View Full Version : iexplorer.exe at 100% or Firefox.exe at 100%
celluloidheros
2011-08-06, 01:39
Hello, my computer is locking when using a browser. i sure could use some help. thanks.
here is my DDS log.
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_18
Run by djc at 18:27:14 on 2011-08-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.437 [GMT -4:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:1051
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Logitech Utility] Logi_MwX.Exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\djc\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: flashboot.ru\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
TCP: Interfaces\{206B4A61-2D05-47EF-A451-62CE0561ABC9} : NameServer = 24.92.226.40,24.92.226.41
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\djc\application data\mozilla\firefox\profiles\7xv9dzxk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search
FF - prefs.js: browser.search.selectedengine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=
FF - component: c:\documents and settings\djc\application data\mozilla\firefox\profiles\7xv9dzxk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\djc\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [2009-3-8 971232]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2010-2-19 14976]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 TfFsMon;TfFsMon; [x]
S0 TfSysMon;TfSysMon; [x]
S2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 TfNetMon;TfNetMon; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-05 22:13:51 388096 ----a-r- c:\documents and settings\djc\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-31 16:01:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 16:00:57 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-31 16:00:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 18:28:00.35 ===============
Hi,
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
µTorrent
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red). Uninstall Rapidshare auto downloader too. Post fresh dds logs when done.
celluloidheros
2011-08-13, 14:02
Hello, Thanks for the help, I appreciate your time. CH
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_18
Run by djc at 6:48:54 on 2011-08-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.535 [GMT -4:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:1051
uInternet Settings,ProxyOverride = <local>
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: flashboot.ru\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
TCP: Interfaces\{206B4A61-2D05-47EF-A451-62CE0561ABC9} : NameServer = 24.92.226.40,24.92.226.41
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\djc\application data\mozilla\firefox\profiles\7xv9dzxk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search
FF - prefs.js: browser.search.selectedengine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=
FF - plugin: c:\documents and settings\djc\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [2009-3-8 971232]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2010-2-19 14976]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 TfFsMon;TfFsMon; [x]
S0 TfSysMon;TfSysMon; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 TfNetMon;TfNetMon; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-10 07:42:00 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 07:41:51 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-06 09:08:14 -------- d-----w- c:\documents and settings\djc\application data\Pegasys Inc
2011-08-06 08:48:32 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-08-06 08:36:21 -------- d-----w- c:\windows\$regcmp$
2011-08-06 08:34:55 2588 ----a-w- c:\windows\system32\tmp.reg
2011-08-06 08:24:04 78336 ----a-w- c:\windows\system32\Agent.OMZ.Fix.exe
2011-08-06 08:24:03 80384 ----a-w- c:\windows\system32\o4Patch.exe
2011-08-06 08:24:02 82944 ----a-w- c:\windows\system32\IEDFix.C.exe
2011-08-06 08:24:01 87552 ----a-w- c:\windows\system32\VACFix.exe
2011-08-06 08:24:01 82432 ----a-w- c:\windows\system32\404Fix.exe
2011-08-06 08:24:00 82944 ----a-w- c:\windows\system32\IEDFix.exe
2011-08-06 08:23:59 75776 ----a-w- c:\windows\system32\WS2Fix.exe
2011-08-06 08:23:59 289144 ----a-w- c:\windows\system32\VCCLSID.exe
2011-08-06 08:23:58 79360 ----a-w- c:\windows\system32\swxcacls.exe
2011-08-06 08:23:57 51200 ----a-w- c:\windows\system32\dumphive.exe
2011-08-06 08:23:57 288417 ----a-w- c:\windows\system32\SrchSTS.exe
2011-08-06 08:23:56 135168 ----a-w- c:\windows\system32\swreg.exe
2011-08-06 08:23:55 53248 ----a-w- c:\windows\system32\Process.exe
2011-08-06 08:04:49 -------- d-----w- c:\documents and settings\djc\application data\QUAD Backups
2011-08-06 01:10:42 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-06 01:10:42 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-08-06 01:10:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-06 01:10:41 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-06 01:10:41 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-08-06 01:10:41 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-06 01:10:41 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-06 01:10:41 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-06 01:10:41 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-06 01:10:41 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-05 22:13:51 388096 ----a-r- c:\documents and settings\djc\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-31 16:01:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 16:00:57 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-31 16:00:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-16 13:45:30 7040 ----a-w- c:\windows\system32\sabprocenum.sys
.
============= FINISH: 6:50:20.82 ===============
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
celluloidheros
2011-08-14, 07:04
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_18
Run by djc at 23:59:43 on 2011-08-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.474 [GMT -4:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:1051
uInternet Settings,ProxyOverride = <local>
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: flashboot.ru\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
TCP: Interfaces\{206B4A61-2D05-47EF-A451-62CE0561ABC9} : NameServer = 24.92.226.40,24.92.226.41
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\djc\application data\mozilla\firefox\profiles\7xv9dzxk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search
FF - prefs.js: browser.search.selectedengine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [2009-3-8 971232]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2010-2-19 14976]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 TfFsMon;TfFsMon; [x]
S0 TfSysMon;TfSysMon; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 TfNetMon;TfNetMon; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-10 07:42:00 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 07:41:51 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-06 09:08:14 -------- d-----w- c:\documents and settings\djc\application data\Pegasys Inc
2011-08-06 08:48:32 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-08-06 08:36:21 -------- d-----w- c:\windows\$regcmp$
2011-08-06 01:10:42 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-06 01:10:42 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-08-06 01:10:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-06 01:10:41 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-06 01:10:41 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-08-06 01:10:41 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-06 01:10:41 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-06 01:10:41 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-06 01:10:41 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-06 01:10:41 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-05 22:13:51 388096 ----a-r- c:\documents and settings\djc\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-31 16:01:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 16:00:57 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-31 16:00:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-16 13:45:30 7040 ----a-w- c:\windows\system32\sabprocenum.sys
.
