TechSpot

PC suddenly slow, lagging, stops responding

Solved
By jaimo
Aug 26, 2011
  1. Hi,

    My PC is suddenly slow and laggy, and occasionally it stops responding when I am online. I haven't had many issues until recently. There are only a handful of websites that I visit when I am online.

    I have perused the 6-step guide posted in this forum, and I will paste my logs below.

    Any help would be greatly appreciated.

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7555

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/24/2011 3:09:37 PM
    mbam-log-2011-08-24 (15-09-37).txt

    Scan type: Quick scan
    Objects scanned: 169137
    Time elapsed: 15 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-26 00:15:31
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST380815AS rev.4.ADA
    Running: v6jqg6lj[1].exe; Driver: C:\DOCUME~1\JAIMO\LOCALS~1\Temp\ufddypog.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 156232128
    Disk \Device\Harddisk0\DR0 PE file @ sector 156232150

    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAA18BBF2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAA18BA5D]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAA1E3398]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by JAIMO at 0:53:17 on 2011-08-26
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.464 [GMT -4:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270398471859
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1270422002265
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
    TCP: Interfaces\{52408063-6109-4531-B654-7716CD04BAF4} : DhcpNameServer = 68.87.71.230 68.87.73.246
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-22 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-8-22 309848]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-8-22 19544]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-8-22 42184]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-12 136176]
    S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11113.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11113.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-12 136176]
    .
    =============== Created Last 30 ================
    .
    2011-08-24 18:53:47 -------- d-----w- c:\documents and settings\jaimo\application data\Malwarebytes
    2011-08-24 18:53:38 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-24 18:53:37 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-08-24 18:53:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-24 18:53:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-24 16:54:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-22 20:08:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-22 20:07:40 40112 ----a-w- c:\windows\avastSS.scr
    2011-08-22 20:07:25 -------- d-----w- c:\program files\AVAST Software
    2011-08-22 20:07:25 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2011-08-11 19:40:11 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-08-11 19:39:30 106928 ----a-w- c:\windows\system32\GEARAspi.dll
    2011-08-10 03:19:29 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 03:19:16 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    .
    ==================== Find3M ====================
    .
    2011-08-10 10:48:56 81984 ----a-w- c:\windows\system32\bdod.bin
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2010-07-24 21:12:55 81408 -c--a-w- c:\program files\taskkill.exe
    .
    ============= FINISH: 0:54:10.32 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/3/2010 1:19:54 AM
    System Uptime: 8/25/2011 9:20:43 AM (15 hours ago)
    .
    Motherboard: Dell Inc. | | 0WJ772
    Processor: Intel(R) Celeron(R) CPU 2.80GHz | Microprocessor | 2792/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 74 GiB total, 15.05 GiB free.
    D: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP534: 6/8/2011 8:10:55 AM - System Checkpoint
    RP535: 6/9/2011 9:12:00 AM - System Checkpoint
    RP536: 6/10/2011 10:10:55 AM - System Checkpoint
    RP537: 6/10/2011 10:32:50 PM - Installed Portfolio Browser
    RP538: 6/11/2011 11:26:33 PM - System Checkpoint
    RP539: 6/13/2011 12:10:55 AM - System Checkpoint
    RP540: 6/14/2011 1:10:55 AM - System Checkpoint
    RP541: 6/15/2011 2:28:36 AM - System Checkpoint
    RP542: 6/16/2011 3:00:23 AM - Software Distribution Service 3.0
    RP543: 6/17/2011 4:09:25 AM - System Checkpoint
    RP544: 6/18/2011 4:41:42 AM - System Checkpoint
    RP545: 6/19/2011 5:41:43 AM - System Checkpoint
    RP546: 6/20/2011 6:41:43 AM - System Checkpoint
    RP547: 6/21/2011 7:41:43 AM - System Checkpoint
    RP548: 6/22/2011 8:41:31 AM - System Checkpoint
    RP549: 6/23/2011 12:53:24 AM - Removed Portfolio Browser
    RP550: 6/24/2011 12:55:02 AM - System Checkpoint
    RP551: 6/25/2011 1:05:32 AM - System Checkpoint
    RP552: 6/25/2011 9:11:03 AM - Removed Google Earth.
    RP553: 6/25/2011 9:12:28 AM - Removed Google Earth Plug-in.
    RP554: 6/26/2011 9:41:32 AM - System Checkpoint
    RP555: 6/27/2011 9:48:10 AM - System Checkpoint
    RP556: 6/28/2011 10:42:37 AM - System Checkpoint
    RP557: 6/29/2011 3:00:23 AM - Software Distribution Service 3.0
    RP558: 6/30/2011 3:00:24 AM - Software Distribution Service 3.0
    RP559: 7/1/2011 4:09:25 AM - System Checkpoint
    RP560: 7/2/2011 4:31:55 AM - System Checkpoint
    RP561: 7/3/2011 5:31:54 AM - System Checkpoint
    RP562: 7/4/2011 6:31:54 AM - System Checkpoint
    RP563: 7/5/2011 6:48:16 AM - System Checkpoint
    RP564: 7/5/2011 11:39:32 PM - Restore Operation
    RP565: 7/5/2011 11:42:53 PM - Restore Operation
    RP566: 7/5/2011 11:44:25 PM - avast! Free Antivirus Setup
    RP567: 7/5/2011 11:51:29 PM - Avira AntiVir Personal - 7/5/2011 23:50
    RP568: 7/7/2011 12:50:14 AM - System Checkpoint
    RP569: 7/8/2011 1:14:23 AM - System Checkpoint
    RP570: 7/9/2011 1:50:02 AM - System Checkpoint
    RP571: 7/10/2011 2:50:03 AM - System Checkpoint
    RP572: 7/11/2011 2:51:07 AM - System Checkpoint
    RP573: 7/12/2011 4:37:07 AM - System Checkpoint
    RP574: 7/13/2011 4:50:04 AM - System Checkpoint
    RP575: 7/14/2011 3:00:33 AM - Software Distribution Service 3.0
    RP576: 7/15/2011 4:09:01 AM - System Checkpoint
    RP577: 7/16/2011 4:18:42 AM - System Checkpoint
    RP578: 7/17/2011 4:33:02 AM - System Checkpoint
    RP579: 7/18/2011 5:33:00 AM - System Checkpoint
    RP580: 7/19/2011 6:33:00 AM - System Checkpoint
    RP581: 7/20/2011 7:33:01 AM - System Checkpoint
    RP582: 7/21/2011 8:15:44 AM - System Checkpoint
    RP583: 7/22/2011 9:15:44 AM - System Checkpoint
    RP584: 7/23/2011 10:15:44 AM - System Checkpoint
    RP585: 7/24/2011 11:27:43 AM - System Checkpoint
    RP586: 7/25/2011 12:15:29 PM - System Checkpoint
    RP587: 7/25/2011 8:28:32 PM - Installed BitDefender Free Edition 2009
    RP588: 7/26/2011 8:56:17 PM - System Checkpoint
    RP589: 7/27/2011 10:27:49 PM - System Checkpoint
    RP590: 7/28/2011 10:56:16 PM - System Checkpoint
    RP591: 7/30/2011 - System Checkpoint
    RP592: 7/31/2011 12:31:39 AM - System Checkpoint
    RP593: 8/1/2011 12:56:08 AM - System Checkpoint
    RP594: 8/2/2011 12:56:55 AM - System Checkpoint
    RP595: 8/3/2011 12:57:14 AM - System Checkpoint
    RP596: 8/4/2011 2:58:08 AM - System Checkpoint
    RP597: 8/5/2011 3:00:37 AM - System Checkpoint
    RP598: 8/6/2011 3:56:08 AM - System Checkpoint
    RP599: 8/7/2011 4:43:23 AM - System Checkpoint
    RP600: 8/8/2011 5:08:23 AM - System Checkpoint
    RP601: 8/9/2011 5:43:22 AM - System Checkpoint
    RP602: 8/10/2011 3:00:17 AM - Software Distribution Service 3.0
    RP603: 8/10/2011 6:48:46 AM - Removed BitDefender Free Edition 2009
    RP604: 8/11/2011 6:56:35 AM - System Checkpoint
    RP605: 8/12/2011 7:42:42 AM - System Checkpoint
    RP606: 8/13/2011 7:48:26 AM - System Checkpoint
    RP607: 8/14/2011 8:42:43 AM - System Checkpoint
    RP608: 8/15/2011 10:06:14 AM - System Checkpoint
    RP609: 8/16/2011 10:42:41 AM - System Checkpoint
    RP610: 8/17/2011 12:25:17 PM - System Checkpoint
    RP611: 8/17/2011 2:26:17 PM - Removed Adobe Reader X (10.0.1).
    RP612: 8/17/2011 2:26:58 PM - Removed Adobe Flash Player 10 Plugin.
    RP613: 8/18/2011 2:36:22 PM - System Checkpoint
    RP614: 8/19/2011 2:37:26 PM - System Checkpoint
    RP615: 8/20/2011 3:36:21 PM - System Checkpoint
    RP616: 8/21/2011 3:41:46 PM - System Checkpoint
    RP617: 8/22/2011 4:07:25 PM - avast! Free Antivirus Setup
    RP618: 8/22/2011 8:15:49 PM - Installed Adobe Reader X (10.1.0).
    RP619: 8/23/2011 9:05:33 PM - System Checkpoint
    RP620: 8/24/2011 11:05:45 PM - System Checkpoint
    RP621: 8/25/2011 3:00:15 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader X (10.1.0)
    avast! Free Antivirus
    Dell Driver Download Manager
    Facebook Plug-In
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) 6 Update 23
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Media Player Codec Pack 3.9.5
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OpenOffice.org 3.2
    Pando Media Booster
    QuickTime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.0
    runtime
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SigmaTel Audio
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2362765)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB980182)
    VS10Runtime
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/23/2011 7:57:45 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 001676B192DD has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    8/23/2011 7:56:28 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/22/2011 12:13:41 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    8/19/2011 2:32:41 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001676B192DD has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
     
  2. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    new problems today

    Today when I was closing my browser, it shut down, then popped back open with 3 sessions opened up, all showing the Yahoo homepage. Every time I tried to X out of it, a new session would open up.

    I also notice some of my lockups seem to occur when I am on yahoo. Also, the iexplore.exe process skyrockets to around 97%.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help you sort this out.

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    You have malicious code on the MBR:
    Please download MBRCheck and save to your desktop
    • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      [o] Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      [o] Found non-standard or infected MBR.
      [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Paste this log to your next message.
    ==========================================
    Looks like you were trying to find an antivirus program you liked. It appears that at one time, you had the Norton/Symantec AV. There are still processes running for it, so please run Norton Removal Tool

    Be sure to reboot when finished.
    ===============================================
    The Java is out of date. This is a vulnerability. Please update to the current version, v6u26 now: Java Updates
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.

    Then uninstall Java(TM) 6 Update 20 and Java(TM) 6 Update 23 in Add/Remove Programs.
    ===============================================
    You will have malware in the Java cache due to the outdated programs:

    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    Images courtesy java.com
    =============================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =======================================
    Please leave the logs for the MBR check and Combofix in your next reply.
     
  4. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    Hi Bobbye,

    Thank you for your assistance.

    I have followed the steps up to: The Java Is Out Of Date. I have updated so I have the current version, and I have uninstalled Java 6 update 20. There is no update 23 shown in add/remove programs, but there is an update 27.

    Should I uninstall update 27? Below is the MBR log. I have not proceeded beyond the removal of Java update 20.

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 128):

    Processes (total 33):
    0 System Idle Process
    4 System
    620 C:\WINDOWS\system32\smss.exe
    668 csrss.exe
    692 C:\WINDOWS\system32\winlogon.exe
    736 C:\WINDOWS\system32\services.exe
    748 C:\WINDOWS\system32\lsass.exe
    908 C:\WINDOWS\system32\svchost.exe
    972 svchost.exe
    1068 C:\WINDOWS\system32\svchost.exe
    1100 C:\WINDOWS\system32\svchost.exe
    1232 svchost.exe
    1388 svchost.exe
    1524 C:\WINDOWS\explorer.exe
    1632 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    1792 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1800 C:\Program Files\AVAST Software\Avast\AvastUI.exe
    1820 C:\WINDOWS\system32\ctfmon.exe
    1864 C:\Program Files\Windows Media Player\wmpnscfg.exe
    660 C:\WINDOWS\system32\spoolsv.exe
    1512 svchost.exe
    1740 C:\WINDOWS\system32\svchost.exe
    1848 C:\Program Files\Java\jre6\bin\jqs.exe
    2404 C:\WINDOWS\system32\svchost.exe
    2468 wmpnetwk.exe
    3012 C:\WINDOWS\system32\searchindexer.exe
    3664 alg.exe
    1216 C:\WINDOWS\system32\drwtsn32.exe
    272 C:\WINDOWS\system32\drwtsn32.exe
    560 C:\Program Files\Internet Explorer\iexplore.exe
    1928 C:\Program Files\Internet Explorer\iexplore.exe
    4064 C:\WINDOWS\system32\wscntfy.exe
    2308 C:\Documents and Settings\JAIMO\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST380815AS, Rev: 4.ADA

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
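The MBRCheck summary above reports "Windows XP MBR code detected" plus a SHA1. The following is an added example, not MBRCheck's code or anything from this thread, of the same kind of check: validate the boot signature, decode the partition table, and compare a hash of the boot-code bytes against a known-good table. Which bytes MBRCheck actually hashes is not stated here, so hashing the 440-byte boot-code area is this example's assumption; the sector, the partition size, and the "known-good" hash are all constructed.

```python
"""Minimal MBR sanity check in the spirit of MBRCheck (added example; not
MBRCheck's code). It validates the 0x55AA boot signature, decodes the four
partition-table entries and compares the SHA1 of the 440-byte boot-code area
with a table of known-good hashes. Which exact bytes MBRCheck hashes is not
stated in the thread; hashing the boot-code area is this example's assumption.
The sector and the "known-good" hash below are constructed for the example."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: boot code
PART_TABLE_OFFSET = 446       # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample 512-byte MBR with one bootable NTFS partition.

    The partition starts at LBA 63, which matches the C: offset 0x7e00
    (= 63 * 512) MBRCheck printed in the thread; the size is a sample value.
    """
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"      # bytes 440..445
    entry = struct.pack(PART_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 156_000_000)
    empty = b"\x00" * 16
    return code + disk_sig + entry + empty * 3 + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, boot-code hash and in-use partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue                      # unused slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def classify_mbr(sector: bytes, known_good: dict) -> str:
    """Summarise the MBR the way MBRCheck's status column does."""
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "invalid MBR (missing 0x55AA boot signature)"
    name = known_good.get(info["boot_code_sha1"])
    if name is None:
        return "non-standard or unknown MBR code"   # the case MBRCheck prompts about
    return f"{name} MBR code detected"


# Constructed sample boot code: the first bytes mimic a typical "xor ax,ax; mov ss,ax;
# mov sp,0x7c00" prologue; the rest is filler. Its hash is the only "known-good" entry.
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"sample boot code (constructed)"
KNOWN_GOOD = {hashlib.sha1(SAMPLE_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest().upper():
              "Windows XP (sample)"}

if __name__ == "__main__":
    good = build_sample_mbr(SAMPLE_BOOT_CODE)
    print(classify_mbr(good, KNOWN_GOOD))               # Windows XP (sample) MBR code detected
    tampered = bytearray(good)
    tampered[0] ^= 0xFF                                 # one patched byte in the boot code
    print(classify_mbr(bytes(tampered), KNOWN_GOOD))    # non-standard or unknown MBR code
```

On a real machine the 512 bytes would be read from the raw physical drive with administrator rights; a single patched byte in the boot code is enough to move the verdict from "known" to "non-standard".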
     
  5. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    Son added itunes

    My apologies. My son got a new ipod and added the itunes software to my computer last night.

    Do I need to uninstall?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Yes, if Java is now up to v6u27, you should install that version.

    About QuickTime, just open the program and uncheck the auto-updater. If he gets iTunes on the iPod, he will need QuickTime, then the program.

    MBR check is okay. Please run the following to finish up:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the image link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =======================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
     
  7. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    combofix log

    ComboFix 11-08-27.01 - JAIMO 08/27/2011 22:52:17.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.529 [GMT -4:00]
    Running from: c:\documents and settings\JAIMO\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\messenger\msmsgsin.exe
    c:\windows\iun6002.exe
    .
    Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-27 03:08 . 2011-08-27 03:08 -------- d-----w- c:\program files\iPod
    2011-08-27 03:08 . 2011-08-27 03:09 -------- d-----w- c:\program files\iTunes
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2011-08-27 03:07 . 2011-08-27 03:07 -------- d-----w- c:\program files\QuickTime
    2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\program files\Apple Software Update
    2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-08-27 03:05 . 2011-05-10 12:06 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-08-27 03:05 . 2011-05-10 12:06 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-08-27 03:04 . 2011-08-27 03:04 -------- d-----w- c:\program files\Bonjour
    2011-08-27 02:59 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-08-27 02:59 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-08-26 20:50 . 2011-08-26 20:50 -------- d-----w- c:\program files\Common Files\Java
    2011-08-24 23:32 . 2011-08-24 23:36 -------- d-----w- c:\documents and settings\Guest
    2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\JAIMO\Application Data\Malwarebytes
    2011-08-24 18:53 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-24 18:53 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-24 16:54 . 2011-08-24 16:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-23 00:15 . 2011-08-23 00:16 -------- d-----w- c:\program files\Common Files\Adobe
    2011-08-23 00:14 . 2011-08-23 00:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-08-22 20:08 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-08-22 20:08 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-08-22 20:08 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-08-22 20:08 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-08-22 20:08 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-22 20:08 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-08-22 20:08 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-08-22 20:08 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-08-22 20:07 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-08-22 20:07 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\program files\AVAST Software
    2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-08-11 19:40 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-08-11 19:39 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2011-08-10 03:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 03:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-19 09:05 . 2010-09-12 05:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-19 06:40 . 2010-04-05 17:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
    2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-06-24 14:10 . 2010-04-03 05:14 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02 . 2003-03-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2010-07-24 21:12 . 2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
    2006-10-05 22:17 53248 -c----w- c:\windows\Ctregrun.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
    2007-09-06 01:24 405504 -c--a-w- c:\windows\sttray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-03-24 00:13 77824 -c--a-w- c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-03-24 00:17 118784 -c--a-w- c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-03-24 00:17 94208 -c--a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
    2006-06-09 16:47 47104 -c--a-w- c:\windows\system32\ico.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-06-03 11:25 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56644:TCP"= 56644:TCP:pando Media Booster
    "56644:UDP"= 56644:UDP:pando Media Booster
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/22/2011 4:08 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/22/2011 4:08 PM 309848]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/22/2011 4:08 PM 19544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
    S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
    .
    2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
    .
    2011-08-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-08-27 c:\windows\Tasks\User_Feed_Synchronization-{3AD81087-C49C-42C4-976E-2EA0AA257C02}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    2011-08-28 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2010-04-04 02:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
    MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
    MSConfigStartUp-UIUCU - c:\docume~1\JAIMO\LOCALS~1\Temp\UIUCU.EXE
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-27 23:11
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1164)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-27 23:16:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-28 03:16
    .
    Pre-Run: 15,534,104,576 bytes free
    Post-Run: 16,024,313,856 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 9790E42F0650FC9A3534DC195E2D7D63
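The ComboFix log above lists files as "created . modified size attrs path" and notes the disinfected atapi.sys. The following is an added example (not ComboFix's code or anything posted in the thread) of a small triage parser for that format: it records disinfected files and flags executables in places they do not belong, such as user Temp folders or directly under c:\program files, which is how the stray taskkill.exe entry the helper singles out further down would surface. The system-tool watchlist and the last two sample log lines are constructed; the other sample lines are copied from the log.

```python
"""Triage helper for the ComboFix file-entry format (added example; this is
not ComboFix's code). It parses 'Files Created' / Find3M entry lines
(created . modified size attrs path), records 'Infected copy of ... was found
and disinfected' lines, and flags executables in places where they do not
belong: user Temp folders, or directly in c:\\program files instead of a
product subfolder. The watchlist of system-tool names and the two lines
marked constructed below are this example's own; the rest come from the log."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$")
DISINFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
# Constructed watchlist: Windows tools that normally live only in system32.
SYSTEM_TOOLS = {"taskkill.exe", "tasklist.exe", "cmd.exe", "reg.exe", "sc.exe"}


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]      # None for directories, shown as "--------"
    attrs: str               # e.g. "----a-w-" (file) or "d-----w-" (directory)
    path: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one ComboFix file entry; return None for any other kind of line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def triage(entry: Entry) -> List[str]:
    """Return the reasons (possibly none) an entry deserves a second look."""
    reasons: List[str] = []
    if entry.attrs.startswith("d"):
        return reasons                      # directories are not judged here
    path = entry.path.lower()
    parent, _, name = path.rpartition("\\")
    if not name.endswith(EXEC_EXT):
        return reasons
    if "\\temp\\" in path or parent.endswith("\\temp"):
        reasons.append("executable in a Temp folder")
    if parent == "c:\\program files":
        reasons.append("executable directly under c:\\program files, not in a product folder")
    if name in SYSTEM_TOOLS and parent != "c:\\windows\\system32":
        reasons.append(f"{name} outside c:\\windows\\system32")
    return reasons


def triage_log(text: str) -> Dict[str, list]:
    """Walk a ComboFix log; collect disinfected files and flagged entries."""
    report: Dict[str, list] = {"disinfected": [], "flagged": []}
    for raw in text.splitlines():
        line = raw.strip()
        d = DISINFECTED_RE.match(line)
        if d:
            report["disinfected"].append(d["path"])
            continue
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            report["flagged"].append((entry.path, reasons))
    return report


# Sample log: lines from the thread's ComboFix log, plus the last two entries,
# which are constructed for this example (a Temp-folder executable and a Temp subfolder).
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
2011-08-27 03:08 . 2011-08-27 03:08 -------- d-----w- c:\program files\iTunes
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-08-22 20:08 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-07-24 21:12 . 2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe
2011-08-20 10:00 . 2011-08-20 10:00 81408 ----a-w- c:\docume~1\JAIMO\LOCALS~1\Temp\dropper.exe
2011-08-20 10:01 . 2011-08-20 10:01 -------- d-----w- c:\docume~1\JAIMO\LOCALS~1\Temp\stage
"""

if __name__ == "__main__":
    rep = triage_log(SAMPLE_LOG)
    print("disinfected:", rep["disinfected"])
    for path, why in rep["flagged"]:
        print(path, "->", "; ".join(why))
```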
     
  8. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    The ESET Online scan link brought me to a website to purchase their AV software. I didn't see a link for the online scanner.

    Also, "NOTE #2: ComboFix may fix a number of internet explorers settings, including making IE the default browser." After running CF, it did tell me IE was not my default browser, and would I like to make it my default? I selected YES. Was that the correct selection?

    After running the CF scan and rebooting, a new IE icon appeared on my desktop.
     
  9. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    Limewire?

    I noticed this in the CF log...I haven't had Limewire on my pc in a while. Is this a process that is still running?

    [HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    For Eset: Perhaps you didn't read the directions carefully:

    Your logs show you're using Internet Explorer: 8.0.6001.18702, is that correct? It should take you right to the free scan.
    I use Firefox and tried both just clicking on the link itself and then holding down Control and clicking on the link per instruction. It took me to the page where it shows:
    (Purchase for full time AV is to the right)

    Try it again please.
    =====================================
    "I selected YES. Was that the correct selection?" Yes, if IE is the default.
    -------------------------------
    "I haven't had Limewire on my pc in a while. Is this a process that is still running?" Yes, it was loading from the Registry.
    ========================================
    I'm going to take a look at this with the script. While I know what the purpose is as it's obvious, it is usually done from a command prompt, not a program.
    2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe
    =========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    FileLook::
    c:\program files\taskkill.exe
    
    Registry::
    [HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ========================================
    I have removed registry entries for the following:
    1. CTRegRun: Description: For Creative Soundblaster Live! series soundcards. Reminds you to register your card with Creative. 2006

    2. IDTSysTrayApp: Description: Related to Sigmatel System tray icon from audio driver for cards made by Sigmatel/IDT. Uses excessive system and memory resources with no corresponding benefit. Located in \%Program Files%\Sigmatel\C-Major Audio\WDM\ 2007

    3. TkBellExe/realsched.exe: Description: The purpose of realsched is to look for automatic updates for Real Player. Realsched.exe runs in the background on your computer and may appear at computer startup time, running each time your system is rebooted. 2010

    4. LimeWire: path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
    Check your Startup menu for LimeWire.
    ==========================================
    Recommend you stop these Scheduled Tasks
    Remove Tasks:
    2011-08-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    ------------------------
    Path: All Programs> Accessories> System Tools> Task Scheduler> Right click> End on each task.

    I don't recommend any auto-updates except for the AV program
     
  11. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    OK, ESET scan was clean. Strange, but I followed your instructions exactly and got the same thing...the main screen was selling me 3 types of AV scan; I found a link for "Online Scan" on the right side of the page, followed it and then found the:

    Quote:
    Get a FREE Online Virus Scan <<<<<on the left side
    STEP ONE: Run free on-demand scan
    (Purchase for full time AV is to the right).

    Regardless of that, ESET came up clean. Below is the CF scan, done per your instructions. I will go ahead and stop the scheduled tasks you recommended.


    ComboFix 11-08-28.01 - JAIMO 08/28/2011 21:12:50.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.546 [GMT -4:00]
    Running from: c:\documents and settings\JAIMO\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\JAIMO\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-28 23:51 . 2011-08-28 23:51 -------- d-----w- c:\program files\ESET
    2011-08-27 03:08 . 2011-08-27 03:08 -------- d-----w- c:\program files\iPod
    2011-08-27 03:08 . 2011-08-27 03:09 -------- d-----w- c:\program files\iTunes
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2011-08-27 03:07 . 2011-08-27 03:07 -------- d-----w- c:\program files\QuickTime
    2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\program files\Apple Software Update
    2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-08-27 03:05 . 2011-05-10 12:06 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-08-27 03:05 . 2011-05-10 12:06 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-08-27 03:04 . 2011-08-27 03:04 -------- d-----w- c:\program files\Bonjour
    2011-08-27 02:59 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-08-27 02:59 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-08-26 20:50 . 2011-08-26 20:50 -------- d-----w- c:\program files\Common Files\Java
    2011-08-24 23:32 . 2011-08-24 23:36 -------- d-----w- c:\documents and settings\Guest
    2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\JAIMO\Application Data\Malwarebytes
    2011-08-24 18:53 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-24 18:53 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-24 16:54 . 2011-08-24 16:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-23 00:15 . 2011-08-23 00:16 -------- d-----w- c:\program files\Common Files\Adobe
    2011-08-23 00:14 . 2011-08-23 00:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-08-22 20:08 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-08-22 20:08 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-08-22 20:08 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-08-22 20:08 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-08-22 20:08 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-22 20:08 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-08-22 20:08 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-08-22 20:08 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-08-22 20:07 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-08-22 20:07 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\program files\AVAST Software
    2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-08-11 19:40 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-08-11 19:39 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2011-08-10 03:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 03:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-19 09:05 . 2010-09-12 05:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-19 06:40 . 2010-04-05 17:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
    2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-06-24 14:10 . 2010-04-03 05:14 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02 . 2003-03-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2010-07-24 21:12 . 2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\program files\taskkill.exe ---
    Company: Microsoft Corporation
    File Description: Kill Process
    File Version: 5.1.2600.0 (XPClient.010817-1148)
    Product Name: Microsoft® Windows® Operating System
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: TaskKill.exe
    File size: 81408
    Created time: 2010-07-24 21:12
    Modified time: 2010-07-24 21:12
    MD5: A38A71FE7F4F44624F43DA7166C3B177
    SHA1: AFC4B8EBA8C2B4A2AC85D53C85C5FDDF88F2737F
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
    2006-10-05 22:17 53248 -c----w- c:\windows\Ctregrun.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
    2007-09-06 01:24 405504 -c--a-w- c:\windows\sttray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-03-24 00:13 77824 -c--a-w- c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-03-24 00:17 118784 -c--a-w- c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-03-24 00:17 94208 -c--a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
    2006-06-09 16:47 47104 -c--a-w- c:\windows\system32\ico.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-06-03 11:25 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56644:TCP"= 56644:TCP:pando Media Booster
    "56644:UDP"= 56644:UDP:pando Media Booster
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/22/2011 4:08 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/22/2011 4:08 PM 309848]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/22/2011 4:08 PM 19544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
    S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
    .
    2011-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
    .
    2011-08-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-08-28 c:\windows\Tasks\User_Feed_Synchronization-{3AD81087-C49C-42C4-976E-2EA0AA257C02}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    2011-08-28 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2010-04-04 02:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-28 21:25
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(820)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-28 21:28:15
    ComboFix-quarantined-files.txt 2011-08-29 01:28
    ComboFix2.txt 2011-08-28 03:16
    .
    Pre-Run: 15,721,283,584 bytes free
    Post-Run: 15,777,652,736 bytes free
    .
    - - End Of File - - 746C9BC34AA24E1D442B794F43D9F5D5
     
     
  12. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    Cannot stop tasks

    When I follow the path to end the scheduled tasks you recommended, I cannot click on "End Task", it is there but in grey and won't allow me to change them.

    Recommend you stop these Scheduled Tasks
    Remove Tasks:
    2011-08-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    ------------------------
    Path: All Programs> Accessories> System Tools> Task Scheduler> Right click> End on each task.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, you should be able to stop the Tasks as below> I see you have 2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe running.

    I did a 'look' on this and it's a legitimate MS program. It appears to be set from a Command Prompt:
    Click on Start> Run> type in cmd> enter> at the blinking C Prompt type in each of the following with 'enter' after each:
    Note: there is a space before each /
    Code:
    schtasks /End /TN "RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003"
    
    schtasks /End /TN "RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003"
    
    
    In response, SchTasks.exe stops the instance of Notepad.exe that the task started, and it displays the following success message:

    SUCCESS: The Scheduled Task "xxxxxx" has been terminated successfully.

    If you have a problem or want to see other options, check HERE for the specific Commands.
    /schtasks.mspx?mfr=true
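A defender-side way to do by script what the helper does by eye in the two replies above: read the autostart, startup-folder, firewall-policy and Scheduled Tasks sections of a ComboFix log, flag the stale and orphaned autostart entries, and build the `schtasks /End /TN` line for each task that is to be ended. This is an added example, not ComboFix's code and not the helper's script; `SAMPLE_LOG` is constructed from lines quoted in this thread, `AS_OF` is the date of that log, and the installed-program list passed to `orphaned_shortcuts` is an assumption made for the demonstration.

```python
"""Triage a ComboFix-style log excerpt the way a helper reads it by eye.

Added example, not ComboFix code and not the helper's script. SAMPLE_LOG is
constructed from lines quoted in this thread; the record layout it assumes
(a key line, then one or more detail lines, then a "." separator) is what
those quoted lines show.
"""
import re
from datetime import date

SAMPLE_LOG = r"""
[HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
2006-10-05 22:17 53248 -c----w- c:\windows\Ctregrun.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
.
2011-08-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
"""

AS_OF = date(2011, 8, 28)  # date of the ComboFix run quoted in the thread

# A registry key on its own line, in square brackets.
RE_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "date time size attrs path" detail line under a startupreg key.
RE_FILE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$")
# Scheduled-task header "date <dir>\Tasks\<name>.job" and its "- binary [date time]" line.
RE_TASK = re.compile(r"^(?P<seen>\d{4}-\d{2}-\d{2}) (?P<job>.+\\Tasks\\(?P<name>.+)\.job)$")
RE_TASK_BIN = re.compile(r"^- (?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\]$")


def parse_combofix(text):
    """Collect startupreg entries, startup-folder shortcuts, firewall state and tasks."""
    report = {"startupreg": [], "startupfolder": [], "tasks": [], "firewall_enabled": None}
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        km = RE_KEY.match(lines[i])
        if km:
            key = km.group("key")
            low = key.lower()
            if "\\msconfig\\startupreg\\" in low:
                fm = RE_FILE.match(nxt)
                if fm:  # the detail line names the binary the entry launches
                    report["startupreg"].append({
                        "name": key.rsplit("\\", 1)[1],
                        "path": fm.group("path"),
                        "file_date": date.fromisoformat(fm.group("date")),
                    })
                    i += 1
            elif "\\startupfolder\\" in low:
                entry = {"name": key.rsplit("^", 1)[-1]}
                # path= and backup= lines follow until the "." separator
                while i + 1 < len(lines) and "=" in lines[i + 1] and not lines[i + 1].startswith("["):
                    k, v = lines[i + 1].split("=", 1)
                    entry[k] = v
                    i += 1
                report["startupfolder"].append(entry)
            elif low.endswith("firewallpolicy\\standardprofile"):
                if nxt.startswith('"EnableFirewall"='):
                    report["firewall_enabled"] = nxt.split("=", 1)[1].strip().startswith("1")
                    i += 1
        else:
            tm = RE_TASK.match(lines[i])
            if tm:
                task = {"name": tm.group("name"), "job": tm.group("job"), "path": None, "file_date": None}
                bm = RE_TASK_BIN.match(nxt)
                if bm:
                    task["path"] = bm.group("path")
                    task["file_date"] = date.fromisoformat(bm.group("date"))
                    i += 1
                report["tasks"].append(task)
        i += 1
    return report


def stale_autostarts(report, as_of, max_age_years=3):
    """Names of startupreg entries whose binary is older than max_age_years at as_of.
    Forgotten autostarts (a 2006 card-registration reminder, say) cost boot time for
    no benefit and are the usual cleanup candidates in these threads."""
    return [e["name"] for e in report["startupreg"]
            if (as_of - e["file_date"]).days > max_age_years * 365]


def orphaned_shortcuts(report, installed):
    """Startup-folder shortcuts whose product is not in the installed-program list."""
    return [e["name"] for e in report["startupfolder"]
            if not any(p.lower() in e["name"].lower() for p in installed)]


def schtasks_end_commands(report, name_prefix):
    """schtasks lines that end each matching task; /TN takes the .job file name without
    its extension, quoted because some task names contain spaces."""
    return [f'schtasks /End /TN "{t["name"]}"'
            for t in report["tasks"] if t["name"].startswith(name_prefix)]


if __name__ == "__main__":
    rep = parse_combofix(SAMPLE_LOG)
    print("firewall enabled:", rep["firewall_enabled"])
    print("stale autostarts:", stale_autostarts(rep, AS_OF))
    # installed-program list is an assumption for the demonstration
    print("orphaned startup shortcuts:", orphaned_shortcuts(rep, ["QuickTime", "iTunes"]))
    for cmd in schtasks_end_commands(rep, "RealUpgrade"):
        print(cmd)
```

Running it on the constructed excerpt reports the disabled firewall profile, CTRegRun as a stale autostart, the LimeWire shortcut as orphaned, and one `schtasks /End /TN` line for the RealUpgrade logon task; on a full log the same parser walks every section because it keys only on the line shapes shown above.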
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Registry::
    [HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    I still see the LimeWire entry. It indicates that a shortcut in Docs & Settings for JAIMO, in the Start Programs. It also indicates a backup shortcut. I'm putting the Registry entry in the script again for removal but you will need to search the system and delete the LimeWire entries. Be sure to go into Windows Explorer> My Computer> Local Drive4> Programs and do a right click> delete on the program folder.

    You should also remove entry CTRegRun from the Startup menu. It was created 5 years ago, a reminder to register the Creative Sound card.

    Has there been any improvement in the system?
     
  15. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    ComboFix 11-08-31.04 - JAIMO 08/31/2011 15:25:23.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.482 [GMT -4:00]
    Running from: c:\documents and settings\JAIMO\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\JAIMO\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-31 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-28 23:51 . 2011-08-28 23:51 -------- d-----w- c:\program files\ESET
    2011-08-27 03:08 . 2011-08-27 03:08 -------- d-----w- c:\program files\iPod
    2011-08-27 03:08 . 2011-08-27 03:09 -------- d-----w- c:\program files\iTunes
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2011-08-27 03:07 . 2011-08-27 03:07 -------- d-----w- c:\program files\QuickTime
    2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\program files\Apple Software Update
    2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-08-27 03:05 . 2011-05-10 12:06 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2011-08-27 03:05 . 2011-05-10 12:06 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-08-27 03:04 . 2011-08-27 03:04 -------- d-----w- c:\program files\Bonjour
    2011-08-27 02:59 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-08-27 02:59 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-08-26 20:50 . 2011-08-26 20:50 -------- d-----w- c:\program files\Common Files\Java
    2011-08-24 23:32 . 2011-08-24 23:36 -------- d-----w- c:\documents and settings\Guest
    2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\JAIMO\Application Data\Malwarebytes
    2011-08-24 18:53 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-24 18:53 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-24 16:54 . 2011-08-24 16:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-23 00:15 . 2011-08-23 00:16 -------- d-----w- c:\program files\Common Files\Adobe
    2011-08-23 00:14 . 2011-08-23 00:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-08-22 20:08 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-08-22 20:08 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-08-22 20:08 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-08-22 20:08 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-08-22 20:08 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-22 20:08 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-08-22 20:08 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-08-22 20:08 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-08-22 20:07 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-08-22 20:07 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\program files\AVAST Software
    2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-08-11 19:40 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-08-11 19:39 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2011-08-10 03:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 03:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-19 09:05 . 2010-09-12 05:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-19 06:40 . 2010-04-05 17:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
    2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-06-24 14:10 . 2010-04-03 05:14 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2010-07-24 21:12 . 2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
    2006-10-05 22:17 53248 -c----w- c:\windows\Ctregrun.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
    2007-09-06 01:24 405504 -c--a-w- c:\windows\sttray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-03-24 00:13 77824 -c--a-w- c:\windows\system32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-03-24 00:17 118784 -c--a-w- c:\windows\system32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-03-24 00:17 94208 -c--a-w- c:\windows\system32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
    2006-06-09 16:47 47104 -c--a-w- c:\windows\system32\ico.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-06-03 11:25 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56644:TCP"= 56644:TCP:pando Media Booster
    "56644:UDP"= 56644:UDP:pando Media Booster
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/22/2011 4:08 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/22/2011 4:08 PM 309848]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/22/2011 4:08 PM 19544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
    S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
    .
    2011-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
    .
    2011-08-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-08-31 c:\windows\Tasks\User_Feed_Synchronization-{3AD81087-C49C-42C4-976E-2EA0AA257C02}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    2011-08-29 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2010-04-04 02:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-31 15:42
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(544)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-31 15:46:24
    ComboFix-quarantined-files.txt 2011-08-31 19:46
    ComboFix2.txt 2011-08-29 01:28
    ComboFix3.txt 2011-08-28 03:16
    .
    Pre-Run: 16,175,046,656 bytes free
    Post-Run: 16,514,424,832 bytes free
    .
    - - End Of File - - FF633B6A5EA46D629779619A9AB14534
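As an added example (not part of this thread, and not ComboFix's own code), here is a small Python parser for the "Reg Loading Points" section shown in the log above: it lists the Run-key entries that still launch at logon, lists the msconfig\startupreg entries that msconfig has unchecked, and flags enabled entries whose binary sits outside Windows or Program Files for review. The sample lines are copied from the log, except the "ExampleTool" entry, which is constructed.

```python
import re
# Constructed sample: lines copied from the ComboFix "Reg Loading Points" section of the
# log above, plus one constructed "ExampleTool" entry (not in the log) that lives outside
# Program Files, to exercise the path check. The msconfig\startupreg key holds items
# that msconfig has unchecked; the Run keys hold items still launched at logon.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"ExampleTool"="c:\documents and settings\User\Application Data\exampletool.exe" [2011-08-20 51200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
2006-06-09 16:47 47104 -c--a-w- c:\windows\system32\ico.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                                             # [HKEY_...]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')  # "name"="path" [date size]
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (\d+) (\S+) (.+)$")     # date time size attrs path
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_autostarts(log_text: str) -> list[dict]:
    """One record per autostart entry found under the Run keys and msconfig\\startupreg."""
    entries, key = [], ""
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line or line == ".":          # ComboFix prints "." as a spacer line
            continue
        if m := KEY_RE.match(line):          # a new registry key header
            key = m.group(1)
        elif key.lower().endswith("\\run") and (m := RUN_RE.match(line)):
            entries.append({"key": key, "name": m.group(1), "path": m.group(2),
                            "date": m.group(3), "size": int(m.group(4)), "status": "enabled"})
        elif "\\msconfig\\startupreg\\" in key.lower() and (m := FILE_RE.match(line)):
            entries.append({"key": key, "name": key.rsplit("\\", 1)[-1], "path": m.group(4),
                            "date": m.group(1), "size": int(m.group(2)),
                            "status": "disabled via msconfig"})
    return entries


def flag_unusual_paths(entries: list[dict]) -> list[str]:
    """Names of enabled entries whose binary lives outside Windows or Program Files."""
    return [e["name"] for e in entries
            if e["status"] == "enabled" and not e["path"].lower().startswith(STANDARD_DIRS)]
```

Feed it the whole ComboFix log; only the two kinds of keys above are picked up, and anything `flag_unusual_paths` returns is what to look at first when deciding what to uncheck in msconfig.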
     
  16. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    Hi Bobbye,

    There is some improvement. Although, yesterday the browser popped open on its own with 3 sessions after I closed out of a single session. This only seems to happen when I close it from Yahoo.
     
  17. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    iexplore.exe still high

    iexplore.exe process is still running very high...mostly only on Yahoo.com when checking my mail and reading news articles. Also, yahoo was giving me a message yesterday saying my version of IE is out of date.

    I have been unsuccessful trying to end the scheduled tasks using the command prompt so far...I will use the link you provided for more info.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Question: Did you set up this directory?
    2011-08-24 23:36 -------- d-----w- c:\documents and settings\Guest
    Do a right click> Properties on it and see if there are any files in it.

    I cannot account for the high CPU use of IE when on Yahoo. However, it must be something associated with either the site itself or the particular page you are on.
    =============================================
    All of the following registry entries are running because the process they run is on the Startup Menu. You can use the msconfig utility to uncheck them. Each can be removed from the Startup Menu:
     
  19. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    I believe that is from when I turned on the windows guest account so my son was able to use the computer without interfering with what I was doing. It has since been turned back off...there shouldn't be any needed files in it.
     
  20. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    Bobbye,

    OK, I've used msconfig to uncheck what was checked.

    I've followed the path and backup paths of the first three and deleted them. I also deleted CTregrun and STTray right from the Windows folder, but I'm not really sure if that's what I was supposed to do with those.

    As far as the rest of the items on the list of registry entries, should I follow the paths provided and just remove them? For example, the ones related to Intel graphics. None of these are checked on the startup menu...they show up, but are unchecked. By following the paths and removing them, I will actually be removing them from the startup menu?

    I downloaded Bandwidth Monitor Pro recently. It seems to be fairly unobtrusive. Should this be unchecked from the startup menu?
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Handle all the startup processes you want, then let me know and I'll remove the registry entries and have you reset some of the Services to Manual.

    The names of the processes on the Startup menu usually appear as the .exe or .dll entry at the end of the above file in the list I gave you.
     
  22. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    Bobbye,

    I downloaded Mozilla Firefox and have been using it as my default browser...I haven't had any browsers pop open since I started using it and my computer is no longer slowing down on Yahoo.

    Would you recommend that I delete Internet Explorer?
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Don't delete IE: there are a few sites that still require it. But set Firefox as the default browser, and go to Internet Options in the Control Panel> Programs tab. At the bottom, in Default browser, be sure that IE is unchecked.

    A tip for Firefox: I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    Did you do this?
    Did you want me to include the registry entries and change Services to manual?
     
  24. jaimo

    jaimo TS Rookie Topic Starter Posts: 17

    I think I'm good to go. I don't really know what else to do.
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Recheck the scheduled Tasks again and make sure you're following this:
    To change the settings for a task: right-click the Task> click Properties> do any of the following:
    1. To change the schedule for the task, click the Schedule tab.
    2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
    3. To delete a task> right-click the task> click Delete.
    4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.

    It's possible that if the task isn't running> you won't get an 'end task' option.
    =======================================
    Working with the msconfig utility
    Caution: Be sure you know what the process runs before unchecking it on the Startup Menu.
    ---------------------------------------
    Keep in mind that unchecking a process on boot does not uninstall the process or program it goes to. Uninstall should be done as follows:
    1. If the program has its own uninstaller, use that.
    2. If the program does not have an uninstaller, use Add/Remove Programs in Control Panel.
    3. If neither of the above is available, use the Windows Installer Cleanup Utility.
    =====================================
    If it's important to you to know the following all of the time, keep it:
    Bandwidth Monitor Pro
    If, on the other hand, you decide this is a waste of system resources to have it always running and knowing that you can check these at any one of many internet sites, anytime, consider removing it.

    My experience is that utilities like this can cause more of an obsession than any benefit from needing to know.
    =========================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any more questions.
     
Topic Status:
Not open for further replies.

