System Running Slow + SpyBot Crash

fluorescent
2007-08-01, 15:07
Recently I noticed my system running a little slower than usual, so I ran Spybot S&D and its test was fine. Then I was advised to turn off System Restore and retry the same scan in Safe Mode. It was at this point that SpyBot S&D v1.4 continuously crashed out.

I followed the tips on the SpyBot forums, as per the link, which advise on how to deal with SpyBot crashes. I followed the steps but saw no improvement.

I have the XP log dump file and the Trend Micro HijackThis output log, which are hereunder. Any help or pointers would be greatly appreciated.

Loading dump file C:\WINDOWS\Minidump\Mini073107-01.dmp
----- 32 bit Kernel Mini Dump Analysis

DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000a28
DirectoryTableBase 00039000
PfnDataBase 81b93000
PsLoadedModuleList 8055a620
PsActiveProcessHead 805606d8
MachineImageType 0000014c
NumberProcessors 00000001
BugCheckCode 1000000a
BugCheckParameter1 0007ffe2
BugCheckParameter2 00000002
BugCheckParameter3 00000000
BugCheckParameter4 804e63a1
PaeEnabled 00000000
KdDebuggerDataBlock 8054c260
MiniDumpFields 00000dff

TRIAGE_DUMP32:
ServicePackBuild 00000200
SizeOfDump 00010000
ValidOffset 0000fffc
ContextOffset 00000320
ExceptionOffset 000007d0
MmOffset 00001068
UnloadedDriversOffset 000010a0
PrcbOffset 00001878
ProcessOffset 000024c8
ThreadOffset 00002728
CallStackOffset 00002980
SizeOfCallStack 00000348
DriverListOffset 00002f58
DriverCount 00000087
StringPoolOffset 00005770
StringPoolSize 000012a8
BrokenDriverOffset 00000000
TriageOptions 00000041
TopOfStack f7b3fcb8
DebuggerDataOffset 00002cc8
DebuggerDataSize 00000290
DataBlocksOffset 00006a18
DataBlocksCount 00000001


Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Tue Jul 31 20:32:29 2007
System Uptime: 0 days 3:03:32
start end module name
804d7000 806eb500 nt Checksum: 0021EF64 Timestamp: Wed Feb 28 09:10:41 2007 (45E54711)

Unloaded modules:
a431b000 a4536000 w29n51.sys Timestamp: unavailable (00000000)
a4536000 a4561000 kmixer.sys Timestamp: unavailable (00000000)
aacbb000 aacd3000 dump_atapi.s Timestamp: unavailable (00000000)
a8cfc000 a8f17000 w29n51.sys Timestamp: unavailable (00000000)
a4536000 a4561000 kmixer.sys Timestamp: unavailable (00000000)
a4f3e000 a4f69000 kmixer.sys Timestamp: unavailable (00000000)
a5009000 a5034000 kmixer.sys Timestamp: unavailable (00000000)
a8cd1000 a8cfc000 kmixer.sys Timestamp: unavailable (00000000)
a8cd1000 a8cfc000 kmixer.sys Timestamp: unavailable (00000000)
a8f29000 a8f54000 kmixer.sys Timestamp: unavailable (00000000)
aa43c000 aa467000 kmixer.sys Timestamp: unavailable (00000000)
f7d41000 f7d42000 drmkaud.sys Timestamp: unavailable (00000000)
f6c07000 f6c14000 DMusic.sys Timestamp: unavailable (00000000)
aa83e000 aa84c000 swmidi.sys Timestamp: unavailable (00000000)
aa467000 aa48a000 aec.sys Timestamp: unavailable (00000000)
f7bfa000 f7bfc000 splitter.sys Timestamp: unavailable (00000000)
f780c000 f781c000 Serial.SYS Timestamp: unavailable (00000000)
aa8e2000 aa8f6000 Parport.SYS Timestamp: unavailable (00000000)
f7037000 f703b000 kbdhid.sys Timestamp: unavailable (00000000)
f7a3c000 f7a41000 Cdaudio.SYS Timestamp: unavailable (00000000)
f7a34000 f7a39000 Flpydisk.SYS Timestamp: unavailable (00000000)
f7a2c000 f7a33000 Fdc.SYS Timestamp: unavailable (00000000)

Finished dump check


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:30:34, on 01/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
D:\DeproDownloads\Security\Trend Micro HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = depromoos:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182851031140
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C5D209A-EF82-4B51-B51D-F00BC62C5A1F}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9A88A5D-74B7-4040-8B56-AB324BF64478}: NameServer = 212.104.130.9,212.104.130.65
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Free Proxy Service (FreeProxy) - Hand-Crafted Software - C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9819 bytes
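Added example, not part of the original post: the minidump header above can be read without WinDbg. The script below is mine, written for this page. It parses the DUMP_HEADER32 fields and the module list as posted, masks the 0x10000000 reporting flag off the BugCheckCode, names the stop code, interprets the four parameters for a 0xA/0xD1 stop and maps parameter 4 back to the module whose range contains it. The bugcheck-name table and the user/kernel split at 0x80000000 are what I know of 32-bit XP without /3GB; the dump text is excerpted from the post rather than constructed.

```python
import re

# Bugcheck codes this decoder knows by name. Windows records some stops in the
# minidump header with bit 0x10000000 set (here 0x1000000A); that bit is a
# reporting flag, so it is masked off before the lookup.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

# Excerpts of the dump-check output posted in the thread (copied, not constructed).
HEADER = """
BugCheckCode 1000000a
BugCheckParameter1 0007ffe2
BugCheckParameter2 00000002
BugCheckParameter3 00000000
BugCheckParameter4 804e63a1
PaeEnabled 00000000
NumberProcessors 00000001
"""

MODULES = """
804d7000 806eb500 nt Checksum: 0021EF64 Timestamp: Wed Feb 28 09:10:41 2007 (45E54711)
a431b000 a4536000 w29n51.sys Timestamp: unavailable (00000000)
a4536000 a4561000 kmixer.sys Timestamp: unavailable (00000000)
"""


def parse_header(text):
    """Map 'Name hexvalue' lines of a DUMP_HEADER32 block to integers."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(\w+)\s+([0-9a-fA-F]{8})\s*$", text, re.M)}


def parse_modules(text):
    """Parse 'start end name ...' rows into (start, end, name) tuples."""
    return [(int(m.group(1), 16), int(m.group(2), 16), m.group(3))
            for m in re.finditer(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)", text, re.M)]


def module_for(addr, modules):
    """Name of the module whose [start, end) range contains addr, or None."""
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None


def decode(fields, modules):
    """Name the stop code and, for 0xA / 0xD1, explain its four parameters."""
    code = fields["BugCheckCode"]
    base = code & ~0x10000000
    p = [fields[f"BugCheckParameter{i}"] for i in range(1, 5)]
    result = {
        "code": code,
        "name": BUGCHECK_NAMES.get(base, f"0x{base:X}"),
        "uniprocessor": fields.get("NumberProcessors") == 1,
    }
    if base in (0x0A, 0xD1):
        # Parameter layout for 0xA / 0xD1 on 32-bit XP:
        #   1 = memory referenced, 2 = IRQL at the time, 3 = 0 read / 1 write,
        #   4 = address of the instruction that made the reference.
        result.update({
            "referenced": p[0],
            "irql": p[1],
            "op": "write" if p[2] else "read",
            "faulting_ip": p[3],
            "faulting_module": module_for(p[3], modules),
            # Without /3GB, 32-bit XP user space is everything below 0x80000000.
            "referenced_is_user_addr": p[0] < 0x80000000,
        })
    return result


if __name__ == "__main__":
    report = decode(parse_header(HEADER), parse_modules(MODULES))
    for key, value in report.items():
        print(f"{key:24} {value:#010x}" if type(value) is int else f"{key:24} {value}")
```

For this dump it reports IRQL_NOT_LESS_OR_EQUAL: a read of the user-range address 0x0007ffe2 at IRQL 2 (DISPATCH_LEVEL), with the faulting instruction inside nt on a uniprocessor kernel. That the instruction sits in ntoskrnl does not make the kernel the culprit; the usual pattern is a driver handing the kernel a bad pointer or pageable memory while at raised IRQL, and a 64 KB minidump only records the triage area. Naming the driver needs `!analyze -v` with symbols or a kernel dump. The unloaded-modules list is worth reading alongside (kmixer.sys appearing many times is normal on XP, where it is loaded on demand by the audio stack), but the minidump alone does not identify the cause.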

pskelley
2007-08-05, 01:18
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Let me first say if you have not resolved your problem, I have no idea what is causing this and the HJT log tells me little. I can make no promises, but I will do all I can. If you still need help, review the instructions, post only what I request and let's start like this:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks

fluorescent
2007-08-05, 13:10
Hi,

Just to clarify what the missing web link was for in the initial post in this thread: http://forums.spybot.info/showthread.php?t=4799&highlight=spybot+crash (Crashing or Shut Down)

Right so, thanks for your help. The XP system is running critically slow, but it did manage to run the ComboFix program; the log file is hereunder. Once the log appeared, an error message was generated, as per the attached image.

Essentially the Error stated:

nircmd.cfexe - Unable To Locate Component
This application has failed to start because ConnAPI.DLL was not found. Re-installing the application may fix the problem.

Also I noticed at the end of the ComboFix log:

"please note that you need administrator rights to perform deep scan" – I was logged on as an administrator!




ComboFix 07-07-30.2 - "Home" 2007-08-05 10:45:32.1 [GMT 1:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-05 to 2007-08-05 )))))))))))))))))))))))))))))))


2007-08-05 10:43 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 03:10 102,912 --------- C:\WINDOWS\system32\drivers\FWDRV.SYS
2007-08-02 03:10 <DIR> d-------- C:\Program Files\Kerio
2007-08-01 18:14 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\Comodo
2007-08-01 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-08-01 18:07 <DIR> d-------- C:\Program Files\Comodo
2007-08-01 15:37 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-07-31 21:08 92,160 --a------ C:\WINDOWS\system32\evntwin.exe
2007-07-31 21:08 8,704 --a------ C:\WINDOWS\system32\snmptrap.exe
2007-07-31 21:08 6,144 --a------ C:\WINDOWS\system32\snmpmib.dll
2007-07-31 21:08 39,936 --a------ C:\WINDOWS\system32\hostmib.dll
2007-07-31 21:08 33,792 --a------ C:\WINDOWS\system32\lmmib2.dll
2007-07-31 21:08 33,280 --a------ C:\WINDOWS\system32\snmp.exe
2007-07-31 21:08 24,064 --a------ C:\WINDOWS\system32\evntcmd.exe
2007-07-31 21:08 101,888 --a------ C:\WINDOWS\system32\evntagnt.dll
2007-07-31 21:06 <DIR> d-------- C:\Program Files\Support Tools
2007-07-31 16:58 <DIR> d-------- C:\Program Files\SpeedswitchXP
2007-07-31 16:14 <DIR> d-------- C:\Program Files\Autoplay Repair
2007-07-11 20:31 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-07-11 15:32 <DIR> d-------- C:\Program Files\Proxymizer
2007-07-11 13:55 <DIR> d-------- C:\Program Files\WinPcap
2007-07-11 13:54 <DIR> d-------- C:\Program Files\Wireshark
2007-07-10 15:01 <DIR> d-------- C:\Program Files\SocksCap32
2007-07-10 15:00 299,520 --a------ C:\WINDOWS\uninst.exe
2007-07-10 14:59 <DIR> d-------- C:\DOCUME~1\Home\WINDOWS
2007-07-09 13:05 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\dvdcss
2007-07-09 13:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AVS4YOU
2007-07-09 12:59 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-07-09 12:59 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-09 12:59 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-07-09 12:59 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-07-09 12:59 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-07-09 12:59 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-09 12:59 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-07-09 12:59 <DIR> d-------- C:\Program Files\AVS4YOU
2007-07-09 12:52 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\vlc
2007-07-09 12:47 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-09 11:53 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-07-09 10:56 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\DivX
2007-07-09 10:55 <DIR> d-------- C:\Program Files\DivX
2007-07-09 10:44 <DIR> d-------- C:\Program Files\DECCHECK
2007-07-06 18:46 <DIR> d-------- C:\DOCUME~1\Home\Hidi's Home


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 04:38 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-02 03:10 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-01 15:36 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-11 15:03 --------- d-------- C:\DOCUME~1\Home\APPLIC~1\Wireshark
2007-07-09 12:38 --------- d-------- C:\Program Files\Tansee iPod Transfer
2007-07-09 12:37 --------- d-------- C:\Program Files\WindSolutions
2007-07-09 12:27 --------- d-------- C:\DOCUME~1\Home\APPLIC~1\Apple Computer
2007-07-03 16:41 --------- d-------- C:\Program Files\Red Chair Software
2007-07-03 16:40 --------- d-------- C:\DOCUME~1\Home\APPLIC~1\iCloner
2007-06-29 01:01 88696 --a------ C:\WINDOWS\system32\Packet.dll
2007-06-29 01:01 68224 --a------ C:\WINDOWS\system32\WanPacket.dll
2007-06-29 01:01 53299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2007-06-29 01:01 42512 --a------ C:\WINDOWS\system32\drivers\npf.sys
2007-06-29 01:01 240240 --a------ C:\WINDOWS\system32\wpcap.dll
2007-06-05 22:12 --------- d-------- C:\Program Files\mIRC
2007-06-05 12:33 --------- d-------- C:\Program Files\Active Ports
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 10:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 10:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-09-07 15:51]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 13:33]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-07-07 14:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 17:25]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 18:03 C:\WINDOWS\system32\P0620Pin.dll]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 14:27]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-05-26 00:46]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-07-31 17:07]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 22:38 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00]
"SpeedswitchXP"="C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe" [2006-07-14 22:56]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2007-01-30 00:39]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-26 22:34:41]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)

R0 R592;R592;C:\WINDOWS\system32\DRIVERS\R592.sys
R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\system32\DRIVERS\sbp2port.sys
R1 fwdrv;Kerio Personal Firewall Driver;C:\WINDOWS\system32\Drivers\fwdrv.sys
R2 FreeProxy;Free Proxy Service;C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe -{BeginFreeProxyService} -C"C:\Documents and Settings\Home\Hidi's Home\Internet Proxy Settings 100707.cfg"
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 ssoftnt4;ssoftnt4;\??\C:\WINDOWS\system32\Drivers\ssoftnt4.sys
R2 windrvNT;windrvNT;\??\C:\WINDOWS\system32\windrvNT.sys
R3 pgfilter;pgfilter;\??\C:\Program Files\PeerGuardian2\pgfilter.sys
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
S3 NETMDUSB;Net MD;C:\WINDOWS\system32\Drivers\NETMD033.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 Nokia USB Generic;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 Nokia USB Modem;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys
S3 Nokia USB Phone Parent;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 Nokia USB Port;Nokia USB Port;C:\WINDOWS\system32\drivers\nmwcdcj.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 PD0620VID;Creative WebCam Instant;C:\WINDOWS\system32\DRIVERS\P0620Vid.sys
S3 sffdisk;SFF Storage Class Driver;C:\WINDOWS\system32\DRIVERS\sffdisk.sys
S3 sffp_sd;SFF Storage Protocol Driver for SDBus;C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

*Newly Created Service* - PGFILTER

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-05 11:12:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software
disk error: C:\Documents and Settings\Home\ntuser.dat
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan
**************************************************************************

Completion time: 2007-08-05 11:25:39

--- E O F ---

fluorescent
2007-08-05, 13:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:23, on 05/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
D:\DeproDownloads\Security\Trend Micro HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = depromoos:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182851031140
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C5D209A-EF82-4B51-B51D-F00BC62C5A1F}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9A88A5D-74B7-4040-8B56-AB324BF64478}: NameServer = 212.104.130.9,212.104.130.65
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Free Proxy Service (FreeProxy) - Hand-Crafted Software - C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8731 bytes

pskelley
2007-08-05, 13:43
Thanks for returning the information and the feedback. The link you provided just returns me to Windows Live Search.

First I want you to understand that this is probably not a malware issue. Lacking information I ran combofix, which looks for several types of malware and which found none.

You have an out of date Java program:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_09\ <<< update to the newest version and uninstall all versions in Add Remove Programs.

Let's remove some stuff from HJT that may help.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Have a look at this information:
http://www.google.com/search?hl=en&q=ConnAPI.DLL+&btnG=Search
Including this: http://www.bleepingcomputer.com/forums/topic58655.html
that missing .dll might have to do with Nokia?


Try running System File Checker; even though that does not appear to be a Windows file, if one file is missing or corrupt, others may be.
(two looks at SFC)
http://dwightblackburn.com/winxp/
http://www.updatexp.com/scannow-sfc.html

Assure me this is your IP information:
http://whois.domaintools.com/212.104.130.9

Some of this information may help.
http://www.castlecops.com/postitle175256-0-0-.html
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b

Keep me posted

fluorescent
2007-08-06, 00:30
Hi again,

One last time I will try to post the link which shows how to remedy a PC which crashes out while running SpyBot S&D http://forums.spybot.info/showthread.php?t=4799&highlight=spybot+crash

Following on from this point here are how things stand:

1. Removed the old Java JRE and installed the latest version.

2. Removed the three items listed in the Hijack This log.

3. Executed the ATF Cleaner and selected the “all” option to remove the temp files.

4. Regarding the missing .dll file, I decided to remove this Nokia package along with several other programs which are not in use.

5. Ran the system file checker which found no errors but took nearly 5 hours to complete.

6. Yes the IP Whois information is correct and pertains to my ISP.

7. I checked out the additional links which you provided and there were some of the recommendations offered. I searched within these sites based on explorer.exe + svchost.exe keywords. Reason for this is that both of these processes are choking the CPU.

7a. Tried logging in under a different XP user profile as sometimes a corrupt user profile can cause these issues. This made no difference as I logged into a clean administrator account and both these processes still went into overload!

Please find hereunder the most recent log files from HJT and CBF (ComboFix). Some of these web sites suggested that when explorer.exe + svchost.exe go into overload it can imply a system trojan infection or stealth rootkit remote monitoring technology. The svchost.exe is responsible for controlling processes executed by dll files which support third party software (so I can gather). Where to go from here? I really do not want to rebuild the system as this is admitting defeat!

When the CBF log was generated the system crashed out with a BSOD (Blue Screen of Death) and reported the following stop error: fwdrv.sys. I checked this error out at http://www.file.net/process/fwdrv.sys.html which points its ownership to the Kerio Personal Firewall, but some malware can camouflage themselves under this system file also.

Here is the HJT log and I will try again to generate the CBF log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:21, on 2007-08-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\DeproDownloads\Security\Trend Micro HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = depromoos:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182851031140
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C5D209A-EF82-4B51-B51D-F00BC62C5A1F}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9A88A5D-74B7-4040-8B56-AB324BF64478}: NameServer = 212.104.130.9,212.104.130.65
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Free Proxy Service (FreeProxy) - Hand-Crafted Software - C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8104 bytes

pskelley
2007-08-06, 01:44
Thank you for posting that information about Spybot:
http://forums.spybot.info/showthread.php?t=4799&highlight=spybot+crash
I did review it but I must let you know this is the malware removal forum. If you have issues with Spybot, those experts would be glad to advise you here:
http://forums.spybot.info/forumdisplay.php?f=4

I see nothing in the HJT log that should be causing these problems, this is the only program I do not know:
C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
http://www.dirfile.com/publisher/hand-crafted-software.html
appears to be some kind of internet sharing software?

At this point, could you go over again what exactly the problem is? If it deals with Spybot, please take that to the Spybot S&D forum.
One suggestion I might make: if the problem is occurring when you run Spybot, try uninstalling Spybot and see what happens.

Thanks

fluorescent
2007-08-06, 13:35
Hi,

The issue originally started with SpyBot crashing out during a scan. I followed the advice as per link http://forums.spybot.info/showthread.php?t=4799&highlight=spybot+crash which advised on how to deal with this type of issue. I followed the advice given in this link, from which I managed to get SpyBot to finish its scan successfully. There were two items detected, which were DoubleClick and HitBox.

Next day the system is running slow and I looked at the system processes which identified explorer.exe and one of the svchost.exe processes to be using about 90% of the processor time. This is why I think I have an infection of some type.

The FreeProxy program is a proxy server which is used on the local machine but is not essential. If it's an issue, does it need to be removed?

Last night I removed the Kerio Personal Firewall and the BSOD stop error is no longer occurring. The BSOD resulted from the ComboFix program conflicting with Kerio Personal Firewall. Since the firewall's removal, ComboFix has run fine and produced the following log.



ComboFix 07-07-30.2 - "Home" 2007-08-06 9:54:40.5 [GMT 1:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


2007-08-05 10:43 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 03:10 <DIR> d-------- C:\Program Files\Kerio
2007-08-01 18:14 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\Comodo
2007-08-01 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-08-01 18:07 <DIR> d-------- C:\Program Files\Comodo
2007-08-01 15:37 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-07-31 21:08 92,160 --a------ C:\WINDOWS\system32\evntwin.exe
2007-07-31 21:08 8,704 --a------ C:\WINDOWS\system32\snmptrap.exe
2007-07-31 21:08 6,144 --a------ C:\WINDOWS\system32\snmpmib.dll
2007-07-31 21:08 39,936 --a------ C:\WINDOWS\system32\hostmib.dll
2007-07-31 21:08 33,792 --a------ C:\WINDOWS\system32\lmmib2.dll
2007-07-31 21:08 33,280 --a------ C:\WINDOWS\system32\snmp.exe
2007-07-31 21:08 24,064 --a------ C:\WINDOWS\system32\evntcmd.exe
2007-07-31 21:08 101,888 --a------ C:\WINDOWS\system32\evntagnt.dll
2007-07-31 21:06 <DIR> d-------- C:\Program Files\Support Tools
2007-07-11 20:31 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-07-11 15:32 <DIR> d-------- C:\Program Files\Proxymizer
2007-07-11 13:55 <DIR> d-------- C:\Program Files\WinPcap
2007-07-11 13:54 <DIR> d-------- C:\Program Files\Wireshark
2007-07-10 15:01 <DIR> d-------- C:\Program Files\SocksCap32
2007-07-10 15:00 299,520 --a------ C:\WINDOWS\uninst.exe
2007-07-10 14:59 <DIR> d-------- C:\DOCUME~1\Home\WINDOWS
2007-07-09 13:05 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\dvdcss
2007-07-09 13:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AVS4YOU
2007-07-09 12:59 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-07-09 12:59 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-09 12:59 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-07-09 12:59 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-07-09 12:59 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-07-09 12:59 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-09 12:59 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-07-09 12:59 <DIR> d-------- C:\Program Files\AVS4YOU
2007-07-09 12:52 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\vlc
2007-07-09 12:47 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-09 11:53 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-07-09 10:56 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\DivX
2007-07-09 10:55 <DIR> d-------- C:\Program Files\DivX
2007-07-09 10:44 <DIR> d-------- C:\Program Files\DECCHECK
2007-07-06 18:46 <DIR> d-------- C:\DOCUME~1\Home\Hidi's Home


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 14:33 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-02 04:38 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-01 15:36 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-11 15:03 --------- d-------- C:\DOCUME~1\Home\APPLIC~1\Wireshark
2007-07-09 12:38 --------- d-------- C:\Program Files\Tansee iPod Transfer
2007-07-09 12:37 --------- d-------- C:\Program Files\WindSolutions
2007-07-09 12:27 --------- d-------- C:\DOCUME~1\Home\APPLIC~1\Apple Computer
2007-07-03 16:41 --------- d-------- C:\Program Files\Red Chair Software
2007-07-03 16:40 --------- d-------- C:\DOCUME~1\Home\APPLIC~1\iCloner
2007-06-29 01:01 88696 --a------ C:\WINDOWS\system32\Packet.dll
2007-06-29 01:01 68224 --a------ C:\WINDOWS\system32\WanPacket.dll
2007-06-29 01:01 53299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2007-06-29 01:01 42512 --a------ C:\WINDOWS\system32\drivers\npf.sys
2007-06-29 01:01 240240 --a------ C:\WINDOWS\system32\wpcap.dll
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-06 00:34]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 10:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 10:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 13:33]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-07-07 14:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 17:25]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-05-26 00:46]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-07-31 17:07]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 22:38 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2007-01-30 00:39]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-26 22:34:41]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)

R0 Inspect;Comodo Network Engine;C:\WINDOWS\system32\DRIVERS\inspect.sys
R0 R592;R592;C:\WINDOWS\system32\DRIVERS\R592.sys
R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\system32\DRIVERS\sbp2port.sys
R1 CmdMon;Comodo Application Engine;C:\WINDOWS\system32\DRIVERS\cmdmon.sys
R2 FreeProxy;Free Proxy Service;C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe -{BeginFreeProxyService} -C"C:\Documents and Settings\Home\Hidi's Home\Internet Proxy Settings 100707.cfg"
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 ssoftnt4;ssoftnt4;\??\C:\WINDOWS\system32\Drivers\ssoftnt4.sys
R2 windrvNT;windrvNT;\??\C:\WINDOWS\system32\windrvNT.sys
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
R3 pgfilter;pgfilter;\??\C:\Program Files\PeerGuardian2\pgfilter.sys
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys
S3 NETMDUSB;Net MD;C:\WINDOWS\system32\Drivers\NETMD033.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 PD0620VID;Creative WebCam Instant;C:\WINDOWS\system32\DRIVERS\P0620Vid.sys
S3 sffdisk;SFF Storage Class Driver;C:\WINDOWS\system32\DRIVERS\sffdisk.sys
S3 sffp_sd;SFF Storage Protocol Driver for SDBus;C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe

*Newly Created Service* - PGFILTER

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 10:19:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software
disk error: C:\Documents and Settings\Home\ntuser.dat
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan
**************************************************************************

Completion time: 2007-08-06 10:34:13
C:\ComboFix2.txt ... 2007-08-05 11:25

--- E O F ---

pskelley
2007-08-06, 14:04
"There were two items detected which were DoubleClick and HitBox." Those sound like cookies. In case I have not posted tutorials for using Spybot S&D to remove cookies, here they are:
http://spyware-free.us/tutorials/spybot/
http://www.bleepingcomputer.com/forums/tutorial43.html
http://www.safer-networking.org/en/tutorial/index.html

explorer.exe: Open your Task Manager and on the Processes tab click above Mem Usage until the processes are arranged in the order of how much they are using. My explorer is using 77,000K right now and the next nearest item is my antivirus program at 40,000K.
svchost.exe is going to vary considering how many services you have running at the time:
http://support.microsoft.com/kb/314056

Here is some good troubleshooting information for CPU Usage:
http://kadaitcha.cx/high_cpu.html

So many things besides malware can cause this. An out of date driver for one of your programs can cause it. Like looking for a needle in the proverbial haystack.

1) Let's have a look for a hidden rootkit infection:

Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.

(do not delete anything, most if not all files will be valid)

2) Please post your uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

3) combofix is indicating a disk error, please go here: http://www.pcpitstop.com/ and run a free diagnostic.
Help with results: http://pcpitstop.invisionzone.com/index.php?showforum=6
Tutorial: http://www.pcpitstop.com/techexpress/howto1.asp
Post a link to the test results in this topic.

Recap: post log from BlackLight, the uninstall list and a link to the test results at PCPitStop.

Thanks
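
As an added example for the svchost.exe point above (this is not code from pskelley or anyone else in this thread): a Windows PowerShell function that maps each running svchost.exe instance to the services it hosts and reports CPU time, working set and image path, so a runaway instance can be tied to a specific service instead of guessed at. It uses Get-Process and the Win32_Service WMI class (whose ProcessId field links a service to its host process); the function name Get-SvchostServiceMap is my own. Run it in an elevated Windows PowerShell console on the affected machine; it changes nothing.

```powershell
# Added example, not from the thread. Maps each svchost.exe to the services
# it hosts so a high-CPU instance can be narrowed to one service.
# Requires Windows PowerShell (Get-WmiObject); run elevated for full detail.

function Get-SvchostServiceMap {
    # Win32_Service.ProcessId tells us which host process each running service lives in.
    $running = Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq 'Running' }

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $proc   = $_
        $hosted = $running | Where-Object { $_.ProcessId -eq $proc.Id } |
                  Select-Object -ExpandProperty Name

        # Image path may be unreadable for protected processes without elevation.
        $path = $null
        try { $path = $proc.Path } catch { $path = '<access denied>' }

        New-Object PSObject -Property @{
            PID          = $proc.Id
            CPUSeconds   = [math]::Round($proc.TotalProcessorTime.TotalSeconds, 1)
            WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            Services     = ($hosted -join ', ')
            # The real svchost.exe lives in the system directory; any other path
            # or an instance hosting no services at all deserves a closer look.
            ImagePath    = $path
        }
    } | Sort-Object CPUSeconds -Descending
}

# Usage: the top row is the instance consuming the most CPU time since it started.
Get-SvchostServiceMap |
    Format-Table PID, CPUSeconds, WorkingSetMB, ImagePath, Services -AutoSize -Wrap
```

Reading the output: the instance with the largest CPUSeconds is the one to investigate, and its Services column names the candidates, which can then be stopped one at a time through services.msc to see which one drives the load. An svchost.exe whose ImagePath is not the Windows system32 directory, or which hosts no services, is the case the thread worries about and is worth checking against the HJT O23 entries.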

fluorescent
2007-08-06, 15:33
Hi,

The BlackLight Rootkit and HJT uninstall logs are here. BlackLight didn’t identify anything.

BlackLight log:

08/06/07 13:51:21 [Info]: BlackLight Engine 1.0.64 initialized
08/06/07 13:51:21 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/06/07 13:51:21 [Note]: 7019 4
08/06/07 13:51:21 [Note]: 7005 0
08/06/07 13:51:46 [Note]: 7006 0
08/06/07 13:51:46 [Note]: 7011 1596
08/06/07 13:51:49 [Note]: 7026 0
08/06/07 13:51:52 [Note]: 7026 0
08/06/07 13:52:14 [Note]: FSRAW library version 1.7.1022
08/06/07 13:52:14 [Note]: 2000 1006
08/06/07 13:52:14 [Note]: 2000 1006
08/06/07 13:52:14 [Note]: 2000 1006
08/06/07 13:52:14 [Note]: 2000 1006
08/06/07 13:52:14 [Note]: 2000 1006
08/06/07 13:52:15 [Note]: 2000 1006
08/06/07 13:52:15 [Note]: 2000 1006
08/06/07 13:52:15 [Note]: 2000 1006
08/06/07 13:52:15 [Note]: 2000 1006
08/06/07 13:52:15 [Note]: 2000 1006
08/06/07 13:52:15 [Note]: 2000 1006
08/06/07 13:52:15 [Note]: 2000 1006
08/06/07 13:52:15 [Note]: 2000 1006
08/06/07 13:52:15 [Note]: 2000 1006
08/06/07 13:52:15 [Note]: 2000 1006
08/06/07 13:52:15 [Note]: 2000 1006
08/06/07 13:52:16 [Note]: 2000 1006
08/06/07 13:52:16 [Note]: 2000 1006
08/06/07 13:52:16 [Note]: 2000 1006
08/06/07 13:52:16 [Note]: 2000 1006
08/06/07 13:52:16 [Note]: 2000 1006
08/06/07 13:52:16 [Note]: 2000 1006
08/06/07 13:52:16 [Note]: 2000 1006
08/06/07 13:52:16 [Note]: 2000 1006
08/06/07 13:52:16 [Note]: 2000 1006
08/06/07 13:52:16 [Note]: 2000 1006
08/06/07 13:52:16 [Note]: 2000 1006
08/06/07 13:52:17 [Note]: 2000 1006
08/06/07 13:52:17 [Note]: 2000 1006
08/06/07 13:52:17 [Note]: 2000 1006
08/06/07 13:52:17 [Note]: 2000 1006
08/06/07 13:52:17 [Note]: 2000 1006
08/06/07 13:52:17 [Note]: 2000 1006
08/06/07 13:52:17 [Note]: 2000 1006
08/06/07 13:52:17 [Note]: 2000 1006
08/06/07 13:52:17 [Note]: 2000 1006
08/06/07 13:52:17 [Note]: 2000 1006
08/06/07 13:52:17 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:18 [Note]: 2000 1006
08/06/07 13:52:19 [Note]: 2000 1006
08/06/07 13:52:19 [Note]: 2000 1006
08/06/07 13:52:19 [Note]: 2000 1006
08/06/07 13:52:19 [Note]: 2000 1006
08/06/07 13:52:19 [Note]: 2000 1006
08/06/07 13:52:19 [Note]: 2000 1006
08/06/07 13:52:19 [Note]: 2000 1006
08/06/07 13:52:19 [Note]: 2000 1006
08/06/07 13:52:19 [Note]: 2000 1006
08/06/07 13:52:19 [Note]: 2000 1006
08/06/07 13:52:19 [Note]: 2000 1006
08/06/07 13:52:20 [Note]: 2000 1006
08/06/07 13:52:20 [Note]: 2000 1006
08/06/07 13:52:20 [Note]: 2000 1006
08/06/07 13:52:20 [Note]: 2000 1006
08/06/07 13:52:20 [Note]: 2000 1006
08/06/07 13:52:20 [Note]: 2000 1006
08/06/07 13:52:20 [Note]: 2000 1006
08/06/07 13:52:20 [Note]: 2000 1006
08/06/07 13:52:20 [Note]: 2000 1006
08/06/07 13:52:20 [Note]: 2000 1006
08/06/07 13:52:20 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:21 [Note]: 2000 1006
08/06/07 13:52:22 [Note]: 2000 1006
08/06/07 13:52:22 [Note]: 2000 1006
08/06/07 13:52:22 [Note]: 2000 1006
08/06/07 13:52:22 [Note]: 2000 1006
08/06/07 13:52:22 [Note]: 2000 1006
08/06/07 13:52:22 [Note]: 2000 1006
08/06/07 13:52:22 [Note]: 2000 1006
08/06/07 13:52:22 [Note]: 2000 1006
08/06/07 13:52:22 [Note]: 2000 1006
08/06/07 13:52:22 [Note]: 2000 1006
08/06/07 13:52:22 [Note]: 2000 1006
08/06/07 13:52:23 [Note]: 2000 1006
08/06/07 13:52:23 [Note]: 2000 1006
08/06/07 13:52:23 [Note]: 2000 1006
08/06/07 13:52:23 [Note]: 2000 1006
08/06/07 13:52:23 [Note]: 2000 1006
08/06/07 13:52:23 [Note]: 2000 1006
08/06/07 13:52:23 [Note]: 2000 1006
08/06/07 13:52:23 [Note]: 2000 1006
08/06/07 13:52:23 [Note]: 2000 1006
08/06/07 13:52:23 [Note]: 2000 1006
08/06/07 13:52:23 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:24 [Note]: 2000 1006
08/06/07 13:52:25 [Note]: 2000 1006
08/06/07 13:52:25 [Note]: 2000 1006
08/06/07 13:52:25 [Note]: 2000 1006
08/06/07 13:52:25 [Note]: 2000 1006
08/06/07 13:52:25 [Note]: 2000 1006
08/06/07 13:52:25 [Note]: 2000 1006
08/06/07 13:52:25 [Note]: 2000 1006
08/06/07 13:52:25 [Note]: 2000 1006
08/06/07 13:52:25 [Note]: 2000 1006
08/06/07 13:52:25 [Note]: 2000 1006
08/06/07 13:52:25 [Note]: 2000 1006
08/06/07 13:52:26 [Note]: 2000 1006
08/06/07 13:52:26 [Note]: 2000 1006
08/06/07 13:52:26 [Note]: 2000 1006
08/06/07 13:52:26 [Note]: 2000 1006
08/06/07 13:52:26 [Note]: 2000 1006
08/06/07 13:52:26 [Note]: 2000 1006
08/06/07 13:52:26 [Note]: 2000 1006
08/06/07 13:52:26 [Note]: 2000 1006
08/06/07 13:52:26 [Note]: 2000 1006
08/06/07 13:52:26 [Note]: 2000 1006
08/06/07 13:52:26 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:27 [Note]: 2000 1006
08/06/07 13:52:28 [Note]: 2000 1006
08/06/07 13:52:28 [Note]: 2000 1006
08/06/07 13:52:28 [Note]: 2000 1006
08/06/07 13:52:28 [Note]: 2000 1006
08/06/07 13:52:28 [Note]: 2000 1006
08/06/07 13:52:28 [Note]: 2000 1006
08/06/07 13:52:28 [Note]: 2000 1006
08/06/07 13:52:28 [Note]: 2000 1006
08/06/07 13:52:28 [Note]: 2000 1006
08/06/07 13:52:28 [Note]: 2000 1006
08/06/07 13:52:28 [Note]: 2000 1006
08/06/07 13:52:29 [Note]: 2000 1006
08/06/07 13:52:29 [Note]: 2000 1006
08/06/07 13:52:29 [Note]: 2000 1006
08/06/07 13:52:29 [Note]: 2000 1006
08/06/07 13:52:29 [Note]: 2000 1006
08/06/07 13:52:29 [Note]: 2000 1006
08/06/07 13:52:29 [Note]: 2000 1006
08/06/07 13:52:29 [Note]: 2000 1006
08/06/07 13:52:29 [Note]: 2000 1006
08/06/07 13:52:29 [Note]: 2000 1006
08/06/07 13:52:29 [Note]: 2000 1006
08/06/07 13:52:30 [Note]: 2000 1006
08/06/07 13:52:30 [Note]: 2000 1006
08/06/07 13:52:30 [Note]: 2000 1006
08/06/07 13:52:30 [Note]: 2000 1006
08/06/07 13:52:30 [Note]: 2000 1006
08/06/07 13:52:30 [Note]: 2000 1006
08/06/07 13:52:30 [Note]: 2000 1006
08/06/07 13:52:30 [Note]: 2000 1006
08/06/07 13:52:30 [Note]: 2000 1006
08/06/07 13:52:30 [Note]: 2000 1006
08/06/07 13:52:30 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:31 [Note]: 2000 1006
08/06/07 13:52:32 [Note]: 2000 1006
08/06/07 13:52:32 [Note]: 2000 1006
08/06/07 13:52:32 [Note]: 2000 1006
08/06/07 13:52:32 [Note]: 2000 1006
08/06/07 13:52:32 [Note]: 2000 1006
08/06/07 13:52:32 [Note]: 2000 1006
08/06/07 13:52:32 [Note]: 2000 1006
08/06/07 13:52:32 [Note]: 2000 1006
08/06/07 13:52:32 [Note]: 2000 1006
08/06/07 13:52:32 [Note]: 2000 1006
08/06/07 13:52:32 [Note]: 2000 1006
08/06/07 13:52:33 [Note]: 2000 1006
08/06/07 13:52:33 [Note]: 2000 1006
08/06/07 13:52:33 [Note]: 2000 1006
08/06/07 13:52:33 [Note]: 2000 1006
08/06/07 13:52:33 [Note]: 2000 1006
08/06/07 13:52:33 [Note]: 2000 1006
08/06/07 13:52:33 [Note]: 2000 1006
08/06/07 13:52:33 [Note]: 2000 1006
08/06/07 13:52:33 [Note]: 2000 1006
08/06/07 13:52:33 [Note]: 2000 1006
08/06/07 13:52:33 [Note]: 2000 1006
08/06/07 13:52:34 [Note]: 2000 1006
08/06/07 13:52:34 [Note]: 2000 1006
08/06/07 13:52:34 [Note]: 2000 1006
08/06/07 13:52:34 [Note]: 2000 1006
08/06/07 13:52:34 [Note]: 2000 1006
08/06/07 13:52:34 [Note]: 2000 1006
08/06/07 13:52:34 [Note]: 2000 1006
08/06/07 13:52:34 [Note]: 2000 1006
08/06/07 13:52:34 [Note]: 2000 1006
08/06/07 13:52:34 [Note]: 2000 1006
08/06/07 13:52:34 [Note]: 2000 1006
08/06/07 13:52:35 [Note]: 2000 1006
08/06/07 13:52:35 [Note]: 2000 1006
08/06/07 13:52:35 [Note]: 2000 1006
08/06/07 13:52:35 [Note]: 2000 1006
08/06/07 13:52:35 [Note]: 2000 1006
08/06/07 13:52:35 [Note]: 2000 1006
08/06/07 13:52:35 [Note]: 2000 1006
08/06/07 13:52:35 [Note]: 2000 1006
08/06/07 13:52:35 [Note]: 2000 1006
08/06/07 13:52:35 [Note]: 2000 1006
08/06/07 13:52:36 [Note]: 2000 1006
08/06/07 13:52:36 [Note]: 2000 1006
08/06/07 13:52:36 [Note]: 2000 1006
08/06/07 13:52:36 [Note]: 2000 1006
08/06/07 13:52:36 [Note]: 2000 1006
08/06/07 13:52:36 [Note]: 2000 1006
08/06/07 13:52:36 [Note]: 2000 1006
08/06/07 13:52:36 [Note]: 2000 1006
08/06/07 13:52:36 [Note]: 2000 1006
08/06/07 13:52:36 [Note]: 2000 1006
08/06/07 13:52:36 [Note]: 2000 1006
08/06/07 13:52:37 [Note]: 2000 1006
08/06/07 13:52:37 [Note]: 2000 1006
08/06/07 13:52:37 [Note]: 2000 1006
08/06/07 13:52:37 [Note]: 2000 1006
08/06/07 13:52:37 [Note]: 2000 1006
08/06/07 13:52:37 [Note]: 2000 1006
08/06/07 13:52:37 [Note]: 2000 1006
08/06/07 13:52:37 [Note]: 2000 1006
08/06/07 13:52:37 [Note]: 2000 1006
08/06/07 13:52:37 [Note]: 2000 1006
08/06/07 13:52:37 [Note]: 2000 1006
08/06/07 13:52:38 [Note]: 2000 1006
08/06/07 13:52:38 [Note]: 2000 1006
08/06/07 13:52:38 [Note]: 2000 1006
08/06/07 13:52:38 [Note]: 2000 1006
08/06/07 13:52:38 [Note]: 2000 1006
08/06/07 13:52:38 [Note]: 2000 1006
08/06/07 13:52:38 [Note]: 2000 1006
08/06/07 13:52:38 [Note]: 2000 1006
08/06/07 13:52:38 [Note]: 2000 1006
08/06/07 13:52:38 [Note]: 2000 1006
08/06/07 13:52:38 [Note]: 2000 1006
08/06/07 13:52:39 [Note]: 2000 1006
08/06/07 13:52:39 [Note]: 2000 1006
08/06/07 13:52:39 [Note]: 2000 1006
08/06/07 13:52:39 [Note]: 2000 1006
08/06/07 13:52:39 [Note]: 2000 1006
08/06/07 13:52:39 [Note]: 2000 1006
08/06/07 13:52:39 [Note]: 2000 1006
08/06/07 13:52:39 [Note]: 2000 1006
08/06/07 13:52:39 [Note]: 2000 1006
08/06/07 13:52:39 [Note]: 2000 1006
08/06/07 13:52:39 [Note]: 2000 1006
08/06/07 13:52:40 [Note]: 2000 1006
08/06/07 13:52:40 [Note]: 2000 1006
08/06/07 13:52:40 [Note]: 2000 1006
08/06/07 13:52:40 [Note]: 2000 1006
08/06/07 13:52:40 [Note]: 2000 1006
08/06/07 13:52:40 [Note]: 2000 1006
08/06/07 13:52:40 [Note]: 2000 1006
08/06/07 13:52:40 [Note]: 2000 1006
08/06/07 13:52:40 [Note]: 2000 1006
08/06/07 13:52:40 [Note]: 2000 1006
08/06/07 13:52:41 [Note]: 2000 1006
08/06/07 13:52:41 [Note]: 2000 1006
08/06/07 13:52:41 [Note]: 2000 1006
08/06/07 13:52:41 [Note]: 2000 1006
08/06/07 13:52:41 [Note]: 2000 1006
08/06/07 13:52:41 [Note]: 2000 1006
08/06/07 13:52:41 [Note]: 2000 1006
08/06/07 13:52:41 [Note]: 2000 1006
08/06/07 13:52:41 [Note]: 2000 1006
08/06/07 13:52:41 [Note]: 2000 1006
08/06/07 13:52:42 [Note]: 2000 1006
08/06/07 13:52:42 [Note]: 2000 1006
08/06/07 13:52:42 [Note]: 2000 1006
08/06/07 13:52:42 [Note]: 2000 1006
08/06/07 13:52:42 [Note]: 2000 1006
08/06/07 13:52:42 [Note]: 2000 1006
08/06/07 13:52:42 [Note]: 2000 1006
08/06/07 13:52:42 [Note]: 2000 1006
08/06/07 13:52:42 [Note]: 2000 1006
08/06/07 13:52:42 [Note]: 2000 1006
08/06/07 13:52:42 [Note]: 2000 1006
08/06/07 13:52:43 [Note]: 2000 1006
08/06/07 13:52:43 [Note]: 2000 1006
08/06/07 13:52:43 [Note]: 2000 1006
08/06/07 13:52:43 [Note]: 2000 1006
08/06/07 13:52:43 [Note]: 2000 1006
08/06/07 13:52:43 [Note]: 2000 1006
08/06/07 13:52:43 [Note]: 2000 1006
08/06/07 13:52:43 [Note]: 2000 1006
08/06/07 13:52:43 [Note]: 2000 1006
08/06/07 13:52:43 [Note]: 2000 1006
08/06/07 13:52:44 [Note]: 2000 1006
08/06/07 13:52:44 [Note]: 2000 1006
08/06/07 13:52:44 [Note]: 2000 1006
08/06/07 13:52:44 [Note]: 2000 1006
08/06/07 13:52:44 [Note]: 2000 1006
08/06/07 13:52:44 [Note]: 2000 1006
08/06/07 13:52:44 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:45 [Note]: 2000 1006
08/06/07 13:52:46 [Note]: 2000 1006
08/06/07 13:52:46 [Note]: 2000 1006
08/06/07 13:52:47 [Note]: 2000 1012
08/06/07 13:52:47 [Note]: 2000 1012
08/06/07 13:52:47 [Note]: 2000 1012
08/06/07 13:52:47 [Note]: 2000 1012
08/06/07 13:52:47 [Note]: 2000 1012
08/06/07 13:52:47 [Note]: 2000 1012
08/06/07 13:52:47 [Note]: 2000 1012
08/06/07 13:53:28 [Note]: 7007 0

HJT Uninstall log with Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix edited out.

"Minimal SYStem 1.0.10"
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Photoshop CS
Adobe Reader 7.0.9
Adobe Shockwave Player
AVG Free Edition
Casper RAM Cleaner 2.3
CDBurnerXP Pro 3
Cool Edit Pro 2.1
Creative Photo Manager
Creative WebCam Center
Creative WebCam Instant Driver (1.03.02.0425)
Creative WebCam Instant User's Guide (English)
Cryptainer LE
DJ Java Decompiler v.3.9.9.91
EPSON CardMonitor
EPSON Copy Utility 3
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON Web-To-Page
Eraser 5.82
ESPRX420 Reference Guide
ESPRX420 Software Guide
Folder Lock
FreeProxy version 3.92
GNU Privacy Guard
Google Earth
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
iTunes
J2SE Development Kit 5.0 Update 9
Java(TM) 6 Update 2
LimeWire 4.12.6
MD Simple Burner 2.0.03
mDriver
MinGW 3.1.0
mIRC
Mozilla Firefox (2.0)
Mozilla Thunderbird (1.5)
MSXML 4.0 SP2 (KB927978)
MultiMemoryCardDriver
Nero Suite
NetBeans IDE 5.5 Beta 2
OpenMG Secure Module 4.6.01
OpenOffice.org 2.0
PeerGuardian 2.0
PhotoImpression 5
Qnext
QuickTime
ScanToWeb
SENS LT56ADW Modem
SonicStage 4.2
SoundMAX
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
VideoLAN VLC media player 0.8.6c
WebCam Instant Product Registration
What's Running 2.2
WinPcap 4.0.1
WinRAR archiver
Wireshark 0.99.6a
Yahoo! Messenger

fluorescent
2007-08-06, 15:35
Hi,

The PC Pitstop Disk Check logs are here. The disk check found fragments greater than 100, which it suggests is not good. The disk where it found these fragments was the D drive, which hosts my Linux OS and data, but the problem is located with the XP OS, which is on the C drive, and this disk got the thumbs up.

PC Pitstop C Disk log:

Defrag Analysis Report, Generated by PC Pitstop Disk MD on 06/08/2007 14:01:44:

Volume Information for C:\

Volume Size: 24.41 GB
Cluster Size: 4.00 KB
Used Space: 12.98 GB
Free Space: 11.43 GB
Percent Free Space: 46%


Volume Fragmentation:

Total Fragmentation: 0%
Data Fragmentation: 0%
File Fragmentation: 0%
Folder Fragmentation: 0%


File Fragmentation:

Total Files: 0
Average File Size: 0.00 KB
Total Fragmented Files: 0
Total Excess Fragments: 0
Average Fragments per File: 0.000000


Folder Fragmentation:

Total Folders: 0
Fragmented Folders: 0
Excess Folder Fragments: 0
Average Fragments per Folder: 0.000000


Page File Information:

Page File Size: 0.00 KB
Total Fragments: 0


MFT Fragmentation:

Total MFT Size: 0.00 KB
MFT Record Count: 0
Percent MFT in Use: 0%
Total MFT Fragments: 0


Most Fragmented Files:


PC Pitstop D Disk log:

Defrag Analysis Report, Generated by PC Pitstop Disk MD on 06/08/2007 14:08:08:

Volume Information for D:\

Volume Size: 30.06 GB
Cluster Size: 16.00 KB
Used Space: 25.22 GB
Free Space: 4.85 GB
Percent Free Space: 16%


Volume Fragmentation:

Total Fragmentation: 14%
Data Fragmentation: 28%
File Fragmentation: 28%
Folder Fragmentation: 0%


File Fragmentation:

Total Files: 37,084
Average File Size: 698.34 KB
Total Fragmented Files: 1,259
Total Excess Fragments: 5,177
Average Fragments per File: 1.139602


Folder Fragmentation:

Total Folders: 7,124
Fragmented Folders: 7
Excess Folder Fragments: 10
Average Fragments per Folder: 1.001404


Page File Information:

Page File Size: 0.00 KB
Total Fragments: 0


Most Fragmented Files:

File: \DEPROM~1\TECKTO~1\012-20~1.WAV
Fragments: 175 Size: 49.86 MB (52,281,388 bytes)

File: \TECKTO~2\DAVELO~1\PHOTO2~1.JPG
Fragments: 158 Size: 24.23 MB (25,411,839 bytes)

File: \DEPROM~1\COMPIL~1\PROGRA~1\13EXER~1.MP3
Fragments: 127 Size: 6.29 MB (6,597,604 bytes)

File: \DEPROD~1\MICROS~1\OFFICE\M4561403.CAB
Fragments: 115 Size: 11.48 MB (12,037,546 bytes)

File: \DEPROM~1\COMPIL~1\PROGRA~1\12ALWA~1.MP3
Fragments: 100 Size: 12.65 MB (13,263,840 bytes)

File: \TECKTO~2\TECKTO~1\TECKTO~2.PSD
Fragments: 89 Size: 12.92 MB (13,552,493 bytes)

File: \DEPROM~1\COMPIL~1\UNIVER~1\1-02'E~1.MP3
Fragments: 86 Size: 7.25 MB (7,603,216 bytes)

File: \DEPROM~1\THEBAN~1\UNKNOW~1\WALKLI~1.MP3
Fragments: 78 Size: 4.68 MB (4,904,146 bytes)

File: \DEPROM~1\MARILY~1\UNKNOW~1\LIKEAV~1.MP3
Fragments: 67 Size: 7.05 MB (7,397,504 bytes)

File: \DEPROM~1\TECKTO~1\HI-MD2~2\002-20~1.OMA
Fragments: 65 Size: 55.84 MB (58,555,968 bytes)

File: \SD4\RESEAR~1\THESIS\SY7710~1.DOC
Fragments: 64 Size: 137.79 MB (144,487,424 bytes)

File: \DEPROM~1\DEATHI~1\MILKIT~1\2-04SC~1.MP3
Fragments: 64 Size: 7.14 MB (7,483,548 bytes)

File: \DEPROD~1\ADOBES~1\ADOBEP~1\ADOBEP~1\DATA2.CAB
Fragments: 58 Size: 148.45 MB (155,663,913 bytes)

File: \DEPROM~1\TECKTO~1\MYSTIC~2\006-20~1.MP3
Fragments: 53 Size: 5.52 MB (5,788,170 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010225.JPG
Fragments: 48 Size: 2.34 MB (2,451,312 bytes)

File: \DEPROM~1\UCIEF\UNKNOW~1\001-20~1.MP3
Fragments: 47 Size: 13.67 MB (14,334,574 bytes)

File: \DEPROM~1\UNKNOW~1\UNKNOW~1\04MELO~1.MP3
Fragments: 46 Size: 45.03 MB (47,221,884 bytes)

File: \MSC\PROJECT\PROGRE~1\~WRL0821.TMP
Fragments: 45 Size: 1.24 MB (1,302,528 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010213.JPG
Fragments: 44 Size: 2.70 MB (2,836,010 bytes)

File: \DEPROM~1\COMPIL~1\UNIVER~2\2-13WO~1.MP3
Fragments: 42 Size: 4.89 MB (5,127,451 bytes)

File: \DEPROM~1\TECKTO~1\HI-MD2~1\037-20~1.OMA
Fragments: 41 Size: 3.73 MB (3,910,656 bytes)

File: \DEPROM~1\DURAND~1\UNKNOW~1\AVIEWT~1.MP3
Fragments: 40 Size: 4.93 MB (5,168,082 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010212.JPG
Fragments: 40 Size: 2.51 MB (2,636,815 bytes)

File: \PHOTOS\LONDON~1\IMGP0829.JPG
Fragments: 40 Size: 1.46 MB (1,530,647 bytes)

File: \PHOTOS\CLAIRE\IMGP0788.JPG
Fragments: 39 Size: 1.45 MB (1,516,000 bytes)

File: \DEPROM~1\COMPIL~1\UNIVER~2\2-11DO~1.MP3
Fragments: 37 Size: 10.30 MB (10,805,000 bytes)

File: \DEPROM~1\COMPIL~1\UNIVER~2\2-12AN~1.MP3
Fragments: 36 Size: 5.97 MB (6,264,089 bytes)

File: \DEPROM~1\COMPIL~1\PROGRA~1\05INVI~1.MP3
Fragments: 35 Size: 8.80 MB (9,225,741 bytes)

File: \PHOTOS\ALBERTO\CURRAB~1\IMG_0856.JPG
Fragments: 35 Size: 843.52 KB (863,767 bytes)

File: \DEPROM~1\THEFLA~1\YOSHIM~1\09DOYO~1.MP3
Fragments: 34 Size: 4.87 MB (5,107,417 bytes)

File: \DEPROD~1\MEDIAP~1\AVSDVD~1\AVSDVD~1.EXE
Fragments: 33 Size: 25.34 MB (26,569,624 bytes)

File: \DEPROM~1\TECKTO~1\MYSTIC~2\005-20~1.MP3
Fragments: 33 Size: 16.46 MB (17,261,777 bytes)

File: \DEPROD~1\MICROS~1\VISIO\YS561401.CAB
Fragments: 32 Size: 45.46 MB (47,671,800 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010249.JPG
Fragments: 32 Size: 2.70 MB (2,829,171 bytes)

File: \PHOTOS\ALBERTO\CURRAB~1\IMG_0892.JPG
Fragments: 30 Size: 1.02 MB (1,067,110 bytes)

File: \LIT_OC~1\OC_200~1\DISCOU~1\TIMBER~3.DOC
Fragments: 29 Size: 3.36 MB (3,526,656 bytes)

File: \PHOTOS\ALBERTO\CURRAB~1\IMG_0882.JPG
Fragments: 29 Size: 1.04 MB (1,092,856 bytes)

File: \DEPROM~1\GREENS~1\FELIXD~1\10KEEP~1.MP3
Fragments: 28 Size: 15.54 MB (16,291,524 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010211.JPG
Fragments: 28 Size: 2.47 MB (2,588,422 bytes)

File: \DEPROM~1\DEATHI~1\MILKIT~1\2-03HA~1.MP3
Fragments: 26 Size: 7.58 MB (7,944,333 bytes)

File: \DEPROM~1\TECKTO~1\HI-MD2~1\035-20~1.OMA
Fragments: 26 Size: 6.16 MB (6,455,136 bytes)

File: \PHOTOS\ALBERTO\CURRAB~1\IMG_0855.JPG
Fragments: 26 Size: 1.17 MB (1,224,532 bytes)

File: \DEPROD~1\ADOBES~1\ADOBEP~1.ZIP
Fragments: 24 Size: 151.56 MB (158,917,352 bytes)

File: \DEPROM~1\TECKTO~1\HI-MD2~1\036-20~1.OMA
Fragments: 23 Size: 5.42 MB (5,687,328 bytes)

File: \DEPROM~1\PRINCE\THEVER~1\06PURP~1.MP3
Fragments: 22 Size: 11.92 MB (12,498,995 bytes)

File: \PHOTOS\ALBERTO\CURRAB~1\IMG_0893.JPG
Fragments: 22 Size: 746.25 KB (764,157 bytes)

File: \DEPROM~1\2PAC\02SEXY~1.PK
Fragments: 22 Size: 602.62 KB (617,080 bytes)

File: \DEPROD~1\ADOBES~1\FLASHM~1\FLASHP~1\FLASHP~1\FLASH_~1.ZIP
Fragments: 21 Size: 16.10 MB (16,879,466 bytes)

File: \DEPROM~1\COMPIL~1\UNIVER~2\2-10BO~1.MP3
Fragments: 21 Size: 8.46 MB (8,874,650 bytes)

File: \DEPROM~1\GREENS~1\PLEETCH\11DOTS~1.MP3
Fragments: 21 Size: 7.36 MB (7,712,285 bytes)

File: \LIT_OC~1\OC_200~1\DISCOU~1\TIMBER~2.DOC
Fragments: 20 Size: 3.36 MB (3,525,632 bytes)

File: \MSC\PROJECT\PROGRE~1\~WRL2835.TMP
Fragments: 20 Size: 1.24 MB (1,302,016 bytes)

File: \PHOTOS\THUMBS.DB
Fragments: 20 Size: 620.00 KB (634,880 bytes)

File: \DEPROM~1\COMPIL~1\SINGLE~1\1-03LE~1.MP3
Fragments: 19 Size: 7.01 MB (7,351,238 bytes)

File: \DEPROD~1\MICROS~1\OFFICE\M9561403.CAB
Fragments: 19 Size: 3.40 MB (3,563,686 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010210.JPG
Fragments: 19 Size: 2.64 MB (2,764,305 bytes)

File: \DEPROM~1\DFA\DFACOM~1\10LCDS~1.MP3
Fragments: 18 Size: 12.94 MB (13,572,139 bytes)

File: \DEPROD~1\MICROS~1\OFFICE\L2561403.CAB
Fragments: 18 Size: 10.14 MB (10,629,703 bytes)

File: \DEPROM~1\DEATHI~1\MILKIT~1\2-02HA~1.MP3
Fragments: 18 Size: 7.42 MB (7,785,092 bytes)

File: \DEPROM~1\BASEME~2\ROOTY\08GETM~1.MP3
Fragments: 18 Size: 6.64 MB (6,958,080 bytes)

File: \SD4\RESEAR~1\THESIS\SY971C~1.DOC
Fragments: 18 Size: 3.42 MB (3,590,656 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010193.JPG
Fragments: 18 Size: 2.35 MB (2,461,198 bytes)

File: \DEPROM~1\UCIEF\UNKNOW~1\002-20~1.MP3
Fragments: 17 Size: 41.83 MB (43,861,509 bytes)

File: \DEPROM~1\COMPIL~1\TOURIST\2-03RO~1.MP3
Fragments: 17 Size: 11.60 MB (12,164,217 bytes)

File: \DEPROM~1\CANNED~1\ONTHER~1\01ONTH~1.MP3
Fragments: 17 Size: 6.79 MB (7,114,838 bytes)

File: \DEPROM~1\GREENS~1\PLEETCH\10GETI~1.MP3
Fragments: 17 Size: 6.19 MB (6,495,398 bytes)

File: \DEPROM~1\TECKTO~1\STARTL~1\003-20~1.MP3
Fragments: 16 Size: 31.74 MB (33,283,830 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010237.JPG
Fragments: 16 Size: 2.48 MB (2,601,264 bytes)

File: \PHOTOS\ALBERTO\CURRAB~1\IMG_0854.JPG
Fragments: 16 Size: 1.12 MB (1,169,421 bytes)

File: \PHOTOS\OCXMAS~1\IMG_2433.JPG
Fragments: 16 Size: 829.76 KB (849,677 bytes)

File: \DEPROM~1\UCIEF\UNKNOW~1\008-20~1.MP3
Fragments: 15 Size: 39.32 MB (41,227,740 bytes)

File: \DEPROM~1\QUEENS~1\RATEDR~1\12ITHI~1.MP3
Fragments: 15 Size: 11.91 MB (12,490,235 bytes)

File: \DEPROM~1\DOTALL~1\DANCEA~1\08WERE~2.MP3
Fragments: 15 Size: 7.45 MB (7,811,343 bytes)

File: \DEPROM~1\TECKTO~1\010-20~1.WAV
Fragments: 14 Size: 48.98 MB (51,355,692 bytes)

File: \DEPROD~1\MICROS~1\OFFICE\M3561404.CAB
Fragments: 14 Size: 5.04 MB (5,279,842 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010192.JPG
Fragments: 14 Size: 2.29 MB (2,403,534 bytes)

File: \DEPROM~1\UNKNOW~1\UNKNOW~1\02MIXE~1.MP3
Fragments: 13 Size: 16.74 MB (17,554,514 bytes)

File: \DEPROM~1\DJSNEA~1\HOUSEK~1\04FIXM~1.MP3
Fragments: 13 Size: 4.69 MB (4,913,613 bytes)

File: \DEPROM~1\TECKTO~1\HI-MD2~2\008-20~1.OMA
Fragments: 12 Size: 52.49 MB (55,039,824 bytes)

File: \DEPROD~1\MICROS~1\OFFICE\IU561401.CAB
Fragments: 12 Size: 13.02 MB (13,650,283 bytes)

File: \DEPROM~1\COMPIL~1\UNIVER~2\2-08SY~1.MP3
Fragments: 12 Size: 8.44 MB (8,852,718 bytes)

File: \DEPROM~1\QUEENS~1\RATEDR~1\05BETT~1.MP3
Fragments: 12 Size: 8.00 MB (8,384,417 bytes)

File: \DEPROM~1\DEATHI~1\MILKIT~1\2-01AI~1.MP3
Fragments: 12 Size: 7.27 MB (7,623,979 bytes)

File: \DEPROM~1\COMPIL~1\UNIVER~2\2-09RO~1.MP3
Fragments: 12 Size: 6.20 MB (6,496,049 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010209.JPG
Fragments: 12 Size: 2.43 MB (2,548,293 bytes)

File: \DEPROM~1\PRINCE\THEVER~1\17MONE~1.MP3
Fragments: 11 Size: 6.58 MB (6,899,831 bytes)

File: \DEPROD~1\MICROS~1\PROJECT\PRJPROE.MSI
Fragments: 11 Size: 2.04 MB (2,141,696 bytes)

File: \DEPROM~1\UNKNOW~1\UNKNOW~1\NICKWA~2.MP3
Fragments: 10 Size: 104.01 MB (109,061,222 bytes)

File: \DEPROD~1\ITUNES\ITUNES~1\ITUNES~1.EXE
Fragments: 10 Size: 47.37 MB (49,673,528 bytes)

File: \DEPROM~1\UNKNOW~1\STINGA~1\12BRAN~1.MP3
Fragments: 10 Size: 7.29 MB (7,647,659 bytes)

File: \DEPROD~1\MICROS~1\PROJECT\PR308242.CAB
Fragments: 10 Size: 7.29 MB (7,645,762 bytes)

File: \DEPROM~1\GREENS~1\PLEETCH\07KEEP~1.MP3
Fragments: 10 Size: 6.49 MB (6,806,365 bytes)

File: \DEPROM~1\COMPIL~1\UNIVER~2\2-07DE~1.MP3
Fragments: 10 Size: 6.08 MB (6,371,308 bytes)

File: \DEPROM~1\COMPIL~1\COSMOS~2\1-02CR~1.MP3
Fragments: 10 Size: 5.97 MB (6,262,871 bytes)

File: \DEPROM~1\PRINCE\THEVER~1\16DIAM~1.MP3
Fragments: 10 Size: 5.95 MB (6,244,046 bytes)

File: \DEPROM~1\EUMIRD~1\UNKNOW~1\UNCLEF~1.MP3
Fragments: 10 Size: 5.89 MB (6,175,936 bytes)

File: \DEPROM~1\QUEENS~1\RATEDR~1\08INTH~1.MP3
Fragments: 10 Size: 5.29 MB (5,547,499 bytes)

File: \DEPROM~1\VANESS~1\UNKNOW~1\TANDEM.MP3
Fragments: 10 Size: 4.77 MB (4,996,936 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010248.JPG
Fragments: 10 Size: 2.60 MB (2,728,567 bytes)

File: \PHOTOS\ALBERTO\POLISH~1\P1010208.JPG
Fragments: 10 Size: 2.50 MB (2,626,357 bytes)

pskelley
2007-08-06, 16:56
I asked for a link to the diagnostic report, not what you posted. Look at the tutorial I provided: http://www.pcpitstop.com/techexpress/howto1.asp
I am looking for the "TechExpress link for your current results".

Once you post that link, let's run a good online scan to see what it shows:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next, click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

fluorescent
2007-08-07, 14:24
Hi,

Apologies for the delay, as the Kaspersky test took over 5 hours; the log is hereunder. The link to the PC Pitstop test is here also: http://www.pcpitstop.com/pcpitstop/detailedsummary.asp

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 07, 2007 12:53:03 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/08/2007
Kaspersky Anti-Virus database records: 352893
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 89681
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 05:24:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc_0.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\035da951cbf67f1644d5ca4f985eaeeb_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1117bf79309f51cc1bf770f6fc16db31_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\175f3a91fc57cfd446e199cdba3cdf67_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2750e202083186401e247624aa015c60_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2d4c7f647368b36b3f014c3681a42d7f_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\306a2b29b397c8c8aab2fdb7daa13d9c_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3127dcdad368673dc452960fb9ed3f29_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3bd6096dbeb7b76d347007468682e04a_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5d6ff1aeaffa60c6b31d14319abc90de_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\842c593f3e3f96bf7e003d78fb26e0c3_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\87259e64a8adc360f4554f6fbf8de557_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ab9b37d9b3e5607b22f7d5f14e5eed15_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b09ba8c0f6dbb54e67e9d29d373cb1bb_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bed15599d1addea8b40d012d28617911_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ccb11fc3cff5a4007341c596a3d3fc65_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e16812c1a3e1bcdb5242384a20e1bcde_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ebc85ea2c22c06f3d0034bf86541e87c_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fd04dbafab10f84b762fd003aa01ae5e_b5c28b0d-296f-436c-9638-bd78452c32e8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Home\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Home\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Home\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Home\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Home\Local Settings\Temp\~DF57C.tmp Object is locked skipped
C:\Documents and Settings\Home\Local Settings\Temp\~DF589.tmp Object is locked skipped
C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Home\ntuser.dat Object is locked skipped
C:\Documents and Settings\Home\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{775FFF70-4A8C-4500-908D-3C34DBEB11D5}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{83021AC3-086F-4B77-ACCD-1BD7C9AB211E}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.ilg Object is locked skipped
C:\Program Files\PeerGuardian2\history.db Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46848F25-FBC6-4C02-908C-22025BE56C8F}\RP1\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_77c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
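The report above is the scanner's own output. As an added example (not code from this thread or from Kaspersky), here is a small Python parser for that report layout: it reads the "Scan Statistics:" block, classifies every "Object is locked skipped" line by what the locked file holds (registry hives, CryptoAPI machine keys, event logs), collects any "Infected:" lines, and lists the caveats a reviewer should attach to a "clean" headline. The embedded sample report is constructed in the scanner's layout; its locked paths mirror the kinds of entries in the posted log, and the EICAR test-file line is made up so the infected branch runs.

```python
"""Summarise a Kaspersky Online Scanner text report (added example, not the
thread's or Kaspersky's code). Assumes only the line shapes visible in the
posted report: "Key: value" statistics and "<path> <verdict> <action>" lines."""
import re
from collections import Counter

# Constructed sample in the scanner's layout. The locked entries mirror the
# kinds of paths in the posted log; the EICAR line is made up so the
# infected-object branch is exercised (EICAR is the harmless AV test file).
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 89681
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 05:24:44

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Home\ntuser.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0000_placeholder Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\Program Files\PeerGuardian2\history.db Object is locked skipped
C:\Documents and Settings\Home\Local Settings\Temp\eicar.com Infected: EICAR-Test-File skipped

Scan process completed.
"""

# One object line: drive-letter path, verdict, then the action taken.
OBJECT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<verdict>Object is locked|Password-protected|(?:Infected|Suspicious): (?P<name>\S+))"
    r" (?P<action>skipped|deleted|disinfected|quarantined)$"
)

# Locked objects are the places a live-system scan could not look into at all.
LOCKED_CATEGORIES = [
    ("registry hive", re.compile(
        r"\\system32\\config\\(sam|security|software|system|default)(\.log)?$"
        r"|\\(ntuser|usrclass)\.dat(\.log)?$", re.I)),
    ("CryptoAPI machine keys", re.compile(r"\\Crypto\\RSA\\MachineKeys\\", re.I)),
    ("event log", re.compile(r"\.evt$", re.I)),
]

def classify_locked(path):
    """Map a locked path to the category of system data it holds."""
    for label, pattern in LOCKED_CATEGORIES:
        if pattern.search(path):
            return label
    return "other"

def _count(value):
    """'0 / 0' -> 0; '89681' -> 89681."""
    return int(value.split()[0])

def summarize(report_text):
    """Parse the statistics block and every object line into one dict."""
    stats, infected, locked = {}, [], Counter()
    in_stats = False
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "Scan Statistics:":
            in_stats = True
            continue
        if in_stats:
            if not line:  # a blank line ends the statistics block
                in_stats = False
                continue
            key, _, value = line.partition(": ")
            stats[key] = value
            continue
        m = OBJECT_RE.match(line)
        if not m:
            continue
        if m.group("verdict") == "Object is locked":
            locked[classify_locked(m.group("path"))] += 1
        elif m.group("name"):
            infected.append((m.group("path"), m.group("name"), m.group("action")))
    return {
        "scanned": _count(stats.get("Total number of scanned objects", "0")),
        "viruses_found": _count(stats.get("Number of viruses found", "0")),
        "infected_objects": _count(stats.get("Number of infected objects", "0")),
        "suspicious": _count(stats.get("Number of suspicious objects", "0")),
        "duration": stats.get("Duration of the scan process", ""),
        "infected": infected,
        "locked": dict(locked),
    }

def caveats(summary):
    """Reasons not to read a 'clean' headline at face value."""
    notes = []
    if summary["infected_objects"] != len(summary["infected"]):
        notes.append("statistics and object lines disagree on infected count")
    if summary["locked"].get("registry hive"):
        notes.append("registry hives were locked: not inspected by this scan")
    for path, name, action in summary["infected"]:
        if action == "skipped":
            notes.append("detected but not removed: %s (%s)" % (path, name))
    return notes
```

Run `summarize(SAMPLE_REPORT)` and then `caveats(...)` on the result; on the real report posted above the infected list is empty, but the locked registry hives, event logs and machine-key files are still reported as unscanned, which is the point the "0 viruses found" line does not convey on its own.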

fluorescent
2007-08-07, 14:43
I noticed the previous PC Pitstop link was not working so I am posting it here again

http://www.pcpitstop.com/techexpress.asp?id=W3XRHWGCDZVSECRW

This link has been tested at time of posting and is working!

pskelley
2007-08-07, 14:53
Thanks. First, the link you are providing is worthless; click it to see.
Next, Kaspersky, which is one of the best scans available, says you are clean. We can run more scans, but I think you would be wasting your time. Have you posted in the Spybot S&D forum to see if they can suggest a reason for the Spybot problems?
http://forums.spybot.info/forumdisplay.php?f=4

I was hoping, even though it is not my area, that the diagnostic report might show something to help me better direct you. I am believing more and more that your issue is not malware related, but either hardware or even software related.
See if you can post a link to that report. I am not sure it will help, but I am out of ideas.

Post a new HJT log so I can take one last look also.

Oops, just saw your addon and this is what I see:
http://www.pcpitstop.com/pcpitstop/Summary.asp?TechExpress=W3XRHWGCDZVSECRW

You have minor issues with your Disk, Internet and Windows. Click those links and follow through with the advice given.

You have a major issue with Video. Make sure to read all information and click through all links like this: • Unusually low video performance. A new driver may fix your problems. This is not my area and if you wish me to look for a good free forum where you can ask questions about these issues, let me know and I will see what I can find.

Thanks

fluorescent
2007-08-07, 21:48
Hi,

I followed the main recommendations from the PC Pitstop report:

1. Defragmented the C drive.
2. Installed the newest driver for the graphics card.
3. Uninstalled the programs for which lookup references could not be found (free proxy).
4. Shutdown services which would aid spyware (telnet).
5. Removed encryption programs such as Folder Lock (I think generated the ComboFix disk errors).
6. Disabled paging file via system control panel (supposed to enhance performance) ?
7. Disabled fonts with smooth edges via system control panel (supposed to enhance performance) ?

The system is still running slow, but two strange occurrences keep pointing me back to the possibility of a spyware / stealth infection. My local router had its settings tampered with yesterday, and my ISP stated that they had noted a high volume of resets on the router over the past few days. This resulted in a loss of internet connection until I reset the router with the correct settings! Also, when I attempt to log on to this SpyBot S&D malware forum, I cannot with the system under investigation, but can log in fine with another PC using the same router.

Anyway it’s just all very frustrating but I do really appreciate your help and please find both ComboFix and HJT logs hereunder.

I just took a look through the system processes in msconfig one last time and there are a few which I do not recognise and are in the attached image.



ComboFix 07-07-30.2 - "Home" 2007-08-07 20:06:57.7 [GMT 1:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 16:35 <DIR> d-------- C:\Program Files\X20,25,50_MS Drv_WinXP
2007-08-07 16:35 <DIR> d-------- C:\Program Files\X20,25,50_440x LAN_WinXP
2007-08-07 16:04 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2007-08-07 15:54 57,344 --a------ C:\WINDOWS\system32\igxprd32.dll
2007-08-07 15:54 5,672,032 --a------ C:\WINDOWS\system32\drivers\igxpmp32.sys
2007-08-07 15:54 389,120 --a------ C:\WINDOWS\system32\igxpun.exe
2007-08-07 15:54 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
2007-08-07 15:54 204,800 --a------ C:\WINDOWS\system32\igfxCoIn_v4764.dll
2007-08-07 15:54 2,482,688 --a------ C:\WINDOWS\system32\igxpdx32.dll
2007-08-07 15:54 149,504 --a------ C:\WINDOWS\system32\igxpgd32.dll
2007-08-07 15:54 1,563,776 --a------ C:\WINDOWS\system32\igxpdv32.dll
2007-08-07 15:54 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-08-07 15:53 <DIR> d-------- C:\Intel
2007-08-07 15:02 <DIR> d-------- C:\Program Files\Intel Corporation
2007-08-07 14:18 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-08-06 19:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-06 14:01 <DIR> d-------- C:\Program Files\PCPitstop
2007-08-05 10:43 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 03:10 <DIR> d-------- C:\Program Files\Kerio
2007-08-01 18:14 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\Comodo
2007-08-01 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-08-01 18:07 <DIR> d-------- C:\Program Files\Comodo
2007-08-01 15:37 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-07-31 21:08 92,160 --a------ C:\WINDOWS\system32\evntwin.exe
2007-07-31 21:08 8,704 --a------ C:\WINDOWS\system32\snmptrap.exe
2007-07-31 21:08 6,144 --a------ C:\WINDOWS\system32\snmpmib.dll
2007-07-31 21:08 39,936 --a------ C:\WINDOWS\system32\hostmib.dll
2007-07-31 21:08 33,792 --a------ C:\WINDOWS\system32\lmmib2.dll
2007-07-31 21:08 33,280 --a------ C:\WINDOWS\system32\snmp.exe
2007-07-31 21:08 24,064 --a------ C:\WINDOWS\system32\evntcmd.exe
2007-07-31 21:08 101,888 --a------ C:\WINDOWS\system32\evntagnt.dll
2007-07-31 21:06 <DIR> d-------- C:\Program Files\Support Tools
2007-07-18 12:11 4,096 --a------ C:\WINDOWS\system32\sysres.dll
2007-07-18 12:11 38,567 --a------ C:\WINDOWS\system32\pcpbios.exe
2007-07-11 20:31 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-07-11 15:32 <DIR> d-------- C:\Program Files\Proxymizer
2007-07-11 13:55 <DIR> d-------- C:\Program Files\WinPcap
2007-07-11 13:54 <DIR> d-------- C:\Program Files\Wireshark
2007-07-10 15:01 <DIR> d-------- C:\Program Files\SocksCap32
2007-07-10 15:00 299,520 --a------ C:\WINDOWS\uninst.exe
2007-07-10 14:59 <DIR> d-------- C:\DOCUME~1\Home\WINDOWS
2007-07-09 13:05 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\dvdcss
2007-07-09 13:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AVS4YOU
2007-07-09 12:59 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-07-09 12:59 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-09 12:59 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-07-09 12:59 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-07-09 12:59 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-07-09 12:59 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-09 12:59 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-07-09 12:59 <DIR> d-------- C:\Program Files\AVS4YOU
2007-07-09 12:52 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\vlc
2007-07-09 12:47 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-09 11:53 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-07-09 10:56 <DIR> d-------- C:\DOCUME~1\Home\APPLIC~1\DivX
2007-07-09 10:55 <DIR> d-------- C:\Program Files\DivX
2007-07-09 10:44 <DIR> d-------- C:\Program Files\DECCHECK


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 19:46 --------- d-------- C:\Program Files\QuickTime
2007-08-06 18:49 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-06 18:48 --------- d-------- C:\Program Files\Folder Lock
2007-08-05 14:33 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-01 15:36 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-11 15:03 --------- d-------- C:\DOCUME~1\Home\APPLIC~1\Wireshark
2007-07-09 12:38 --------- d-------- C:\Program Files\Tansee iPod Transfer
2007-07-09 12:37 --------- d-------- C:\Program Files\WindSolutions
2007-07-09 12:27 --------- d-------- C:\DOCUME~1\Home\APPLIC~1\Apple Computer
2007-07-03 16:41 --------- d-------- C:\Program Files\Red Chair Software
2007-07-03 16:40 --------- d-------- C:\DOCUME~1\Home\APPLIC~1\iCloner
2007-06-29 01:01 88696 --a------ C:\WINDOWS\system32\Packet.dll
2007-06-29 01:01 68224 --a------ C:\WINDOWS\system32\WanPacket.dll
2007-06-29 01:01 53299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2007-06-29 01:01 42512 --a------ C:\WINDOWS\system32\drivers\npf.sys
2007-06-29 01:01 240240 --a------ C:\WINDOWS\system32\wpcap.dll
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 10:40]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 10:38]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 13:33]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-07-07 14:56]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-05-26 00:46]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-07-31 17:07]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 22:38 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-26 22:34:41]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)

R0 R592;R592;C:\WINDOWS\system32\DRIVERS\R592.sys
R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\system32\DRIVERS\sbp2port.sys
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys
S2 windrvNT;windrvNT;\??\C:\WINDOWS\system32\windrvNT.sys
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
S3 NETMDUSB;Net MD;C:\WINDOWS\system32\Drivers\NETMD033.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 PD0620VID;Creative WebCam Instant;C:\WINDOWS\system32\DRIVERS\P0620Vid.sys
S3 pgfilter;pgfilter;\??\C:\Program Files\PeerGuardian2\pgfilter.sys
S3 sffdisk;SFF Storage Class Driver;C:\WINDOWS\system32\DRIVERS\sffdisk.sys
S3 sffp_sd;SFF Storage Protocol Driver for SDBus;C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe
S3 TVICHW32;TVICHW32;\??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 20:16:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-07 20:20:18
C:\ComboFix2.txt ... 2007-08-07 18:40
C:\ComboFix3.txt ... 2007-08-06 10:34

--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:05:54, on 07/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\DeproDownloads\Security\Trend Micro HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = depromoos:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182851031140
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9A88A5D-74B7-4040-8B56-AB324BF64478}: NameServer = 212.104.130.9,212.104.130.65
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 7779 bytes

pskelley
2007-08-07, 22:22
Has me puzzled, please run another diagnostic and let me see how it has improved.

So you have two operating systems installed on this computer, XP and Linux?

Use Google to find out what those services are: http://www.google.com/ search for InstallDriver Table Manager =
http://www.google.com/search?hl=en&q=InstallDriver+Table+Manager&btnG=Google+Search

Tell me what this is: R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = depromoos:8080

Kaspersky shows nothing, ComboFix shows nothing and the HJT log shows nothing.

Please run this rootkit scan:
Click here to download AVG Anti Rootkit and save it to your desktop.
http://free.grisoft.com/softw/70free/setup/avgarkt-setup-1.1.0.42.exe
Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
Click "I Agree" to agree to the EULA.
By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
Click "Next" to begin the installation then click "Install".
It will then ask you to reboot now to finish the installation.
Click "Finish" and your computer will reboot.
After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
Click on the "Perform in-depth search" button to begin the scan.
The scan will take a while so be patient and let it complete.
When the scan is finished, click the "Save result to file" button.
Save the scan results to your desktop then come back here to copy
and paste the results in your next reply to this thread.

You can remove combofix from your computer. Let's take a look with Smitfraudfix, follow the instructions exactly:
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post the link to the diagnostic results, any information I requested, the AVG Anti Rootkit scan results and the C:\rapport.txt from Smitfraudfix.

Thanks

fluorescent
2007-08-08, 13:44
Hi again,

The first thing to mention is that the XP system was crashing out with more BSOD stop errors. This occurred when I unplugged a USB device. I checked the system log files which recommended doing a system disk error check on the C drive. Since completing the disk error check the system is running faster and less volatile.

PC Pitstop I think only allows one scan per day as once a new day commenced the option to rescan was offered once more. The results from this second scan are very good and the link can be found here http://www.pcpitstop.com/techexpress.asp?id=B7TRHWGCDZVSUMRW


The AVG AntiRootkit application link which you pointed me to was for version 1.1.0.42, which I downloaded, and it found no rootkits but would not let me save a report. I then searched for Beta versions. I found the Beta version 1.0.0.13 at http://beta.grisoft.cz/beta/betarep.files/antirootkit/AVG_AntiRootkit_1.0.0.13.exe. But again it would not let me save a report, and I ran it twice to be sure – it found no threats either!

The R1 entry in the previous HJT log was for the localhost to connect via the FreeProxy application which has now been removed. The current HJT log is hereunder.

All of the previous msconfig services which were posted in a previous image attachment have proven to be valid - no threat to the system.

SmitFraudFix report is also here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:27, on 08/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\DeproDownloads\Security\Trend Micro HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182851031140
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C5D209A-EF82-4B51-B51D-F00BC62C5A1F}: NameServer = 212.104.130.9,212.104.130.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9A88A5D-74B7-4040-8B56-AB324BF64478}: NameServer = 212.104.130.9,212.104.130.65
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 7712 bytes



SmitFraudFix v2.210

Scan done at 11:55:41.46, 08/08/2007
Run from D:\DeproDownloads\Security\Spyware\SmitFraudFix v2.210\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Home\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 212.104.130.9
DNS Server Search Order: 212.104.130.65

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7C5D209A-EF82-4B51-B51D-F00BC62C5A1F}: NameServer=212.104.130.9,212.104.130.65
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E9A88A5D-74B7-4040-8B56-AB324BF64478}: NameServer=212.104.130.9,212.104.130.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E9A88A5D-74B7-4040-8B56-AB324BF64478}: DhcpNameServer=83.147.160.146 83.147.160.3 83.147.160.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7C5D209A-EF82-4B51-B51D-F00BC62C5A1F}: NameServer=212.104.130.9,212.104.130.65
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E9A88A5D-74B7-4040-8B56-AB324BF64478}: NameServer=212.104.130.9,212.104.130.65
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E9A88A5D-74B7-4040-8B56-AB324BF64478}: NameServer=212.104.130.9,212.104.130.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=83.147.160.146 83.147.160.3 83.147.160.2


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
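An added example, not part of this thread and not code from SmitFraudFix: the DNS section above is the part of the report that matters most for security, because DNS-changer malware works by writing its own resolvers into the NameServer values, which is why the helper asks further down whether the listed address really belongs to the ISP. The small Python checker here reads a SmitFraudFix-style DNS section, separates hand-set NameServer entries from the DhcpNameServer list the network handed out, and reports any static resolver that neither came from DHCP nor is on a trusted list. The sample section, its adapter name, registry GUIDs and addresses (RFC 5737 documentation ranges) are constructed, and parse_dns_section, is_current_control_set and audit_dns are names chosen for this example.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of a SmitFraudFix "DNS" section. It is not
# the log posted in this thread: the adapter name and registry GUIDs are made
# up, and the addresses come from the RFC 5737 documentation ranges.
SAMPLE_DNS_SECTION = r"""
Description: Example Wireless Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.0.2.9
DNS Server Search Order: 192.0.2.65

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000001}: NameServer=192.0.2.9,192.0.2.65
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BBBBBBBB-0000-0000-0000-000000000002}: NameServer=203.0.113.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BBBBBBBB-0000-0000-0000-000000000002}: DhcpNameServer=198.51.100.146 198.51.100.3
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=198.51.100.146 198.51.100.3
"""

# One registry line of the DNS section: "<key>: NameServer=<list>" for a
# hand-configured resolver list, "<key>: DhcpNameServer=<list>" for the list
# the DHCP server handed out. SmitFraudFix separates addresses with "," or " ".
ENTRY_RE = re.compile(r"^(?P<key>HKLM\\[^:]+):\s*(?P<dhcp>Dhcp)?NameServer=(?P<value>.*)$")


def parse_dns_section(text):
    """Return (static, dhcp).

    static maps each registry key carrying a hand-set NameServer value to its
    list of addresses; dhcp is the set of addresses seen in DhcpNameServer
    values, i.e. what the network actually handed out.
    """
    static = {}
    dhcp = set()
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        addrs = [a for a in re.split(r"[,\s]+", m.group("value")) if a]
        if m.group("dhcp"):
            dhcp.update(addrs)
        else:
            static[m.group("key")] = addrs
    return static, dhcp


def is_current_control_set(key):
    """True for keys under CCS (the live configuration); CS1/CS2/CS3 are
    saved copies from earlier boots and may hold stale values."""
    return "\\CCS\\" in key


def audit_dns(text, trusted=(), current_only=True):
    """Flag hand-set resolver addresses that neither came from DHCP nor are on
    the caller's trusted list (for example the ISP's published resolvers).

    Returns a list of (registry_key, address, reason) tuples; an empty list
    means every static resolver is accounted for.
    """
    static, dhcp = parse_dns_section(text)
    expected = set(trusted) | dhcp
    findings = []
    for key, addrs in static.items():
        if current_only and not is_current_control_set(key):
            continue
        for addr in addrs:
            try:
                ip_address(addr)
            except ValueError:
                findings.append((key, addr, "value is not an IP address"))
                continue
            if addr not in expected:
                findings.append((key, addr, "static resolver not issued by DHCP and not on the trusted list"))
    return findings


if __name__ == "__main__":
    # The two 192.0.2.x resolvers are treated as the ISP's known servers;
    # only the odd one out on the second adapter should be reported.
    for key, addr, reason in audit_dns(SAMPLE_DNS_SECTION, trusted={"192.0.2.9", "192.0.2.65"}):
        print(f"{addr:<16} {reason}\n    {key}")
```

A static NameServer that differs from the DHCP-issued list is not proof of infection; people set their ISP's or a public resolver by hand all the time. The point of the trusted list is to make that decision explicit: confirm the address with a whois lookup of the kind suggested in the reply below, add it to the list, and anything still reported is worth a closer look.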

pskelley
2007-08-08, 15:04
Could you please post all errors "word for word"? I don't know that it will help, but I cannot use them any other way.

I am thinking more and more that you may want to consider a fresh install of your operating system. Something may be corrupt and I am just not qualified to help you with this.
http://www.google.com/search?hl=en&q=reinstall+windows+XP&btnG=Google+Search
I think we have just about beat all of my ideas to death, not that I won't continue, it is just because of my limited knowledge in this area I am really doing you a disservice. If I have not already done so, just ask and I will point you towards folks very knowledgeable with Operating System issues.

I think you said you did defrag, I will suggest you do this:
Start > MyComputer > C:\ > Right Click and choose Properties > click the Tools tab.
I suggest you first run Error-checking. I can tell you it will say it cannot do it but would you like to do it the next time you start the computer. Tell it yes. Be prepared for a long maintenance period; it can take a couple of hours for this to complete.

Once that is done, restart your computer in SAFE MODE: http://spyware-free.us/tutorials/safemode/
and defrag again; it will do a much better job when nothing is running but a few drivers.

Smitfraudfix is clean, remove the tool from your computer.

As is the HJT log, I may have asked before, but assure me this is your valid IP:
http://whois.domaintools.com/212.104.130.9

This occurred when I unplugged a USB device <<< could you have a bad device there?

Thanks

fluorescent
2007-08-08, 15:31
The BSOD stop errors were:

0x0000000a IRQL_NOT_LESS_OR_EQUAL occurred after unplugging a USB device. This device works fine with another PC and is currently working fine with the system under scrutiny.

0x000000c4 occurred when shutting down on another occasion. Cannot think why this error occurred.

I did run the chkdsk error program which seems to have improved the system performance i.e. the choppy mouse movements no longer occurs and the system responds immediately to user requests rather than taking 5 to 10 seconds. And the BSOD errors no longer occur.

Yes I do have Linux also installed on the same machine but it has a separate partition which XP cannot access.

Yes the Whois IP refers to my ISP provider.

And no, you’re not doing me a disservice; actually, to the contrary, things are improving substantially with the system. I am currently running chkdsk and the disk defragger on both discs and will do the same in safe mode afterwards.

One last thing, I still cannot figure out why logging on to this forum with the PC in question is not working. Maybe it has something to do with IExplorer settings?

Right so, once these tests are finished I will get back to you. Thanks again for the prompt and excellent advice!

pskelley
2007-08-08, 15:50
Thanks for the feedback, for logon issues you would have to contact admin: http://www.spybot.info/en/contact/index.html
We volunteer our time gladly but do not work for Spybot S&D.

http://www.updatexp.com/stop-messages.html
http://support.microsoft.com/kb/311564
http://www.smartcomputing.com/techsupport/detail.aspx?guid=&ErrorID=21131
http://www.google.com/search?hl=en&q=0x0000000a+IRQL_NOT_LESS_OR_EQUAL+&btnG=Google+Search

Hope that helps.

fluorescent
2007-08-09, 17:16
Hi,

Just spent the day testing the system with a media player, web browser, email client and word processor all on the go at the same time and the system is flying. This is quite amazing as only two days ago I thought we were facing a losing battle.

To revise the primary points which cumulatively helped resolve a limping XP Pro system:

System Services:

I restored previously shutdown services as sometimes due to dependencies this can cause applications or other processes to become volatile.

Encryption Programs:

There were two installed on the system and these were causing conflict with the spyware scanners, as there is an online article pointing to where the Trend Micro scanner crashed out systems when the Folder Lock encryption program was installed.

Firewalls:

Currently using Jetico and it seems to be running okay but not as GUI friendly as the Comodo, PC Tools or Zone Alarm firewalls. Comodo could not detect the PC’s internet connections / adapters and I tried hard to find a resolve on their online forums but to no avail. The ZoneAlarm version that I had installed didn't offer the option to create port rules. PC Tools firewall had a file which was recognised as spyware / malware and their tech team have not come back with a reply to date as per link http://www.pctools.com/forum/showthread.php?p=169102#post169102
Kerio firewall had files which were coming back as malware suspect also. This is why I removed these two latter firewalls, but I do think if Comodo was system compatible, it is currently offering the best freeware firewall protection.

PC Pitstop:

A very big shout out to these guys who really have an excellent service, but from what I can see only one scan per day is possible with an individual system. Their test pinpointed system errors and conflicts that were not otherwise detected. The errors identified in red were resolved by installing new system graphic drivers.

XP Tools:

BSOD (Blue Screen of Death): without this XP option a resolve would not have been found, as this is an excellent debugging tool and simple to set under the System applet in the Control Panel. Using the verifier.exe tool also helped to identify corrupt drivers. The chkdsk and disk defragmenter tools also sorted out major issues.

Uninstalling software which was not in use or where it was showing as having missing files or potential malware files was also an important step, even though, as pskelley has already pointed out, sometimes files get misdiagnosed when they are actually legitimate.

Also the online virus and rootkit scanners and application tools like HJT, ComboFix and SmitFraudFix, to mention but a few, have all combined to achieve a resolve with this XP system.

This issue has been resolved through perseverance, excellent supervision and advice that was all offered in this Spybot forum via pskelley, who I would like to say a very big thank you to. Take care amigo!

fluorescent
2007-08-09, 17:33
Hi,

Just spent the day testing the system with a media player, web browser, email client and word processor all on the go at the same time and the system is flying. This is quite amazing as only two days ago I thought we were facing a losing battle.

To revise the primary points which cumulatively helped resolve a limping XP Pro system:

System Services:

I restored previously shut-down services, as sometimes, due to system dependencies, applications or other processes become volatile when services are manually shut down.

Encryption Programs:

There were two installed on the system and these were causing conflict with the spyware scanners, as there is an online article pointing to where the Trend Micro scanner crashed out systems when the Folder Lock encryption program was installed. Also the previous threads will show that there were disk errors at one point; this was resolved after the encryption programs were uninstalled.


Firewalls:

Currently using Jetico and it seems to be running okay but not as GUI friendly as the Comodo, PC Tools or Zone Alarm firewalls. Comodo could not detect the PC’s internet connections / adapters and I tried hard to find a resolve on their online forums but to no avail. The ZoneAlarm version that I had installed didn't offer the option to create port rules. PC Tools firewall had a file which was recognised as spyware / malware and their tech team have not come back with a reply to date as per link http://www.pctools.com/forum/showthread.php?p=169102#post169102
Kerio firewall had files which were coming back as malware suspect also. This is why I removed these two latter firewalls, but I do think if Comodo was system compatible it is potentially offering the best freeware firewall protection.

PC Pitstop:

A very big shout out to these guys who really have an excellent service, but from what I can see only one scan per day is possible with an individual system. Their test pinpointed system errors and conflicts that were otherwise undetected. The errors identified in red were resolved by installing new system graphic card drivers from the Intel web site.

XP Tools:

The BSOD (Blue Screen of Death) XP option is an excellent debugging tool and simple to set up under the System applet in the Control Panel. Using the verifier tool also helped to identify corrupt drivers. The chkdsk and disk defragmenter tools also sorted out major issues. These tools may need to be installed from your XP setup disk, under the support tools file directory.

Uninstalling software which was not in use or where it was showing signs of missing files or potential malware files was also an important step, even though, as pskelley has already pointed out, sometimes files get misdiagnosed when they are actually legitimate. Be careful when removing system files or shutting down system services.

Also the online virus and rootkit scanners and application tools like HJT, ComboFix and SmitFraudFix, to mention but a few, have all combined in achieving this resolve.

This issue has been resolved through perseverance, excellent supervision and advice that was all offered in this Spybot forum via pskelley, who I would like to say a very big thank you to. Take care amigo!

pskelley
2007-08-09, 18:10
Thanks for the feedback. If you have not already done so, this information should be read:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2007-08-18, 02:31
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.