Resolved: PC very slow, please help


wolfblitz

When I first switch on, it takes a long time to boot up. When it does finally get there, it runs really slowly and takes ages to access internet pages, and sometimes it freezes.
Please help. Thanks
 

Attachments

  • mbam-log-2011-03-21 (08-58-44).txt (918 bytes)
  • gmer 20.3.11.log (2.1 KB)
  • DDS ATTACH.txt (8.1 KB)
The problem you describe can also be caused by too many processes loading at boot and running in the background. There can also be a problem with the ISP. But I will check for malware.

NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Here are the rest of the steps in the Preliminary Virus and Malware Removal thread HERE.

Leave the logs for review pasted in your next reply. You may use more than one post if needed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Thanks for your reply, Bobbye.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Geoff at 19:43:21.34 on 20-03-2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.608 [GMT 0:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Geoff\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/King%20Arthur/Images/stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1283514510468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\documents and settings\all users\documents\my music\stardock\object desktop\iconpackager\iprepair.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\sg7wto9z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-10 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-10 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-10 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-10 61960]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-27 136176]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [2010-9-3 30336]
.
=============== Created Last 30 ================
.
2011-03-02 17:31:15 -------- d-----w- c:\windows\system32\XPSViewer
2011-03-02 17:30:48 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-03-02 17:30:30 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-03-02 17:30:30 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-03-02 17:30:30 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-03-02 17:30:30 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-03-02 17:30:30 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-03-02 17:30:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-03-02 17:30:30 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-03-02 17:30:30 117760 ------w- c:\windows\system32\prntvpt.dll
2011-03-02 17:30:29 -------- d-----w- C:\7e1c48bd6a9b2dc97bfb770e77d353
2011-02-27 18:40:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 21:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
.
============= FINISH: 19:44:11.20 ===============

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-20 23:38:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HDS728080PLAT20 rev.PF2OA21B
Running: bc5808b7.exe; Driver: C:\DOCUME~1\Geoff\LOCALS~1\Temp\kwqoykod.sys


---- System - GMER 1.0.15 ----

SSDT F7B6F896 ZwCreateKey
SSDT F7B6F88C ZwCreateThread
SSDT F7B6F89B ZwDeleteKey
SSDT F7B6F8A5 ZwDeleteValueKey
SSDT F7B6F8AA ZwLoadKey
SSDT F7B6F878 ZwOpenProcess
SSDT F7B6F87D ZwOpenThread
SSDT F7B6F8B4 ZwReplaceKey
SSDT F7B6F8AF ZwRestoreKey
SSDT F7B6F8A0 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF708B900]
? C:\DOCUME~1\Geoff\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3108] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3280] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- EOF - GMER 1.0.15 ----


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6116

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

21-03-2011 08:58:44
mbam-log-2011-03-21 (08-58-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 205116
Time elapsed: 1 hour(s), 43 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
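A triage pass over the autorun lines in the DDS log above, as an added example (this is not DDS output or code, and not something Bobbye asked for). It parses the uRun/mRun/dRun, BHO, SSODL and DPF lines, pulls out the image each one loads, and ranks the entries by load location: a bare filename that relies on the search path, an ActiveX control registered from a local file:// URL, or a DLL living under a user-writable profile directory. A non-zero score is a reading order for a human, not a verdict; on this log it surfaces VTTimer.exe (bare name), the King Arthur DRM control and the Stardock IconPackager DLL under My Music, none of which Bobbye flagged as bad. The sample lines are copied from the log in this thread; IE:, Handler: and FF lines are left to the reader.

```python
"""Triage pass over the autorun section of a DDS log ("Pseudo HJT Report").
Added example for this thread, not DDS's or the helper's code. A non-zero
score is not a malware verdict, only "look at this one first".
SAMPLE_LOG is copied from the log posted in the thread."""
import re
from typing import List, NamedTuple, Tuple

SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/King%20Arthur/Images/stg_drm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\documents and settings\all users\documents\my music\stardock\object desktop\iconpackager\iprepair.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
""".strip()


class Entry(NamedTuple):
    kind: str                 # uRun / mRun / dRun / BHO / SSODL / DPF
    name: str                 # value name, BHO/SSODL title, or DPF CLSID
    image: str                # path or URL exactly as the log shows it
    score: int
    reasons: Tuple[str, ...]


RUN_RE = re.compile(r"^([umd]Run): \[([^\]]*)\]\s*(.*)$")
OBJ_RE = re.compile(r"^(BHO|SSODL): (.+?)\s*[:\-]\s*\{[0-9A-Fa-f\-]+\}\s*-\s*(.*)$")
DPF_RE = re.compile(r"^(DPF): (\{[0-9A-Fa-f\-]+\})\s*-\s*(.*)$")

# Directories a limited user can write to on XP; code that autostarts from
# here deserves a look before anything under %windir% or Program Files.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\desktop\\",
                 "\\my documents\\", "\\my music\\")


def image_of(value: str) -> str:
    """Reduce a Run value to its executable: honour quoting, otherwise cut
    at the first known executable extension so '/min'-style args drop off."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|ocx|scr|cpl))(?:\s|$)", value, re.I)
    return m.group(1) if m else value


def score(kind: str, image: str) -> Tuple[int, Tuple[str, ...]]:
    low = image.lower()
    reasons = []
    if low.startswith("file:"):
        reasons.append("ActiveX control registered from a local file:// URL, not a download site")
    elif low.startswith(("hxxp:", "http:", "https:")):
        pass                          # DDS defangs http as hxxp; a download-source DPF is normal
    else:
        if "\\" not in low:
            reasons.append("bare filename: resolved through the search path at logon")
        if any(d in low for d in USER_WRITABLE):
            reasons.append("loads from a user-writable profile directory")
        if kind == "SSODL" and reasons:
            reasons.append("SSODL objects are loaded into explorer.exe at every logon")
    return len(reasons), tuple(reasons)


def parse(log: str) -> List[Entry]:
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            kind, name, image = m.group(1), m.group(2), image_of(m.group(3))
        else:
            m = OBJ_RE.match(line) or DPF_RE.match(line)
            if not m:
                continue              # IE:, Handler:, FF - lines are left for the reader
            kind, name, image = m.group(1), m.group(2), m.group(3).strip()
        n, why = score(kind, image)
        entries.append(Entry(kind, name, image, n, why))
    return entries


def triage(log: str) -> List[Entry]:
    """Entries with at least one reason, highest score first, log order otherwise."""
    return sorted((e for e in parse(log) if e.score), key=lambda e: -e.score)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("[%d] %s: %s -> %s" % (e.score, e.kind, e.name, e.image))
        for r in e.reasons:
            print("      -", r)
```

Run as-is it lists the IconPackager SSODL entry first (profile directory plus the fact that SSODL DLLs run inside explorer.exe), then VTTimer and the file:// DPF control. The point of scoring by location rather than by name is that a log reviewer cannot know every product, but can always ask "why does this load from a place a limited user can write to?".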
 
Okay, that's better. We need to do one rootkit scan:

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If no unknown bootcode is found, press N, then press Enter twice to exit
  • If "Found non-standard or infected MBR" or "unknown bootcode" is reported, enter Y and hit Enter for more options
  • If nothing unusual is found, just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
======================================
Save that log and paste it in your next reply. So far, other than a possible MBR problem, I don't see any bad entries and the system looks pretty lean, but let's check further:

Run the ESET NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then press Ctrl+V. The log will be pasted into the post from the clipboard.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
==================================
Download ComboFix from HERE or HERE: http://www.forospyware.com/sUBs/ComboFix.exe and save it to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (screenshot: whatnext.png)
  • Click on Yes to continue scanning for malware
  • If ComboFix asks you to update the program, allow it
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Note: okay to use another post if needed for logs.
 
Thanks for your reply, Bobbye.
ESET found nothing, so it didn't produce a log.


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 123):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF7A0F000 \WINDOWS\system32\KDCOM.DLL
0xF791F000 \WINDOWS\system32\BOOTVID.dll
0xF74C0000 ACPI.sys
0xF7A11000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74AF000 pci.sys
0xF750F000 isapnp.sys
0xF7A13000 viaide.sys
0xF778F000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF751F000 MountMgr.sys
0xF7490000 ftdisk.sys
0xF7A15000 dmload.sys
0xF746A000 dmio.sys
0xF7797000 PartMgr.sys
0xF752F000 VolSnap.sys
0xF7452000 atapi.sys
0xF743F000 viamraid.sys
0xF7427000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF753F000 disk.sys
0xF754F000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7407000 fltmgr.sys
0xF73F5000 sr.sys
0xF73DE000 KSecDD.sys
0xF7351000 Ntfs.sys
0xF7324000 NDIS.sys
0xF755F000 uagp35.sys
0xF779F000 viaagp1.sys
0xF730A000 Mup.sys
0xF76DF000 \SystemRoot\system32\DRIVERS\amdk7.sys
0xF72A0000 \SystemRoot\system32\DRIVERS\vtmini.sys
0xF728C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF76EF000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76FF000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7269000 \SystemRoot\system32\DRIVERS\ks.sys
0xF77FF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7245000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7A33000 \SystemRoot\System32\Drivers\vulfnth.sys
0xF7807000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF71AB000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF7187000 \SystemRoot\system32\drivers\portcls.sys
0xF770F000 \SystemRoot\system32\drivers\drmk.sys
0xF7125000 \SystemRoot\system32\drivers\ALCXSENS.SYS
0xF771F000 \SystemRoot\system32\DRIVERS\fetnd5b.sys
0xF780F000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF772F000 \SystemRoot\system32\DRIVERS\serial.sys
0xF79EF000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7111000 \SystemRoot\system32\DRIVERS\parport.sys
0xF773F000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7817000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7B36000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF774F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF79F3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF70FA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF775F000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF776F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF781F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF70E9000 \SystemRoot\system32\DRIVERS\psched.sys
0xF777F000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7877000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78E7000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF59D7000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF76CF000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF78EF000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A5D000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5979000 \SystemRoot\system32\DRIVERS\update.sys
0xF79B3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7081000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF79DB000 \SystemRoot\System32\Drivers\vulfntr.sys
0xF7041000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A65000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF78C7000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7A73000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B3B000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A77000 \SystemRoot\System32\Drivers\Beep.SYS
0xF77CF000 \SystemRoot\System32\drivers\vga.sys
0xF7A79000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A7D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF77EF000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF77F7000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6374000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF080D000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF07B4000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF078C000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF076A000 \SystemRoot\System32\drivers\afd.sys
0xF5904000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF7867000 \SystemRoot\System32\Drivers\StarOpen.SYS
0xF640F000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xF073F000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF06CF000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF58D4000 \SystemRoot\System32\Drivers\Fips.SYS
0xF053F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF75CF000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF0519000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF7A99000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xF637C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF759F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF78A7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF78AF000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xF7071000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF049E000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xF0844000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xEEA0C000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xED713000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A6B000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEDF0B000 \SystemRoot\System32\drivers\Dxapi.sys
0xEE6B2000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7AF0000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF14B000 \SystemRoot\System32\ATMFD.DLL
0xEB2DE000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xEFFFC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEB239000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A81000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xEB1AC000 \SystemRoot\system32\drivers\wdmaud.sys
0xEFB0E000 \SystemRoot\system32\drivers\sysaudio.sys
0xED7BC000 \SystemRoot\system32\DRIVERS\srv.sys
0xEDD5A000 \SystemRoot\System32\Drivers\HTTP.sys
0xBFF50000 \SystemRoot\System32\TSDDD.dll
0xBF012000 \SystemRoot\System32\vtdisp.dll
0xEB181000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):
0 System Idle Process
4 System
580 C:\WINDOWS\system32\smss.exe
644 csrss.exe
668 C:\WINDOWS\system32\winlogon.exe
712 C:\WINDOWS\system32\services.exe
724 C:\WINDOWS\system32\lsass.exe
896 C:\WINDOWS\system32\svchost.exe
972 svchost.exe
1068 C:\WINDOWS\system32\svchost.exe
1144 svchost.exe
1264 svchost.exe
1404 C:\WINDOWS\system32\spoolsv.exe
1460 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1528 svchost.exe
1640 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1796 C:\Program Files\Java\jre6\bin\jqs.exe
1924 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
128 C:\WINDOWS\system32\svchost.exe
1016 explorer.exe
1588 VTTimer.exe
1576 avgnt.exe
1752 jusched.exe
2308 alg.exe
3620 utorrent.exe
3756 csrss.exe
3784 C:\WINDOWS\system32\winlogon.exe
1188 C:\WINDOWS\explorer.exe
492 C:\WINDOWS\system32\VTTimer.exe
456 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
760 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
2112 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2008 C:\WINDOWS\system32\ctfmon.exe
2436 C:\Program Files\Mozilla Firefox\firefox.exe
2656 C:\Program Files\Mozilla Firefox\plugin-container.exe
2584 wscntfy.exe
2564 C:\WINDOWS\system32\wscntfy.exe
2640 C:\Documents and Settings\Geoff\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HDS728080PLAT20, Rev: PF2OA21B

Size Device Name MBR Status
--------------------------------------------
76 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


ComboFix 11-03-22.02 - Geoff 22-03-2011 20:45:32.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.679 [GMT 0:00]
Running from: c:\documents and settings\Geoff\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\components
.
.
((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))
.
.
2011-03-22 19:33 . 2011-03-22 19:33 -------- d-----w- c:\program files\ESET
2011-03-18 20:38 . 2011-03-18 20:38 -------- d-----w- c:\documents and settings\bon\Local Settings\Application Data\Unity
2011-03-08 11:43 . 2011-03-22 19:35 -------- d-----w- c:\documents and settings\bon\Application Data\uTorrent
2011-03-02 17:31 . 2011-03-02 17:31 -------- d-----w- c:\windows\system32\XPSViewer
2011-03-02 17:31 . 2011-03-02 17:31 -------- d-----w- c:\program files\MSBuild
2011-03-02 17:31 . 2011-03-02 17:31 -------- d-----w- c:\program files\Reference Assemblies
2011-03-02 17:30 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-03-02 17:30 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-03-02 17:30 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-03-02 17:30 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-03-02 17:30 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-03-02 17:30 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-03-02 17:30 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-03-02 17:30 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-03-02 17:30 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-03-02 17:30 . 2011-03-02 17:30 -------- d-----w- C:\7e1c48bd6a9b2dc97bfb770e77d353
2011-02-27 18:40 . 2011-02-27 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2011-02-27 14:18 . 2011-02-27 14:18 -------- d-----w- c:\program files\Common Files\Java
2011-02-27 14:17 . 2011-02-27 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-22 08:23 . 2010-09-05 10:37 664 ----a-w- c:\documents and settings\bon\Local Settings\Application Data\d3d9caps.tmp
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-09-03 15:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-09-03 15:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2010-09-03 09:42 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-09-03 09:42 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2006-02-28 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-14 281768]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 14:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-08-30 05:48 69632 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-01-15 12:33 49152 ----a-r- c:\windows\system32\VTTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Geoff\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\bon\\Desktop\\utorrent.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10-09-2010 10:49 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27-10-2010 18:52 136176]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [03-09-2010 10:00 30336]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
.
2011-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\sg7wto9z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 20:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2260)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'explorer.exe'(3512)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-22 20:54:18
ComboFix-quarantined-files.txt 2011-03-22 20:54
.
Pre-Run: 31,521,017,856 bytes free
Post-Run: 32,743,604,224 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 537FEC28141E8CC74CD6F23D0B27921A
 
Please check and see if you have Folder Options set to show hidden files and folders. If you do, please rehide them:

Show Hidden Folders/Files
  • Access Folder Options, either through Tools or the Control Panel.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders. <<-- Uncheck if checked.
  • Uncheck (untick) Hide extensions of known file types. <<-- Check if unchecked.
  • Uncheck (untick) Hide protected operating system files (Recommended). <<-- Check if unchecked.
When finished, click on Apply > OK.
========================================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    explore.exe (3512)
    explore.exe (2260)
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
=======================================
I'm sorry for the delay, but my internet has been down since last night, again. #(%&%)@$
 
By the way, since "slow" is the name of the game, do you realize you have all of the following file sharing set for globally open ports in the Firewall?
"c:\\Documents and Settings\\Geoff\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\bon\\Desktop\\utorrent.exe"=

OR if you're helping a young person clean up their computer, I can give you information about why these programs shouldn't be used!
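Bobbye's point about the firewall exceptions generalises: a Windows Firewall AuthorizedApplications entry is keyed to a path, and a path under a user's Desktop is writable by that user (the SystemLook log further down shows bon running as a Limited User), so any binary dropped there under the same file name inherits the exception without needing administrator rights. The script below is an added example, not part of the original thread and not ComboFix's own code. It parses the AuthorizedApplications block of a ComboFix log (the sample is the block from this thread's log, embedded inline as constructed input) and groups the distinct entries by how tamper-resistant their location is. The expansion of %windir% to c:\WINDOWS is an assumption taken from the other entries in the same list.

```python
"""Triage Windows Firewall application exceptions from a ComboFix log.

Added example for this thread, not ComboFix's own code. The sample below is the
AuthorizedApplications block copied from the log posted in this thread
(constructed input, not a live registry read).
"""
import re
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Geoff\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\bon\\Desktop\\utorrent.exe"=
.
"""

# Assumed expansion: %windir% is c:\WINDOWS on this machine (the other entries
# in the same list use that path).
ENV_VARS = {"%windir%": "c:\\WINDOWS"}

ENTRY_RE = re.compile(r'^"(.+?)"=$')


def expand(path):
    """Expand the environment variables ComboFix leaves in the registry value."""
    for var, value in ENV_VARS.items():
        # Replacement via a callable so backslashes in `value` are taken literally.
        path = re.sub(re.escape(var), lambda _m: value, path, flags=re.I)
    return path


def parse_authorized_apps(log_text):
    """Return the paths listed under AuthorizedApplications\\List, in log order."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower().endswith("authorizedapplications\\list]")
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if not m:                      # ComboFix ends a section with a lone '.'
            in_section = False
            continue
        # The registry export doubles every backslash; collapse it back to a path.
        paths.append(expand(m.group(1).replace("\\\\", "\\")))
    return paths


def classify(path):
    """Rank an exception by how hard its location is to tamper with."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    top = parts[1] if len(parts) > 1 else ""
    if top == "windows":
        return "system"
    if top == "program files":
        return "installed"        # admin-writable only under default ACLs
    if top == "documents and settings":
        return "user-writable"    # any binary the user drops here gets the hole
    return "other"


def triage(log_text):
    """Group the distinct exceptions (case-insensitive) by location class."""
    groups = {"system": [], "installed": [], "user-writable": [], "other": []}
    seen = set()
    for path in parse_authorized_apps(log_text):
        key = path.lower()
        if key in seen:
            continue
        seen.add(key)
        groups[classify(path)].append(path)
    return groups


if __name__ == "__main__":
    for cls, paths in triage(SAMPLE_LOG).items():
        for p in paths:
            print(f"{cls:14} {p}")
```

The "user-writable" group is the one to act on first: an exception for a file on a limited user's Desktop is, in effect, an exception for whatever that user (or malware running as that user) chooses to name utorrent.exe.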
 
Thanks for your reply Bobbye

SystemLook 04.09.10 by jpshortstuff
Log created at 08:42 on 26/03/2011 by bon
(Limited User)

========== filefind ==========

Searching for "explore.exe (3512)"
No files found.

Searching for "explore.exe (2260)"
No files found.

-= EOF =-
 
You're welcome. But I made a careless mistake! My apology. Gosh, every time I think I'm perfect, I make a stupid mistake and leave off a letter! If it's not too much trouble, could you please run this again with the right spelling?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    explorer.exe (2260)
    explorer.exe (3512)
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
=====================================
I'd also like to check the two files this way. Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
FileLook::
explorer.exe (3512)
explorer.exe (2260)
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
I'd also like you to see if there are 2 of these files> the legitimate one is in the C:\Windows directory. Malware can run under this name but that would be in the C:\Windows\System32\ directory.

Use Windows Explorer: Windows key + E> My Computer> Double click on Local Drive(C)> Windows> Look for explorer.exe on the right screen> right click on the file> Properties> Type of file should show Application> It should be named Windows Explorer

Then do the same thing but choose the System32 folder in Windows. If there is an explorer.exe file there, do the right click> Properties and give me what info you see.

Please verify that for me. Any identifying information would be helpful, including the size. You may see the single word 'explorer' right above it. Ignore that one- look only for the .exe file. It would be best if you had the hidden files showing.
 
Bobbye,
here's one of the logs you asked for. When I ran the ComboFix one, the message
"Were you trying to run CFScript? The name CFScript appears to be incorrectly spelt" appeared. I clicked OK and ComboFix stopped ????

SystemLook 04.09.10 by jpshortstuff
Log created at 17:41 on 01/04/2011 by Geoff
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe (2260)"
No files found.

Searching for "explorer.exe (3512)"
No files found.

-= EOF =-
 
The name CFScript appears to be incorrectly spelt" appeared, I clicked OK and combofix stopped ????

I think the "spelt" part being referred to is the number after each entry. There are 2 explorer.exe with identical processes running under them but each had a different number. I may have put the cart before the horse, so I'd like you to do this part first:
I'd also like you to see if there are 2 of these files> the legitimate one is in the C:\Windows directory. Malware can run under this name but that would be in the C:\Windows\System32\ directory.

Use Windows Explorer: Windows key + E> My Computer> Double click on Local Drive(C)> Windows> Look for explorer.exe on the right screen> right click on the file> Properties> Type of file should show Application> It should be named Windows Explorer

Then do the same thing but choose the System32 folder in Windows. If there is an explorer.exe file there, do the right click> Properties and give me what info you see.

Please verify that for me. Any identifying information would be helpful, including the size. You may see the single word 'explorer' right above it. Ignore that one- look only for the .exe file. It would be best if you had the hidden files showing.

Then I can enter the full path of each and find out what it is- such as:
C:\Windows\System32\explorer.exe
C:\Windows\explorer.exe
 
Thanks for your reply Bobbye,
I looked where you asked but there is no explorer.exe. There are, however, 2 entries for explorer: (explorer, Windows Command, 1 KB; when this is double clicked it returns to the Local Disk C window) and (Windows Explorer, Microsoft Corporation). Also, explorer.exe is listed in Task Manager and has a memory usage of 21,064 K.
 
But I asked you to look in 2 places! You mean you didn't see the executable, right> I

A right click on explorer.exe> Properties in the Windows directory should show name Windows Explorer. Right click on just the word explorer> Properties should show Windows Explorer Command

I have this following and I did the search to make sure all were showing:
explorer.exe> Application, 1008kb> Windows Directory> for Windows Explorer
explore> command, 80b bytes> Windows Directory> For Windows explorer Command

I wanted you to follow the path I gave you. You would not have needed to double click to know it was in the C:\Windows Directory because that's where I asked you to go initially

explorer.exe is listed in task manager has to be coming from somewhere. Please go to Tools> Folder Options> View tab> Uncheck 'hide extensions for known file types', then do the search again.

There is only 1 explorer.exe in the Task Manager, correct?

Wolf, is it possible you copied this section twice?
- - - - - - - > 'explorer.exe'(2260)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'explorer.exe'(3512)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

The problem is that each of the explorer.exe has a different numerical after it and I can't identify either of them as the PID for this process.
 
Thanks for your reply Bobbye

I found explorer.exe and I hope this helps
explorer.exe,Application,Windows Explorer,C:\Windows,0.98MB(1,033,728 bytes)

This is the first time I've seen this...

- - - - - - - > 'explorer.exe'(2260)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'explorer.exe'(3512)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

I've only seen this...

FileLook::
explorer.exe (3512)
explorer.exe (2260)
 
Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
FileLook::
C:\Windows\Explorer.exe
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
 
Thanks for your reply Bobbye

ComboFix 11-04-10.04 - Geoff 11-04-2011 18:20:43.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.707 [GMT 1:00]
Running from: c:\documents and settings\Geoff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geoff\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Geoff\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))
.
.
2011-04-05 10:17 . 2011-04-05 10:17 2855 ----a-w- c:\windows\system32\edit.PIF
2011-04-05 10:17 . 2011-04-05 10:17 -------- d--h--w- c:\windows\PIF
2011-03-18 20:38 . 2011-03-18 20:38 -------- d-----w- c:\documents and settings\bon\Local Settings\Application Data\Unity
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 04:09 . 2010-09-05 10:37 664 ----a-w- c:\documents and settings\bon\Local Settings\Application Data\d3d9caps.tmp
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-09-03 15:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-09-03 15:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2010-09-03 09:42 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-09-03 09:42 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\Explorer.exe ---
Company: Microsoft Corporation
File Description: Windows Explorer
File Version: 6.00.2900.5512 (xpsp.080413-2105)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: EXPLORER.EXE
File size: 1033728
Created time: 2006-02-28 12:00
Modified time: 2008-04-14 00:12
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
SHA1: 9D2BF84874ABC5B6E9A2744B7865C193C08D362F
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-22_20.51.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-11 17:00 . 2011-04-11 17:00 16384 c:\windows\Temp\Perflib_Perfdata_6b8.dat
- 2011-02-07 11:01 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2011-02-07 11:01 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
+ 2006-02-28 12:00 . 2011-03-27 19:20 71060 c:\windows\system32\perfc009.dat
- 2006-02-28 12:00 . 2011-03-10 22:03 71060 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2011-03-27 19:20 441124 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2011-03-10 22:03 441124 c:\windows\system32\perfh009.dat
+ 2011-03-13 01:02 . 2011-03-13 01:02 15139328 c:\windows\Installer\fe6c0.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-14 281768]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 14:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-08-30 05:48 69632 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-01-15 12:33 49152 ----a-r- c:\windows\system32\VTTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Geoff\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\bon\\Desktop\\utorrent.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10-09-2010 11:49 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27-10-2010 19:52 136176]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [03-09-2010 11:00 30336]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\sg7wto9z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 18:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2456)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-11 18:33:58
ComboFix-quarantined-files.txt 2011-04-11 17:33
ComboFix2.txt 2011-03-22 20:54
.
Pre-Run: 30,528,937,984 bytes free
Post-Run: 31,635,615,744 bytes free
.
- - End Of File - - 35AAC812657287FEEA7DD8CC19A2B375
 
You are very patient- and polite. I appreciate that very much.

And the mystery grows again!
Combofix deleted c:\documents and settings\Geoff\WINDOWS
And newly created are: both on 2011-04-05 10:17
c:\windows\system32\edit.PIF
c:\windows\PIF


Program information files (PIFs) are for MS-DOS-based programs

Do you know what these files are for? Did you create them?

There are still outdated versions of Java in Firefox. They need to be removed as they are vulnerabilities to the system. They may also affect the running of Firefox. You do not need to add a separate Java extension to Firefox when you update. What you put on the OS will also work for Firefox.
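Bobbye's check (the legitimate explorer.exe lives in C:\Windows; the same name under System32 would be a look-alike) and the hash in the FileLook output above can be turned into a repeatable verification instead of a visual one. The script below is an added example, not part of the thread and not ComboFix's own code. It parses a ComboFix Look record and a "DLLs Loaded Under Running Processes" section (both samples are embedded inline, copied from the logs posted above), checks the record's path, version metadata and MD5 against a reference table, and lists the PIDs seen per process name. The reference table is seeded from the hash in this log and is an assumption; in practice it would be filled from a clean installation or a vendor hash database. A tampered record is also constructed to show what a failing check looks like. On the two PIDs: the logs in this thread were created by two accounts, Geoff and bon, and on XP each interactive logon session runs its own explorer.exe, so two PIDs for the same legitimate binary is what fast user switching with both users logged on would produce.

```python
"""Verify a ComboFix FileLook record and list PIDs per process name.

Added example for this thread, not ComboFix's own code. Sample inputs are
copied from the logs above and embedded here as constructed input.
"""
import re
from pathlib import PureWindowsPath

LOOK_SAMPLE = """\
--- c:\\windows\\Explorer.exe ---
Company: Microsoft Corporation
File Description: Windows Explorer
File Version: 6.00.2900.5512 (xpsp.080413-2105)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: EXPLORER.EXE
File size: 1033728
Created time: 2006-02-28 12:00
Modified time: 2008-04-14 00:12
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
SHA1: 9D2BF84874ABC5B6E9A2744B7865C193C08D362F
"""

# Constructed counter-example: same metadata but living in system32 with a
# different hash, the look-alike pattern Bobbye describes.
TAMPERED_SAMPLE = (LOOK_SAMPLE
                   .replace("c:\\windows\\Explorer.exe", "c:\\windows\\system32\\explorer.exe")
                   .replace("12896823FB95BFB3DC9B46BCAEDC9923", "0" * 32))

DLL_SAMPLE = """\
- - - - - - - > 'explorer.exe'(2260)
c:\\windows\\system32\\WININET.dll
c:\\windows\\system32\\ieframe.dll
.
- - - - - - - > 'explorer.exe'(3512)
c:\\windows\\system32\\WININET.dll
c:\\windows\\system32\\ieframe.dll
"""

# Assumed reference table, seeded from the hash in this thread's log. A real
# deployment would fill it from a clean install or a vendor hash database.
KNOWN_GOOD = {
    "6.00.2900.5512": {"md5": "12896823fb95bfb3dc9b46bcaedc9923", "size": 1033728},
}
EXPECTED_DIR = ["windows"]   # legitimate explorer.exe lives directly in %SystemRoot%

HEADER_RE = re.compile(r"^--- (.+?) ---$")
PROC_RE = re.compile(r"^(?:- )+> '(.+?)'\((\d+)\)$")


def parse_filelook(text):
    """Map each '--- path ---' record to its 'Field: value' pairs."""
    records, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = records.setdefault(m.group(1), {})
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
    return records


def verify_explorer(path, fields):
    """Return findings for one record; an empty list means it checks out."""
    findings = []
    parts = [p.lower() for p in PureWindowsPath(path).parts]   # parts[0] is the drive
    if parts[1:] != EXPECTED_DIR + ["explorer.exe"]:
        findings.append(f"unexpected location: {path}")
    if fields.get("Company") != "Microsoft Corporation":
        findings.append("Company is not Microsoft Corporation")
    if fields.get("Original Filename", "").upper() != "EXPLORER.EXE":
        findings.append("Original Filename mismatch")
    version = fields.get("File Version", "").split(" ")[0]
    ref = KNOWN_GOOD.get(version)
    if ref is None:
        findings.append(f"no reference hash for version {version!r}")
    else:
        if fields.get("MD5", "").lower() != ref["md5"]:
            findings.append("MD5 does not match reference")
        if int(fields.get("File size", "0")) != ref["size"]:
            findings.append("size does not match reference")
    return findings


def verify_all(text):
    """Run verify_explorer over every record in a Look section."""
    return {path: verify_explorer(path, f) for path, f in parse_filelook(text).items()}


def process_pids(text):
    """Group the PIDs in a 'DLLs Loaded Under Running Processes' section by name."""
    pids = {}
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            pids.setdefault(m.group(1).lower(), []).append(int(m.group(2)))
    return pids


if __name__ == "__main__":
    for sample in (LOOK_SAMPLE, TAMPERED_SAMPLE):
        for path, findings in verify_all(sample).items():
            print(path, "->", findings or "OK")
    print(process_pids(DLL_SAMPLE))
```

The version string alone is not evidence: a look-alike can carry copied version resources, which is why the check treats the hash and the on-disk location as the deciding factors and the metadata only as supporting detail.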
 
You are more than welcome Bobbye, and thanks again for your reply.
I've no idea what these files are and I'm not capable of creating files like these on purpose. Also, how do I remove the outdated versions of Java?
 
I started about 2.5 hours ago to try and get you finished up. My #@*$%)!@ internet went down, again!$#*%!@)(
We'll remove those files. They should be on the version of the OS you have:

Remove outdated Java plugin files from the Firefox plugins folder:
Note: It is recommended that you do not copy Java plugins from other locations to the Firefox plugins folder. Outdated Java plugins can cause Java not to work if you update Java and then uninstall the older Java version, if plugins from the old Java version are still in the Firefox plugins folder.
1. Open Firefox> Tools> Add-ons. The Add-ons window will open.
2. In the Add-ons window> select the Plugins panel, to display a list of installed plugins.
3. Select each Java plugin listed to make sure that all are enabled.
4. Check if the Java plugins are correctly detected. All Java plugins listed in the Add-ons window should match the version number of the currently installed JRE. There should be no plugins for earlier versions of Java.
5. Java plugin files that do not match your current version means that the Firefox plugins folder contains outdated Java plugin files which should be removed. This folder is typically in the following location: Use Windows Explorer to access> My Computer> Local Drive> Programs>>>
C:\Program Files\Mozilla Firefox\plugins
Java files from older versions in the Firefox plugins folder can prevent Java from working correctly.
======================================
Since a slow system is your main complaint, I suggest you take all the HP entries off of the Startup Menu. You don't need the printer or the Digital Imaging processes to start on boot.
=====================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\edit.PIF
c:\windows\Temp\Perflib_Perfdata_6b8.dat
Folder::
c:\windows\PIF
c:\documents and settings\All Users\Application Data\McAfee
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Last scan: Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will be saved and then the log will open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
=============================
You need to update the Adobe Reader to v10(X): Visit this Adobe Reader site. Uninstall any earlier updates as they are vulnerabilities.
 
Thanks Bobbye


ComboFix 11-04-10.04 - Geoff 18-04-2011 9:14.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.723 [GMT 1:00]
Running from: c:\documents and settings\Geoff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geoff\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
- REDUCED FUNCTIONALITY MODE -
.
FILE ::
"c:\windows\system32\edit.PIF"
"c:\windows\Temp\Perflib_Perfdata_6b8.dat"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\McAfee
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\Common\MsiExec\MsiExec000.log
c:\windows\system32\edit.PIF
.
.
((((((((((((((((((((((((( Files Created from 2011-03-18 to 2011-04-18 )))))))))))))))))))))))))))))))
.
.
2011-04-05 10:17 . 2011-04-05 10:17 -------- d--h--w- c:\windows\PIF
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-17 19:45 . 2010-09-05 10:37 664 ----a-w- c:\documents and settings\bon\Local Settings\Application Data\d3d9caps.tmp
2011-04-14 18:32 . 2010-09-10 10:49 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-09-03 15:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2010-09-03 15:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2010-09-03 09:42 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-09-03 09:42 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-14 281768]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 14:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-08-30 05:48 69632 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2004-01-15 12:33 49152 ----a-r- c:\windows\system32\VTTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Geoff\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\bon\\Desktop\\utorrent.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10-09-2010 11:49 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27-10-2010 19:52 136176]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [03-09-2010 11:00 30336]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\sg7wto9z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-18 09:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-18 09:19:54
ComboFix-quarantined-files.txt 2011-04-18 08:19
ComboFix2.txt 2011-04-11 17:34
ComboFix3.txt 2011-03-22 20:54
.
Pre-Run: 31,046,086,656 bytes free
Post-Run: 31,047,200,768 bytes free
.
- - End Of File - - D5C6420E442FE704E7920C25DC50FEFB
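
The log above lists the XP firewall's AuthorizedApplications exceptions, the service and driver binaries, and the scheduled-task binaries, all by path. One thing worth checking on any such log: an XP firewall exception is keyed to a path, not to the file's contents, so an exception for an executable in a user-writable location (here the two utorrent.exe copies on user desktops) means whatever is later written to that path inherits the allow rule. The following is an added example, not part of the original thread and not ComboFix's own code: a small Python triage script that pulls those sections out of ComboFix-style log text and flags binaries under user-writable paths, plus firewall entries that name the same binary twice under different spellings (sessmgr.exe appears both as c:\WINDOWS\... and %windir%\...). It assumes the XP-era layout (%windir% is c:\windows, profiles live under c:\Documents and Settings) and runs on a constructed subset of the log rather than the full paste.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Assumed XP-era layout (assumptions for this example, not read from the log):
# %windir% resolves to c:\windows and user profiles live under c:\Documents and Settings.
WINDIR = "c:\\windows"
USER_WRITABLE_PREFIXES = ("c:\\documents and settings\\",)

REASON_USER_PATH = "binary under a user-writable path"
REASON_DUPLICATE = "same binary listed more than once under different spellings"

FIREWALL_HEADER = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\"
    r"(?P<profile>\w+)\\AuthorizedApplications\\List\]$", re.IGNORECASE)
FIREWALL_ENTRY = re.compile(r'^"(?P<path>.+?)"=\s*$')
# ComboFix service lines look like:  R2 name;display name;path [date size]
SERVICE_LINE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[")
# Scheduled task binaries are listed as:  - path [date]
TASK_BINARY = re.compile(r"^- (?P<path>.+?) \[")

# Constructed sample in the shape of the ComboFix log above (a subset, not the full log).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Geoff\\Desktop\\utorrent.exe"=
"c:\\Documents and Settings\\bon\\Desktop\\utorrent.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10-09-2010 11:49 135336]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [03-09-2010 11:00 30336]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-27 18:52]
"""


@dataclass(frozen=True)
class Finding:
    source: str   # "firewall", "service" or "task"
    name: str
    path: str     # normalised, lower-case path
    reason: str


def normalise(path: str) -> str:
    """Collapse the log's escaped backslashes, expand %windir%, lower-case."""
    p = path.replace("\\\\", "\\")
    if p.lower().startswith("%windir%"):
        p = WINDIR + p[len("%windir%"):]
    return p.lower()


def is_user_writable(path: str) -> bool:
    return path.startswith(USER_WRITABLE_PREFIXES) or "\\temp\\" in path


def parse_firewall_exceptions(log: str) -> list[tuple[str, str]]:
    """Return (firewall profile, normalised path) for every AuthorizedApplications entry."""
    entries, profile = [], None
    for raw in log.splitlines():
        line = raw.strip()
        header = FIREWALL_HEADER.match(line)
        if header:
            profile = header.group("profile")
            continue
        if profile is None:
            continue
        if line == "." or line.startswith("["):   # end of the registry block
            profile = None
            continue
        entry = FIREWALL_ENTRY.match(line)
        if entry:
            entries.append((profile, normalise(entry.group("path"))))
    return entries


def parse_services(log: str) -> list[tuple[str, str, str]]:
    """Return (state, service name, normalised path) for each R*/S* service or driver line."""
    return [(m.group("state"), m.group("name"), normalise(m.group("path")))
            for m in (SERVICE_LINE.match(l.strip()) for l in log.splitlines()) if m]


def parse_task_binaries(log: str) -> list[str]:
    return [normalise(m.group("path"))
            for m in (TASK_BINARY.match(l.strip()) for l in log.splitlines()) if m]


def triage(log: str) -> list[Finding]:
    """Flag firewall exceptions, services and tasks that point into user-writable
    locations, plus firewall entries that name the same binary more than once."""
    findings: list[Finding] = []
    firewall = parse_firewall_exceptions(log)
    for _profile, path in firewall:
        if is_user_writable(path):
            findings.append(Finding("firewall", path.rsplit("\\", 1)[-1], path, REASON_USER_PATH))
    for path, count in Counter(p for _, p in firewall).items():
        if count > 1:
            findings.append(Finding("firewall", path.rsplit("\\", 1)[-1], path, REASON_DUPLICATE))
    for _state, name, path in parse_services(log):
        if is_user_writable(path):
            findings.append(Finding("service", name, path, REASON_USER_PATH))
    for path in parse_task_binaries(log):
        if is_user_writable(path):
            findings.append(Finding("task", path.rsplit("\\", 1)[-1], path, REASON_USER_PATH))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.source:8} {f.name:14} {f.reason}: {f.path}")
```

On the constructed sample this reports the two desktop utorrent.exe exceptions and the doubled sessmgr.exe entry; the Avira service, the VIA driver and the GoogleUpdate task all resolve to system or Program Files paths and are not flagged. The path normalisation matters: without it the two sessmgr.exe spellings look like two different programs, and a case or %windir% variant of a known path can slip past a naive string comparison.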
 
Okay, we need to look into why Combofix ran in Reduced Functionality Mode. I'm going to leave you references to check, as you are the best one to determine the cause. Something has changed in or on the system between the first time you ran Combofix and the current scan:
1. Microsoft Office XP:
2. Activation Has Expired
3. WGA Validation Tool

In order to regain the full functionality of the system, this will need to be resolved.
 
Thanks for your reply Bobbye,
Apart from running slow, I can't say I've noticed anything out of the ordinary: no pop-up messages or programs not working.
 