============= FINISH: 0:01:35.92 ===============
ComboFix 11-08-14.01 - djc 08/13/2011 23:36:44.21.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.507 [GMT -4:00]
Running from: c:\documents and settings\djc\My Documents\Installed programs\Combofix\Schauber.exe
AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\djc\Application Data\QUAD Backups
c:\documents and settings\djc\Application Data\QUAD Backups\08.06.2011,04-34-46\Automatic.reg
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-14 to 2011-08-14 )))))))))))))))))))))))))))))))
.
.
2011-08-10 07:42 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 07:41 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-06 09:08 . 2011-08-06 09:08 -------- d-----w- c:\documents and settings\djc\Application Data\Pegasys Inc
2011-08-06 08:48 . 2011-08-06 10:34 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-08-06 08:36 . 2011-08-06 08:36 -------- d-----w- c:\windows\$regcmp$
2011-08-06 01:10 . 2011-07-08 07:16 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-06 01:10 . 2011-07-08 07:16 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-08-06 01:10 . 2011-07-08 07:16 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-06 01:10 . 2011-07-08 07:16 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-06 01:10 . 2011-07-08 07:16 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-08-06 01:10 . 2011-07-08 07:16 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-06 01:10 . 2011-07-08 07:16 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-06 01:10 . 2011-07-08 07:16 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-06 01:10 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-06 01:10 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-05 22:25 . 2011-08-05 22:25 -------- d-----w- c:\program files\ERUNT
2011-08-05 22:13 . 2011-08-05 22:13 388096 ----a-r- c:\documents and settings\djc\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-31 16:01 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 16:00 . 2011-07-31 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-31 16:00 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2009-02-07 07:40 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-16 13:45 . 2011-05-16 13:45 7040 ----a-w- c:\windows\system32\sabprocenum.sys
2011-07-08 07:16 . 2011-08-06 01:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-02-19 03:30 . 2010-02-19 03:30 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^djc^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\djc\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-10-13 16:16 165144 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-10-13 16:22 960376 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2002-11-08 10:50 19968 ------w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-11-21 01:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]
2010-02-22 03:05 471650 ----a-w- c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-08-06 08:07 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-22 00:41 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-10-13 16:00 4344472 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
2008-07-24 20:22 450560 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 04:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 03:48 AM 32592]
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [3/8/2009 07:06 PM 971232]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 03:48 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 03:49 AM 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 02:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 02:41 PM 67656]
R2 avgfws;AVG Firewall;c:\program files\AVG\AVG10\avgfws.exe [3/9/2011 07:24 PM 2708024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 05:39 PM 7398752]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 05:33 AM 269520]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2/19/2010 02:04 AM 14976]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [7/24/2008 04:22 PM 102400]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 04:33 AM 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 09:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 09:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 09:42 PM 27216]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 TfFsMon;TfFsMon; [x]
S0 TfSysMon;TfSysMon; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 01:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 02:20 PM 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 04:33 AM 30432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 02:20 PM 135664]
S3 TfNetMon;TfNetMon; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 01:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/14/2009 08:50 PM 685816]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-13 c:\windows\Tasks\AVG PC Tuneup 2011 Integrator Scan and Repair.job
- c:\program files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe [2011-04-01 21:26]
.
2011-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 18:20]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 18:20]
.
2011-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-573735546-725345543-1003Core.job
- c:\documents and settings\djc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 15:48]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-573735546-725345543-1003UA.job
- c:\documents and settings\djc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 15:48]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:1051
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: flashboot.ru\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
TCP: Interfaces\{206B4A61-2D05-47EF-A451-62CE0561ABC9}: NameServer = 24.92.226.40,24.92.226.41
FF - ProfilePath - c:\documents and settings\djc\Application Data\Mozilla\Firefox\Profiles\7xv9dzxk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search
FF - prefs.js: browser.search.selectedengine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-13 23:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,90,9b,90,79,57,39,4c,97,b7,de,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,90,9b,90,79,57,39,4c,97,b7,de,\
.
[HKEY_USERS\S-1-5-21-1275210071-573735546-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9232C35D-9292-D49A-189D-3420934CCCAC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaopkmjigmpgeafnbiamghnkpgdgij"=hex:6a,61,68,6e,6f,68,6e,66,62,6c,66,64,70,68,
6e,70,69,67,65,61,00,00
"naebnccolgllahpndepkajjkhfeg"=hex:69,61,6a,6e,63,6c,61,61,65,6c,6b,61,69,6a,
68,67,66,64,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1592)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-08-13 23:48:55
ComboFix-quarantined-files.txt 2011-08-14 03:48
.
Pre-Run: 52,471,099,392 bytes free
Post-Run: 52,579,041,280 bytes free
.
