Solved PC suddenly slow, lagging, stops responding


jaimo

Hi,

My PC is suddenly slow and laggy, and occasionally it stops responding when I am online. I haven't had very many issues before recently. There are only a handful of websites that I visit when I am online.

I have perused the 6-step guide posted in this forum, and I will paste my logs below.

Any help would be greatly appreciated.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7555

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/24/2011 3:09:37 PM
mbam-log-2011-08-24 (15-09-37).txt

Scan type: Quick scan
Objects scanned: 169137
Time elapsed: 15 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-26 00:15:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST380815AS rev.4.ADA
Running: v6jqg6lj[1].exe; Driver: C:\DOCUME~1\JAIMO\LOCALS~1\Temp\ufddypog.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 156232128
Disk \Device\Harddisk0\DR0 PE file @ sector 156232150

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAA18BBF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAA18BA5D]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAA1E3398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by JAIMO at 0:53:17 on 2011-08-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.464 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270398471859
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1270422002265
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{52408063-6109-4531-B654-7716CD04BAF4} : DhcpNameServer = 68.87.71.230 68.87.73.246
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-22 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-8-22 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-8-22 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-8-22 42184]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-12 136176]
S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11113.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11113.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-12 136176]
.
=============== Created Last 30 ================
.
2011-08-24 18:53:47 -------- d-----w- c:\documents and settings\jaimo\application data\Malwarebytes
2011-08-24 18:53:38 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-24 18:53:37 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-24 18:53:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 18:53:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-24 16:54:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-22 20:08:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-22 20:07:40 40112 ----a-w- c:\windows\avastSS.scr
2011-08-22 20:07:25 -------- d-----w- c:\program files\AVAST Software
2011-08-22 20:07:25 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-08-11 19:40:11 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-08-11 19:39:30 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2011-08-10 03:19:29 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 03:19:16 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-08-10 10:48:56 81984 ----a-w- c:\windows\system32\bdod.bin
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-07-24 21:12:55 81408 -c--a-w- c:\program files\taskkill.exe
.
============= FINISH: 0:54:10.32 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/3/2010 1:19:54 AM
System Uptime: 8/25/2011 9:20:43 AM (15 hours ago)
.
Motherboard: Dell Inc. | | 0WJ772
Processor: Intel(R) Celeron(R) CPU 2.80GHz | Microprocessor | 2792/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 15.05 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP534: 6/8/2011 8:10:55 AM - System Checkpoint
RP535: 6/9/2011 9:12:00 AM - System Checkpoint
RP536: 6/10/2011 10:10:55 AM - System Checkpoint
RP537: 6/10/2011 10:32:50 PM - Installed Portfolio Browser
RP538: 6/11/2011 11:26:33 PM - System Checkpoint
RP539: 6/13/2011 12:10:55 AM - System Checkpoint
RP540: 6/14/2011 1:10:55 AM - System Checkpoint
RP541: 6/15/2011 2:28:36 AM - System Checkpoint
RP542: 6/16/2011 3:00:23 AM - Software Distribution Service 3.0
RP543: 6/17/2011 4:09:25 AM - System Checkpoint
RP544: 6/18/2011 4:41:42 AM - System Checkpoint
RP545: 6/19/2011 5:41:43 AM - System Checkpoint
RP546: 6/20/2011 6:41:43 AM - System Checkpoint
RP547: 6/21/2011 7:41:43 AM - System Checkpoint
RP548: 6/22/2011 8:41:31 AM - System Checkpoint
RP549: 6/23/2011 12:53:24 AM - Removed Portfolio Browser
RP550: 6/24/2011 12:55:02 AM - System Checkpoint
RP551: 6/25/2011 1:05:32 AM - System Checkpoint
RP552: 6/25/2011 9:11:03 AM - Removed Google Earth.
RP553: 6/25/2011 9:12:28 AM - Removed Google Earth Plug-in.
RP554: 6/26/2011 9:41:32 AM - System Checkpoint
RP555: 6/27/2011 9:48:10 AM - System Checkpoint
RP556: 6/28/2011 10:42:37 AM - System Checkpoint
RP557: 6/29/2011 3:00:23 AM - Software Distribution Service 3.0
RP558: 6/30/2011 3:00:24 AM - Software Distribution Service 3.0
RP559: 7/1/2011 4:09:25 AM - System Checkpoint
RP560: 7/2/2011 4:31:55 AM - System Checkpoint
RP561: 7/3/2011 5:31:54 AM - System Checkpoint
RP562: 7/4/2011 6:31:54 AM - System Checkpoint
RP563: 7/5/2011 6:48:16 AM - System Checkpoint
RP564: 7/5/2011 11:39:32 PM - Restore Operation
RP565: 7/5/2011 11:42:53 PM - Restore Operation
RP566: 7/5/2011 11:44:25 PM - avast! Free Antivirus Setup
RP567: 7/5/2011 11:51:29 PM - Avira AntiVir Personal - 7/5/2011 23:50
RP568: 7/7/2011 12:50:14 AM - System Checkpoint
RP569: 7/8/2011 1:14:23 AM - System Checkpoint
RP570: 7/9/2011 1:50:02 AM - System Checkpoint
RP571: 7/10/2011 2:50:03 AM - System Checkpoint
RP572: 7/11/2011 2:51:07 AM - System Checkpoint
RP573: 7/12/2011 4:37:07 AM - System Checkpoint
RP574: 7/13/2011 4:50:04 AM - System Checkpoint
RP575: 7/14/2011 3:00:33 AM - Software Distribution Service 3.0
RP576: 7/15/2011 4:09:01 AM - System Checkpoint
RP577: 7/16/2011 4:18:42 AM - System Checkpoint
RP578: 7/17/2011 4:33:02 AM - System Checkpoint
RP579: 7/18/2011 5:33:00 AM - System Checkpoint
RP580: 7/19/2011 6:33:00 AM - System Checkpoint
RP581: 7/20/2011 7:33:01 AM - System Checkpoint
RP582: 7/21/2011 8:15:44 AM - System Checkpoint
RP583: 7/22/2011 9:15:44 AM - System Checkpoint
RP584: 7/23/2011 10:15:44 AM - System Checkpoint
RP585: 7/24/2011 11:27:43 AM - System Checkpoint
RP586: 7/25/2011 12:15:29 PM - System Checkpoint
RP587: 7/25/2011 8:28:32 PM - Installed BitDefender Free Edition 2009
RP588: 7/26/2011 8:56:17 PM - System Checkpoint
RP589: 7/27/2011 10:27:49 PM - System Checkpoint
RP590: 7/28/2011 10:56:16 PM - System Checkpoint
RP591: 7/30/2011 - System Checkpoint
RP592: 7/31/2011 12:31:39 AM - System Checkpoint
RP593: 8/1/2011 12:56:08 AM - System Checkpoint
RP594: 8/2/2011 12:56:55 AM - System Checkpoint
RP595: 8/3/2011 12:57:14 AM - System Checkpoint
RP596: 8/4/2011 2:58:08 AM - System Checkpoint
RP597: 8/5/2011 3:00:37 AM - System Checkpoint
RP598: 8/6/2011 3:56:08 AM - System Checkpoint
RP599: 8/7/2011 4:43:23 AM - System Checkpoint
RP600: 8/8/2011 5:08:23 AM - System Checkpoint
RP601: 8/9/2011 5:43:22 AM - System Checkpoint
RP602: 8/10/2011 3:00:17 AM - Software Distribution Service 3.0
RP603: 8/10/2011 6:48:46 AM - Removed BitDefender Free Edition 2009
RP604: 8/11/2011 6:56:35 AM - System Checkpoint
RP605: 8/12/2011 7:42:42 AM - System Checkpoint
RP606: 8/13/2011 7:48:26 AM - System Checkpoint
RP607: 8/14/2011 8:42:43 AM - System Checkpoint
RP608: 8/15/2011 10:06:14 AM - System Checkpoint
RP609: 8/16/2011 10:42:41 AM - System Checkpoint
RP610: 8/17/2011 12:25:17 PM - System Checkpoint
RP611: 8/17/2011 2:26:17 PM - Removed Adobe Reader X (10.0.1).
RP612: 8/17/2011 2:26:58 PM - Removed Adobe Flash Player 10 Plugin.
RP613: 8/18/2011 2:36:22 PM - System Checkpoint
RP614: 8/19/2011 2:37:26 PM - System Checkpoint
RP615: 8/20/2011 3:36:21 PM - System Checkpoint
RP616: 8/21/2011 3:41:46 PM - System Checkpoint
RP617: 8/22/2011 4:07:25 PM - avast! Free Antivirus Setup
RP618: 8/22/2011 8:15:49 PM - Installed Adobe Reader X (10.1.0).
RP619: 8/23/2011 9:05:33 PM - System Checkpoint
RP620: 8/24/2011 11:05:45 PM - System Checkpoint
RP621: 8/25/2011 3:00:15 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.1.0)
avast! Free Antivirus
Dell Driver Download Manager
Facebook Plug-In
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Java Auto Updater
Java(TM) 6 Update 20
Java(TM) 6 Update 23
Malwarebytes' Anti-Malware version 1.51.1.1800
Media Player Codec Pack 3.9.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.2
Pando Media Booster
QuickTime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.0
runtime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
VS10Runtime
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
8/23/2011 7:57:45 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 001676B192DD has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
8/23/2011 7:56:28 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
8/22/2011 12:13:41 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
8/19/2011 2:32:41 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001676B192DD has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
 
new problems today

Today when I was closing my browser, it shut down, then popped back open with 3 sessions opened up, all showing the Yahoo homepage. Every time I tried to X out of it, a new session would open up.

I also notice some of my lockups seem to occur when I am on yahoo. Also, the iexplore.exe process skyrockets to around 97%.
 
Welcome to TechSpot! I'll help you sort this out.

My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
You have malicious code on the MBR:
Please download MBRCheck and save to your desktop
  • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    [o] Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    [o] Found non-standard or infected MBR.
    [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Paste this log to your next message.
==========================================
Looks like you were trying to find an antivirus program you liked. It appears that at one time, you had the Norton/Symantec AV. There are still processes running for it, so please run Norton Removal Tool

Be sure to reboot when finished.
===============================================
The Java is out of date. This is a vulnerability. Please update to the current version, v6u26 now: Java Updates
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.

Then uninstall Java(TM) 6 Update 20 and Java(TM) 6 Update 23 in Add/Remove Programs.
===============================================
You will have malware in the Java cache due to the outdated programs:

To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
  • [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
  • [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  • [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
  • [5]. Click OK on the Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  • [6]. Click Apply > OK on the Temporary Files Settings window.
Images courtesy java.com
=============================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=======================================
Please leave the logs for the MBR check and Combofix in your next reply.
 
Hi Bobbye,

Thank you for your assistance.

I have followed the steps up to: The Java Is Out Of Date. I have updated so I have the current version, and I have uninstalled Java 6 update 20. There is no update 23 shown in add/remove programs, but there is an update 27.

Should I uninstall update 27? Below is the MBR log. I have not proceeded beyond the removal of Java update 20.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D1000 \WINDOWS\system32\hal.dll
0xF7ABE000 \WINDOWS\system32\KDCOM.DLL
0xF79CE000 \WINDOWS\system32\BOOTVID.dll
0xF748F000 ACPI.sys
0xF7AC0000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF747E000 pci.sys
0xF75BE000 isapnp.sys
0xF7B86000 pciide.sys
0xF783E000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF75CE000 MountMgr.sys
0xF745F000 ftdisk.sys
0xF7AC2000 dmload.sys
0xF7439000 dmio.sys
0xF7846000 PartMgr.sys
0xF75DE000 VolSnap.sys
0xF7421000 atapi.sys
0xF75EE000 disk.sys
0xF75FE000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF7401000 fltmgr.sys
0xF73EF000 sr.sys
0xF73D8000 KSecDD.sys
0xF73C5000 WudfPf.sys
0xF7338000 Ntfs.sys
0xF730B000 NDIS.sys
0xF72F1000 Mup.sys
0xF774E000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF717B000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF7167000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF713F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF793E000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF711B000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7946000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF70F5000 \SystemRoot\System32\DRIVERS\e100b325.sys
0xF70E1000 \SystemRoot\System32\DRIVERS\parport.sys
0xF775E000 \SystemRoot\System32\DRIVERS\serial.sys
0xF7A82000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF776E000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF777E000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF778E000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF70BE000 \SystemRoot\System32\DRIVERS\ks.sys
0xF794E000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7CA0000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF779E000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF7A8A000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF70A7000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF77AE000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF77BE000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7956000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF7096000 \SystemRoot\System32\DRIVERS\psched.sys
0xF77CE000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF795E000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7966000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF7066000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xF77DE000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF796E000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF7976000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7AE0000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF6FE0000 \SystemRoot\System32\DRIVERS\update.sys
0xF7AAA000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF780E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA56D000 \SystemRoot\system32\drivers\sthda.sys
0xAA549000 \SystemRoot\system32\drivers\portcls.sys
0xF781E000 \SystemRoot\system32\drivers\drmk.sys
0xF761E000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF7AE8000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF7AEA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7BB1000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AEC000 \SystemRoot\System32\Drivers\Beep.SYS
0xF799E000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xF79A6000 \SystemRoot\System32\drivers\vga.sys
0xF7AEE000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7AF0000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF79AE000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF79B6000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7A52000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xAA44E000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xAA3F5000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF763E000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xAA382000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF764E000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xAA35A000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF79C6000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xAA338000 \SystemRoot\System32\drivers\afd.sys
0xF765E000 \SystemRoot\System32\DRIVERS\netbios.sys
0xAA30D000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xAA29D000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF767E000 \SystemRoot\System32\Drivers\Fips.SYS
0xAA1C4000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF705E000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF769E000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xF789E000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0xF7056000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF7046000 \SystemRoot\System32\DRIVERS\kbdhid.sys
0xAA154000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xF7AA6000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF78B6000 \SystemRoot\System32\DRIVERS\usbprint.sys
0xF78BE000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xF76AE000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xF7ABA000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xF78CE000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF770E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAA114000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B70000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA12C000 \SystemRoot\System32\drivers\Dxapi.sys
0xF791E000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C80000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF021000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF043000 \SystemRoot\System32\ialmdev5.DLL
0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
0xBF16E000 \SystemRoot\System32\ATMFD.DLL
0xAA48D000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA9FDC000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xA9D65000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA99E0000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9A35000 \SystemRoot\system32\drivers\sysaudio.sys
0xA97A5000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF7AC6000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA973C000 \SystemRoot\System32\Drivers\HTTP.sys
0xA95CC000 \SystemRoot\System32\DRIVERS\srv.sys
0xA8DCF000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA8CEB000 \??\C:\DOCUME~1\JAIMO\LOCALS~1\Temp\ufddypog.sys
0xF78F6000 \??\C:\DOCUME~1\JAIMO\LOCALS~1\Temp\mbr.sys
0xA8A9A000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 33):
0 System Idle Process
4 System
620 C:\WINDOWS\system32\smss.exe
668 csrss.exe
692 C:\WINDOWS\system32\winlogon.exe
736 C:\WINDOWS\system32\services.exe
748 C:\WINDOWS\system32\lsass.exe
908 C:\WINDOWS\system32\svchost.exe
972 svchost.exe
1068 C:\WINDOWS\system32\svchost.exe
1100 C:\WINDOWS\system32\svchost.exe
1232 svchost.exe
1388 svchost.exe
1524 C:\WINDOWS\explorer.exe
1632 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1792 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1800 C:\Program Files\AVAST Software\Avast\AvastUI.exe
1820 C:\WINDOWS\system32\ctfmon.exe
1864 C:\Program Files\Windows Media Player\wmpnscfg.exe
660 C:\WINDOWS\system32\spoolsv.exe
1512 svchost.exe
1740 C:\WINDOWS\system32\svchost.exe
1848 C:\Program Files\Java\jre6\bin\jqs.exe
2404 C:\WINDOWS\system32\svchost.exe
2468 wmpnetwk.exe
3012 C:\WINDOWS\system32\searchindexer.exe
3664 alg.exe
1216 C:\WINDOWS\system32\drwtsn32.exe
272 C:\WINDOWS\system32\drwtsn32.exe
560 C:\Program Files\Internet Explorer\iexplore.exe
1928 C:\Program Files\Internet Explorer\iexplore.exe
4064 C:\WINDOWS\system32\wscntfy.exe
2308 C:\Documents and Settings\JAIMO\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST380815AS, Rev: 4.ADA

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
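MBRCheck arrives at a line like "Windows XP MBR code detected" by reading sector 0 of the physical drive, fingerprinting the boot code, comparing that fingerprint with hashes of known MBRs, and reading the partition table to report where each volume starts (the 0x7e00 offset above is LBA 63 * 512 bytes). The Python script below is an added example written for this thread, not MBRCheck's code: it performs those same steps on one 512-byte sector. The sample MBR it builds, the empty allowlist, and the assumption that the fingerprint covers only the 440-byte boot-code area (not the disk signature or partition table) are constructed for the example; run it against a real drive only with a known-good hash set of your own.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold boot code; 440..443 disk signature; 444..445 reserved
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries, then the 0x55AA signature at 510..511
BOOT_SIGNATURE = b"\x55\xAA"

# Allowlist of SHA1 fingerprints of clean boot code, keyed by hash.
# Hypothetical placeholder: populate it from hashes you took yourself on
# known-clean installs; the example ships it empty on purpose.
KNOWN_GOOD_SHA1 = {}


def read_mbr(device_path):
    r"""Read sector 0 from a raw device or image, e.g. r'\\.\PhysicalDrive0'
    (Windows, requires administrator rights) or '/dev/sda'."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr():
    """Constructed 512-byte MBR used as offline sample input; not a dump of a real disk."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_signature = struct.pack("<I", 0x0BADF00D)
    reserved = b"\x00\x00"
    # Entry 0: bootable (0x80), type 0x07 (NTFS), starting at LBA 63 = byte offset 0x7E00.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 156_296_322)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + disk_signature + reserved + table + BOOT_SIGNATURE


def parse_partitions(mbr):
    """Return the non-empty entries of the partition table."""
    parts = []
    for index in range(4):
        status, _chs_start, ptype, _chs_end, start_lba, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PARTITION_TABLE_OFFSET + 16 * index)
        if ptype == 0:
            continue
        parts.append({"index": index, "bootable": status == 0x80, "type": ptype,
                      "start_lba": start_lba, "sectors": sectors,
                      "byte_offset": start_lba * SECTOR_SIZE})
    return parts


def check_mbr(mbr, known_good=KNOWN_GOOD_SHA1):
    """Fingerprint the boot code and sanity-check the sector; returns a result dict."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes" % SECTOR_SIZE)
    # Hash only the boot-code area so the per-disk signature and the partition
    # table do not change the fingerprint. Assumption: that is the region worth
    # comparing across machines; adjust if your allowlist was built differently.
    sha1 = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    partitions = parse_partitions(mbr)
    findings = []
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    if sha1 not in known_good:
        findings.append("boot code not in allowlist; compare with a clean install before trusting it")
    if not any(p["bootable"] for p in partitions):
        findings.append("no partition is marked bootable")
    return {"sha1": sha1, "signature_ok": signature_ok, "known_good": sha1 in known_good,
            "partitions": partitions, "findings": findings}


def report(result):
    """Render a result in the spirit of MBRCheck's summary lines."""
    lines = ["SHA1: %s" % result["sha1"],
             "Boot code: %s" % ("known-good" if result["known_good"] else "UNKNOWN")]
    for p in result["partitions"]:
        lines.append("partition %d: type 0x%02X at offset 0x%08X, %d sectors%s" % (
            p["index"], p["type"], p["byte_offset"], p["sectors"],
            " (bootable)" if p["bootable"] else ""))
    lines.extend("finding: " + f for f in result["findings"])
    return "\n".join(lines)


if __name__ == "__main__":
    sector = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    print(report(check_mbr(sector)))
```

Without an argument the script checks its built-in sample; with a device path it reads the live sector 0. A read through the normal disk stack can be filtered by an active bootkit, so treat a clean result taken on a running, possibly infected system as weaker evidence than one taken from an offline image of the same disk.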
 
Son added itunes

My apologies. My son got a new iPod and added the iTunes software to my computer last night.

Do I need to uninstall?
 
Yes, if Java is now up to v6u27, you should install that version.

About QuickTime, just open the program and uncheck the auto-updater. If he gets iTunes on the iPod, he will need QuickTime, then the program.

MBR check is okay. Please run the following to finish up:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the button to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=======================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
 
combofix log

ComboFix 11-08-27.01 - JAIMO 08/27/2011 22:52:17.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.529 [GMT -4:00]
Running from: c:\documents and settings\JAIMO\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\messenger\msmsgsin.exe
c:\windows\iun6002.exe
.
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-28 )))))))))))))))))))))))))))))))
.
.
2011-08-27 03:08 . 2011-08-27 03:08 -------- d-----w- c:\program files\iPod
2011-08-27 03:08 . 2011-08-27 03:09 -------- d-----w- c:\program files\iTunes
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-08-27 03:07 . 2011-08-27 03:07 -------- d-----w- c:\program files\QuickTime
2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\program files\Apple Software Update
2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-08-27 03:05 . 2011-05-10 12:06 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-08-27 03:05 . 2011-05-10 12:06 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-08-27 03:04 . 2011-08-27 03:04 -------- d-----w- c:\program files\Bonjour
2011-08-27 02:59 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-08-27 02:59 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-08-26 20:50 . 2011-08-26 20:50 -------- d-----w- c:\program files\Common Files\Java
2011-08-24 23:32 . 2011-08-24 23:36 -------- d-----w- c:\documents and settings\Guest
2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\JAIMO\Application Data\Malwarebytes
2011-08-24 18:53 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-24 18:53 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 16:54 . 2011-08-24 16:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-23 00:15 . 2011-08-23 00:16 -------- d-----w- c:\program files\Common Files\Adobe
2011-08-23 00:14 . 2011-08-23 00:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-08-22 20:08 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-22 20:08 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-22 20:08 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-22 20:08 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-22 20:08 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-22 20:08 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-22 20:08 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-22 20:08 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-22 20:07 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-22 20:07 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\program files\AVAST Software
2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-11 19:40 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-08-11 19:39 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-08-10 03:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 03:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-19 09:05 . 2010-09-12 05:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-19 06:40 . 2010-04-05 17:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10 . 2010-04-03 05:14 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2003-03-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-07-24 21:12 . 2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
2006-10-05 22:17 53248 -c----w- c:\windows\Ctregrun.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
2007-09-06 01:24 405504 -c--a-w- c:\windows\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-24 00:13 77824 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 00:17 118784 -c--a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 00:17 94208 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
2006-06-09 16:47 47104 -c--a-w- c:\windows\system32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-06-03 11:25 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56644:TCP"= 56644:TCP:pando Media Booster
"56644:UDP"= 56644:UDP:pando Media Booster
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/22/2011 4:08 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/22/2011 4:08 PM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/22/2011 4:08 PM 19544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
.
2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
.
2011-08-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-08-27 c:\windows\Tasks\User_Feed_Synchronization-{3AD81087-C49C-42C4-976E-2EA0AA257C02}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2011-08-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-04-04 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-UIUCU - c:\docume~1\JAIMO\LOCALS~1\Temp\UIUCU.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-27 23:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1164)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-08-27 23:16:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-28 03:16
.
Pre-Run: 15,534,104,576 bytes free
Post-Run: 16,024,313,856 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 9790E42F0650FC9A3534DC195E2D7D63
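Reading a ComboFix log by hand means going through the Run keys, startup-folder entries, firewall policy and the Files Created / Find3M lists for anything that loads from an odd place. The c:\program files\taskkill.exe entry in the Find3M report above is the kind of thing that stands out: the genuine taskkill.exe lives under c:\windows\system32, so a copy under Program Files is out of place. The Python script below is an added example for this thread, not ComboFix's own logic, that automates a few such checks over log text: executables loading from a user's Temp directory, well-known system binary names outside c:\windows, a disabled Windows Firewall ("EnableFirewall"= 0) and globally opened ports. The SAMPLE_LOG excerpt, the list of binary names and the Temp path patterns are constructed for the example, and the line shapes it parses are assumed from the log posted here.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix log style, used as offline sample input.
# It is not the log posted in this thread; paths, names and dates are made up.
SAMPLE_LOG = r"""
2010-07-24 21:12 . 2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe
2011-08-27 03:08 . 2011-08-27 03:08 -------- d-----w- c:\program files\iTunes
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"Updater"="c:\docume~1\user\locals~1\temp\svchost.exe" [2011-08-20 45056]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56644:TCP"= 56644:TCP:pando Media Booster
MSConfigStartUp-UIUCU - c:\docume~1\user\LOCALS~1\Temp\UIUCU.EXE
"""

# Line shapes ComboFix uses (assumed from the posted log; only these are handled).
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\d+)\s+(\S+)\s+(.+)$")
RUN_ENTRY = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]')
ORPHAN = re.compile(r"^MSConfigStartUp-(\S+) - (.+)$")
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=')

# Heuristics: Temp directories no legitimate autorun should load from, and
# system binary names that only belong under c:\windows (assumed lists).
TEMP_MARKERS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\appdata\\local\\temp\\")
SYSTEM_BINARIES = {"taskkill.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"


@dataclass
class Finding:
    kind: str     # file | autorun | orphan | firewall | open_port
    subject: str  # path, port or setting the finding is about
    reason: str


def path_reasons(path):
    """Why a file path in the log deserves a second look (empty list if it does not)."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if any(marker in p for marker in TEMP_MARKERS):
        reasons.append("executable located in a user Temp directory")
    if name in SYSTEM_BINARIES and not p.startswith(WINDOWS_DIR):
        reasons.append("%s outside the Windows directory (the genuine one lives under c:\\windows)" % name)
    return reasons


def _flag_path(findings, kind, path, context=None):
    reasons = path_reasons(path)
    if reasons:
        if context:
            reasons.append(context)
        findings.append(Finding(kind, path, "; ".join(reasons)))


def triage_combofix_log(text):
    """Walk the log line by line and collect findings worth a human's attention."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            _flag_path(findings, "file", m.group(3), "%s bytes" % m.group(1))
            continue
        m = RUN_ENTRY.match(line)
        if m:
            _flag_path(findings, "autorun", m.group(2), "loaded from a Run key as '%s'" % m.group(1))
            continue
        m = ORPHAN.match(line)
        if m:
            _flag_path(findings, "orphan", m.group(2),
                       "autorun entry already removed by ComboFix; check whether the file itself remains")
            continue
        if FIREWALL_OFF.match(line):
            findings.append(Finding("firewall", "EnableFirewall",
                                    "Windows Firewall disabled in the standard profile"))
            continue
        m = OPEN_PORT.match(line)
        if m:
            findings.append(Finding("open_port", "%s/%s" % (m.group(1), m.group(2)),
                                    "port opened globally in the firewall policy; confirm the program still needs it"))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    for f in triage_combofix_log(log_text):
        print("[%s] %s: %s" % (f.kind, f.subject, f.reason))
```

Pass a saved ComboFix.txt as the first argument to run it over a real log. The checks are deliberately narrow: a path that passes them is not thereby clean, and the script does not decide anything, it only shortens the list a helper has to read.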
 
The ESET Online scan link brought me to a website to purchase their AV software. I didn't see a link for the online scanner.

Also, "NOTE #2: ComboFix may fix a number of internet explorers settings, including making IE the default browser." After running CF, it did tell me IE was not my default browser, and would I like to make it my default? I selected YES. Was that the correct selection?

After running the CF scan and rebooting, a new IE icon appeared on my desktop.
 
Limewire?

I noticed this in the CF log...I haven't had Limewire on my pc in a while. Is this a process that is still running?

[HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
 
For Eset: Perhaps you didn't read the directions carefully:

Your log shows you're using Internet Explorer: 8.0.6001.18702, is that correct? It should take you right to the free scan.
# Hold down Control and click on the following link to open ESET OnlineScan in a new window. The link is embedded in this>>>ESETOnlineScan

# For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
[o] Click on the button to download the ESET Smart Installer. Save it to your desktop.

I use Firefox and tried both just clicking on the link itself and then holding down Control and clicking on link per instruction. It took me to the page where it shows:
Get a FREE Online Virus Scan <<<<<on the left side
STEP ONE: Run free on-demand scan
(Purchase for full time AV is to the right)

Try it again please.
=====================================
"I selected YES. Was that the correct selection?" Yes, if IE is the default.
-------------------------------
"I haven't had Limewire on my pc in a while. Is this a process that is still running?" Yes, it was loading from the Registry.
========================================
I'm going to take a look at this with the script. While I know what the purpose is as it's obvious, it is usually done from a command prompt, not a program.
2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe
=========================================
Please run this Custom CFScript:

  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
FileLook::
c:\program files\taskkill.exe

Registry::
[HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
========================================
I have removed registry entries for the following:
1. CTRegRun: Description: For Creative Soundblaster Live! series soundcards. Reminds you to register your card with Creative. 2006

2. IDTSysTrayApp: Description: Related to Sigmatel System tray icon from audio driver for cards made by Sigmatel/IDT. Uses excessive system and memory resources with no corresponding benefit. Located in \%Program Files%\Sigmatel\C-Major Audio\WDM\ 2007

3. TkBellExe/realsched.exe: Description: The purpose of realsched is to look for automatic updates for Real Player. Realsched.exe runs in the background on your computer and may appear at computer startup time, running each time your system is rebooted. 2010

4. LimeWire: path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
Check your Startup menu for LimeWire.
==========================================
Recommend you stop these Scheduled Tasks
Remove Tasks:
2011-08-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
------------------------
Path: All Programs> Accessories> System Tools> Task Scheduler> Right click> End on each task.

I don't recommend any auto-updates except for the AV program
 
OK, ESET scan was clean. Strange, but I followed your instructions exactly and got the same thing...the main screen was selling me 3 types of AV scan; I found a link for "Online Scan" on the right side of the page, followed it and then found the:

Quote:
Get a FREE Online Virus Scan <<<<<on the left side
STEP ONE: Run free on-demand scan
(Purchase for full time AV is to the right).

Regardless of that, ESET came up clean. Below is the CF scan, done per your instructions. I will go ahead and stop the scheduled tasks you recommended.


ComboFix 11-08-28.01 - JAIMO 08/28/2011 21:12:50.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.546 [GMT -4:00]
Running from: c:\documents and settings\JAIMO\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JAIMO\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))
.
.
2011-08-28 23:51 . 2011-08-28 23:51 -------- d-----w- c:\program files\ESET
2011-08-27 03:08 . 2011-08-27 03:08 -------- d-----w- c:\program files\iPod
2011-08-27 03:08 . 2011-08-27 03:09 -------- d-----w- c:\program files\iTunes
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-08-27 03:07 . 2011-08-27 03:07 -------- d-----w- c:\program files\QuickTime
2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\program files\Apple Software Update
2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-08-27 03:05 . 2011-05-10 12:06 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-08-27 03:05 . 2011-05-10 12:06 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-08-27 03:04 . 2011-08-27 03:04 -------- d-----w- c:\program files\Bonjour
2011-08-27 02:59 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-08-27 02:59 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-08-26 20:50 . 2011-08-26 20:50 -------- d-----w- c:\program files\Common Files\Java
2011-08-24 23:32 . 2011-08-24 23:36 -------- d-----w- c:\documents and settings\Guest
2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\JAIMO\Application Data\Malwarebytes
2011-08-24 18:53 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-24 18:53 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 16:54 . 2011-08-24 16:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-23 00:15 . 2011-08-23 00:16 -------- d-----w- c:\program files\Common Files\Adobe
2011-08-23 00:14 . 2011-08-23 00:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-08-22 20:08 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-22 20:08 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-22 20:08 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-22 20:08 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-22 20:08 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-22 20:08 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-22 20:08 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-22 20:08 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-22 20:07 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-22 20:07 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\program files\AVAST Software
2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-11 19:40 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-08-11 19:39 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-08-10 03:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 03:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-19 09:05 . 2010-09-12 05:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-19 06:40 . 2010-04-05 17:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10 . 2010-04-03 05:14 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2003-03-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-07-24 21:12 . 2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\program files\taskkill.exe ---
Company: Microsoft Corporation
File Description: Kill Process
File Version: 5.1.2600.0 (XPClient.010817-1148)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: TaskKill.exe
File size: 81408
Created time: 2010-07-24 21:12
Modified time: 2010-07-24 21:12
MD5: A38A71FE7F4F44624F43DA7166C3B177
SHA1: AFC4B8EBA8C2B4A2AC85D53C85C5FDDF88F2737F
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
2006-10-05 22:17 53248 -c----w- c:\windows\Ctregrun.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
2007-09-06 01:24 405504 -c--a-w- c:\windows\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-24 00:13 77824 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 00:17 118784 -c--a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 00:17 94208 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
2006-06-09 16:47 47104 -c--a-w- c:\windows\system32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-06-03 11:25 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56644:TCP"= 56644:TCP:pando Media Booster
"56644:UDP"= 56644:UDP:pando Media Booster
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/22/2011 4:08 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/22/2011 4:08 PM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/22/2011 4:08 PM 19544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
.
2011-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
.
2011-08-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-08-28 c:\windows\Tasks\User_Feed_Synchronization-{3AD81087-C49C-42C4-976E-2EA0AA257C02}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2011-08-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-04-04 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-28 21:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(820)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-28 21:28:15
ComboFix-quarantined-files.txt 2011-08-29 01:28
ComboFix2.txt 2011-08-28 03:16
.
Pre-Run: 15,721,283,584 bytes free
Post-Run: 15,777,652,736 bytes free
.
- - End Of File - - 746C9BC34AA24E1D442B794F43D9F5D5
 
Cannot stop tasks

When I follow the path to end the scheduled tasks you recommended, I cannot click on "End Task"; it is there but greyed out and won't allow me to change them.

Recommend you stop these Scheduled Tasks
Remove Tasks:
2011-08-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
------------------------
Path: All Programs> Accessories> System Tools> Task Scheduler> Right click> End on each task.
 
Okay, you should be able to stop the Tasks as below> I see you have 2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe running.

I did a 'look' on this and it's a legitimate MS program. It appears to be set from a Command Prompt:
Click on Start> Run> type in cmd> enter> at the blinking C Prompt type in each of the following with 'enter' after each:
Note: there is a space before each /
Code:
schtasks /End /TN "RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003"

schtasks /End /TN "RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003"

In response, SchTasks.exe stops the instance of Notepad.exe that the task started, and it displays the following success message:

SUCCESS: The Scheduled Task "xxxxxx" has been terminated successfully.

If you have a problem or want to see other options, check HERE for the specific Commands.
/schtasks.mspx?mfr=true
 
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
Code:
File::
Registry::
[HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
====================
I still see the LimeWire entry. It indicates a shortcut in Docs & Settings for JAIMO, in the Start Programs. It also indicates a backup shortcut. I'm putting the Registry entry in the script again for removal, but you will need to search the system and delete the LimeWire entries. Be sure to go into Windows Explorer> My Computer> Local Drive> Programs and do a right click> delete on the program folder.

You should also remove entry CTRegRun from the Startup menu. It was created 5 years ago, a reminder to register the Creative Sound card.

Has there been any improvement in the system?
 
ComboFix 11-08-31.04 - JAIMO 08/31/2011 15:25:23.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.482 [GMT -4:00]
Running from: c:\documents and settings\JAIMO\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JAIMO\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-31 )))))))))))))))))))))))))))))))
.
.
2011-08-28 23:51 . 2011-08-28 23:51 -------- d-----w- c:\program files\ESET
2011-08-27 03:08 . 2011-08-27 03:08 -------- d-----w- c:\program files\iPod
2011-08-27 03:08 . 2011-08-27 03:09 -------- d-----w- c:\program files\iTunes
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-08-27 03:07 . 2011-08-27 03:07 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-08-27 03:07 . 2011-08-27 03:07 -------- d-----w- c:\program files\QuickTime
2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\program files\Apple Software Update
2011-08-27 03:05 . 2011-08-27 03:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-08-27 03:05 . 2011-05-10 12:06 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-08-27 03:05 . 2011-05-10 12:06 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-08-27 03:04 . 2011-08-27 03:04 -------- d-----w- c:\program files\Bonjour
2011-08-27 02:59 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-08-27 02:59 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-08-26 20:50 . 2011-08-26 20:50 -------- d-----w- c:\program files\Common Files\Java
2011-08-24 23:32 . 2011-08-24 23:36 -------- d-----w- c:\documents and settings\Guest
2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\JAIMO\Application Data\Malwarebytes
2011-08-24 18:53 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-24 18:53 . 2011-08-24 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-24 18:53 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 16:54 . 2011-08-24 16:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-23 00:15 . 2011-08-23 00:16 -------- d-----w- c:\program files\Common Files\Adobe
2011-08-23 00:14 . 2011-08-23 00:14 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-08-22 20:08 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-22 20:08 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-22 20:08 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-22 20:08 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-22 20:08 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-22 20:08 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-22 20:08 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-22 20:08 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-22 20:07 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-22 20:07 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\program files\AVAST Software
2011-08-22 20:07 . 2011-08-22 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-11 19:40 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-08-11 19:39 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-08-10 03:19 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 03:19 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-19 09:05 . 2010-09-12 05:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-19 06:40 . 2010-04-05 17:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10 . 2010-04-03 05:14 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2003-03-31 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2010-07-24 21:12 . 2010-07-24 21:12 81408 -c--a-w- c:\program files\taskkill.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
2006-10-05 22:17 53248 -c----w- c:\windows\Ctregrun.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
2007-09-06 01:24 405504 -c--a-w- c:\windows\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-24 00:13 77824 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 00:17 118784 -c--a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 00:17 94208 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
2006-06-09 16:47 47104 -c--a-w- c:\windows\system32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-06-03 11:25 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56644:TCP"= 56644:TCP:pando Media Booster
"56644:UDP"= 56644:UDP:pando Media Booster
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/22/2011 4:08 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/22/2011 4:08 PM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/22/2011 4:08 PM 19544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/12/2010 8:13 AM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
.
2011-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 12:13]
.
2011-08-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1177238915-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1177238915-562591055-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-08-31 c:\windows\Tasks\User_Feed_Synchronization-{3AD81087-C49C-42C4-976E-2EA0AA257C02}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2011-08-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-04-04 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-31 15:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(544)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-31 15:46:24
ComboFix-quarantined-files.txt 2011-08-31 19:46
ComboFix2.txt 2011-08-29 01:28
ComboFix3.txt 2011-08-28 03:16
.
Pre-Run: 16,175,046,656 bytes free
Post-Run: 16,514,424,832 bytes free
.
- - End Of File - - FF633B6A5EA46D629779619A9AB14534
 
Hi Bobbye,

There is some improvement, although yesterday the browser popped open on its own with 3 sessions after I closed out of a single session. This only seems to happen when I close it from Yahoo.
 
iexplore.exe still high

iexplore.exe process is still running very high...mostly only on Yahoo.com when checking my mail and reading news articles. Also, yahoo was giving me a message yesterday saying my version of IE is out of date.

I have been unsuccessful trying to end the scheduled tasks using the command prompt so far...I will use the link you provided for more info.
 
Question: Did you set up this directory?
2011-08-24 23:36 -------- d-----w- c:\documents and settings\Guest
Do a right click> Properties on it and see if there are any files in it.

I cannot account for the high CPU use of IE when on Yahoo. However, it must be something associated with either the site itself or the particular page you are on.
=============================================
All of the following registry entries are running because the process they run is on the Startup Menu. You can use the msconfig utility to uncheck them. Each can be removed from the Startup Menu:
These are valid programs but are not required to run on startup.
--------------------------------
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]>> Installed by the "HP Photo and Imaging Director" software.
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]>>System Tray access to Windows Search 4.0 for XP from Microsoft - which adds additional search options including a search box on the Taskbar. This version also includes the Windows Search (WSearch) service which indexes files and e-mails items so you can quickly find words and phrases. Disabling this entry does not affect the normal operation
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^JAIMO^Start Menu^Programs^Startup^LimeWire On Startup.lnk]>> LimeWire: path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
path=c:\documents and settings\JAIMO\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]>> Description: For Creative Soundblaster Live! series soundcards. Reminds you to register your card with Creative. 2006
2006-10-05 22:17 53248 -c----w- c:\windows\Ctregrun.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]>> Related to Sigmatel System tray icon from audio driver for cards made by Sigmatel/IDT. Uses excessive system and memory resources with no corresponding benefit. Located in \%Program Files%\Sigmatel\C-Major Audio\WDM\ 2007
2007-09-06 01:24 405504 -c--a-w- c:\windows\sttray.exe

The following 3 are all related to the Intel graphics> none need to start on boot:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]>> Installed by the Intel 810 and 815 chipset graphic drivers. If you want the Ctrl+Alt+F12 or similar keypresses to access Intel's customised graphics
2006-03-24 00:13 77824 -c--a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]>> Associated with the Common User Interface module for Intel graphics cards
2006-03-24 00:17 118784 -c--a-w- c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]>> Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets
2006-03-24 00:17 94208 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]>> Mouse software that allows you to change a variety of options for your mouse. May cause problems with some DirectX games if it is disabled.
2006-06-09 16:47 47104 -c--a-w- c:\windows\system32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]>> auto-updater
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]>> auto-updater
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]>> auto-updater
2010-06-03 11:25 202256 -c--a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
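As an added example (not something posted in this thread), a PowerShell script that reads the same msconfig keys listed above and reports, for each disabled startup item, what it points at and whether that file still exists, so nothing is deleted blind. It assumes PowerShell 2.0 is installed on the XP box and that msconfig uses the value names command, path, backup, location and item, which is how ComboFix reports them above.

```powershell
# Added example, not from the thread: list the startup items msconfig has disabled on
# Windows XP so you can see what each one points at before deleting anything.
# Assumes PowerShell 2.0 and the msconfig value names command / backup / location / item.
$base = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig'

function Get-ExePath([string]$command) {
    # msconfig stores the full command line; reduce it to the executable path.
    # Quoted paths are handled; an unquoted path containing spaces will be cut at
    # the first space, so check the Target column by eye in that case.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

function New-Record($kind, $name, $target) {
    $exists = $false
    $when = $null
    if (-not [string]::IsNullOrEmpty($target)) {
        $exists = Test-Path -LiteralPath $target
        if ($exists) { $when = (Get-Item -LiteralPath $target).LastWriteTime }
    }
    New-Object PSObject -Property @{
        Kind = $kind; Name = $name; Target = $target; Exists = $exists; LastWrite = $when
    }
}

$report = @()
# Run-key items msconfig has unchecked (e.g. igfxtray, QuickTime Task above)
foreach ($k in Get-ChildItem "$base\startupreg" -ErrorAction SilentlyContinue) {
    $v = Get-ItemProperty -Path $k.PSPath
    $report += New-Record 'startupreg' $k.PSChildName (Get-ExePath $v.command)
}
# Startup-folder shortcuts msconfig moved aside to c:\windows\pss (e.g. hpoddt01.exe.lnk)
foreach ($k in Get-ChildItem "$base\startupfolder" -ErrorAction SilentlyContinue) {
    $v = Get-ItemProperty -Path $k.PSPath
    $report += New-Record 'startupfolder' "$($v.location): $($v.item)" $v.backup
}

# Exists = False means the file is already gone and only the registry entry is left over
$report | Sort-Object Kind, Name | Format-Table Kind, Name, Exists, LastWrite, Target -AutoSize
```

An entry whose file is gone but whose key remains is harmless for boot time, since msconfig never re-creates the shortcut or Run value until the item is re-checked.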
 
Question: Did you set up this directory?
2011-08-24 23:36 -------- d-----w- c:\documents and settings\Guest
Do a right click> Properties on it and see if there are any files in it.

I believe that is from when I turned on the windows guest account so my son was able to use the computer without interfering with what I was doing. It has since been turned back off...there shouldn't be any needed files in it.
 
Bobbye,

OK, I've used msconfig to uncheck what was checked.

I've followed the path and backup paths of the first three and deleted them. I also deleted CTregrun and STTray right from the Windows folder, but I'm not really sure if that's what I was supposed to do with those.

As far as the rest of the items on the list of registry entries, should I follow the paths provided and just remove them? For example, the ones related to Intel graphics. None of these are checked on the startup menu...they show up, but are unchecked. By following the paths and removing them, I will actually be removing them from the startup menu?

I downloaded Bandwidth Monitor Pro recently. It seems to be fairly unobtrusive. Should this be unchecked from the startup menu?
 
Handle all the startup processes you want, then let me know and I'll remove the registry entries and have you reset some of the Services to Manual.

The names of the processes on the Startup menu usually appear as the .exe or .dll entry at the end of the above file in the list I gave you.
 
Bobbye,

I downloaded Mozilla Firefox and have been using it as my default browser...I haven't had any browsers pop open since I started using it and my computer is no longer slowing down on Yahoo.

Would you recommend that I delete Internet Explorer?
 
Don't delete IE; there are a few sites that still require it. But set Firefox as the default browser, and go to Internet Options in the Control Panel> Programs tab. At the bottom, in Default browser, be sure that IE is unchecked.

A tip for Firefox: I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

Did you do this?
Handle all the startup processes you want, then let me know and I'll remove the registry entries and have you reset some of the Services to Manual.
The names of the processes on the Startup menu usually appear as the .exe or .dll entry at the end of the above file in the list I gave you.

Did you want me to include the registry entries and change Services to manual?
 
Recheck the scheduled Tasks again and make sure you're following this:
To change the settings for a task: right-click the Task> click Properties> do any of the following:
  1. To change the schedule for the task, click the Schedule tab.
  2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
  3. To delete a task> right-click the task> click Delete.
  4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.

It's possible that if the task isn't running> you won't get an 'end task' option.
=======================================
Working with the msconfig utility
"As far as the rest of the items on the list of registry entries, should I follow the paths provided and just remove them?"
NO.
"For example, the ones related to Intel graphics. None of these are checked on the startup menu...they show up, but are unchecked."
If they are not checked, they won't start on boot.
"By following the paths and removing them, I will actually be removing them from the startup menu?"
There are always processes listed on the Startup Menu> If not checked, no start on boot.
Caution: Be sure you know what the process runs before unchecking it on the Startup Menu.
---------------------------------------
Keep in mind that unchecking a process on boot does not uninstall the process or program it goes to. Uninstall should be done as follows:
1. If the program has its own uninstaller, use that.
2. If the program does not have an uninstaller, use Add/Remove Programs in Control Panel.
3. If neither of the above is available, use the Windows Installer Cleanup Utility.
=====================================
I downloaded Bandwidth Monitor Pro recently. It seems to be fairly unobtrusive. Should this be unchecked from the startup menu?

If it's important to you to know the following all of the time, keep it:
Bandwidth Monitor Pro
Do you ever wonder how much bandwidth you are using?
How fast you are downloading or uploading?
Or if you're closing in on your monthly transfer limit?

If, on the other hand, you decide this is a waste of system resources to have it always running and knowing that you can check these at any one of many internet sites, anytime, consider removing it.

My experience is that utilities like this can cause more of an obsession than any benefit from needing to know.
=========================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you have any more questions.
 