Freezing with Windows XP SP3

No BSODs; it seems to happen under heavy CPU load, though I'm not too sure. I ran through the 8-step sticky and am not sure what to do next.
 

Attachments:
  • Mbam log.txt (1.6 KB)
  • Attach.txt (16.2 KB)
  • DDS.txt (15.6 KB)
  • GMERLOG.log (18.5 KB)
Welcome to TechSpot. I don't know that your freezes have anything to do with malware and you are very short of information to work on.

1. How much RAM do you have?
2. What processes are running at high CPU usage when the system freezes?
3. Open the Task Manager and look on the lower left corner> how many processes are running?


Edit: According to DDS, you have 3 copies of AV: AntiVir PersonalEdition Classic Virus Protection *On-access on the system and running. You also have AV: avast! Antivirus *On-access scanning. One of the AV programs needs to be removed and if you keep Avira, you only need one program.
 
1. I have 1.5 GB of RAM.
2. I can't really tell what is running with the highest CPU usage; what usually uses the most is Chrome, second to TeaTimer (Spybot's registry change monitor), then explorer.
3. Task Manager says there are 50 processes running currently.


Edit: I forgot that I also uninstalled Avira last week and replaced it with Avast. I don't understand why it is still running since I did a full uninstall of it.
 
RAM: 1.5 GB of RAM for Windows XP should be enough, if all the chips are good.
Running Processes:
Open the Task Manager: Right click on Taskbar> Task Manager> Processes tab> double click top frame of CPU column. This will sort in Descending order and allow you to see which processes are using excess CPU.

Best baseline is this:
Prepare the system for shutdown by closing any active Windows and email> but don't shutdown yet> open the Task Manager and check the CPU column> the only processes you should see running at this point are taskmgr, system and System Idle. These 3 should add up to 100%.

50 running processes is excessive. I have 36 usually, with email minimized but open and Firefox running with 6-7 tabs loaded. FF runs at 2-3% CPU but is a high memory user.
None of the following need to start on boot and run in the background:
  • Java
  • Calmain- Canon
  • BitTorrent
  • Windows Media Player
  • Adobe Reader
  • MS Works Update
  • QuickTime
  • Picasa
  • Printer or All-in-one
  • Camera
  • Scanner
  • Any auto updates except for antivirus
  • Cyberlink


Any processes for these and related media can be stopped from starting up by unchecking them on the Startup Menu:

To remove entries from Startup using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
  • Click on Selective Startup
  • Choose the Startup tab:
    This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
  • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
  • Click on Apply> OK when finished.

NOTE: When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

Recommend you disable Tea Timer. These 'Real Time' processes are all big resource hogs! Go ahead and make any changes you want, then run the following program> if there are 'left over' entries, I can remove them using script in Combofix:
==========================================
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please PASTE the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
 
ComboFix 10-09-29.04 - Owner 09/30/2010 14:21:34.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1112 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00C8-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00C8-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00EB-0D24-347CA8A3377C}
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\skinboxer43.dll
I:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-30 )))))))))))))))))))))))))))))))
.

2010-09-27 15:57 . 2010-09-27 15:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-09-27 15:57 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-27 15:57 . 2010-09-27 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-27 15:57 . 2010-09-27 15:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-27 15:57 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-24 22:45 . 2010-09-24 22:45 -------- d-----w- c:\documents and settings\Owner\Application Data\.minecraft server
2010-09-24 22:41 . 2010-09-20 09:55 232504 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\minecraft.exe
2010-09-24 22:41 . 2010-09-20 04:30 195072 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\OpenAL64.dll
2010-09-24 22:41 . 2010-09-20 04:30 108032 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\OpenAL32.dll
2010-09-24 22:41 . 2010-09-20 04:30 237568 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\lwjgl.dll
2010-09-24 22:41 . 2010-09-20 04:30 65024 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\jinput-dx8_64.dll
2010-09-24 22:41 . 2010-09-20 04:30 62464 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\jinput-raw_64.dll
2010-09-24 22:41 . 2010-09-20 04:30 61952 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\jinput-dx8.dll
2010-09-24 22:41 . 2010-09-20 04:30 59392 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\jinput-raw.dll
2010-09-24 22:41 . 2010-09-20 04:30 248832 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft\bin\natives\lwjgl64.dll
2010-09-24 22:35 . 2010-09-19 18:18 71 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft server\bin\server_nogui.bat
2010-09-24 22:35 . 2010-09-19 18:18 65 ----a-w- c:\documents and settings\Owner\Application Data\.minecraft server\bin\server_gui.bat
2010-09-24 04:54 . 2010-09-27 05:07 -------- d-----w- c:\documents and settings\Owner\Application Data\.minecraft
2010-09-22 19:32 . 2010-09-22 19:33 -------- d-----w- c:\documents and settings\Owner\Application Data\acccore
2010-09-22 19:32 . 2010-09-22 19:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AOL
2010-09-22 19:32 . 2010-09-22 19:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AIM
2010-09-22 19:32 . 2010-09-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-09-22 19:32 . 2010-09-22 19:32 -------- d-----w- c:\program files\AIM7
2010-09-22 19:32 . 2010-09-22 19:32 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-09-22 19:32 . 2010-09-22 19:32 -------- d-----w- c:\program files\Common Files\AOL
2010-09-19 06:58 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-19 06:58 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-19 06:58 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-19 06:58 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-19 06:58 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-19 06:58 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-19 06:58 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-19 06:58 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-09-19 06:58 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-19 06:58 . 2010-09-19 06:58 -------- d-----w- c:\program files\Alwil Software
2010-09-19 06:58 . 2010-09-19 06:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-30 18:10 . 2009-10-15 23:44 -------- d-----w- c:\program files\PeerBlock
2010-09-30 18:03 . 2008-07-17 08:32 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2010-09-30 17:52 . 2008-07-17 08:32 -------- d-----w- c:\program files\DNA
2010-09-30 02:45 . 2008-07-05 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-24 22:31 . 2008-07-17 08:32 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2010-09-20 19:56 . 2010-06-01 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-09-20 19:55 . 2008-10-06 09:11 -------- d-----w- c:\program files\Steam
2010-09-13 02:52 . 2005-10-07 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-12 23:30 . 2005-10-07 05:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-29 05:20 . 2010-07-29 05:20 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{9FD6F1A8-5550-46AF-8509-271DF0E768B5}\ARPPRODUCTICON.exe
2010-07-22 15:49 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2010-06-06 07:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-31 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 77824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-10-01 16:57 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-09-15 02:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-26 07:32 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 04:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\masqform.exe]
2003-12-03 16:43 1052672 ----a-w- c:\program files\PureEdge\Viewer 6.0\masqform.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-09-14 01:36 50688 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-09-22 23:10 1871872 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 03:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
2006-10-19 02:58 8704 ------w- c:\program files\Windows Media Connect 2\WMCCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Flock\\flock\\flock.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\City of Heroes\\CohUpdater.exe"=
"c:\\Program Files\\City of Heroes\\CovUpdater.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Diablo II\\Game.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\world of goo demo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\coil\\coil.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battleforge\\Bootstrapper.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battleforge\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\beat hazard\\BeatHazard.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54235:TCP"= 54235:TCP:utorrent
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"1119:TCP"= 1119:TCP:Blizzard Downloader
"1120:TCP"= 1120:TCP:Blizzard Downloader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/19/2010 2:58 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/19/2010 2:58 AM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2009 11:17 PM 133104]
S3 ms6823;IEEE802.11b Wireless USB Adapter;c:\windows\system32\drivers\ms6823.sys [6/10/2004 11:47 AM 55168]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [10/15/2009 7:44 PM 14424]
S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);c:\windows\system32\drivers\ZD1201U.sys [10/9/2005 9:13 PM 38656]
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;\??\c:\windows\system32\ZDNDIS5.SYS --> c:\windows\system32\ZDNDIS5.SYS [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/17/2006 5:10 PM 685816]
.
Contents of the 'Scheduled Tasks' folder

2010-09-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-02 17:59]

2010-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 03:17]

2010-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 03:17]

2010-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-527237240-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-12 19:22]

2010-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-527237240-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-12 19:22]

2010-09-30 c:\windows\Tasks\User_Feed_Synchronization-{1E9CDD39-C4DE-4C7A-A50E-909F4FD9036D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://reddit.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?3a0ccd14859942adaad3686a121d424c
IE: Open in new foreground tab - c:\program files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?3a0ccd14859942adaad3686a121d424c
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {DE3135A8-D948-49DC-ABBC-B2EFF418E5FD} - hxxp://www.iradiopop.com/IRD/pages/AIRJ01FPlayer.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tfpn17v7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tfpn17v7.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-nwiz - nwiz.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-30 14:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-09-30 14:29:29
ComboFix-quarantined-files.txt 2010-09-30 18:29

Pre-Run: 51,920,400,384 bytes free
Post-Run: 51,882,348,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - E1E7DFEC3AF59352AC6ADCFE1D3D70F0
 
The removal of this entry in Combofix indicates that you have used an infected USB drive: I:\Autorun.inf. That drive will also need to be disinfected.

Please tell me the use of and the download source for this and its associated files:
c:\documents and settings\Owner\Application Data\.minecraft server

Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\ZDNDIS5.SYS

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54235:TCP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"=-
"AllowOutboundParameterProblem"=-
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMVU.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

SecCenter::
{00000000-0000-0000-0000-000000000000}
{804FD0EC-FFA4-00C8-0D24-347CA8A3377C}
{804FD2B8-FFA4-00C8-0D24-347CA8A3377C}
{804FD2B8-FFA4-00EB-0D24-347CA8A3377C}

Driver::
ZDNDIS5
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
You have 3 outdated versions of Java. These are all vulnerabilities. Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===============================
P2P or 'file sharing' Warning:
I note that you are running both BitTorrent and uTorrent. These will keep you 'sick off'- guaranteed! I suggest that you uninstall both:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
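The points the helper pulled out of the ComboFix log by hand (four stale AntiVir registrations in the Security Center, I:\Autorun.inf removed from a removable drive, three Java runtimes still whitelisted in the firewall, and a globally open port left behind by uTorrent) follow directly from the log's REGEDIT4-style "Reg Loading Points" and "AV:" lines, so they can be checked mechanically. The Python script below is an added example, not code from this thread, from ComboFix or from TechSpot; it parses an excerpt constructed from the log posted above and reports those findings. The log layout and the SecCenter/firewall key names come from the posted log; the finding names ("duplicate-av", "open-port" and so on) and the parser itself are my own.

```python
"""Triage a ComboFix log excerpt the way the helper did by hand in this thread:
stale Security Center registrations, an Autorun.inf removed from a non-system
drive, several Java runtimes whitelisted in the firewall, and open ports."""
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00C8-0D24-347CA8A3377C}
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\skinboxer43.dll
I:\Autorun.inf

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54235:TCP"= 54235:TCP:utorrent
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"""

AV_RE = re.compile(r'^AV: (.+?) \*(.+?)\* .*\{([0-9A-Fa-f-]{36})\}$')  # Security Center line
KEY_RE = re.compile(r'^\[(.+)\]$')                                     # REGEDIT4 key header
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')                          # "name"=data
JRE_RE = re.compile(r'\\jre(\d+\.\d+\.\d+_\d+)\\', re.IGNORECASE)       # ...\jre1.6.0_05\...


def parse_log(text):
    """Return the AV registrations, the deleted paths and the REGEDIT4 key/value pairs."""
    av, deletions, keys = [], [], defaultdict(list)
    section = current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = AV_RE.match(line)
        if m:
            av.append(m.groups())          # (product, on-access state, GUID)
            continue
        if 'Other Deletions' in line:
            section = 'deletions'
            continue
        if line.startswith('(((('):        # any other banner ends the deletions list
            section = None
            continue
        if section == 'deletions':
            deletions.append(line)
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            keys[current_key].append((m.group(1), m.group(2).strip()))
    return {'av': av, 'deletions': deletions, 'keys': dict(keys)}


def triage(parsed):
    """Return (kind, detail) findings mirroring the points raised in the thread."""
    findings = []
    # One product under several GUIDs = stale entries from an uninstalled AV.
    guids = defaultdict(list)
    for product, _state, guid in parsed['av']:
        guids[product].append(guid)
    for product, found in guids.items():
        if len(found) > 1:
            findings.append(('duplicate-av', f'{product}: {len(found)} registrations'))
    # Autorun.inf removed from a drive other than C: points at an infected removable drive.
    for path in parsed['deletions']:
        if path.lower().endswith('autorun.inf') and not path.lower().startswith('c:'):
            findings.append(('removable-autorun', path))
    # Firewall exceptions for several JRE versions show outdated Java installs left behind.
    jre_versions = set()
    for key, values in parsed['keys'].items():
        if key.lower().endswith(r'authorizedapplications\list'):
            for name, _data in values:
                m = JRE_RE.search(name)
                if m:
                    jre_versions.add(m.group(1))
    if len(jre_versions) > 1:
        findings.append(('multiple-jre', ', '.join(sorted(jre_versions))))
    # Globally open inbound ports outlive the program that added them.
    for key, values in parsed['keys'].items():
        if key.lower().endswith(r'globallyopenports\list'):
            findings.extend(('open-port', f'{name} -> {data}') for name, data in values)
    return findings


if __name__ == '__main__':
    for kind, detail in triage(parse_log(SAMPLE_LOG)):
        print(f'{kind:18} {detail}')
```

Run against the full posted log, the same parser reports all four AntiVir GUIDs the helper lists under SecCenter:: and the five ports under GloballyOpenPorts; the Autorun.inf check deliberately ignores C:\ so an autorun file on the system drive is not mistaken for a removable-media infection.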
 