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 428C228684598565616CB8E956255E3B
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:1051
uInternet Settings,ProxyOverride = <local>
RegNull::
[HKEY_USERS\S-1-5-21-1275210071-573735546-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9232C35D-9292-D49A-189D-3420934CCCAC}*]
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 7 (http://www.oracle.com/technetwork/java/javase/downloads/index.html).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. How's the system running?
celluloidheros
2011-08-15, 00:16
Hi Blade,
First off, thanks for your help, I apreciate it deeply .
The computer is running OK but I think there is still an issue, IE still sometimes runs at 80 to 100 % CPU and seems to lock-up, The other browsers were doing it too.
I updated my Java, ran combofix with the CFScript that you provided.
That MyWebSearch application and Adware.ADON application seem to keep coming back. I do have EAC installed and I wonder if this is causing issues.
Thanks again, CH
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18372 (longhorn_ie8_rc1(wmbla).090115-0053)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=9e59d5cbdf9288428c83bdb1cc33e2e5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-14 08:56:57
# local_time=2011-08-14 04:56:57 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=770 16774142 0 2 15524110 15524110 0 0
# compatibility_mode=1032 16777173 100 98 0 56410821 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=73913
# found=5
# cleaned=5
# scan_time=4342
C:\System Volume Information\_restore{C3EA854B-A3D1-47F6-BC74-F962DBA52E6A}\RP775\A0146794.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{C3EA854B-A3D1-47F6-BC74-F962DBA52E6A}\RP775\A0146799.DLL a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{C3EA854B-A3D1-47F6-BC74-F962DBA52E6A}\RP786\A0148977.lnk Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{C3EA854B-A3D1-47F6-BC74-F962DBA52E6A}\RP786\A0149756.lnk Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{C3EA854B-A3D1-47F6-BC74-F962DBA52E6A}\RP786\A0149757.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18372 (longhorn_ie8_rc1(wmbla).090115-0053)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=9e59d5cbdf9288428c83bdb1cc33e2e5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-14 08:56:57
# local_time=2011-08-14 04:56:57 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=770 16774142 0 2 15524110 15524110 0 0
# compatibility_mode=1032 16777173 100 98 0 56410821 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=73913
# found=5
# cleaned=5
# scan_time=4342
C:\System Volume Information\_restore{C3EA854B-A3D1-47F6-BC74-F962DBA52E6A}\RP775\A0146794.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{C3EA854B-A3D1-47F6-BC74-F962DBA52E6A}\RP775\A0146799.DLL a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{C3EA854B-A3D1-47F6-BC74-F962DBA52E6A}\RP786\A0148977.lnk Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{C3EA854B-A3D1-47F6-BC74-F962DBA52E6A}\RP786\A0149756.lnk Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{C3EA854B-A3D1-47F6-BC74-F962DBA52E6A}\RP786\A0149757.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 10.0.0
Run by djc at 17:11:07 on 2011-08-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.398 [GMT -4:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: flashboot.ru\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
TCP: Interfaces\{206B4A61-2D05-47EF-A451-62CE0561ABC9} : NameServer = 24.92.226.40,24.92.226.41
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\djc\application data\mozilla\firefox\profiles\7xv9dzxk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search
FF - prefs.js: browser.search.selectedengine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=
FF - plugin: c:\documents and settings\djc\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2010-2-19 14976]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R4 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [2009-3-8 971232]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 TfFsMon;TfFsMon; [x]
S0 TfSysMon;TfSysMon; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe --> c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [?]
S3 TfNetMon;TfNetMon; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-14 16:02:59 -------- d-----w- c:\program files\ESET
2011-08-14 15:56:36 -------- d-----w- c:\documents and settings\djc\local settings\application data\Sun
2011-08-14 15:39:15 98816 ----a-w- c:\windows\sed.exe
2011-08-14 15:39:15 518144 ----a-w- c:\windows\SWREG.exe
2011-08-14 15:39:15 256000 ----a-w- c:\windows\PEV.exe
2011-08-14 15:39:15 208896 ----a-w- c:\windows\MBR.exe
2011-08-14 15:32:41 611224 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-08-14 15:32:41 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-14 15:32:41 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-10 07:42:00 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 07:41:51 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-06 09:08:14 -------- d-----w- c:\documents and settings\djc\application data\Pegasys Inc
2011-08-06 08:48:32 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-08-06 08:36:21 -------- d-----w- c:\windows\$regcmp$
2011-08-06 01:10:42 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-06 01:10:42 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-08-06 01:10:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-06 01:10:41 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-06 01:10:41 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-08-06 01:10:41 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-06 01:10:41 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-06 01:10:41 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-06 01:10:41 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-06 01:10:41 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-07-31 16:01:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 16:00:57 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-31 16:00:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 17:12:25.53 ===============
Hi,
Please post ComboFix log too.
celluloidheros
2011-08-15, 20:25
I'm sorry Blade, I did copy and paste combofix log in but i guess it didn't take. I will post it when I get home.
celluloidheros
2011-08-16, 00:39
Here's two combofix logs.
ComboFix 11-08-15.01 - djc 08/14/2011 11:41:05.23.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.444 [GMT -4:00]
Running from: c:\documents and settings\djc\My Documents\Installed programs\Combofix\Schauber.exe
Command switches used :: c:\documents and settings\djc\My Documents\Installed programs\Combofix\CFScript.txt
AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-14 to 2011-08-14 )))))))))))))))))))))))))))))))
.
.
