. This will sort in Descending order and allow you to see which processes are using excess CPU.

    Best baseline is this:
    Prepare the system for shutdown by closing any active Windows and email> but don't shutdown yet> open the Task Manager and check the CPU column> the only processes you should see running at this point are taskmgr, system and System Idle. These 3 should add up to 100%.

    50 running processes is excessive. I have 36 usually, with email minimized but open and Firefox running with 6-7 tabs loaded. FF runs at 2-3% CPU but is a high memory user.
    None of the following need to start on boot and run in the background:
    Java
    Calmain- Canon
    BitTorrent
    Windows Media Player
    Adobe Reader
    MS Works Update
    QuickTime
    Picasa
    Printer or All-in-one
    Camera
    Scanner
    Any auto updates except for antivirus
    Cyberlink


    Any processes for these and related media can be stopped from starting up by unchecking them on the Startup Menu:

    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Click on Apply> OK when finished.

    NOTE: When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

    Recommend you disable Tea Timer. These 'Real Time' processes are all big resource hogs! Go ahead and make any changes you want, then run the following program> if there are 'left over' entries, I can remove them using script in Combofix:
    ==========================================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please PASTE the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
     
  5. sickoftheshit

    sickoftheshit TS Rookie Topic Starter

    ComboFix 10-09-29.04 - Owner 09/30/2010 14:21:34.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1112 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
    AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00C8-0D24-347CA8A3377C}
    AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00C8-0D24-347CA8A3377C}
    AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00EB-0D24-347CA8A3377C}
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\skinboxer43.dll
    I:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-30 )))))))))))))))))))))))))))))))
    .

    2010-09-27 15:57 . 2010-09-27 15:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-09-27 15:57 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-27 15:57 . 2010-09-27 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-27 15:57 . 2010-09-27 15:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-27 15:57 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-24 22:45 . 2010-09-24 22:45 -------- d-----w- c:\documents and settings\Owner\Application Data\.minecraft server
    2010-09-24 22:41 . 2010-09-20 09:55 232504 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\minecraft.exe
    2010-09-24 22:41 . 2010-09-20 04:30 195072 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\OpenAL64.dll
    2010-09-24 22:41 . 2010-09-20 04:30 108032 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\OpenAL32.dll
    2010-09-24 22:41 . 2010-09-20 04:30 237568 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\lwjgl.dll
    2010-09-24 22:41 . 2010-09-20 04:30 65024 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\jinput-dx8_64.dll
    2010-09-24 22:41 . 2010-09-20 04:30 62464 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\jinput-raw_64.dll
    2010-09-24 22:41 . 2010-09-20 04:30 61952 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\jinput-dx8.dll
    2010-09-24 22:41 . 2010-09-20 04:30 59392 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\jinput-raw.dll
    2010-09-24 22:41 . 2010-09-20 04:30 248832 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\lwjgl64.dll
    2010-09-24 22:35 . 2010-09-19 18:18 71 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft server\bin\server_nogui.bat
    2010-09-24 22:35 . 2010-09-19 18:18 65 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft server\bin\server_gui.bat
    2010-09-24 04:54 . 2010-09-27 05:07 -------- d-----w- c:\documents and settings\Owner\Application Data\.minecraft
    2010-09-22 19:32 . 2010-09-22 19:33 -------- d-----w- c:\documents and settings\Owner\Application Data\acccore
    2010-09-22 19:32 . 2010-09-22 19:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AOL
    2010-09-22 19:32 . 2010-09-22 19:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AIM
    2010-09-22 19:32 . 2010-09-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
    2010-09-22 19:32 . 2010-09-22 19:32 -------- d-----w- c:\program files\AIM7
    2010-09-22 19:32 . 2010-09-22 19:32 -------- d-----w- c:\program files\Common Files\Software Update Utility
    2010-09-22 19:32 . 2010-09-22 19:32 -------- d-----w- c:\program files\Common Files\AOL
    2010-09-19 06:58 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-19 06:58 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-19 06:58 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-19 06:58 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-19 06:58 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-19 06:58 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-19 06:58 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-19 06:58 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-19 06:58 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-19 06:58 . 2010-09-19 06:58 -------- d-----w- c:\program files\Alwil Software
    2010-09-19 06:58 . 2010-09-19 06:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-30 18:10 . 2009-10-15 23:44 -------- d-----w- c:\program files\PeerBlock
    2010-09-30 18:03 . 2008-07-17 08:32 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
    2010-09-30 17:52 . 2008-07-17 08:32 -------- d-----w- c:\program files\DNA
    2010-09-30 02:45 . 2008-07-05 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-09-24 22:31 . 2008-07-17 08:32 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
    2010-09-20 19:56 . 2010-06-01 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
    2010-09-20 19:55 . 2008-10-06 09:11 -------- d-----w- c:\program files\Steam
    2010-09-13 02:52 . 2005-10-07 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-12 23:30 . 2005-10-07 05:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-07-29 05:20 . 2010-07-29 05:20 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{9FD6F1A8-5550-46AF-8509-271DF0E768B5}\ARPPRODUCTICON.exe
    2010-07-22 15:49 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57 . 2010-06-06 07:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]
    "Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-31 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2004-12-22 77824]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
    backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMVU.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMVU.lnk
    backup=c:\windows\pss\IMVU.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2008-10-01 16:57 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2005-09-15 02:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
    2009-11-26 07:32 323392 ----a-w- c:\program files\DNA\btdna.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2006-10-27 04:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\masqform.exe]
    2003-12-03 16:43 1052672 ----a-w- c:\program files\PureEdge\Viewer 6.0\masqform.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    2003-09-14 01:36 50688 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2004-09-22 23:10 1871872 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 18:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-11-01 03:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
    2006-10-19 02:58 8704 ------w- c:\program files\Windows Media Connect 2\WMCCFG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\dxdiag.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
    "c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Flock\\flock\\flock.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
    "c:\\Program Files\\City of Heroes\\CohUpdater.exe"=
    "c:\\Program Files\\City of Heroes\\CovUpdater.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Diablo II\\Game.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Last.fm\\LastFM.exe"=
    "c:\\Program Files\\Starcraft\\StarCraft.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\world of goo demo\\WorldOfGoo.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\coil\\coil.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\battleforge\\Bootstrapper.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\battleforge\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
    "c:\\Program Files\\Steam\\steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\beat hazard\\BeatHazard.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
    "c:\\Program Files\\AIM7\\aim.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "54235:TCP"= 54235:TCP:utorrent
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "6112:TCP"= 6112:TCP:Blizzard Downloader
    "1119:TCP"= 1119:TCP:Blizzard Downloader
    "1120:TCP"= 1120:TCP:Blizzard Downloader

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundRouterRequest"= 1 (0x1)
    "AllowOutboundParameterProblem"= 1 (0x1)

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/19/2010 2:58 AM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/19/2010 2:58 AM 17744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2009 11:17 PM 133104]
    S3 ms6823;IEEE802.11b Wireless USB Adapter;c:\windows\system32\drivers\ms6823.sys [6/10/2004 11:47 AM 55168]
    S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [10/15/2009 7:44 PM 14424]
    S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);c:\windows\system32\drivers\ZD1201U.sys [10/9/2005 9:13 PM 38656]
    S3 ZDNDIS5;ZDNDIS5 Protocol Driver;\??\c:\windows\system32\ZDNDIS5.SYS --> c:\windows\system32\ZDNDIS5.SYS [?]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/17/2006 5:10 PM 685816]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-30 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-02 17:59]

    2010-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 03:17]

    2010-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 03:17]

    2010-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-527237240-839522115-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-12 19:22]

    2010-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-527237240-839522115-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-12 19:22]

    2010-09-30 c:\windows\Tasks\User_Feed_Synchronization-{1E9CDD39-C4DE-4C7A-A50E-909F4FD9036D}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://reddit.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Open in new background tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?3a0ccd14859942adaad3686a121d424c
    IE: Open in new foreground tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?3a0ccd14859942adaad3686a121d424c
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
    DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
    DPF: {DE3135A8-D948-49DC-ABBC-B2EFF418E5FD} - hxxp://www.iradiopop.com/IRD/pages/AIRJ01FPlayer.CAB
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tfpn17v7.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tfpn17v7.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
    FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Picasa2\npPicasa2.dll
    FF - plugin: c:\program files\Picasa2\npPicasa3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-nwiz - nwiz.exe
    MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
    MSConfigStartUp-nwiz - nwiz.exe
    AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-30 14:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(492)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-09-30 14:29:29
    ComboFix-quarantined-files.txt 2010-09-30 18:29

    Pre-Run: 51,920,400,384 bytes free
    Post-Run: 51,882,348,544 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

    - - End Of File - - E1E7DFEC3AF59352AC6ADCFE1D3D70F0
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The removal of this entry in Combofix indicates that you have used an infected USB Drive: I:\Autorun.inf That drive will also need to be infected.

    Please tell me the use of and the download source for this and its associated files:
    c:\documents and settings\Owner\Application Data\.minecraft server

    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\ZDNDIS5.SYS

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "54235:TCP"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundRouterRequest"=-
    "AllowOutboundParameterProblem"=-
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMVU.lnk]
    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

    SecCenter::
    {00000000-0000-0000-0000-000000000000}
    {804FD0EC-FFA4-00C8-0D24-347CA8A3377C}
    {804FD2B8-FFA4-00C8-0D24-347CA8A3377C}
    {804FD2B8-FFA4-00EB-0D24-347CA8A3377C}

    Driver::
    ZDNDIS5

    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    You have 3 outdated versions of Java. These are all vulnerabilities. Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    ================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===============================
    P2P or 'file sharing' Warning:
    I note that you are running both BitTorrent and uTorrent. These will keep you 'sick off'- guaranteed! I suggest that you uninstall both:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
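As an added example (not the helper's own script or ComboFix's code), the Python below parses the "AV:" header lines of a ComboFix log, flags products registered under more than one Security Center GUID, products no longer installed, and products whose on-access scanning is off, and drafts the SecCenter:: and Registry:: sections in the CFScript layout used in this thread. The sample log lines and the `installed` set are constructed for the example; the `"name"=-` delete syntax is the one the thread's script uses.

```python
import re
from collections import Counter

# Constructed sample: the "AV:" header lines in the layout ComboFix prints,
# with the GUIDs quoted in the thread's log (one live AV, four stale records).
SAMPLE_LOG = """\
ComboFix 10-09-29.04 - Owner 09/30/2010 14:21:34.1.1 - x86
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00C8-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00C8-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00EB-0D24-347CA8A3377C}
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
"""

# One "AV:" line: product name, on-access state, update state, Security Center GUID.
AV_LINE = re.compile(
    r"^AV:\s+(?P<name>.+?)\s+\*On-access scanning (?P<state>enabled|disabled)\*"
    r"\s+\((?P<updated>\w+)\)\s+\{(?P<guid>[0-9A-Fa-f-]{36})\}\s*$"
)

# Registry key the thread's CFScript edits to drop stale firewall port exceptions.
PORTS_KEY = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
             r"\standardprofile\GloballyOpenPorts\List]")


def parse_av_lines(log_text):
    """Return one dict per 'AV:' registration line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = AV_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def duplicate_products(entries):
    """Products registered under more than one GUID (sorted by name)."""
    counts = Counter(e["name"] for e in entries)
    return sorted(name for name, n in counts.items() if n > 1)


def stale_registrations(entries, installed):
    """GUIDs whose product is not in `installed`: records an uninstaller left
    behind in Security Center, the case the thread's SecCenter:: block fixes."""
    return [e["guid"] for e in entries if e["name"] not in installed]


def disabled_products(entries):
    """Installed-looking products whose on-access scanner is reported off."""
    return sorted({e["name"] for e in entries if e["state"] == "disabled"})


def build_cfscript(stale_guids, open_ports=()):
    """Draft CFScript text: a Registry:: block deleting GloballyOpenPorts
    values ('"name"=-' deletes a value) and a SecCenter:: block of GUIDs."""
    lines = []
    if open_ports:
        lines.append("Registry::")
        lines.append(PORTS_KEY)
        lines.extend('"%s"=-' % port for port in open_ports)
        lines.append("")
    if stale_guids:
        lines.append("SecCenter::")
        lines.extend("{%s}" % guid for guid in stale_guids)
        lines.append("")
    return "\n".join(lines)


def audit(log_text, installed):
    """Summarise what a helper would look for before writing the script."""
    entries = parse_av_lines(log_text)
    return {
        "registrations": len(entries),
        "duplicates": duplicate_products(entries),
        "stale": stale_registrations(entries, installed),
        "disabled": disabled_products(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, installed={"avast! Antivirus"})
    print(report)
    print(build_cfscript(report["stale"], open_ports=["54235:TCP"]))
```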
     