Computer Hope


Title: XP PC Hanging, Freezing
Post by: dc4580 on January 08, 2012, 07:32:36 AM
Problem is that no matter what I am doing, whether it is browsing using IE 8, emailing, or creating docs, I will experience a hang or freeze of the whole PC.  Everything halts, no mouse, can't even refresh.  Doesn't matter what the browser is, and it doesn't matter which AV software I am using.  It isn't high CPU, but I do see high memory usage by IE within Task Manager.  Page file size increases.  Software environment is XP SP3, IE 8.  AV and Firewall are Norton 360.   Ran through the cleanup, and here are the three logs:

SuperAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/08/2012 at 03:49 AM

Application Version : 5.0.1142

Core Rules Database Version : 8112
Trace Rules Database Version: 5924

Scan type       : Complete Scan
Total Scan Time : 01:32:26

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 555
Memory threats detected   : 0
Registry items scanned    : 38853
Registry threats detected : 0
File items scanned        : 78468
File threats detected     : 2

Adware.Tracking Cookie
   C:\Documents and Settings\david cox\Cookies\1IIAF4JA.txt [ /imrworldwide.com ]
   C:\Documents and Settings\david cox\Cookies\SPGH7VY7.txt [ /invitemedia.com ]


MBAM:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.08.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
david cox :: DAVE-Q08ESS7TBC [administrator]

1/8/2012 5:52:44 AM
mbam-log-2012-01-08 (05-52-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 186546
Time elapsed: 20 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


First DD log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by david cox at 7:57:19 on 2012-01-08
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.447.94 [GMT -6:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress] c:\windows\system32\ctfmon.exe
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" update "software\cyberlink\powerproducer\4.0"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [MBkLogonHook]
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [InstantBurn] c:\progra~1\cyberl~1\instan~1\win2k\IBurn.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\program files\vmware\vmware player\vsocklib.dll
Trusted Zone: internet
Trusted Zone: live.com\onecare
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www.update
Trusted Zone: ussco.com\myportal
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://myportal.ussco.com/bluezone/controls/,DanaInfo=intranet.ussco.com+sglw2hcm.ocx
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1212120081468
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208918393375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208921940093
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://myportal.ussco.com/dana-cached/sc/JuniperSetupClient.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{98F51424-7F98-4109-9E22-2025B352A261} : DhcpNameServer = 192.168.0.1
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1   www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2011-12-6 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2011-12-6 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20111221.003\BHDrvx86.sys [2011-12-21 819320]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2008-6-3 15784]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2011-12-6 136312]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\astra32\astra32.sys [2007-2-22 30864]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2008-6-3 162344]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2011-12-6 130008]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-11-11 70768]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-11-11 539248]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-18 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120106.002\IDSXpx86.sys [2012-1-6 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120107.009\NAVENG.SYS [2012-1-7 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120107.009\NAVEX15.SYS [2012-1-7 1576312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-21 136176]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-21 136176]
S3 PROCEXP150;PROCEXP150;\??\c:\windows\system32\drivers\procexp150.sys --> c:\windows\system32\drivers\PROCEXP150.SYS [?]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-8-29 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2011-8-18 86016]
S4 SessionLauncher;SessionLauncher;c:\docume~1\davidc~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\davidc~1\locals~1\temp\dx9\SessionLauncher.exe [?]
.
=============== Created Last 30 ================
.
2012-01-07 14:47:04   --------   d-----w-   c:\program files\CCleaner
2012-01-07 06:39:12   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-01-06 15:10:50   --------   d-----w-   c:\documents and settings\david cox\local settings\application data\Symantec
2012-01-06 14:54:52   --------   d-----w-   c:\windows\system32\wbem\repository\FS
2012-01-06 14:54:52   --------   d-----w-   c:\windows\system32\wbem\Repository
2011-12-28 13:19:28   --------   d--h--w-   c:\windows\PIF
2011-12-28 13:17:46   --------   d-----w-   c:\documents and settings\david cox\application data\Windows Search
2011-12-25 00:46:51   --------   d-----w-   c:\program files\common files\Windows Live
2011-12-25 00:43:19   --------   d-----w-   c:\windows\system32\winrm
2011-12-25 00:43:03   --------   dc-h--w-   c:\windows\$968930Uinstall_KB968930$
2011-12-25 00:36:15   --------   d-----w-   c:\windows\system32\GroupPolicy
2011-12-25 00:36:15   --------   d-----w-   c:\program files\Windows Desktop Search
2011-12-24 13:36:09   --------   d-----w-   c:\program files\ASTRA32
2011-12-22 06:29:09   --------   d-----w-   c:\program files\Microsoft Windows Performance Toolkit
2011-12-22 06:27:47   --------   d-----w-   c:\program files\Debugging Tools for Windows (x86)
.
==================== Find3M  ====================
.
2011-12-10 21:24:06   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-12-07 05:43:20   60872   ----a-w-   c:\windows\system32\S32EVNT1.DLL
2011-12-07 05:43:20   126584   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2011-11-28 00:24:37   103784   ----a-w-   c:\documents and settings\david cox\GoToAssistDownloadHelper.exe
2011-11-23 13:25:32   1859584   ----a-w-   c:\windows\system32\win32k.sys
2011-11-23 08:55:11   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 11:54:13   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-11-10 09:27:10   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-11-04 19:20:51   916992   ----a-w-   c:\windows\system32\wininet.dll
2011-11-04 19:20:51   43520   ------w-   c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59   385024   ------w-   c:\windows\system32\html.iec
2011-11-01 16:07:10   1288704   ----a-w-   c:\windows\system32\ole32.dll
2011-10-28 05:31:48   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08   2192768   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03   2069376   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-10-10 14:22:41   692736   ----a-w-   c:\windows\system32\inetcomm.dll
.
============= FINISH:  7:59:23.78 ===============


Attach Log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/20/2008 10:26:55 PM
System Uptime: 1/7/2012 6:19:44 AM (25 hours ago)
.
Motherboard: ECS | | Alhena5
Processor: Intel(R) Celeron(R) D CPU 3.33GHz | CPU 1 | 3325/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 104 GiB total, 82.542 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: ATI RADEON XPRESS 200 Series 
Device ID: PCI\VEN_1002&DEV_5A61&SUBSYS_2A4F103C&REV_00\4&1CF2FBB4&0&2808
Manufacturer: ATI Technologies Inc.
Name: ATI RADEON XPRESS 200 Series 
PNP Device ID: PCI\VEN_1002&DEV_5A61&SUBSYS_2A4F103C&REV_00\4&1CF2FBB4&0&2808
Service: ati2mtag
.
==== System Restore Points ===================
.
RP1: 12/8/2011 3:31:16 AM - System Checkpoint
RP2: 12/19/2011 1:53:28 AM - System Checkpoint
RP3: 12/19/2011 3:00:50 AM - Software Distribution Service 3.0
RP4: 12/20/2011 3:40:52 AM - System Checkpoint
RP5: 12/21/2011 4:06:16 AM - System Checkpoint
RP6: 12/22/2011 5:02:17 AM - System Checkpoint
RP7: 12/23/2011 5:40:28 AM - System Checkpoint
RP8: 12/24/2011 9:00:10 AM - System Checkpoint
RP9: 12/24/2011 4:31:54 PM - Software Distribution Service 3.0
RP10: 12/24/2011 5:22:28 PM - Software Distribution Service 3.0
RP11: 12/24/2011 6:31:53 PM - Software Distribution Service 3.0
RP12: 12/25/2011 6:59:04 PM - System Checkpoint
RP13: 12/26/2011 12:21:45 AM - Software Distribution Service 3.0
RP14: 12/27/2011 1:21:38 AM - System Checkpoint
RP15: 12/28/2011 1:33:06 AM - System Checkpoint
RP16: 12/29/2011 2:07:23 AM - System Checkpoint
RP17: 12/30/2011 2:23:40 AM - System Checkpoint
RP18: 12/31/2011 3:19:41 AM - System Checkpoint
RP19: 1/1/2012 4:19:40 AM - System Checkpoint
RP20: 1/2/2012 4:47:05 AM - System Checkpoint
RP21: 1/3/2012 5:34:07 AM - System Checkpoint
RP22: 1/4/2012 6:36:53 AM - System Checkpoint
RP23: 1/5/2012 7:34:08 AM - System Checkpoint
RP24: 1/6/2012 8:50:57 AM - Restore Operation
RP25: 1/6/2012 11:59:26 PM - Removed Apple Application Support
RP26: 1/7/2012 12:01:34 AM - Removed Apple Software Update
RP27: 1/7/2012 12:02:29 AM - Removed Bonjour
RP28: 1/7/2012 12:04:11 AM - Removed Support.com Toolbar.
RP29: 1/7/2012 9:13:26 AM - Installed Java(TM) 6 Update 30
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Reader 8.2.6
Adobe Reader 8.3.1
AMD APP SDK Runtime
ASTRA32 - Advanced System Information Tool 2.12
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Catalyst Install Manager
ATI Display Driver
ATI Parental Control & Encoder
AVIVO Codecs
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Compatibility Pack for the 2007 Office system
CyberLink InstantBurn
CyberLink PhotoNow
CyberLink Power2Go
CyberLink PowerStarter
Data Fax SoftModem with SmartCP
Debugging Tools for Windows (x86)
DirectXInstallService
Driver Detective
DriverGuide DriverScan
EMC 10 Content
Free Games Offer, Desktop Shortcut
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB954550-v5)
HP Product Detection
InfraRecorder
Internet Explorer (Enable DEP)
Java(TM) 6 Update 30
Juniper Citrix Services Client
Juniper Networks Host Checker
Juniper Networks Setup Client
Juniper Terminal Services Client
LabelPrint
LightScribe Diagnostic Utility
LightScribe System Software  1.14.16.1
Linksys EasyLink Advisor
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.60.0.1800
MediaShow
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft Windows Performance Toolkit
Microsoft Windows SDK for Windows 7 (7.1)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton 360
Octoshape add-in for Adobe Flash Player
OGA Notifier 2.0.0048.0
Opera 11.50
PC Pitstop Optimize3 3.0
PowerBackup
PowerDVD
PowerDVD Copy
PowerProducer
Pure Networks Platform
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio BackOnTrack
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio CinePlayer
Roxio CinePlayer Decoder Pack
Roxio Disc Gallery
Roxio Easy Media Creator 10 Suite
Roxio File Backup
Roxio MediaShare
Roxio Update Manager
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Skins
SmartSound Quicktracks Plugin
Steam
Suite
SUPERAntiSpyware
Symantec Technical Support Web Controls
tools-linux
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
USB Video Driver
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VMware Player
WebEx Support Manager for Internet Explorer
WebFldrs XP
Windows Driver Package - Advanced Micro Devices, Inc. (USB28xxBGA) Media  (04/27/2007 5.7.0427.0)
Windows Driver Package - eMPIA Technology Inc, (emAudio) MEDIA  (04/27/2007 5.7.0427.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Mail
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
1/6/2012 8:49:30 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/6/2012 8:48:56 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/6/2012 8:48:55 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD BHDrvx86 ctxusbm eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX SymIRON SYMTDI Tcpip WS2IFSL
1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:  A device attached to the system is not functioning.
1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
1/6/2012 7:37:35 AM, error: Service Control Manager [7034]  - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly.  It has done this 1 time(s).
1/6/2012 7:20:03 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the VMware Authorization Service service to connect.
1/6/2012 7:20:03 AM, error: Service Control Manager [7000]  - The VMware Authorization Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
1/5/2012 10:03:18 PM, error: atapi [11]  - The driver detected a controller error on \Device\Ide\IdePort0.
1/5/2012 10:02:12 PM, error: atapi [9]  - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
1/2/2012 12:30:28 AM, error: VMnetDHCP [2]  - Can't open C:\Documents and Settings\All Users\Application Data\VMware\vmnetdhcp.conf: The system cannot find the file specified.  / The system cannot find the file specified
1/2/2012 12:30:11 AM, error: Cdrom [11]  - The driver detected a controller error on \Device\CdRom0.
.
==== End Of File ===========================
   


If you could help me with this issue, I would appreciate it.

Thanks,
Dave

Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 08, 2012, 08:44:50 AM
I received word from a relative in my address book ( Outlook Express ) that she had received spam email from me.  Another item to work on?

Title: Re: XP PC Hanging, Freezing
Post by: Allan on January 08, 2012, 08:57:55 AM
Please wait for a response from our Malware Expert

Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 08, 2012, 11:02:18 AM
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.

* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

Code:
:OTL

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Trusted Zone: internet
Trusted Zone: live.com\onecare
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www.update
Trusted Zone: ussco.com\myportal

:COMMANDS
[resethosts]
[purity]
[start explorer]

* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.
***************************************************************

Please download aswMBR.exe (http://public.avast.com/%7Egmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_Scan.jpg)

Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_SaveLog.png)

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
****************************************************
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)

and save it to your Desktop.
It would be easiest to download using Internet Explorer.
If you want to use Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
(http://i424.photobucket.com/albums/pp322/digistar/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://i424.photobucket.com/albums/pp322/digistar/RC_successful.gif)

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see  How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 08, 2012, 10:21:34 PM
OTL -

========== OTL ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTL by OldTimer - Version 3.2.31.0 log created on 01082012_220057

ASWMBR -

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-08 22:04:10
-----------------------------
22:04:10.860    OS Version: Windows 5.1.2600 Service Pack 3
22:04:10.860    Number of processors: 1 586 0x605
22:04:10.860    ComputerName: DAVE-Q08ESS7TBC  UserName: david cox
22:04:15.985    Initialize success
22:04:38.860    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:04:38.876    Disk 0 Vendor: ST3120213AS 3.AHL Size: 114473MB BusType: 3
22:04:38.891    Disk 0 MBR read successfully
22:04:38.907    Disk 0 MBR scan
22:04:38.923    Disk 0 Windows XP default MBR code
22:04:38.938    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       105999 MB offset 63
22:04:38.969    Disk 0 scanning sectors +217086345
22:04:39.048    Disk 0 scanning C:\WINDOWS\system32\drivers
22:05:02.298    Service scanning
22:05:04.985    Modules scanning
22:05:37.032    Disk 0 trace - called modules:
22:05:37.079    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:05:37.094    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f77608]
22:05:37.110    3 CLASSPNP.SYS[f76b6fd7] -> nt!IofCallDriver -> \Device\00000078[0x84f212b8]
22:05:37.126    5 ACPI.sys[f754d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84f64d98]
22:05:37.219    Scan finished successfully
22:06:13.329    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\david cox\Desktop\MBR.dat"
22:06:13.344    The log file has been saved successfully to "C:\Documents and Settings\david cox\Desktop\aswMBR.txt"


When I ran COMBOFIX, it completed stage 23 and went to a reboot.  No report.

Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 09, 2012, 01:33:58 PM
Quote
When I ran COMBOFIX, it completed stage 23 and went to a reboot.  No report.
Please try running it again. If it doesn't work, delete ComboFix and try this.

Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)
If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
(http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif)

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see  How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 09, 2012, 07:19:27 PM
COMBOFIX worked after the rename.  Here is the log:

ComboFix 12-01-09.06 - david cox 01/09/2012  19:45:36.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.447.174 [GMT -6:00]
Running from: c:\documents and settings\david cox\desktop\commy.exe
Command switches used :: /stepdel
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\david cox\GoToAssistDownloadHelper.exe
c:\windows\system32\ccrpTmr6.dll
.
.
(((((((((((((((((((((((((   Files Created from 2011-12-10 to 2012-01-10  )))))))))))))))))))))))))))))))
.
.
2012-01-09 04:00 . 2012-01-09 04:00   --------   d-----w-   C:\_OTL
2012-01-07 14:47 . 2012-01-07 14:47   --------   d-----w-   c:\program files\CCleaner
2012-01-07 06:39 . 2012-01-07 06:41   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-01-06 15:10 . 2012-01-06 15:10   --------   d-----w-   c:\documents and settings\david cox\Local Settings\Application Data\Symantec
2012-01-06 14:54 . 2012-01-06 14:54   --------   d-----w-   c:\windows\system32\wbem\Repository
2011-12-28 13:19 . 2011-12-28 13:19   --------   d--h--w-   c:\windows\PIF
2011-12-28 13:17 . 2011-12-28 13:17   --------   d-----w-   c:\documents and settings\david cox\Application Data\Windows Search
2011-12-25 00:46 . 2011-12-25 00:46   --------   d-----w-   c:\program files\Common Files\Windows Live
2011-12-25 00:43 . 2011-12-25 00:43   --------   d-----w-   c:\windows\system32\winrm
2011-12-25 00:43 . 2011-12-25 00:43   --------   dc-h--w-   c:\windows\$968930Uinstall_KB968930$
2011-12-25 00:36 . 2011-12-29 09:17   --------   d-----w-   c:\program files\Windows Desktop Search
2011-12-25 00:36 . 2011-12-25 00:36   --------   d-----w-   c:\windows\system32\GroupPolicy
2011-12-24 13:36 . 2011-12-25 01:56   --------   d-----w-   c:\program files\ASTRA32
2011-12-22 06:29 . 2011-12-22 06:29   --------   d-----w-   c:\program files\Microsoft Windows Performance Toolkit
2011-12-22 06:27 . 2011-12-22 06:28   --------   d-----w-   c:\program files\Debugging Tools for Windows (x86)
2011-12-22 06:25 . 2011-12-22 06:25   --------   d-----w-   c:\program files\Microsoft SDKs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2011-08-22 05:55   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-12-07 05:43 . 2011-12-07 05:43   60872   ----a-w-   c:\windows\system32\S32EVNT1.DLL
2011-12-07 05:43 . 2011-12-07 05:43   126584   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2011-11-23 13:25 . 2002-08-29 12:00   1859584   ----a-w-   c:\windows\system32\win32k.sys
2011-11-23 08:55 . 2011-07-13 10:55   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 11:54 . 2010-05-09 12:30   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-11-10 09:27 . 2011-01-11 02:35   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-11-04 19:20 . 2002-08-29 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2002-08-29 12:00   43520   ------w-   c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2002-08-29 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 05:59   385024   ------w-   c:\windows\system32\html.iec
2011-11-01 16:07 . 2002-08-29 12:00   1288704   ----a-w-   c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2002-08-29 12:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2002-08-29 12:00   2192768   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2002-08-29 01:04   2069376   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2002-08-29 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"InstantBurn"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2007-10-26 681256]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2007-10-17 128296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [12/6/2011 11:42 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [12/6/2011 11:42 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 8:25 PM 820344]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [6/3/2008 11:44 PM 15784]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [12/6/2011 11:42 PM 136312]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2/22/2007 11:28 AM 30864]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [6/3/2008 11:44 PM 162344]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [12/6/2011 11:42 PM 130008]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [11/11/2010 1:32 PM 70768]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [11/11/2010 12:31 PM 539248]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/18/2011 9:46 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120107.001\IDSXpx86.sys [1/9/2012 6:08 PM 356280]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2010 12:52 AM 136176]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 1:43 PM 204800]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 2:53 PM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 2:52 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 2:52 PM 166384]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2010 12:52 AM 136176]
S3 PROCEXP150;PROCEXP150;\??\c:\windows\system32\Drivers\PROCEXP150.SYS --> c:\windows\system32\Drivers\PROCEXP150.SYS [?]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 2:53 PM 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 2:52 PM 1083888]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/29/2002 6:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [8/18/2011 10:16 PM 86016]
S4 SessionLauncher;SessionLauncher;c:\docume~1\DAVIDC~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\DAVIDC~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM   REG_MULTI_SZ      WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-05-23 18:49   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 06:51]
.
2012-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 06:51]
.
2012-01-09 c:\windows\Tasks\User_Feed_Synchronization-{18A67AB4-86CC-47A1-B51A-C739DECF0A30}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
Trusted Zone: internet
Trusted Zone: live.com\onecare
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www.update
Trusted Zone: ussco.com\myportal
TCP: DhcpNameServer = 192.168.0.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://myportal.ussco.com/bluezone/controls/,DanaInfo=intranet.ussco.com+sglw2hcm.ocx
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
HKLM-Run-MBkLogonHook - (no file)
HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
HKLM-Run-googletalk - c:\program files\Google\Google Talk\googletalk.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-09 20:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,98,35,2b,66,3f,83,4f,a8,fa,40,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,98,35,2b,66,3f,83,4f,a8,fa,40,\
.
[HKEY_USERS\S-1-5-21-484763869-1060284298-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-01-09  20:13:54
ComboFix-quarantined-files.txt  2012-01-10 02:13
.
Pre-Run: 88,419,586,048 bytes free
Post-Run: 88,767,119,360 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 0DF1C78CC8AC13A3E9A74204A37E68B6
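The service and driver list in that log is where a reviewer looks first for two things: registrations with no file behind them (the two PROCEXP drivers and SessionLauncher are shown with "[?]") and images registered out of a user's Temp directory (SessionLauncher). The Python below is an added example, not code from this thread or from ComboFix itself: it parses ComboFix's service lines, using only the line layout visible in the log, and applies those two checks. The sample input is a subset of lines copied from the log above; the list of directories treated as suspicious is this example's own assumption about where a legitimate service or driver never lives.

```python
"""Triage of the service/driver section of a ComboFix log.

Added example; not code from the thread or from ComboFix. It relies only on
the line format visible in the log:
  <R|S><start> <name>;<display name>;<image path> [<timestamp> <size>]
  <R|S><start> <name>;<display name>;<image path> --> <resolved path> [?]
R/S is running/stopped, the digit is the start type, "[?]" means no file.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [12/6/2011 11:42 PM 340088]
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2/22/2007 11:28 AM 30864]
S3 PROCEXP150;PROCEXP150;\??\c:\windows\system32\Drivers\PROCEXP150.SYS --> c:\windows\system32\Drivers\PROCEXP150.SYS [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/29/2002 6:00 AM 14336]
S4 SessionLauncher;SessionLauncher;c:\docume~1\DAVIDC~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\DAVIDC~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
"""

START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
PRESENT_RE = re.compile(r"^(?P<path>.+?) \[(?P<stamp>.+) (?P<size>\d+)\]$")
MISSING_RE = re.compile(r"^(?P<path>.+?) --> (?P<resolved>.+) \[\?\]$")

# Assumption of this example: no legitimate service or driver image lives here.
# Matched case-insensitively; ComboFix's 8.3 form LOCALS~1\Temp still contains "\temp\".
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")


@dataclass
class Service:
    state: str           # "running" or "stopped"
    start_type: str      # boot / system / auto / demand / disabled
    name: str
    display: str
    path: str            # image path with any \??\ prefix stripped
    file_present: bool
    size: Optional[int]  # bytes, None when the file is missing


def parse_service_line(line: str) -> Optional[Service]:
    """Return a Service for one ComboFix service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    missing = MISSING_RE.match(rest)
    if missing:
        path, present, size = missing.group("resolved"), False, None
    else:
        found = PRESENT_RE.match(rest)
        if not found:
            return None
        path, present, size = found.group("path"), True, int(found.group("size"))
    if path.startswith("\\??\\"):
        path = path[4:]
    return Service(
        state="running" if m.group("state") == "R" else "stopped",
        start_type=START_TYPE[m.group("start")],
        name=m.group("name"),
        display=m.group("display"),
        path=path,
        file_present=present,
        size=size,
    )


def triage(log_text: str):
    """Return (services, findings); each finding is a (service name, reason) tuple."""
    services = [s for s in map(parse_service_line, log_text.splitlines()) if s]
    findings = []
    for svc in services:
        low = svc.path.lower()
        if not svc.file_present:
            findings.append((svc.name, "registered image file does not exist on disk"))
        if any(d in low for d in SUSPICIOUS_DIRS):
            findings.append((svc.name, "image path is under a temporary directory"))
    return services, findings


if __name__ == "__main__":
    services, findings = triage(SAMPLE_LOG)
    print(f"{len(services)} service/driver entries parsed")
    for name, reason in findings:
        print(f"  {name}: {reason}")
```

A missing image file by itself is an orphaned registration, not evidence of infection; the combination that deserves attention is a service whose image was registered from a Temp path, because that is where droppers unpack, and the Temp check is the one that would still fire if the file were present.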
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 10, 2012, 07:19:41 AM
Problem of PC freezing still exists.  No other reports of email issue. 
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 10, 2012, 12:38:24 PM
Quote
Problem of PC freezing still exists.
Please describe this freezing to me. Is it just momentary freezing? How long does it last? Do you have to do a hard reboot to get the computer working again? How much RAM do you have?

Re-running ComboFix to remove infections:

I don't need to see the log from this script.
**************************************************
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)

Unzip it into a folder on your desktop.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 11, 2012, 05:07:08 AM
The hang or freeze can be momentary or for a duration of several minutes.  There is no pattern in duration.  During the freeze, whether on a browser page, emailing or creating a doc, can't use any buttons like refresh and nothing responds.  If the duration is long enough, I will receive the Not Responding comment up top.  If I leave things alone, the Not Responding goes away and soon I have response again.  No hard reboot is necessary usually, unless the freeze is lengthy, then I will manually reboot.  RAM=512M. 

Completed the Combofix with CFScript successfully. 

Sysprot.exe has not completed successfully, and I have attempted several runs.  When the create log button is selected, the progress bar runs across, then the PC reboots.  Doesn't create any log.  No new window.


Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 11, 2012, 01:08:08 PM
I suspect that the freezing problem is caused by running XP with only 512 MB of RAM.

Please download RootRepeal from GooglePages.com (http://rootrepeal.googlepages.com/RootRepeal.zip). Please remove any e-mail address in the RootRepeal report (if present).
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 11, 2012, 07:09:02 PM
Rootrepeal report:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2012/01/11 19:55
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3C8E000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BDE000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF32B1000   Size: 49152   File Visible: No   Signed: -
Status: -

Name: SYMDS.SYS
Image Path: SYMDS.SYS
Address: 0xF7462000   Size: 356352   File Visible: No   Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7395000   Size: 765952   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\system volume information\efadata\sdmys_dce0e3549948cfe54642a4c9
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~df2d07.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~df256a.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~df2b28.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~df3993.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~df516.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~df576f.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~df63f9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~df685b.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~df88f5.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~df8f30.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~df91c9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~dfeb58.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~dffab8.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\david cox\local settings\temp\~romfn_000006c4
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_pzsvjdwlbhu2hwaxq0fg
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_szkkqbvv3cvchjhhrtqs
Status: Allocation size mismatch (API: 512, Raw: 0)

Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_wi4vouyhxyt8toj74dz3
Status: Allocation size mismatch (API: 512, Raw: 0)

Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_xfgmmyih6pe9sfhh1xgr
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_8g9k2e2wabt9ochlcjul
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_ao1xpqbbbo0700ktwfx4
Status: Allocation size mismatch (API: 512, Raw: 0)

Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_cffjd9uzxprhtxtxhyig
Status: Allocation size mismatch (API: 512, Raw: 0)

Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_fhjshje6ljlknfuc5lag
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 012   Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x84a80978

#: 013   Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x84a788d0

#: 017   Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x845e6140

#: 019   Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x84aa0cf8

#: 031   Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x849c66f0

#: 041   Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408c710

#: 043   Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x84921770

#: 052   Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x84a4c5c8

#: 053   Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x84af6008

#: 057   Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x84aa0b80

#: 063   Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408c990

#: 065   Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408cef0

#: 068   Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x84a8b5e0

#: 083   Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x84ad4848

#: 089   Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x84a82b10

#: 091   Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x84a81db0

#: 097   Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x84980e58

#: 108   Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x84af8cd8

#: 114   Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x84a99110

#: 122   Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x84c8a1f0

#: 123   Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x84a67b68

#: 125   Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x84a9a650

#: 128   Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x84a6d738

#: 137   Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x84a4b710

#: 206   Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x84a70838

#: 213   Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x84a68868

#: 228   Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x84a990c8

#: 240   Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x84aa0b48

#: 247   Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408d140

#: 253   Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x84a9a578

#: 254   Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x84a6dba0

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x84a63cc0

#: 258   Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x84a6bc28

#: 267   Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x84a69a70

#: 277   Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x84acfe18

Shadow SSDT
-------------------
#: 307   Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x84a48d98

#: 383   Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x84993668

#: 414   Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x84a09e08

#: 416   Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x84bbb840

#: 428   Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x849d2b78

#: 460   Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x84b8b510

#: 475   Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x84a7f240

#: 476   Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x84933b20

#: 549   Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x84970c58

#: 552   Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x84bd9cf0

==EOF==
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 12, 2012, 12:16:18 PM
Please give me an update about your computer.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
 ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 13, 2012, 07:11:46 AM
The latest is that ESET will not run.  As soon as the add-on click message shows and I click, it will hang and go into a state of Not Responding.

The problem still exists.  It began in May of 2010 and continued through October of 2010, until McAfee put out a fix that really did fix the problem.  I was good from October through May of 2011, then the same problem started with the same symptoms and has continued through now.  I am not the only person using McAfee that had the same experience.  Just Google mcshield.exe high cpu and you will eventually reach that complaint room.  Back in December, after trying to get McAfee Tier 2.5 support to grab debug data and watching them stumble around for months, I cut them off and am currently on Norton for AV and firewall. 

These tools you are using are all scanners.  Is there a tool that can start a trace before actively recording my activity ( usual browse, email, etc. ) ?   

Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 13, 2012, 01:13:14 PM
Quote
I cut them off and am currently on Norton for AV and firewall. 
And, the problem still exists with Norton?
Quote
Is there a tool that can start a trace before actively recording my activity ( usual browse, email, etc. ) ?   
I'm not sure what you mean here.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 13, 2012, 04:03:14 PM
Yes, problem still exists with Norton.    That was just irritation with McAfee.  Doesn't matter which, Norton or McAfee, problem still occurs. 

While I was working with McAfee Tier 2.5, they were collecting logs and also wanted to get Debug Diagnosis running so they could trap data when a given threshold would be reached.  They could never get it set up correctly.  That's why I was asking if you knew of such a tool that could be set up to trip on a threshold and collect data while the problem was occurring.
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 13, 2012, 07:38:24 PM
Please try this: Download and install Microsoft Security Essentials and activate it. Next, disable your Norton AV and try running MSE as your AV for a few days and see if the problem goes away.

Microsoft Security Essentials for Windows Vista\Windows 7 (http://majorgeeks.com/Microsoft_Security_Essentials_for_Windows_VistaWindows_7_d6242.html) - 64 bit Download (http://majorgeeks.com/downloadget.php?id=6242&file=5&evp=9112d44b71f157fc5d7fcd7724b088ca)
 Microsoft Security Essentials for Windows XP (http://www.microsoft.com/security_essentials/)
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 13, 2012, 09:29:44 PM
Ok, I'll install it and update you either Monday or Tuesday.
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 14, 2012, 11:01:12 AM
Quote
Ok, I'll install it and update you either Monday or Tuesday.
I'll be watching for it.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 16, 2012, 12:01:05 PM
MSE didn't make any difference.  The problem occurred as soon as I had MSE up and tried browsing.  I am back on Norton now.
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 16, 2012, 12:48:21 PM
Run the BitDefender Online scanner (http://www.bitdefender.com/scanner/online/free.html)

Agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files.

Once Bitdefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report.

When the window comes up to save the report, change the Save as type: box to:
Text (Tab Delimited) (*.txt), then in the File name box change the name to bdscan and click Save.

This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later).
This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

If you do not follow these steps, you will have an incorrect log or, worse, a log summary which is useless to us.

Post the bdscan.txt file as an Attachment.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 16, 2012, 03:49:44 PM
Dave,
can you give me the best way to attach into a post?

Thanks.
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 16, 2012, 04:23:43 PM
Quote
Dave,
can you give me the best way to attach into a post?

Thanks.
Why can't you copy and paste it?
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 16, 2012, 09:32:51 PM
Bitdefender is not producing the ActiveX control install popup.  It just says Loading Bitdefender Quickscan in red and sits there.  I will try this again tomorrow.

My last question was asked because in my work with vendors, their sites often have an upload facility that allows for documents pertaining to an issue to be attached to the issue, and I didn't see anything like that on this forum.   
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 17, 2012, 11:59:54 AM
Quote
My last question was asked because in my work with vendors, their sites often have an upload facility that allows for documents pertaining to an issue to be attached to the issue, and I didn't see anything like that on this forum.
I would rather see the logs copied and pasted in your reply. I don't want to go looking for them at another site.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 17, 2012, 03:25:52 PM
Slight miscommunication here.  I never said that I was going to locate any logs elsewhere.  I was discussing attachments and how they are attached to issues.

As I said, I will retry the bitdefender when I get home.
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 17, 2012, 04:34:31 PM
Ok, sorry. I'll watch for the log.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 17, 2012, 10:01:54 PM
I reach the point where quickscan prompts for the add-on of qsax.cab, which has a blue background for a short time, then goes to a cream-colored background.  If clicked, it will not give the install menu.  That's as far as I can get.  I tried this a number of times, failing each time.
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 18, 2012, 12:26:09 PM
Ok. Let's try another one.

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives


5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply along with a fresh HijackThis log.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 19, 2012, 07:03:18 AM
Custom scan is what you are looking for.  It is running right now.  When I get home later on today, I will post the results along with a HijackThis report.
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 19, 2012, 11:18:39 AM
I don't need to see HiJackThis log.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 19, 2012, 07:24:14 PM
The link http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html didn't work.  Got a 404.  So, I went to the Kaspersky site and hit the free virus scan link.  The custom scan ran and produced no detected threats, no malicious objects and no applications that showed vulnerabilities, adware or " other " anomalies.  It doesn't create a report, just a display.
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 20, 2012, 11:49:13 AM
Ok. How's your computer working now? Any other issues?
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 20, 2012, 11:59:16 AM
The freezing and hanging are still occurring.  Is there anything to the number of svchost.exe running at the same time?  When I look at Task Manager, I can see six executing at the same time.
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 21, 2012, 11:50:08 AM
Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Columns.
In addition to the already pre-selected options, make sure the Command Line is selected, and press OK.
Go File>Save As, and save the report as Procexp.txt.
Attach the file to your next reply.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 21, 2012, 04:40:45 PM
Process   PID   CPU   Description   Company Name   Command Line
System Idle Process   0   100.00         
System   4            
 Interrupts   n/a   < 0.01   Hardware Interrupts and DPCs      
 smss.exe   768      Windows NT Session Manager   Microsoft Corporation   \SystemRoot\System32\smss.exe
  csrss.exe   824      Client Server Runtime Process   Microsoft Corporation   C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
  winlogon.exe   848      Windows NT Logon Application   Microsoft Corporation   winlogon.exe
   services.exe   892      Services and Controller app   Microsoft Corporation   C:\WINDOWS\system32\services.exe
    svchost.exe   1112      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k DcomLaunch
     wfcrun32.exe   1816      Citrix   Citrix Systems, Inc.   "C:\Program Files\Citrix\ICA Client\wfcrun32.exe" -Embedding
     wmiprvse.exe   2492      WMI   Microsoft Corporation   C:\WINDOWS\system32\wbem\wmiprvse.exe
    svchost.exe   1200      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k rpcss
    svchost.exe   1848      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe   204      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k NetworkService
    svchost.exe   600      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k LocalService
    spoolsv.exe   760      Spooler SubSystem App   Microsoft Corporation   C:\WINDOWS\system32\spoolsv.exe
    svchost.exe   1644      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k LocalService
    SASCore.exe   1728      Core Service   SUPERAntiSpyware.com   "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE"
    jqs.exe   312      Java(TM) Quick Starter Service   Sun Microsystems, Inc.   "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
    LSSrvc.exe   420      LightScribe Service   Hewlett-Packard Company   "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
    LinksysUpdater.exe   536            "C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf"
     java.exe   1980      Java(TM) Platform SE binary   Oracle Corporation   "C:\WINDOWS\system32\java.exe" -Xmx100m -Djava.library.path="../lib" -classpath "../lib/agent-2.5.8318.2077.jar;../lib/wrapper.jar;../lib/commons-lang-2.3.jar;../lib/commons-logging-1.1.jar;../lib/spring-2.0.6.jar;../lib/spring-ws-core-1.0.2.jar;../lib/spring-xml-1.0.2.jar;../lib/jdom-1.0.jar;../lib/jaxen-1.1.1.jar;../lib/xpp3_min-1.1.3.4.O.jar;../lib/xstream-1.2.2.jar" -Dwrapper.key="KXkElE5tty3F0CbB" -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=536 -Dwrapper.version="3.2.3" -Dwrapper.native_library="wrapper" -Dwrapper.service="TRUE" -Dwrapper.cpu.timeout="10" -Dwrapper.jvmid=1 com.linksys.agent.Main
    ccSvcHst.exe   1940      Symantec Service Framework   Symantec Corporation   "C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton 360\Engine\5.1.0.29\diMaster.dll" /prefetch:1
     ccSvcHst.exe   2308      Symantec Service Framework   Symantec Corporation   "C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe" /c /a /s UserSession
    RichVideo.exe   2148      RichVideo Module      "C:\Program Files\CyberLink\Shared Files\RichVideo.exe"
    vmware-usbarbitrator.exe   2916      VMware USB Arbitration Service   VMware, Inc.   "C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe"
    searchindexer.exe   3080      Microsoft Windows Search Indexer   Microsoft Corporation   C:\WINDOWS\system32\SearchIndexer.exe /Embedding
    nmsrvc.exe   3188      Pure Networks Platform Service   Cisco Systems, Inc.   "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"
    vmware-authd.exe   3452      VMware Authorization Service   VMware, Inc.   "C:\Program Files\VMware\VMware Player\vmware-authd.exe"
    alg.exe   3120      Application Layer Gateway Service   Microsoft Corporation   C:\WINDOWS\System32\alg.exe
   lsass.exe   904      LSA Shell (Export Version)   Microsoft Corporation   C:\WINDOWS\system32\lsass.exe
   taskmgr.exe   3868      Windows TaskManager   Microsoft Corporation   taskmgr.exe
explorer.exe   1560      Windows Explorer   Microsoft Corporation   C:\WINDOWS\Explorer.EXE
 RTHDCPL.EXE   1304      Realtek HD Audio Control Panel   Realtek Semiconductor Corp.   "C:\WINDOWS\RTHDCPL.EXE"
 RoxWatchTray10.exe   1452      RoxMMTrayApp Module   Sonic Solutions   "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
  CPSHelpRunner10.exe   1148      ROXHelpRunner Module   Sonic Solutions   "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe" Local\{B5C5AE51-F57E-48B4-ADD8-1F440EF4FD87}
 PDVDServ.exe   1460      PowerDVD RC Service   Cyberlink Corp.   "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
 nmctxth.exe   1284      Pure Networks Platform Assistant   Cisco Systems, Inc.   "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
 IBurn.exe   1544      InstantBurn UDF Tool   CyberLink Corporation.   "C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe"
 DMXLauncher.exe   868            "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
 concentr.exe   1500      Citrix online plug-in Connection Center   Citrix Systems, Inc.   "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
 CLMLSvc.exe   1724      CyberLink MediaLibray Service   CyberLink   "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
 jusched.exe   1964      Java(TM) Update Scheduler   Sun Microsystems, Inc.   "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
 ctfmon.exe   1988      CTF Loader   Microsoft Corporation   "C:\WINDOWS\system32\ctfmon.exe"
 WindowsSearch.exe   2432      Windows Search System Tray   Microsoft Corporation   "C:\Program Files\Windows Desktop Search\WindowsSearch.exe"  /startup
 iexplore.exe   3964      Internet Explorer   Microsoft Corporation   "C:\Program Files\Internet Explorer\iexplore.exe"
  iexplore.exe   1008      Internet Explorer   Microsoft Corporation   "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3964 CREDAT:79889
 procexp.exe   2472      Sysinternals Process Explorer   Sysinternals - www.sysinternals.com   "C:\Documents and Settings\david cox\Local Settings\Temporary Internet Files\Content.IE5\5BDKUUF3\ProcessExplorer[1]\procexp.exe"

Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 21, 2012, 08:01:47 PM
Quote
svchost.exe   1112      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe   1200      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k rpcss
svchost.exe   1848      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe   204      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k NetworkService
svchost.exe   600      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k LocalService
svchost.exe   1644      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k LocalService

As you can see, all the svchost.exe are running legit processes. I noticed this in your DDS log.

Code:
1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.

This has occurred a number of times. Could you check your Device Manager to see if there are any yellow alerts? How much RAM do you have?
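The question a few posts up (whether six svchost.exe instances is suspicious) and the Process Explorer listing that answers it can be turned into a repeatable check. The script below is an added example, not code from this thread or from Sysinternals: it parses the tab-delimited text that Process Explorer's File > Save As writes (the indentation of the Process column encodes the process tree) and, for every svchost.exe, checks that the image lives in %SystemRoot%\System32, that it was started with a -k service group, and that its parent is services.exe. The six instances quoted above satisfy all three. The sample input is abridged from the listing posted earlier, plus one constructed decoy entry (the PID 3999 line and its path are made up for illustration); the expected directory and the three rules are my assumptions about what "legit" means here, not the forum's or the tool's.

```python
"""Triage svchost.exe entries in a Process Explorer text export.

Added example (not from the thread). Assumes the export is tab-delimited
with the tree depth encoded as leading spaces in the Process column.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: on XP the only legitimate home of svchost.exe is System32.
EXPECTED_DIRS = {r"c:\windows\system32"}
SVCHOST_GROUP_RE = re.compile(r"\s-k\s+(\S+)", re.IGNORECASE)


@dataclass
class Proc:
    name: str
    pid: int
    depth: int
    cmdline: str
    parent: Optional["Proc"] = None


def parse_procexp(text: str):
    """Parse the export into Proc records, linking parents via indentation."""
    procs, stack = [], []  # stack holds (depth, Proc) of open tree branches
    for line in text.splitlines():
        if not line.strip() or line.startswith("Process\t"):
            continue  # skip blanks and the header row
        cols = line.split("\t")
        name_field = cols[0]
        depth = len(name_field) - len(name_field.lstrip(" "))
        pid = int(cols[1]) if cols[1].strip().isdigit() else -1
        cmdline = cols[5].strip() if len(cols) > 5 else ""
        while stack and stack[-1][0] >= depth:
            stack.pop()  # siblings and deeper branches are closed
        parent = stack[-1][1] if stack else None
        proc = Proc(name_field.strip(), pid, depth, cmdline, parent)
        procs.append(proc)
        stack.append((depth, proc))
    return procs


def image_path(cmdline: str) -> str:
    """Return the executable path from a command line (quoted or bare)."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def check_svchost(p: Proc):
    """Return a list of findings; an empty list means the entry looks legit."""
    findings = []
    path = image_path(p.cmdline).lower()
    directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
    if directory not in EXPECTED_DIRS:
        findings.append(f"image path {path!r} is not %SystemRoot%\\System32")
    if not SVCHOST_GROUP_RE.search(p.cmdline):
        findings.append("no -k service group on the command line")
    parent_name = p.parent.name.lower() if p.parent else "<none>"
    if parent_name != "services.exe":
        findings.append(f"parent is {parent_name}, expected services.exe")
    return findings


def triage(text: str):
    """Map each svchost.exe PID to its findings."""
    return {p.pid: check_svchost(p)
            for p in parse_procexp(text) if p.name.lower() == "svchost.exe"}


# Sample input: abridged from the listing posted in the thread, plus one
# CONSTRUCTED decoy (PID 3999) to show what a finding looks like.
SAMPLE = "\n".join([
    "Process\tPID\tCPU\tDescription\tCompany Name\tCommand Line",
    "System Idle Process\t0\t100.00\t\t\t",
    "System\t4\t\t\t\t",
    " smss.exe\t768\t\tWindows NT Session Manager\tMicrosoft Corporation\t\\SystemRoot\\System32\\smss.exe",
    "  winlogon.exe\t848\t\tWindows NT Logon Application\tMicrosoft Corporation\twinlogon.exe",
    "   services.exe\t892\t\tServices and Controller app\tMicrosoft Corporation\tC:\\WINDOWS\\system32\\services.exe",
    "    svchost.exe\t1112\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation\tC:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch",
    "     wmiprvse.exe\t2492\t\tWMI\tMicrosoft Corporation\tC:\\WINDOWS\\system32\\wbem\\wmiprvse.exe",
    "    svchost.exe\t1200\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation\tC:\\WINDOWS\\system32\\svchost.exe -k rpcss",
    "    svchost.exe\t1848\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation\tC:\\WINDOWS\\System32\\svchost.exe -k netsvcs",
    "    svchost.exe\t204\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation\tC:\\WINDOWS\\System32\\svchost.exe -k NetworkService",
    "    svchost.exe\t600\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation\tC:\\WINDOWS\\system32\\svchost.exe -k LocalService",
    "    svchost.exe\t1644\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation\tC:\\WINDOWS\\System32\\svchost.exe -k LocalService",
    "   lsass.exe\t904\t\tLSA Shell (Export Version)\tMicrosoft Corporation\tC:\\WINDOWS\\system32\\lsass.exe",
    "explorer.exe\t1560\t\tWindows Explorer\tMicrosoft Corporation\tC:\\WINDOWS\\Explorer.EXE",
    # constructed decoy: wrong directory, no -k group, parent is explorer.exe
    " svchost.exe\t3999\t\tGeneric Host Process\t\t\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe\"",
])


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE).items():
        print(pid, "OK" if not findings else "; ".join(findings))
```

The three rules are deliberately structural (location, launch arguments, parent) so they work from a saved listing rather than a live system; on a live box, Process Explorer's own Verify column (signature check) is the stronger test, and an instance that fails any rule is worth a closer look rather than automatically malicious.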
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 21, 2012, 09:18:01 PM
448M of RAM.

Device manager showed Display Adapter in a disabled state.  I enabled it.  Checked for more current drivers, but it said it was current.  I will be going to ati.com later in the morning to see if there is anything out on their website that would reference hanging or freezing.

Problem happening occasionally tonight.  Page file usage is up to 1.25 G and climbing.  I will have to get off here soon and reboot.  Let you know tomorrow if I find anything on ati.com. 

Thanks again for your help.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 23, 2012, 09:32:48 AM
Ran Driver Detective and found some out-of-date drivers.  I am in the process of completing these updates which I will probably complete when I get home tonight.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 24, 2012, 07:51:22 AM
Installed the drivers.  The original problem still exists.
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 24, 2012, 04:44:38 PM
Please try this: While you're operating the computer start the Task Manager and leave it on. CTRL, ALT, Delete will start it. You will notice a small dark green screen in the bottom, right corner of the screen. When the usage gets close to 100% it will turn a bright green color. That's usually when it will hang. Check the process which is causing the highest usage. You can toggle between the least and the most by clicking Mem usage. Please make note of the process. Do this over a period of days and see if it's the same process each time.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 24, 2012, 05:16:42 PM
Thanks Dave.  Yes, I have been using Task Manager since the start of this problem. Sometimes, if I start it, the startup of it will cause the PC to un-freeze.  The app that is usually with the most mem usage is IE.  Times I can see Page File usage from this display at over 1 Gig.  Sometimes, the Norton executables will be up high on the mem usage display, usually just under IE.  This is IE 8 by the way.  I will track and see if there are any differences to what I am used to seeing.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 27, 2012, 09:09:06 PM
I have been monitoring through Task Manager.  Here's the short list ( no order here ):

RTHDCPL.EXE - Realtek
IEXPLORE.EXE
CCSVCHST.EXE - Norton
SVCHOST.EXE
WUAUCLT.EXE - Win Update
The three searchindex tasks.  I turned off WSEARCH.

Do I need to have a Windows Update task running ?

I sent an email to Realtek Support regarding their executable.   
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 28, 2012, 12:00:25 PM
Quote
Do I need to have a Windows Update task running ?
Not necessarily, but you will have to set yourself a schedule to go and check for your updates.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe)
Link 2 (http://ad13.geekstogo.com/MBRCheck.exe)
Link 3 (http://www.kernelmode.info/MBRCheck.exe)

•Double-click on MBRCheck.exe to run it.

•It will open a black window...please do not fix anything (if it gives you an option).

•When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.

•A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
•Please copy and paste the contents of that log in your next reply.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 28, 2012, 07:35:34 PM
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:         
Windows Version:      Windows XP Professional
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x0000000c

Kernel Drivers (total 142):
  0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
  0x806D1000 \WINDOWS\system32\hal.dll
  0xF7B76000 \WINDOWS\system32\KDCOM.DLL
  0xF7A86000 \WINDOWS\system32\BOOTVID.dll
  0xF7547000 ACPI.sys
  0xF7B78000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
  0xF7536000 pci.sys
  0xF7676000 isapnp.sys
  0xF7C3E000 pciide.sys
  0xF78F6000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
  0xF7686000 MountMgr.sys
  0xF7517000 ftdisk.sys
  0xF7B7A000 dmload.sys
  0xF74F1000 dmio.sys
  0xF78FE000 PartMgr.sys
  0xF7696000 VolSnap.sys
  0xF74D9000 atapi.sys
  0xF76A6000 disk.sys
  0xF76B6000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
  0xF74B9000 fltmgr.sys
  0xF7462000 SYMDS.SYS
  0xF7450000 sr.sys
  0xF7395000 SYMEFA.SYS
  0xF76C6000 PxHelp20.sys
  0xF737E000 KSecDD.sys
  0xF72F1000 Ntfs.sys
  0xF72C4000 NDIS.sys
  0xF72AA000 Mup.sys
  0xF7736000 \SystemRoot\System32\DRIVERS\intelppm.sys
  0xF4EAC000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
  0xF4E98000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
  0xF793E000 \SystemRoot\System32\DRIVERS\usbohci.sys
  0xF4E74000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
  0xF7946000 \SystemRoot\System32\DRIVERS\usbehci.sys
  0xF7756000 \SystemRoot\System32\DRIVERS\imapi.sys
  0xF7766000 \SystemRoot\System32\DRIVERS\cdrom.sys
  0xF7776000 \SystemRoot\System32\DRIVERS\redbook.sys
  0xF4E51000 \SystemRoot\System32\DRIVERS\ks.sys
  0xF795E000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
  0xF4E29000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
  0xF7786000 \SystemRoot\System32\DRIVERS\i8042prt.sys
  0xF796E000 \SystemRoot\System32\DRIVERS\kbdclass.sys
  0xF797E000 \??\C:\WINDOWS\system32\drivers\VMkbd.sys
  0xF7986000 \SystemRoot\System32\DRIVERS\mouclass.sys
  0xF4DF3000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
  0xF4CF5000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
  0xF4C49000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
  0xF79A6000 \SystemRoot\System32\Drivers\Modem.SYS
  0xF4C29000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
  0xF7D68000 \SystemRoot\System32\DRIVERS\audstub.sys
  0xF7796000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
  0xF7B22000 \SystemRoot\System32\DRIVERS\ndistapi.sys
  0xF4C12000 \SystemRoot\System32\DRIVERS\ndiswan.sys
  0xF77A6000 \SystemRoot\System32\DRIVERS\raspppoe.sys
  0xF77B6000 \SystemRoot\System32\DRIVERS\raspptp.sys
  0xF79CE000 \SystemRoot\System32\DRIVERS\TDI.SYS
  0xF4C01000 \SystemRoot\System32\DRIVERS\psched.sys
  0xF77C6000 \SystemRoot\System32\DRIVERS\msgpc.sys
  0xF79DE000 \SystemRoot\System32\DRIVERS\ptilink.sys
  0xF79EE000 \SystemRoot\System32\DRIVERS\raspti.sys
  0xF4B31000 \SystemRoot\System32\DRIVERS\rdpdr.sys
  0xF77D6000 \SystemRoot\System32\DRIVERS\termdd.sys
  0xF7B8A000 \SystemRoot\System32\DRIVERS\swenum.sys
  0xF4AD3000 \SystemRoot\System32\DRIVERS\update.sys
  0xF7B46000 \SystemRoot\System32\DRIVERS\mssmbios.sys
  0xF7B4A000 \SystemRoot\system32\DRIVERS\vmnetadapter.sys
  0xF7B4E000 \SystemRoot\system32\DRIVERS\VMNET.SYS
  0xF77E6000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xF7816000 \SystemRoot\System32\DRIVERS\usbhub.sys
  0xF7B90000 \SystemRoot\System32\DRIVERS\USBD.SYS
  0xF037C000 \SystemRoot\system32\drivers\RtkHDAud.sys
  0xF0330000 \SystemRoot\system32\drivers\portcls.sys
  0xF7836000 \SystemRoot\system32\drivers\drmk.sys
  0xF4AC7000 \SystemRoot\System32\Drivers\CLBStor.SYS
  0xF7B96000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xF7DBB000 \SystemRoot\System32\Drivers\Null.SYS
  0xF7B9A000 \SystemRoot\System32\Drivers\Beep.SYS
  0xF7A6E000 \SystemRoot\System32\drivers\vga.sys
  0xF7B9E000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xF7BA2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xF7A7E000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xF7936000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xF4ABF000 \SystemRoot\System32\DRIVERS\rasacd.sys
  0xF02D5000 \SystemRoot\system32\DRIVERS\ipsec.sys
  0xF027C000 \SystemRoot\System32\DRIVERS\tcpip.sys
  0xF01FB000 \SystemRoot\system32\drivers\N360\0501000.01D\SYMTDI.SYS
  0xF01D5000 \SystemRoot\System32\DRIVERS\ipnat.sys
  0xF7846000 \SystemRoot\System32\DRIVERS\wanarp.sys
  0xF01AF000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
  0xF0154000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120126.003\IDSxpx86.sys
  0xF012C000 \SystemRoot\System32\DRIVERS\netbt.sys
  0xF0378000 \SystemRoot\System32\drivers\ws2ifsl.sys
  0xF010A000 \SystemRoot\System32\drivers\afd.sys
  0xF7856000 \SystemRoot\System32\DRIVERS\netbios.sys
  0xF0046000 \SystemRoot\system32\drivers\N360\0501000.01D\Ironx86.SYS
  0xF7876000 \SystemRoot\system32\drivers\N360\0501000.01D\SRTSPX.SYS
  0xF0024000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
  0xF798E000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
  0xEFFF9000 \SystemRoot\System32\DRIVERS\rdbss.sys
  0xEFF89000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
  0xF7886000 \SystemRoot\System32\Drivers\Fips.SYS
  0xEFF2B000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
  0xEFF0D000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
  0xEFEF9000 \SystemRoot\system32\DRIVERS\ctxusbm.sys
  0xEFE2D000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120121.002\BHDrvx86.sys
  0xF78C6000 \SystemRoot\System32\Drivers\Cdfs.SYS
  0xEFDB5000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0xF7BB6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xF7B2A000 \SystemRoot\System32\drivers\Dxapi.sys
  0xF79C6000 \SystemRoot\System32\watchdog.sys
  0xBF000000 \SystemRoot\System32\drivers\dxg.sys
  0xF7D67000 \SystemRoot\System32\drivers\dxgthk.sys
  0xBF012000 \SystemRoot\System32\ati2dvag.dll
  0xBF065000 \SystemRoot\System32\ati2cqag.dll
  0xBF0FE000 \SystemRoot\System32\atikvmag.dll
  0xBF182000 \SystemRoot\System32\atiok3x2.dll
  0xBF1CD000 \SystemRoot\System32\ati3duag.dll
  0xBF572000 \SystemRoot\System32\ativvaxx.dll
  0xBF9C6000 \SystemRoot\System32\ATMFD.DLL
  0xED86C000 \SystemRoot\System32\Drivers\CLBUDF.SYS
  0xED85B000 \SystemRoot\System32\Drivers\Udfs.SYS
  0xF79FE000 \SystemRoot\system32\DRIVERS\vmnetbridge.sys
  0xED8AB000 \SystemRoot\System32\DRIVERS\ndisuio.sys
  0xF7A06000 \SystemRoot\system32\DRIVERS\pnarp.sys
  0xF7A0E000 \SystemRoot\system32\DRIVERS\purendis.sys
  0xED526000 \SystemRoot\system32\drivers\wdmaud.sys
  0xF007A000 \SystemRoot\system32\drivers\sysaudio.sys
  0xED2C9000 \SystemRoot\System32\DRIVERS\mrxdav.sys
  0xED37E000 \??\C:\WINDOWS\system32\drivers\hcmon.sys
  0xED35E000 \??\C:\WINDOWS\system32\Drivers\vmci.sys
  0xED1FA000 \??\C:\WINDOWS\system32\Drivers\vmx86.sys
  0xF7A36000 \??\C:\Program Files\ASTRA32\ASTRA32.sys
  0xECEAA000 \SystemRoot\System32\DRIVERS\srv.sys
  0xED1B2000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
  0xF7A66000 \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys
  0xECD21000 \??\C:\Program Files\VMware\VMware Player\vstor2-ws60.sys
  0xEC5D4000 \SystemRoot\system32\drivers\N360\0501000.01D\SRTSP.SYS
  0xEBF9A000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120128.009\NAVEX15.SYS
  0xEBF86000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120128.009\NAVENG.SYS
  0xEBF5B000 \SystemRoot\system32\drivers\kmixer.sys
  0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
       0 System Idle Process
       4 System
     764 C:\WINDOWS\system32\smss.exe
     812 csrss.exe
     844 C:\WINDOWS\system32\winlogon.exe
     888 C:\WINDOWS\system32\services.exe
     900 C:\WINDOWS\system32\lsass.exe
    1072 C:\WINDOWS\system32\ati2evxx.exe
    1092 C:\WINDOWS\system32\svchost.exe
    1180 svchost.exe
    1844 C:\WINDOWS\system32\svchost.exe
     184 C:\WINDOWS\system32\ati2evxx.exe
     296 svchost.exe
     620 svchost.exe
     804 C:\WINDOWS\system32\spoolsv.exe
    1588 C:\WINDOWS\explorer.exe
    1780 svchost.exe
    1904 C:\Program Files\SUPERAntiSpyware\SASCore.exe
     508 C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
     516 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
     572 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
     644 C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
    1264 C:\Program Files\Citrix\ICA Client\concentr.exe
    1348 C:\Program Files\Java\jre6\bin\jqs.exe
    1540 C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
     316 C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    1256 C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    2008 C:\WINDOWS\system32\java.exe
    2012 C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
     432 C:\Program Files\Common Files\Java\Java Update\jusched.exe
     632 C:\WINDOWS\RTHDCPL.EXE
    1816 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    2088 C:\WINDOWS\system32\ctfmon.exe
    2592 C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
    2780 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    3756 C:\Program Files\VMware\VMware Player\vmware-authd.exe
    3368 C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
    2472 alg.exe
    1988 C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
    4048 C:\Program Files\Internet Explorer\iexplore.exe
    3776 C:\Program Files\Internet Explorer\iexplore.exe
    2352 C:\Documents and Settings\david cox\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)

PhysicalDrive0 Model Number: ST3120213AS, Rev: 3.AHL   

      Size  Device Name          MBR Status
  --------------------------------------------
    111 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
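The MBRCheck output above ends by reporting where C: starts on PhysicalDrive0 (offset 0x7e00, i.e. sector 63) and a hash of the MBR code. The following is an added example, written for this page and not MBRCheck's code nor anything the poster ran, showing the checks behind such a report: validate the 0x55AA boot signature, decode the partition table to recover that byte offset, and hash the boot-code region so it can be compared with a baseline taken from a known-clean machine. Assumptions not stated on the page: the classic MBR layout (boot code in bytes 0..439, disk signature and reserved bytes in 440..445, four 16-byte partition entries in 446..509, signature in 510..511); the choice to hash bytes 0..439, so the digest is not comparable to the log's value; and a constructed sample sector whose boot-code bytes are placeholders.

```python
"""
Added example (not from the thread or from MBRCheck): parse a 512-byte master
boot record, verify the 0x55AA boot signature, decode the partition table, and
hash the boot-code region so it can be compared with a known-clean baseline.

Assumptions (not stated on the page):
  - classic MBR layout: boot code in bytes 0..439, disk signature and two
    reserved bytes in 440..445, four 16-byte partition entries in 446..509,
    signature 0x55AA in 510..511;
  - hashing bytes 0..439 is my choice of region; the page does not say which
    bytes MBRCheck hashes, so the digest here is not comparable to the log's;
  - the sample MBR is constructed, with placeholder boot-code bytes; only its
    partition table is meaningful.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_CODE_LEN = 440            # assumption: region covered by the baseline hash
BOOT_SIGNATURE = b"\x55\xAA"


def read_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw device or a disk image (raw device access needs Administrator)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries; raises ValueError if the sector is malformed."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_SIZE,   # what the log reports as "at offset"
        })
    return entries


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 of the boot-code region only; the partition table is deliberately excluded."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(mbr: bytes, baseline_sha1: str = None) -> dict:
    """Summarise an MBR: used partition entries, boot-code digest, baseline match."""
    used = [p for p in parse_partition_table(mbr) if p["type"] != 0]
    digest = boot_code_sha1(mbr)
    return {
        "partitions": used,
        "boot_code_sha1": digest,
        "matches_baseline": baseline_sha1 is None or digest == baseline_sha1.upper(),
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS (type 0x07) partition starting at
    LBA 63, i.e. byte offset 0x7e00, the layout the log above shows for C:."""
    code = bytes(range(256)) + bytes(range(184))          # placeholder, not real boot code
    sig_and_reserved = b"\x00" * 6
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                        63, 234436482)                      # sector count is constructed
    table = entry + b"\x00" * 48                            # three unused entries
    return code + sig_and_reserved + table + BOOT_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = boot_code_sha1(sample)        # the value you would store from a clean machine
    report = check_mbr(sample, baseline)
    for p in report["partitions"]:
        print("partition %d: type 0x%02X, LBA %d, offset 0x%x, bootable=%s" % (
            p["index"], p["type"], p["lba_start"], p["byte_offset"], p["bootable"]))
    print("boot-code SHA1:", report["boot_code_sha1"],
          "baseline match:", report["matches_baseline"])
```

Two points a practitioner should keep in mind. Hashing only the code region means a rewritten partition table is not caught by the digest, which is why a tool reports both the hash and the partition layout; the test below changes the LBA of the first entry and shows the hash is unchanged. And a sector read through the running OS can be lied to by a bootkit that hooks disk I/O and hands back a clean copy, so a digest that matches on the live system is stronger evidence when it also matches a read taken from offline boot media.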
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 29, 2012, 12:15:20 PM
I can't find any malware that would be causing this problem. The only thing I can suggest is to keep Task Manager open and when it freezes, try to see which process is causing it and stop the process to see if it will correct the problem.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 30, 2012, 07:11:45 PM
Thanks Dave.  Got me stumped here too.  As far as keeping an eye on things through Task Manager, sure, if it is IE 8, then I will kill it if the CPU% doesn't go down after a while.  I hesitate to do the same with svchost.exe, but I suppose it won't do any harm.  Norton tasks are a little less intense, so I just usually leave them alone.   

Any suggestions on where to go from this point?  If you were to have any other recommendations, I would be happy to follow through.
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 30, 2012, 07:35:25 PM
Quote
I hesitate to do the same with svchost.exe, but I suppose it won't do any harm.
It won't do any harm.
Quote
Any suggestions on where to go from this point?  If you were to have any other recommendations, I would be happy to follow through.
The only thing I could suggest at this point is to start a new thread in one of the software forums.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 30, 2012, 08:45:06 PM
I will.  Thanks much for all your help in trying to find the cause of this problem.  I appreciate it!
Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on January 31, 2012, 11:55:31 AM
Quote
I will.  Thanks much for all your help in trying to find the cause of this problem.  I appreciate it!
I'll leave this thread unlocked so you can come back to let me know how things turn out.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on January 31, 2012, 01:00:24 PM
I will.  Thanks.
Title: Re: XP PC Hanging, Freezing
Post by: dc4580 on March 10, 2012, 05:31:28 AM
Hi Dave,
Quick update to run down what I have gone through in the last month or so:

1.)  Ran a number of different scans which didn't find anything malicious.
2.)  Ran through an XP repair, which helped, but didn't get rid of the hang.
3.)  Added RAM so that I am now at just under 2Gig.  Made quite a noticeable difference in response, but again didn't get rid of the hang.
4.)  Replaced a DVD drive, which took those CD ROM errors out of the mix, but didn't get rid of the hang.
5.)  Removed VMWare from my PC ( around 500 files and registry entries ).  That was done using IOBIT.Uninstaller.  I recommend that one for stubborn stuff.  The removal of VMWare seems to be what removed the hangs and freezes. 

So, as you can see, it wasn't AV or any one particular thing, but a combination of things happening over time, some of which I believe we had discussed, like the RAM and hardware. 

My PC is now very clean, and response is very good.  I hope to keep it that way for a while.  I intend to do a hardware and software refresh in about a year or so.
     
I just wanted to let you know the status now, and say thanks for getting me on the right path here.  I appreciate all your help.  Thank you very much.  If you want to close out this issue, I would be fine with that.


DC4580.

Title: Re: XP PC Hanging, Freezing
Post by: SuperDave on March 10, 2012, 11:14:25 AM
You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.