2011-08-14 15:33 . 2011-08-14 15:33 -------- d-----w- c:\program files\Common Files\Java
2011-08-14 15:32 . 2011-08-14 15:32 611224 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-08-14 15:32 . 2011-08-14 15:32 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-14 15:32 . 2011-08-14 15:32 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-14 15:32 . 2011-08-14 15:32 -------- d-----w- c:\program files\Java
2011-08-10 07:42 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 07:41 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-06 09:08 . 2011-08-06 09:08 -------- d-----w- c:\documents and settings\djc\Application Data\Pegasys Inc
2011-08-06 08:48 . 2011-08-06 10:34 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-08-06 08:36 . 2011-08-06 08:36 -------- d-----w- c:\windows\$regcmp$
2011-08-06 01:10 . 2011-07-08 07:16 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-06 01:10 . 2011-07-08 07:16 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-08-06 01:10 . 2011-07-08 07:16 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-06 01:10 . 2011-07-08 07:16 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-06 01:10 . 2011-07-08 07:16 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-08-06 01:10 . 2011-07-08 07:16 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-06 01:10 . 2011-07-08 07:16 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-06 01:10 . 2011-07-08 07:16 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-06 01:10 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-06 01:10 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-05 22:25 . 2011-08-05 22:25 -------- d-----w- c:\program files\ERUNT
2011-07-31 16:01 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 16:00 . 2011-07-31 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-31 16:00 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2009-02-07 07:40 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-07-08 07:16 . 2011-08-06 01:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-02-19 03:30 . 2010-02-19 03:30 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^djc^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\djc\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-10-13 16:16 165144 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-10-13 16:22 960376 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2002-11-08 10:50 19968 ------w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-11-21 01:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]
2010-02-22 03:05 471650 ----a-w- c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-05-04 17:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-08-06 08:07 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-22 00:41 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-10-13 16:00 4344472 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
2008-07-24 20:22 450560 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 04:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 03:48 AM 32592]
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);c:\windows\system32\drivers\tdrpm147.sys [3/8/2009 07:06 PM 971232]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 03:48 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 03:49 AM 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 02:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 02:41 PM 67656]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 05:33 AM 269520]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2/19/2010 02:04 AM 14976]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [7/24/2008 04:22 PM 102400]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 04:33 AM 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 09:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 09:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 09:42 PM 27216]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 TfFsMon;TfFsMon; [x]
S0 TfSysMon;TfSysMon; [x]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG10\avgfws.exe [3/9/2011 07:24 PM 2708024]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 05:39 PM 7398752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 01:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 02:20 PM 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 04:33 AM 30432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 02:20 PM 135664]
S3 TfNetMon;TfNetMon; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 01:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/14/2009 08:50 PM 685816]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-14 c:\windows\Tasks\AVG PC Tuneup 2011 Integrator Scan and Repair.job
- c:\program files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe [2011-04-01 21:26]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 18:20]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 18:20]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-573735546-725345543-1003Core.job
- c:\documents and settings\djc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 15:48]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-573735546-725345543-1003UA.job
- c:\documents and settings\djc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 15:48]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: flashboot.ru\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
TCP: Interfaces\{206B4A61-2D05-47EF-A451-62CE0561ABC9}: NameServer = 24.92.226.40,24.92.226.41
FF - ProfilePath - c:\documents and settings\djc\Application Data\Mozilla\Firefox\Profiles\7xv9dzxk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search
FF - prefs.js: browser.search.selectedengine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{EA5CA8B6-9B9C-4994-A7A1-947B6C631BE7} - c:\program files\RegTweaker\key.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-14 11:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,90,9b,90,79,57,39,4c,97,b7,de,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,90,9b,90,79,57,39,4c,97,b7,de,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1628)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(3268)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\Microsoft Office\Office12\WINWORD.EXE
c:\program files\Microsoft\Office Live\OfficeLiveSignIn.exe
c:\program files\Java\jre7\bin\javaws.exe
c:\program files\Java\jre7\bin\javaw.exe
c:\program files\Java\jre7\bin\javaw.exe
.
**************************************************************************
.
Completion time: 2011-08-14 11:56:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-14 15:56
.
Pre-Run: 52,367,138,816 bytes free
Post-Run: 52,356,988,928 bytes free
.
- - End Of File - - D927C2B3C59CC3ED099FFA59139CE6FE
ComboFix 11-08-15.07 - djc 08/14/2011 23:10:27.24.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.432 [GMT -4:00]
Running from: c:\documents and settings\djc\My Documents\Installed programs\Combofix\Schauber.exe
AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-15 to 2011-08-15 )))))))))))))))))))))))))))))))
.
.
