PC very slow, please help

Resolved
By wolfblitz
Mar 21, 2011
Topic Status:
Not open for further replies.
  1. When I first switch on, it takes a long time to boot up. When it does finally get there, it runs really slowly and takes ages to access internet pages, and sometimes it freezes.
    Please help. Thanks

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    The problem you describe can also be caused by too many processes loading at boot and running in the background. There can also be a problem with the ISP. But I will check for malware.

    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Here are the rest of the steps in the Preliminary Virus and Malware Removal thread HERE.

    Leave the logs for review pasted in your next reply. You may use more than one post if needed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Thanks for your reply Bobbye,

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Geoff at 19:43:21.34 on 20-03-2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.608 [GMT 0:00]
    .
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Geoff\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [VTTimer] VTTimer.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/King%20Arthur/Images/stg_drm.ocx
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283514510468
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\documents and settings\all users\documents\my music\stardock\object desktop\iconpackager\iprepair.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\sg7wto9z.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-10 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-10 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-10 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-10 61960]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-27 136176]
    S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [2010-9-3 30336]
    .
    =============== Created Last 30 ================
    .
    2011-03-02 17:31:15 -------- d-----w- c:\windows\system32\XPSViewer
    2011-03-02 17:30:48 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-03-02 17:30:30 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-03-02 17:30:30 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-03-02 17:30:30 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-03-02 17:30:30 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-03-02 17:30:30 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-03-02 17:30:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-03-02 17:30:30 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-03-02 17:30:30 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-03-02 17:30:29 -------- d-----w- C:\7e1c48bd6a9b2dc97bfb770e77d353
    2011-02-27 18:40:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
    .
    ==================== Find3M ====================
    .
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 21:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 19:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
    .
    ============= FINISH: 19:44:11.20 ===============

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-03-20 23:38:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HDS728080PLAT20 rev.PF2OA21B
    Running: bc5808b7.exe; Driver: C:\DOCUME~1\Geoff\LOCALS~1\Temp\kwqoykod.sys


    ---- System - GMER 1.0.15 ----

    SSDT F7B6F896 ZwCreateKey
    SSDT F7B6F88C ZwCreateThread
    SSDT F7B6F89B ZwDeleteKey
    SSDT F7B6F8A5 ZwDeleteValueKey
    SSDT F7B6F8AA ZwLoadKey
    SSDT F7B6F878 ZwOpenProcess
    SSDT F7B6F87D ZwOpenThread
    SSDT F7B6F8B4 ZwReplaceKey
    SSDT F7B6F8AF ZwRestoreKey
    SSDT F7B6F8A0 ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF708B900]
    ? C:\DOCUME~1\Geoff\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[3108] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3280] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- EOF - GMER 1.0.15 ----


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6116

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    21-03-2011 08:58:44
    mbam-log-2011-03-21 (08-58-44).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 205116
    Time elapsed: 1 hour(s), 43 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
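The DDS and GMER output in this post is the kind of log a helper reads by eye: autorun entries, service lines and SSDT hook lines. As an added example (not code from this thread, nor from the DDS, GMER or MBRCheck tools), the Python script below parses constructed sample lines in those three formats and reports the items a reviewer checks first: autoruns launched from user-writable or bare-name locations, services whose binary sits outside the Windows and Program Files trees, and which native calls are hooked. The regular expressions, the list of trusted directories and the sample log are all assumptions of this example.

```python
"""Triage of DDS / GMER style log lines as posted in malware-removal threads.

Added example; not the thread's own code and not part of DDS, GMER or MBRCheck.
The line formats below are assumed from how such logs are commonly laid out.
"""
import re

# Directories a reviewer treats as the normal home of autorun binaries on XP (assumption).
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# DDS autorun line:  mRun: [Name] "c:\path\prog.exe" /args
RUN_RE = re.compile(r"^(?P<hive>[umd]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# DDS service line:  R2 svc;Display Name;c:\path\file.sys [2010-9-10 11608]
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$"
)
# GMER SSDT line:    SSDT F7B6F896 ZwCreateKey
SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-F]{8})\s+(?P<func>Zw\w+)(?:\s+.*)?$")

# Which resource a hooked native call guards. Both groups are hooked by
# AV self-protection drivers as well as by rootkits, so a hook alone is not a verdict.
HOOK_GROUPS = {"registry": ("Key",), "process": ("Process", "Thread")}


def exe_from_command(cmd):
    """Return the program path from an autorun command line (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def classify_path(path):
    """bare-name: resolved via the search path; system: expected dirs; user-writable: anything else."""
    p = path.lower()
    if "\\" not in p:
        return "bare-name"
    if p.startswith(SYSTEM_PREFIXES):
        return "system"
    return "user-writable"


def hook_group(func):
    for group, suffixes in HOOK_GROUPS.items():
        if func.endswith(suffixes):
            return group
    return "other"


def triage(log_text):
    """Parse the log; lines matching none of the three formats are ignored."""
    report = {"autoruns": [], "services": [], "hooks": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            path = exe_from_command(m["cmd"])
            report["autoruns"].append((m["name"], path, classify_path(path)))
        elif m := SVC_RE.match(line):
            report["services"].append((m["svc"], m["path"], classify_path(m["path"])))
        elif m := SSDT_RE.match(line):
            report["hooks"].append((m["func"], m["addr"], hook_group(m["func"])))
    return report


def findings(report):
    """Entries a reviewer would ask the poster about first."""
    flagged = [a for a in report["autoruns"] if a[2] != "system"]
    flagged += [s for s in report["services"] if s[2] != "system"]
    return flagged


# Constructed sample in DDS/GMER layout; not the real logs from the thread.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Updater] "c:\documents and settings\geoff\application data\updater.exe" /silent
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-10 267944]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [2010-9-3 30336]
SSDT F7B6F896 ZwCreateKey
SSDT F7B6F878 ZwOpenProcess
"""

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for name, path, kind in findings(rep):
        print(f"CHECK {kind:13} {name}: {path}")
    for func, addr, group in rep["hooks"]:
        print(f"HOOK  {group:13} {func} -> 0x{addr}")
```

Run against the sample, the script flags the bare-name VTTimer entry (resolved through the search path, so worth confirming where it lives) and the constructed Updater entry under a user profile, while the two services pass. The SSDT section only tells you which native calls are hooked and from which address; registry and process/thread hooks are exactly what an installed antivirus guard installs for self-protection, so the next step is matching the hook addresses against the loaded-driver list (the MBRCheck output later in the thread gives driver base addresses, but without module sizes that match is only a hint).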
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Okay, that's better. We need to do one rootkit scan:

    Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A small window should open on your desktop
    • If no unknown bootcode is found, press N > Enter twice to exit.
    • If "Found non-standard or infected MBR/unknown bootcode" is reported, enter 'Y' and hit ENTER for more options:
      If none, press N and then press Enter twice.
    • If nothing unusual is found, just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
    ======================================
    Save that log and paste it in your next reply. So far, other than a possible MBR problem, I don't see any bad entries and the system looks pretty lean, but let's check further:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ==================================
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [image]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow it
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open in a text window. Please paste the contents of C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Note: okay to use another post if needed for logs.
  5. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Thanks for your reply Bobbye,
    Eset found nothing so didn't produce a log.


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000d

    Kernel Drivers (total 123):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EF000 \WINDOWS\system32\hal.dll
    0xF7A0F000 \WINDOWS\system32\KDCOM.DLL
    0xF791F000 \WINDOWS\system32\BOOTVID.dll
    0xF74C0000 ACPI.sys
    0xF7A11000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF74AF000 pci.sys
    0xF750F000 isapnp.sys
    0xF7A13000 viaide.sys
    0xF778F000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF751F000 MountMgr.sys
    0xF7490000 ftdisk.sys
    0xF7A15000 dmload.sys
    0xF746A000 dmio.sys
    0xF7797000 PartMgr.sys
    0xF752F000 VolSnap.sys
    0xF7452000 atapi.sys
    0xF743F000 viamraid.sys
    0xF7427000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF753F000 disk.sys
    0xF754F000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7407000 fltmgr.sys
    0xF73F5000 sr.sys
    0xF73DE000 KSecDD.sys
    0xF7351000 Ntfs.sys
    0xF7324000 NDIS.sys
    0xF755F000 uagp35.sys
    0xF779F000 viaagp1.sys
    0xF730A000 Mup.sys
    0xF76DF000 \SystemRoot\system32\DRIVERS\amdk7.sys
    0xF72A0000 \SystemRoot\system32\DRIVERS\vtmini.sys
    0xF728C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF76EF000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF76FF000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF7269000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF77FF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF7245000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7A33000 \SystemRoot\System32\Drivers\vulfnth.sys
    0xF7807000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF71AB000 \SystemRoot\system32\drivers\ALCXWDM.SYS
    0xF7187000 \SystemRoot\system32\drivers\portcls.sys
    0xF770F000 \SystemRoot\system32\drivers\drmk.sys
    0xF7125000 \SystemRoot\system32\drivers\ALCXSENS.SYS
    0xF771F000 \SystemRoot\system32\DRIVERS\fetnd5b.sys
    0xF780F000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF772F000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF79EF000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7111000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF773F000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7817000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7B36000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF774F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF79F3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF70FA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF775F000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF776F000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF781F000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF70E9000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF777F000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7877000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF78E7000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF59D7000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF76CF000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF78EF000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7A5D000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF5979000 \SystemRoot\system32\DRIVERS\update.sys
    0xF79B3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7081000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF79DB000 \SystemRoot\System32\Drivers\vulfntr.sys
    0xF7041000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7A65000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF78C7000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xF7A73000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7B3B000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7A77000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF77CF000 \SystemRoot\System32\drivers\vga.sys
    0xF7A79000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7A7D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF77EF000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF77F7000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF6374000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF080D000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF07B4000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF078C000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF076A000 \SystemRoot\System32\drivers\afd.sys
    0xF5904000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF7867000 \SystemRoot\System32\Drivers\StarOpen.SYS
    0xF640F000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xF073F000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF06CF000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF58D4000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF053F000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF75CF000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF0519000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF7A99000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xF637C000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF759F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF78A7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF78AF000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
    0xF7071000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xF049E000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
    0xF0844000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xEEA0C000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xED713000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7A6B000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xEDF0B000 \SystemRoot\System32\drivers\Dxapi.sys
    0xEE6B2000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7AF0000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF14B000 \SystemRoot\System32\ATMFD.DLL
    0xEB2DE000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xEFFFC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xEB239000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7A81000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xEB1AC000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEFB0E000 \SystemRoot\system32\drivers\sysaudio.sys
    0xED7BC000 \SystemRoot\system32\DRIVERS\srv.sys
    0xEDD5A000 \SystemRoot\System32\Drivers\HTTP.sys
    0xBFF50000 \SystemRoot\System32\TSDDD.dll
    0xBF012000 \SystemRoot\System32\vtdisp.dll
    0xEB181000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 38):
    0 System Idle Process
    4 System
    580 C:\WINDOWS\system32\smss.exe
    644 csrss.exe
    668 C:\WINDOWS\system32\winlogon.exe
    712 C:\WINDOWS\system32\services.exe
    724 C:\WINDOWS\system32\lsass.exe
    896 C:\WINDOWS\system32\svchost.exe
    972 svchost.exe
    1068 C:\WINDOWS\system32\svchost.exe
    1144 svchost.exe
    1264 svchost.exe
    1404 C:\WINDOWS\system32\spoolsv.exe
    1460 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1528 svchost.exe
    1640 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1796 C:\Program Files\Java\jre6\bin\jqs.exe
    1924 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    128 C:\WINDOWS\system32\svchost.exe
    1016 explorer.exe
    1588 VTTimer.exe
    1576 avgnt.exe
    1752 jusched.exe
    2308 alg.exe
    3620 utorrent.exe
    3756 csrss.exe
    3784 C:\WINDOWS\system32\winlogon.exe
    1188 C:\WINDOWS\explorer.exe
    492 C:\WINDOWS\system32\VTTimer.exe
    456 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    760 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    2112 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2008 C:\WINDOWS\system32\ctfmon.exe
    2436 C:\Program Files\Mozilla Firefox\firefox.exe
    2656 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2584 wscntfy.exe
    2564 C:\WINDOWS\system32\wscntfy.exe
    2640 C:\Documents and Settings\Geoff\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: HDS728080PLAT20, Rev: PF2OA21B

    Size Device Name MBR Status
    --------------------------------------------
    76 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!


    ComboFix 11-03-22.02 - Geoff 22-03-2011 20:45:32.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.679 [GMT 0:00]
    Running from: c:\documents and settings\Geoff\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\components
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-22 19:33 . 2011-03-22 19:33 -------- d-----w- c:\program files\ESET
    2011-03-18 20:38 . 2011-03-18 20:38 -------- d-----w- c:\documents and settings\bon\Local Settings\Application Data\Unity
    2011-03-08 11:43 . 2011-03-22 19:35 -------- d-----w- c:\documents and settings\bon\Application Data\uTorrent
    2011-03-02 17:31 . 2011-03-02 17:31 -------- d-----w- c:\windows\system32\XPSViewer
    2011-03-02 17:31 . 2011-03-02 17:31 -------- d-----w- c:\program files\MSBuild
    2011-03-02 17:31 . 2011-03-02 17:31 -------- d-----w- c:\program files\Reference Assemblies
    2011-03-02 17:30 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-03-02 17:30 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-03-02 17:30 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-03-02 17:30 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-03-02 17:30 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-03-02 17:30 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-03-02 17:30 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-03-02 17:30 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-03-02 17:30 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-03-02 17:30 . 2011-03-02 17:30 -------- d-----w- C:\7e1c48bd6a9b2dc97bfb770e77d353
    2011-02-27 18:40 . 2011-02-27 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2011-02-27 14:18 . 2011-02-27 14:18 -------- d-----w- c:\program files\Common Files\Java
    2011-02-27 14:17 . 2011-02-27 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-22 08:23 . 2010-09-05 10:37 664 ----a-w- c:\documents and settings\bon\Local Settings\Application Data\d3d9caps.tmp
    2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 21:40 . 2010-09-03 15:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 19:19 . 2010-09-03 15:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58 . 2010-09-03 09:42 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2010-09-03 09:42 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2006-02-28 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" [2004-01-15 49152]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-14 281768]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
    backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
    backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2004-05-12 14:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-08-30 05:48 69632 ----a-w- c:\windows\SOUNDMAN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
    2004-01-15 12:33 49152 ----a-r- c:\windows\system32\VTTimer.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Documents and Settings\\Geoff\\Desktop\\utorrent.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\SopCast\\SopCast.exe"=
    "c:\\Documents and Settings\\bon\\Desktop\\utorrent.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10-09-2010 10:49 135336]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27-10-2010 18:52 136176]
    S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [03-09-2010 10:00 30336]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
    .
    2011-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\sg7wto9z.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 20:51
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2260)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    - - - - - - - > 'explorer.exe'(3512)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-03-22 20:54:18
    ComboFix-quarantined-files.txt 2011-03-22 20:54
    .
    Pre-Run: 31,521,017,856 bytes free
    Post-Run: 32,743,604,224 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 537FEC28141E8CC74CD6F23D0B27921A
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Please check and see if you have Folder Options set to show hidden files and folders. If you do, please rehide them:

    Show Hidden Folders/Files
    • Access Folder Options>> either through Tools or the Control Panel.
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.<<-- Uncheck if Checked.
    • Uncheck (untick) Hide extensions of known file types.<<-- Check if unchecked
    • Uncheck (untick) Hide protected operating system files (Recommended).<<---Check if unchecked.
    When finished, click on Apply> OK
    ========================================
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      explore.exe (3512)
      explore.exe (2260)
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    =======================================
    I'm sorry for the delay, but my internet was down since last night- again#(%&%)@$
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    By the way, since "slow" is the name of the game, do you realize you have all of the following file sharing set for globally open ports in the Firewall?
    OR if you're helping a young person clean up their computer, I can give you information about why these programs shouldn't be used!
  8. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Thanks for your reply Bobbye

    SystemLook 04.09.10 by jpshortstuff
    Log created at 08:42 on 26/03/2011 by bon
    (Limited User)

    ========== filefind ==========

    Searching for "explore.exe (3512)"
    No files found.

    Searching for "explore.exe (2260)"
    No files found.

    -= EOF =-
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    You're welcome. But I made a careless mistake! My apology. Gosh, every time I think I'm perfect, I make a stupid mistake and leave off a letter!:rolleyes: If it's not too much trouble, could you please run this again with the right spelling?

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      explorer.exe (2260)
      explorer.exe (3512)
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    =====================================
    I'd also like to check the two files this way: Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    
    FileLook::
    explorer.exe (3512)
    explorer.exe (2260)
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    I'd also like you to see if there are 2 of these files: the legitimate one is in the C:\Windows directory. Malware can run under this name, but that would be in the C:\Windows\System32\ directory.

    Use Windows Explorer: Windows key + E> My Computer> Double click on Local Drive(C)> Windows> Look for explorer.exe on the right screen> right click on the file> Properties> Type of file should show Application> It should be named Windows Explorer

    Then do the same thing but choose the System32 folder in Windows. If there is an explorer.exe file there, do the right click> Properties and give me what info you see.

    Please verify that for me. Any identifying information would be helpful, including the size. You may see the single word 'explorer' right above it. Ignore that one- look only for the .exe file. It would be best if you had the hidden files showing.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Thread will be closed in 2 days if there is no reply.
  11. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Thanks for your reply Bobbye. Running programs now; will get back to you later (been busy).
  12. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Bobbye,
    here's one of the logs you asked for.......... When I ran the ComboFix one, the message
    "were you trying to run CFScript. The name CFScript appears to be incorrectly spelt" appeared. I clicked OK and ComboFix stopped ????

    SystemLook 04.09.10 by jpshortstuff
    Log created at 17:41 on 01/04/2011 by Geoff
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "explorer.exe (2260)"
    No files found.

    Searching for "explorer.exe (3512)"
    No files found.

    -= EOF =-
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    I think the "spelt" part being referred to is the number after each entry. There are 2 explorer.exe with identical processes running under them but each had a different number. I may have put the cart before the horse, so I'd like you to do this part first:
    Then I can enter the full path of each and find out what it is- such as:
    C:\Windows\System32\explorer.exe
    C:\Windows\explorer.exe
  14. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Thanks for your reply Bobbye,
    I looked where you asked but there is no explorer.exe; there are however 2 entries for explorer (explorer, Windows Command, 1Kb, when this is double clicked it returns to the local disk C window) and (Windows Explorer, Microsoft Corporation). Also explorer.exe is listed in Task Manager and has a memory usage of 21,064K.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    But I asked you to look in 2 places! You mean you didn't see the executable, right> I

    A right click on explorer.exe> Properties in the Windows directory should show name Windows Explorer. Right click on just the word explorer> Properties should show Windows Explorer Command

    I have this following and I did the search to make sure all were showing:
    explorer.exe> Application, 1008kb> Windows Directory> for Windows Explorer
    explore> command, 80b bytes> Windows Directory> For Windows explorer Command

    I wanted you to follow the path I gave you. You would not have needed to double click to know it was in the C:\Windows directory because that's where I asked you to go initially.

    The explorer.exe listed in Task Manager has to be coming from somewhere. Please go to Tools> Folder Options> View tab> Uncheck 'hide extensions for known file types', then do the search again.

    There is only 1 explorer.exe in the Task Manager, correct?

    Wolf, is it possible you copied this section twice?
    The problem is that each of the explorer.exe has a different numerical after it and I can't identify either of them as the PID for this process.
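The two checks this thread circles around (post #9: the real explorer.exe lives in C:\Windows, not System32; post #15: two explorer.exe entries with different PIDs in the ComboFix "DLLs Loaded Under Running Processes" section) can be applied mechanically to a pasted ComboFix log. This is an added example, not ComboFix's or the forum's own code; the sample log text is constructed from lines quoted in the thread, and the expected Windows directory is assumed to be c:\windows.

```python
"""Parse the two ComboFix log sections used in this thread and apply the
helper's explorer.exe sanity checks (added example, not ComboFix code)."""
import re
from dataclasses import dataclass

# Assumption: the Windows directory on the examined machine.
WINDIR = "c:\\windows"

# Constructed sample in the shape ComboFix prints: one 'Look' block for
# explorer.exe and a 'DLLs Loaded' section with two explorer.exe PIDs.
SAMPLE_LOG = r"""--- c:\windows\Explorer.exe ---
Company: Microsoft Corporation
File Description: Windows Explorer
File Version: 6.00.2900.5512 (xpsp.080413-2105)
Original Filename: EXPLORER.EXE
File size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
SHA1: 9D2BF84874ABC5B6E9A2744B7865C193C08D362F
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2260)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
- - - - - - - > 'explorer.exe'(3512)
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-22 20:54:18
"""

LOOK_HEADER = re.compile(r"^--- (?P<path>.+?) ---\s*$")
PROC_HEADER = re.compile(r"^(?:- )+> '(?P<name>[^']+)'\((?P<pid>\d+)\)\s*$")


@dataclass
class LookEntry:
    path: str
    fields: dict  # "Company", "File size", "MD5", ... as printed


def parse_look_blocks(text):
    """Return one LookEntry per '--- path ---' block; a '.' line ends a block."""
    entries, current = [], None
    for line in text.splitlines():
        m = LOOK_HEADER.match(line)
        if m:
            current = LookEntry(path=m.group("path"), fields={})
            entries.append(current)
            continue
        if current is None:
            continue
        if not line.strip() or line.strip() == ".":
            current = None
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.fields[key.strip()] = value.strip()
    return entries


def parse_processes(text):
    """Return {(name, pid): [dll, ...]} from the 'DLLs Loaded' section."""
    procs, current, in_section = {}, None, False
    for line in text.splitlines():
        if "DLLs Loaded Under Running Processes" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Completion time"):
            break
        m = PROC_HEADER.match(line)
        if m:
            current = (m.group("name").lower(), int(m.group("pid")))
            procs[current] = []
        elif current and line.strip() and line.strip() != ".":
            procs[current].append(line.strip())
    return procs


def check_explorer(entry):
    """The helper's rule: explorer.exe belongs directly in the Windows
    directory (not System32) and its PE metadata should name Microsoft."""
    problems = []
    norm = entry.path.lower().replace("/", "\\")
    directory, _, filename = norm.rpartition("\\")
    if filename != "explorer.exe":
        problems.append(f"not explorer.exe: {filename}")
    if directory != WINDIR:
        problems.append(f"unexpected directory {directory}")
    if entry.fields.get("Company") != "Microsoft Corporation":
        problems.append("company is not Microsoft")
    if entry.fields.get("Original Filename", "").upper() != "EXPLORER.EXE":
        problems.append("original filename mismatch")
    return problems


def duplicate_processes(procs):
    """Process names that appear under more than one PID (the two-PID puzzle)."""
    counts = {}
    for name, _pid in procs:
        counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}
```

Two explorer.exe PIDs are not by themselves evidence of malware (a second Explorer window or a restarted shell produces the same picture), which is why the path and metadata check is the one that actually settles it.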
  16. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Thanks for your reply Bobbye

    I found explorer.exe and I hope this helps
    explorer.exe,Application,Windows Explorer,C:\Windows,0.98MB(1,033,728 bytes)

    This is the first time I've seen this.........................

    - - - - - - - > 'explorer.exe'(2260)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    - - - - - - - > 'explorer.exe'(3512)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll

    I've only seen this................

    FileLook::
    explorer.exe (3512)
    explorer.exe (2260)
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    FileLook::
    C:\Windows\Explorer.exe
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
  18. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Thanks for your reply Bobbye

    ComboFix 11-04-10.04 - Geoff 11-04-2011 18:20:43.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.707 [GMT 1:00]
    Running from: c:\documents and settings\Geoff\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Geoff\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Geoff\WINDOWS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-05 10:17 . 2011-04-05 10:17 2855 ----a-w- c:\windows\system32\edit.PIF
    2011-04-05 10:17 . 2011-04-05 10:17 -------- d--h--w- c:\windows\PIF
    2011-03-18 20:38 . 2011-03-18 20:38 -------- d-----w- c:\documents and settings\bon\Local Settings\Application Data\Unity
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-11 04:09 . 2010-09-05 10:37 664 ----a-w- c:\documents and settings\bon\Local Settings\Application Data\d3d9caps.tmp
    2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 21:40 . 2010-09-03 15:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 19:19 . 2010-09-03 15:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58 . 2010-09-03 09:42 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2010-09-03 09:42 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\Explorer.exe ---
    Company: Microsoft Corporation
    File Description: Windows Explorer
    File Version: 6.00.2900.5512 (xpsp.080413-2105)
    Product Name: Microsoft® Windows® Operating System
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: EXPLORER.EXE
    File size: 1033728
    Created time: 2006-02-28 12:00
    Modified time: 2008-04-14 00:12
    MD5: 12896823FB95BFB3DC9B46BCAEDC9923
    SHA1: 9D2BF84874ABC5B6E9A2744B7865C193C08D362F
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-22_20.51.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-04-11 17:00 . 2011-04-11 17:00 16384 c:\windows\Temp\Perflib_Perfdata_6b8.dat
    - 2011-02-07 11:01 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
    + 2011-02-07 11:01 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
    + 2006-02-28 12:00 . 2011-03-27 19:20 71060 c:\windows\system32\perfc009.dat
    - 2006-02-28 12:00 . 2011-03-10 22:03 71060 c:\windows\system32\perfc009.dat
    + 2006-02-28 12:00 . 2011-03-27 19:20 441124 c:\windows\system32\perfh009.dat
    - 2006-02-28 12:00 . 2011-03-10 22:03 441124 c:\windows\system32\perfh009.dat
    + 2011-03-13 01:02 . 2011-03-13 01:02 15139328 c:\windows\Installer\fe6c0.msp
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" [2004-01-15 49152]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-14 281768]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
    backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
    backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2004-05-12 14:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-08-30 05:48 69632 ----a-w- c:\windows\SOUNDMAN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
    2004-01-15 12:33 49152 ----a-r- c:\windows\system32\VTTimer.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Documents and Settings\\Geoff\\Desktop\\utorrent.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\SopCast\\SopCast.exe"=
    "c:\\Documents and Settings\\bon\\Desktop\\utorrent.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10-09-2010 11:49 135336]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27-10-2010 19:52 136176]
    S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [03-09-2010 11:00 30336]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
    .
    2011-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\sg7wto9z.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-11 18:28
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2456)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-04-11 18:33:58
    ComboFix-quarantined-files.txt 2011-04-11 17:33
    ComboFix2.txt 2011-03-22 20:54
    .
    Pre-Run: 30,528,937,984 bytes free
    Post-Run: 31,635,615,744 bytes free
    .
    - - End Of File - - 35AAC812657287FEEA7DD8CC19A2B375
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    You are very patient- and polite. I appreciate that very much.

    And the mystery grows again!
    Combofix deleted c:\documents and settings\Geoff\WINDOWS
    And newly created are: both on 2011-04-05 10:17
    c:\windows\system32\edit.PIF
    c:\windows\PIF


    Program information files (PIFs) are for MS-DOS-based programs

    Do you know what these files are for? Did you create them?

    There are still outdated versions of Java in Firefox. They need to be removed as they are vulnerabilities to the system. They may also affect the running of Firefox. You do not need to add a separate Java extension to Firefox when you update. What you put on the OS will also work for Firefox.
  20. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    You are more than welcome Bobbye, and thanks again for your reply.
    I've no idea what these files are and I'm not capable of creating files like these on purpose. Also, how do I remove the outdated versions of Java?
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    I started about 2.5 hours ago to try and get you finished up. My #@*$%)!@ internet went down, again!$#*%!@)(
    We'll remove those files. They should be on the version of the OS you have:

    Remove outdated Java plugin files from the Firefox plugins folder:
    Note: It is recommended that you do not copy Java plugins from other locations to the Firefox plugins folder. Outdated Java plugins can cause Java not to work if you update Java and then uninstall the older Java version, if plugins from the old Java version are still in the Firefox plugins folder.
    1. Open Firefox> Tools> Add-ons. The Add-ons window will open.
    2. In the Add-ons window> select the Plugins panel, to display a list of installed plugins.
    3. Select each Java plugin listed to make sure that all are enabled.
    4. Check if the Java plugins are correctly detected. All Java plugins listed in the Add-ons window should match the version number of the currently installed JRE. There should be no plugins for earlier versions of Java.
    5. Java plugin files that do not match your current version means that the Firefox plugins folder contains outdated Java plugin files which should be removed. This folder is typically in the following location: Use Windows Explorer to access> My Computer> Local Drive> Programs>>>
    C:\Program Files\Mozilla Firefox\plugins
    Java files from older versions in the Firefox plugins folder can prevent Java from working correctly.
    ======================================
    Since a slow system is your main complaint, I suggest you take all the HP entries off of the Startup Menu. You don't need the printer or the Digital Imaging processes to start on boot.
    =====================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\edit.PIF
    c:\windows\Temp\Perflib_Perfdata_6b8.dat
    Folder::
    c:\windows\PIF
    c:\documents and settings\All Users\Application Data\McAfee
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Last scan: Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    =============================
    You need to update the Adobe Reader to v10(X): Visit this Adobe Reader site. Uninstall any earlier updates as they are vulnerabilities.
  22. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Thanks for your reply Bobbye I'll get back to you ASAP
  23. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Thanks Bobbye


    ComboFix 11-04-10.04 - Geoff 18-04-2011 9:14.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.723 [GMT 1:00]
    Running from: c:\documents and settings\Geoff\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Geoff\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    FILE ::
    "c:\windows\system32\edit.PIF"
    "c:\windows\Temp\Perflib_Perfdata_6b8.dat"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\McAfee
    c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\Common\MsiExec\MsiExec000.log
    c:\windows\system32\edit.PIF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-18 to 2011-04-18 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-05 10:17 . 2011-04-05 10:17 -------- d--h--w- c:\windows\PIF
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-17 19:45 . 2010-09-05 10:37 664 ----a-w- c:\documents and settings\bon\Local Settings\Application Data\d3d9caps.tmp
    2011-04-14 18:32 . 2010-09-10 10:49 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 21:40 . 2010-09-03 15:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 19:19 . 2010-09-03 15:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58 . 2010-09-03 09:42 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2010-09-03 09:42 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" [2004-01-15 49152]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-14 281768]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
    backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
    backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2004-05-12 14:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-08-30 05:48 69632 ----a-w- c:\windows\SOUNDMAN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
    2004-01-15 12:33 49152 ----a-r- c:\windows\system32\VTTimer.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Documents and Settings\\Geoff\\Desktop\\utorrent.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\SopCast\\SopCast.exe"=
    "c:\\Documents and Settings\\bon\\Desktop\\utorrent.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10-09-2010 11:49 135336]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27-10-2010 19:52 136176]
    S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [03-09-2010 11:00 30336]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
    .
    2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\sg7wto9z.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-18 09:16
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-04-18 09:19:54
    ComboFix-quarantined-files.txt 2011-04-18 08:19
    ComboFix2.txt 2011-04-11 17:34
    ComboFix3.txt 2011-03-22 20:54
    .
    Pre-Run: 31,046,086,656 bytes free
    Post-Run: 31,047,200,768 bytes free
    .
    - - End Of File - - D5C6420E442FE704E7920C25DC50FEFB
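A small triage helper over the ComboFix output above, added here as an example and not part of the thread or of ComboFix itself: it pulls the executable paths out of the Run keys and the Windows Firewall AuthorizedApplications list and flags the ones that live in user-writable locations (in this log, the two utorrent.exe entries sitting on user Desktops), since unprivileged code can drop files there. The sample lines are copied from the log above; the parsing and the "user-writable" rule are my assumptions, not ComboFix's.

```python
import re

# Sample input constructed from lines of the ComboFix log posted above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-14 281768]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Geoff\\Desktop\\utorrent.exe"=
"c:\\Documents and Settings\\bon\\Desktop\\utorrent.exe"=
'''

# Assumed heuristic: directories an ordinary XP user account can write to without admin rights.
USER_WRITABLE = re.compile(
    r'^[a-z]:\\documents and settings\\[^\\]+\\(desktop|local settings|application data)\\'
    r'|^[a-z]:\\windows\\temp\\',
    re.IGNORECASE,
)

def extract_paths(log_text):
    """Return (section, path) pairs for every quoted .exe path under a [registry key] header."""
    section, found = None, []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        # Run entries look like "Name"="c:\path\file.exe" [date size];
        # firewall entries look like "c:\\path\\file.exe"= (backslashes doubled).
        m = re.match(r'^"(?:[^"]*"=")?([^"]+\.exe)"', line, re.IGNORECASE)
        if m and section:
            found.append((section, m.group(1).replace('\\\\', '\\')))
    return found

def flag_user_writable(log_text):
    """Boot-time or firewall-allowed executables that live in user-writable directories."""
    return [(s, p) for s, p in extract_paths(log_text) if USER_WRITABLE.search(p)]

if __name__ == '__main__':
    for section, path in flag_user_writable(SAMPLE_LOG):
        print(f'CHECK  {path}  (from {section})')
```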
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Okay, we need to look into why Combofix ran in Reduced Functionality Mode. I'm going to leave you references to check, as you are the best one to determine the cause. Something has changed in or on the system between the first time you ran Combofix and the current scan:
    1. Microsoft Office XP:
    2. Activation Has Expired
    3. WGA Validation Tool

    In order to regain the full functionality of the system, this will need to be resolved.
  25. wolfblitz

    wolfblitz TechSpot Enthusiast Topic Starter Posts: 111

    Thanks for your reply Bobbye,
    Apart from running slow, I can't say I've noticed anything out of the ordinary: no pop-up messages or programs not working.