2011-08-14 16:02 . 2011-08-14 16:02 -------- d-----w- c:\program files\ESET
2011-08-14 15:56 . 2011-08-14 15:56 -------- d-----w- c:\documents and settings\djc\Local Settings\Application Data\Sun
2011-08-14 15:33 . 2011-08-14 15:33 -------- d-----w- c:\program files\Common Files\Java
2011-08-14 15:32 . 2011-08-14 15:32 611224 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-08-14 15:32 . 2011-08-14 15:32 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-14 15:32 . 2011-08-14 15:32 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-14 15:32 . 2011-08-14 15:32 -------- d-----w- c:\program files\Java
2011-08-10 07:42 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 07:41 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-06 09:08 . 2011-08-06 09:08 -------- d-----w- c:\documents and settings\djc\Application Data\Pegasys Inc
2011-08-06 08:48 . 2011-08-06 10:34 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-08-06 08:36 . 2011-08-06 08:36 -------- d-----w- c:\windows\$regcmp$
2011-08-06 01:10 . 2011-07-08 07:16 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-06 01:10 . 2011-07-08 07:16 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-08-06 01:10 . 2011-07-08 07:16 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-06 01:10 . 2011-07-08 07:16 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-06 01:10 . 2011-07-08 07:16 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-08-06 01:10 . 2011-07-08 07:16 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-06 01:10 . 2011-07-08 07:16 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-06 01:10 . 2011-07-08 07:16 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-06 01:10 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-06 01:10 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-05 22:25 . 2011-08-05 22:25 -------- d-----w- c:\program files\ERUNT
2011-07-31 16:01 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-31 16:00 . 2011-07-31 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-31 16:00 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2009-02-07 07:40 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-07-08 07:16 . 2011-08-06 01:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-02-19 03:30 . 2010-02-19 03:30 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-14_15.50.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-14 21:34 . 2011-08-14 21:34 16384 c:\windows\temp\Perflib_Perfdata_7b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^djc^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\djc\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2002-11-08 10:50 19968 ------w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-11-21 01:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]
2010-02-22 03:05 471650 ----a-w- c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-05-04 17:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-08-06 08:07 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-22 00:41 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 04:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 03:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 03:48 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 03:49 AM 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 02:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 02:41 PM 67656]
R2 avgfws;AVG Firewall;c:\program files\AVG\AVG10\avgfws.exe [3/9/2011 07:24 PM 2708024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 05:39 PM 7398752]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 05:33 AM 269520]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2/19/2010 02:04 AM 14976]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 04:33 AM 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 09:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 09:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 09:42 PM 27216]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/31/2011 12:01 PM 41272]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 TfFsMon;TfFsMon; [x]
S0 TfSysMon;TfSysMon; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 01:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 02:20 PM 135664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 04:33 AM 30432]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 02:20 PM 135664]
S3 TfNetMon;TfNetMon; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 01:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/14/2009 08:50 PM 685816]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-14 c:\windows\Tasks\AVG PC Tuneup 2011 Integrator Scan and Repair.job
- c:\program files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe [2011-04-01 21:26]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 18:20]
.
2011-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 18:20]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-573735546-725345543-1003Core.job
- c:\documents and settings\djc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 15:48]
.
2011-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-573735546-725345543-1003UA.job
- c:\documents and settings\djc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-02 15:48]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: flashboot.ru\www
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
TCP: Interfaces\{206B4A61-2D05-47EF-A451-62CE0561ABC9}: NameServer = 24.92.226.40,24.92.226.41
FF - ProfilePath - c:\documents and settings\djc\Application Data\Mozilla\Firefox\Profiles\7xv9dzxk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Customized Web Search
FF - prefs.js: browser.search.selectedengine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&q=
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Acronis Scheduler2 Service - c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
MSConfigStartUp-AcronisTimounterMonitor - c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
MSConfigStartUp-TrueImageMonitor - c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
MSConfigStartUp-WD Drive Manager - c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-14 23:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,90,9b,90,79,57,39,4c,97,b7,de,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,90,9b,90,79,57,39,4c,97,b7,de,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1500)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(620)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-14 23:28:05
ComboFix-quarantined-files.txt 2011-08-15 03:27
ComboFix2.txt 2011-08-14 15:56
.
Pre-Run: 53,347,848,192 bytes free
Post-Run: 53,369,720,832 bytes free
.
- - End Of File - - E15ACF3BC338DDA3A95B20B57B3BAB87
celluloidheros
2011-08-16, 01:08
here is a screen shot of iexplorer running at over 80%, it just locks up on many websites.
Hi,
Uninstall ZoneAlarm Spy Blocker. After that see if high cpu issue occurs if you launch browser in no addons enabled mode (for IE click start->all programs->accessories->system tools->internet explorer (no add-ons).
celluloidheros
2011-08-16, 13:56
Hello, I tried to use add/remove programs to remove the zone alarm spy blocker but it hgave an error and said it could not find the program. is there a better way to completeley remove it. I will try to run IE with add ons disabled when i get home tonigjht. thanks again for your help Blade, CH.
celluloidheros
2011-08-17, 13:25
hello, I have not had time to use the browser with add ons disabled. I will try it over the next few days. It does it intermittently.
celluloidheros
2011-08-17, 13:39
Hi Vlade, i just tried it with add ons diabled and windows task manager open, i do not think the problem is fixed, it still had high usage but seemed to bounce around more. I would go to a webpage and do nothing and watch the cpu usage for iexplorer.exe it would go from 2% to 99%, it uses about 86K of mem. It is a little better, i noticed it is much worse on certain websites. i was wondering if i should turn system restor off and on to dump any old infected files but i never do anything before Im told to by you. Thanks again blade81 for your help and expertise. what does your name mean ?
celluloidheros
2011-08-17, 13:53
Is it normal to have two instances of iexplorer.exe with only one webpage open, i realize that with each new page opened you get more iexplorer.exes opened. see jpgs.
celluloidheros
2011-08-17, 13:55
forgot this one
Is it normal to have two instances of iexplorer.exe with only one webpage open, i realize that with each new page opened you get more iexplorer.exes
Yes it is normal.
1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select cure and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)
celluloidheros
2011-08-18, 11:39
hello, TDSKiller only took 19 secs to run and found no viruses.
2011/08/18 04:37:22.0859 2828 TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13
2011/08/18 04:37:24.0859 2828 ================================================================================
2011/08/18 04:37:24.0859 2828 SystemInfo:
2011/08/18 04:37:24.0859 2828
2011/08/18 04:37:24.0859 2828 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/18 04:37:24.0859 2828 Product type: Workstation
2011/08/18 04:37:24.0859 2828 ComputerName: DJC-34F1A3BDC7E
2011/08/18 04:37:24.0859 2828 UserName: djc
2011/08/18 04:37:24.0859 2828 Windows directory: C:\WINDOWS
2011/08/18 04:37:24.0859 2828 System windows directory: C:\WINDOWS
2011/08/18 04:37:24.0859 2828 Processor architecture: Intel x86
2011/08/18 04:37:24.0859 2828 Number of processors: 1
2011/08/18 04:37:24.0859 2828 Page size: 0x1000
2011/08/18 04:37:24.0859 2828 Boot type: Normal boot
2011/08/18 04:37:24.0859 2828 ================================================================================
2011/08/18 04:37:25.0828 2828 Initialize success
2011/08/18 04:37:30.0328 3852 ================================================================================
2011/08/18 04:37:30.0328 3852 Scan started
2011/08/18 04:37:30.0328 3852 Mode: Manual;
2011/08/18 04:37:30.0328 3852 ================================================================================
2011/08/18 04:37:31.0421 3852 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/18 04:37:31.0515 3852 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/18 04:37:31.0656 3852 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/18 04:37:31.0750 3852 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/08/18 04:37:32.0140 3852 ALCXWDM (dd8520280304b6145a6be31008748c7c) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/08/18 04:37:32.0484 3852 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2011/08/18 04:37:32.0671 3852 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/18 04:37:32.0734 3852 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/18 04:37:32.0875 3852 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/18 04:37:32.0968 3852 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/18 04:37:33.0125 3852 Avgfwdx (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2011/08/18 04:37:33.0156 3852 Avgfwfd (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2011/08/18 04:37:33.0312 3852 AVGIDSDriver (c403e7f715bb0a851a9dfae16ec4ae42) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2011/08/18 04:37:33.0406 3852 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2011/08/18 04:37:33.0484 3852 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2011/08/18 04:37:33.0578 3852 AVGIDSShim (c3fc426e54f55c1cc3219e415b88e10c) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2011/08/18 04:37:33.0671 3852 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2011/08/18 04:37:33.0750 3852 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2011/08/18 04:37:33.0890 3852 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2011/08/18 04:37:33.0984 3852 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2011/08/18 04:37:34.0125 3852 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/18 04:37:34.0421 3852 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/18 04:37:34.0546 3852 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/18 04:37:34.0687 3852 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/18 04:37:34.0828 3852 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/18 04:37:35.0218 3852 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/18 04:37:35.0343 3852 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/18 04:37:35.0437 3852 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/18 04:37:35.0500 3852 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/18 04:37:35.0609 3852 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/18 04:37:35.0718 3852 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/18 04:37:35.0828 3852 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/18 04:37:35.0890 3852 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/08/18 04:37:35.0921 3852 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/18 04:37:35.0984 3852 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/18 04:37:36.0046 3852 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/08/18 04:37:36.0125 3852 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/18 04:37:36.0203 3852 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/18 04:37:36.0265 3852 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
2011/08/18 04:37:36.0343 3852 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/08/18 04:37:36.0453 3852 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/18 04:37:36.0578 3852 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/18 04:37:36.0734 3852 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/18 04:37:37.0078 3852 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/18 04:37:37.0187 3852 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/18 04:37:37.0406 3852 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/08/18 04:37:37.0500 3852 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/18 04:37:37.0562 3852 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/18 04:37:37.0640 3852 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/18 04:37:37.0687 3852 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/18 04:37:37.0750 3852 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/18 04:37:37.0828 3852 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/18 04:37:37.0890 3852 itchfltr (936123d83e80c1cb3ea042d7fb98da25) C:\WINDOWS\system32\DRIVERS\itchfltr.sys
2011/08/18 04:37:37.0968 3852 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/18 04:37:38.0046 3852 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/18 04:37:38.0140 3852 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/18 04:37:38.0187 3852 L8042pr2 (733ececf4371ac99410ee0f00bfd51e7) C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys
2011/08/18 04:37:38.0390 3852 LHidFlt2 (5bc552b8a4bb668ac169a24d7ff5b9b8) C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys
2011/08/18 04:37:38.0468 3852 LHidUsb (387cb1e73b17656f406fc13dc17eda6a) C:\WINDOWS\system32\Drivers\LHidUsb.Sys
2011/08/18 04:37:38.0500 3852 LMouFlt2 (128f0b4cd156872d440ae77202923a32) C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
2011/08/18 04:37:38.0578 3852 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/18 04:37:38.0656 3852 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/18 04:37:38.0703 3852 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/18 04:37:38.0765 3852 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/18 04:37:38.0859 3852 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/18 04:37:39.0000 3852 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/18 04:37:39.0125 3852 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/18 04:37:39.0265 3852 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/18 04:37:39.0359 3852 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/18 04:37:39.0421 3852 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/18 04:37:39.0500 3852 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/18 04:37:39.0578 3852 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/18 04:37:39.0671 3852 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
2011/08/18 04:37:39.0750 3852 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/18 04:37:39.0890 3852 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/18 04:37:39.0968 3852 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/18 04:37:40.0046 3852 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/18 04:37:40.0078 3852 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/18 04:37:40.0156 3852 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/18 04:37:40.0281 3852 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/18 04:37:40.0375 3852 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/18 04:37:40.0515 3852 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/18 04:37:40.0609 3852 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/18 04:37:40.0703 3852 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/18 04:37:41.0187 3852 nv (a05d99cbf55eb493c9e82b4bca848ef5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/08/18 04:37:41.0625 3852 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/18 04:37:41.0718 3852 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/18 04:37:41.0859 3852 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/08/18 04:37:41.0937 3852 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/18 04:37:42.0015 3852 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/18 04:37:42.0062 3852 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/18 04:37:42.0171 3852 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/08/18 04:37:42.0265 3852 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/18 04:37:42.0718 3852 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/18 04:37:42.0812 3852 PQNTDrv (4228630829c0e521c43d882a00533374) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2011/08/18 04:37:42.0937 3852 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/18 04:37:42.0984 3852 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/18 04:37:43.0078 3852 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/08/18 04:37:43.0390 3852 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/18 04:37:43.0468 3852 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/18 04:37:43.0531 3852 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/18 04:37:43.0593 3852 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/18 04:37:43.0671 3852 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/18 04:37:43.0734 3852 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/18 04:37:43.0828 3852 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/08/18 04:37:43.0937 3852 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/18 04:37:44.0046 3852 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/18 04:37:44.0296 3852 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/08/18 04:37:44.0359 3852 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/08/18 04:37:44.0468 3852 SBKUPNT (729248b54aff21e740054acebfdbcb1c) C:\WINDOWS\system32\Drivers\SBKUPNT.SYS
2011/08/18 04:37:44.0703 3852 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/18 04:37:44.0781 3852 Ser2pl (95eeb5a6843238c829aaa9c05168c09c) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
2011/08/18 04:37:44.0906 3852 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/08/18 04:37:44.0984 3852 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/08/18 04:37:45.0125 3852 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/18 04:37:45.0203 3852 SI3112 (2525f35d0a0e94bb0ca7b4b68117b453) C:\WINDOWS\system32\DRIVERS\SI3112.sys
2011/08/18 04:37:45.0281 3852 SiFilter (355a9f09eddcd5eed858c71a3b5ca70c) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
2011/08/18 04:37:45.0375 3852 SiRemFil (ad3fc65cf8df75705394f568f1a15405) C:\WINDOWS\system32\DRIVERS\SiRemFil.sys
2011/08/18 04:37:45.0421 3852 SISAGP (f8150c74ff24bdbd19f47a6dfd05514a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys
2011/08/18 04:37:45.0484 3852 SiSide (b4485881bd8aed9b157a2e6cf43c2d51) C:\WINDOWS\system32\DRIVERS\siside.sys
2011/08/18 04:37:45.0562 3852 sisidex (6225224b8e846ac230f8d9b343635910) C:\WINDOWS\system32\drivers\sisidex.sys
2011/08/18 04:37:45.0671 3852 SISNIC (8204c49cde112f7b9c2f15707fe2cc5a) C:\WINDOWS\system32\DRIVERS\sisnic.sys
2011/08/18 04:37:45.0765 3852 SISNICXP (a1348a901a44760ccd76043525e851d0) C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
2011/08/18 04:37:45.0859 3852 sisperf (596d4a7052002d2bd344d8937da6f66d) C:\WINDOWS\system32\drivers\sisperf.sys
2011/08/18 04:37:46.0062 3852 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/18 04:37:46.0187 3852 sptd (d390675b8ce45e5fb359338e5e649329) C:\WINDOWS\system32\Drivers\sptd.sys
2011/08/18 04:37:46.0328 3852 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/18 04:37:46.0468 3852 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/18 04:37:46.0687 3852 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/18 04:37:46.0750 3852 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/18 04:37:47.0062 3852 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/18 04:37:47.0203 3852 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/18 04:37:47.0328 3852 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/18 04:37:47.0390 3852 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/18 04:37:47.0468 3852 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/18 04:37:47.0812 3852 TVICHW32 (e266683fc95abdec17cd378564e1b54b) C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
2011/08/18 04:37:47.0921 3852 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/18 04:37:48.0093 3852 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/18 04:37:48.0234 3852 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/18 04:37:48.0312 3852 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/18 04:37:48.0359 3852 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/18 04:37:48.0421 3852 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/08/18 04:37:48.0515 3852 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/18 04:37:48.0593 3852 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/18 04:37:48.0671 3852 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/08/18 04:37:48.0828 3852 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/18 04:37:48.0968 3852 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/18 04:37:49.0093 3852 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/18 04:37:49.0312 3852 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/08/18 04:37:49.0437 3852 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/18 04:37:49.0515 3852 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/18 04:37:49.0625 3852 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/18 04:37:49.0750 3852 MBR (0x1B8) (50a01ce279d6ed30f042bcdc36ae25de) \Device\Harddisk1\DR1
2011/08/18 04:37:49.0796 3852 Boot (0x1200) (731563e20624a0ba571990171710b6c0) \Device\Harddisk0\DR0\Partition0
2011/08/18 04:37:49.0828 3852 Boot (0x1200) (6f6b1c1cf58d34dfe34cf1eb3e794e26) \Device\Harddisk1\DR1\Partition0
2011/08/18 04:37:49.0859 3852 ================================================================================
2011/08/18 04:37:49.0859 3852 Scan finished
2011/08/18 04:37:49.0859 3852 ================================================================================
2011/08/18 04:37:49.0890 3744 Detected object count: 0
2011/08/18 04:37:49.0890 3744 Actual detected object count: 0
2011/08/18 04:38:08.0437 3232 Deinitialize success
Hi,
Could you check if those sites with high CPU use Flash? Also, if possible temporarily uninstall AVG (with Appremover (http://www.appremover.com/) for example) to see if it has any effect on situation.
celluloidheros
2011-08-18, 18:39
OK Blade81, will do, I need to have some time to use the computer and find the sites that have high CPU usage. it might take me a day or two. Have you ever tried OTL ?
Ok, I'll wait. And yes, I'm familiar with OTL tool.
celluloidheros
2011-08-19, 05:53
what is the best way to check for flash usage ?
For example YouTube uses Flash. You could test it.
celluloidheros
2011-08-20, 03:09
Hello, this forum locked me up pretty good.
http://www.hondaaccordforum.com/forum/
Hi,
There're Flash made ads there. Let's see what happens if we uninstall Flash. See here (http://kb2.adobe.com/cps/141/tn_14157.html) for uninstaller.
celluloidheros
2011-08-21, 16:39
HI blade81, success ! I used the adobe flash uninstaller and the iexplorer usage went way down, I think this fixed it. I am going to try firefox now. iexplorer usage is almost nothing, memeory usage is down too. the funny thing is that i don't notice much difference in the way websites appear.
Hi,
On some systems Flash puts CPU to run high cycles. Let's see how Firefox does.
celluloidheros
2011-08-21, 22:17
Okay, i'll try firefox, I have had this computer/op system and hardware in this configuration for quite awhile. I saw definite change one day going to websites that i am familiar with. Uninstralling flash made a big difference and I seem to be back to normal with IE.
Ok, glad to hear it had some effect on CPU load anyway :)
celluloidheros
2011-08-22, 01:17
Hello Blade81, thanks agin for your help, Firefox and IE both are improved after uninstalling Flash, how can I reinstall flash and get back to normal, Do I have some sort of malware that uses flash ?
You're welcome :)
You can try latest Flash version for IE (http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe) and Firefox (http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe). Like I said of some reason Flash puts CPU usage to maximum on some systems. It's not malware related.
celluloidheros
2011-08-22, 18:14
I don't understand what changed in my system ? I have had flash installed for years and my computer ran fine, now it is slow, with flash not installed, i casn't view uitube videos etc...
I have been using the computer with flash uninstalled and on certainb websites, it still seems to be quirky, I think that the flash uninstall helps free up resources, but there might be more.
im at work now and I have a little faster computer but it uses way less resources.
Hi,
Did you try to reinstall Flash yet? See how browser behaves with it. If it's still slow then see what happens when you open a new tab to this site for example (leaving the other tab open background).
celluloidheros
2011-08-26, 11:54
Hi Blade81, I had to go away for work, I'm back now and I will test IE after reinstalling Flash at various sites opening a second tab.
celluloidheros
2011-08-26, 12:08
Hello, When i reinstalled Flash, it was still slow, no matter how many tabs i opened, also AVg seemed to be using up resources which may be normal. disabling AVG seemed to help. I have had issues in the past with antivirus conflicts. I'm a little stumpted right now.
Hi,
If you want to give some other antivirus solution a try below are some listed:
Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html) and
Avast! (http://www.avast.com/eng/download-avast-home.html)
Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)
celluloidheros
2011-08-28, 14:15
I'll try Avira and see how it goes, I'll then try reinstalling Flash.
Let's hope it helps :bigthumb:
celluloidheros
2011-08-30, 03:59
hello, i installed avira and reinstalled Flash 10.3, i then checked IE opening a second page. unfortunately i still seem to have the issue. It seems to work better with flash uninstalled but I miss not having Flash. Could I still have some form of malware ?
Hi,
Nothing shows malware on board. These hints (http://forums.adobe.com/message/3299511) on Adobe Forum may help.
celluloidheros
2011-09-06, 16:53
ok, I'LL try those hints, It puzzles me as to what changed on my computer ? I have not added any new drivers or hardware.
celluloidheros
2011-09-07, 01:07
Hello Blade81,
I have had flash uninstalled but some pages still run at 99% and lock my computer up, this page is particularly troublesome:
http://forum.e46fanatics.com/showthread.php?t=868592&page=2
I'm still confused as to what might be causing this.
celluloidheros
2011-09-07, 01:37
I ran IE with add-ons disabled, even though it runs at 99%, it does it for a much shorter period of time, i wonder if there is an add-on that is corrupt.
Hard to say anything else than this issue likely isn't malware related. If Firefox runs in the same way like IE with addons enabled then it's not likely addon related (unless both browsers have some same addon installed). Anyway, you may want to post at Tech Support Guy (http://forums.techguy.org). They for example have areas for non malware problems too.
celluloidheros
2011-09-12, 00:18
OK Great, i'll try, thanks for the help.