
Author Topic: Background process almost brings computer to a halt  (Read 26349 times)


Dronfieldman

    Topic Starter


    Beginner

    Background process almost brings computer to a halt
    « on: February 05, 2011, 11:17:25 AM »
    My PC has a background process running for a while each day which almost brings the computer to a standstill. I've discussed this with Advisors in the Windows XP section of this forum (the post has the same Subject as that used for this thread). The outcome of the dialogue there was that the problem was probably caused by malware and they advised me to pursue the matter in this section.

    Superantispyware Scan Log

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/05/2011 at 04:43 PM

    Application Version : 4.48.1000

    Core Rules Database Version : 6348
    Trace Rules Database Version: 4160

    Scan type       : Complete Scan
    Total Scan Time : 01:47:05

    Memory items scanned      : 586
    Memory threats detected   : 0
    Registry items scanned    : 9655
    Registry threats detected : 0
    File items scanned        : 148345
    File threats detected     : 4

    Adware.Tracking Cookie
       C:\Documents and Settings\Administrator\Cookies\administrator@adtech[1].txt
       C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
       C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
       C:\Documents and Settings\Administrator\Cookies\administrator@adviva[1].txt

    Malwarebytes log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    05/02/2011 17:21:35
    mbam-log-2011-02-05 (17-21-35).txt

    Scan type: Quick scan
    Objects scanned: 119924
    Time elapsed: 5 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    HijackThis log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 17:39:34, on 05/02/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\BLIMP\wrapper.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Java\jre1.6.0_15\bin\java.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
    C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com/portal/site/skycom/home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=374
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.wanadoo.co.uk:8080;ftp=http://www-cache.wanadoo.co.uk:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;tests;<local>
    R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\IPS\IPSBHO.DLL
    O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Norton Safe Web Lite BHO - {F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\coIEPlg.dll
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\WINDOWS\system32\WSBar.dll
    O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Norton Safe Web Lite - {30CEEEA2-3742-40e4-85DD-812BF1CBB83D} - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\coIEPlg.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ImageMixer 3 SE Camera Monitor for SD.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O8 - Extra context menu item: Search with Wanadoo - res://C:\WINDOWS\system32\WSBar.dll/VSearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} (PhotoboxPhotowaysUploader5 Control) - http://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20091113165757
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://extranet.xansa.com/,DanaInfo=eurmail01,CT=java+iNotes.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147547209312
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168293326359
    O16 - DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} (IBM Lotus iNotes 8.5 Control) - https://extranet2.steria.co.uk/,DanaInfo=mailxone.xansa.com,CT=java+dwa85W.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371110.cab
    O16 - DPF: {BA3BAF69-72B1-4BCE-BE96-A4D304EAFBB4} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BLIMP TestBot (blimptestbot) - Unknown owner - C:\Program Files\BLIMP\wrapper.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Update Service (gupdate1c9aaffb3322e44) (gupdate1c9aaffb3322e44) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Norton Safe Web Lite (NSL) - Symantec Corporation - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 14576 bytes

    As can be seen, SUPERAntiSpyware and Malwarebytes did find and remove suspect items. Do you think this is sufficient to cure the problem or, if not, can you please advise what else I need to do? Please note that the last log was produced by running HijackThis, as per the instructions in this forum; however, I'm not sure whether that was the correct thing to do or whether I should have used sniper to produce the log. If the latter, please advise and I'll rerun it.




    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Experience: Expert
    • OS: Windows 10
    Re: Background process almost brings computer to a halt
    « Reply #1 on: February 06, 2011, 01:21:55 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    ***************************************
    I strongly recommend that you remove Ask from your computer because it:

    •Promotes its toolbars on sites targeted to kids.

    •Promotes its toolbars through ads that appear to be part of other companies' sites.

    •Promotes its toolbars through other companies' spyware.

    •Installs without any disclosure whatsoever and without any consent whatsoever.

    •Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

    •Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

    See Here for more info.

    If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

    AskBarDis or anything related to Ask

    Then please find and delete this folder in bold (if present):
    C:\Program Files\AskBarDis, or anything related to Ask.
    ********************************************************
    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe"  -osboot
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.
    ******************************************

    You're running an old version of MBAM. Please do this:

    Re-run MBAM:

    Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.
    ***************************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    *****************************************
    Please download ComboFix from BleepingComputer.com

    Alternate link: GeeksToGo.com

    and save it to your Desktop.
    If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
    Double click ComboFix.exe & follow the prompts.
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

    If you have problems with ComboFix usage, see How to use ComboFix
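The HijackThis fix list in the reply above is picked by hand, but the first pass can be scripted: entries whose target file is gone (the "(no file)" and "(file missing)" lines selected above), a Winlogon UserInit value that is not the stock one, services with no publisher information, and anything loading from the Ask toolbar directory the reply recommends removing. The following Python is an added example for this page; it is not HijackThis code and not something posted in the thread. The sample lines are copied from entry kinds in the posted log, the watchlist directory is an assumption, and the hooked UserInit line with `example-hook.exe` is hypothetical.

```python
"""Triage a HijackThis v2 log with a few mechanical rules.

Added example for this page; it is not HijackThis code and not something
posted in the thread. It flags: entries whose target file is gone, a
Winlogon UserInit value that is not the stock one, services with no
publisher information, and anything loading from a watchlisted directory.
"""
import re

# Constructed sample in HijackThis v2.0.4 log format: a subset of the
# entry kinds that appear in the posted log, not the full log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe"  -osboot
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
"""

# Hypothetical hooked UserInit line (example-hook.exe does not appear on the
# page). A trailing comma plus an extra executable is how Winlogon is made
# to chain another program at logon.
SAMPLE_HIJACKED_USERINIT = (
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"
    r"C:\WINDOWS\system32\example-hook.exe"
)

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Stock XP value is the userinit.exe path; the registry stores a trailing
# comma, which HijackThis omits in its F2 line, so accept both forms.
USERINIT_OK = re.compile(r"^C:\\WINDOWS\\system32\\userinit\.exe,?$", re.IGNORECASE)

# Directories whose contents the reply recommends removing. The list is an
# assumption for the example; extend it with whatever you treat as unwanted.
WATCHLIST_DIRS = ("\\AskBarDis\\",)

ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Return [(section, body), ...] for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return [(section, reason, body), ...]; one tuple per rule that fires."""
    findings = []
    for section, body in parse_hjt(text):
        lower = body.lower()
        if any(marker in lower for marker in ORPHAN_MARKERS):
            findings.append((section, "orphaned entry: target file missing", body))
        if section == "F2" and "userinit=" in lower:
            value = body.split("=", 1)[1].strip()
            if not USERINIT_OK.match(value):
                findings.append((section, "non-default UserInit value", body))
        if any(d.lower() in lower for d in WATCHLIST_DIRS):
            findings.append((section, "loads from watchlisted directory", body))
        if section == "O23" and "unknown owner" in lower:
            findings.append((section, "service with no publisher info", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG + SAMPLE_HIJACKED_USERINIT):
        print(f"[{section}] {reason}: {body}")
```

Orphaned entries are dead registry pointers: nothing executes from them, so fixing them is clean-up rather than disinfection, which is why the reply treats them as safe to tick. Judgement calls such as the RealPlayer update scheduler are not something a rule catches, and an "Unknown owner" service only means the binary carries no publisher string, so both still need a human reading the log.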

    Dronfieldman

      Topic Starter


      Beginner

      Re: Background process almost brings computer to a halt
      « Reply #2 on: February 11, 2011, 03:12:21 AM »
      I tried removing the Ask folder but it said "cannot delete askbar.dll:  Access is denied.".

      I had in fact already run an update to get the latest version of Malwarebytes but have now done it again, as requested.

      MALWAREBYTES LOG:

      Malwarebytes' Anti-Malware 1.50.1.1100
      www.malwarebytes.org

      Database version: 5739

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      11/02/2011 09:40:59
      mbam-log-2011-02-11 (09-40-59).txt

      Scan type: Quick scan
      Objects scanned: 154011
      Time elapsed: 9 minute(s), 32 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 1

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      c:\WINDOWS\REG.REG (Malware.Trace) -> Quarantined and deleted successfully.


      I used link 1 to download Security Check by screen317 but it didn't place a SecurityCheck.zip on the desktop - it placed a SecurityCheck.exe there instead. No Security Check folder appeared. I was not therefore able to follow the instructions in regard to this program.

      I thought I ought not to proceed with ComboFix until you advise what to do with the SecurityCheck.exe, so that I don't do things out of order.

      Incidentally, I confirm that the original problem of a background process running was still occurring prior to my following your latest instructions - sometimes it is accompanied by a 'Win32 Services high memory usage' message (which I think is produced by Norton AV).

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Experience: Expert
      • OS: Windows 10
      Re: Background process almost brings computer to a halt
      « Reply #3 on: February 11, 2011, 04:47:08 PM »
      • Please download AskRemover from here
      • Extract the zip file to your Desktop, then run AskRemover.bat
      • Allow it to run, and select yes to the registry merge prompt
      • Copy and paste the resulting log into your next post.
      ****************************************
      Quote
      I used link 1 to download Security Check by screen317 but it didn't place a SecurityCheck.zip on the desktop - it placed a SecurityCheck.exe there instead. No Security Check folder appeared. I was not therefore able to follow the instructions in regard to this program.
      Please try link 2. If it doesn't work, forget about it and continue with ComboFix.

      Dronfieldman

        Topic Starter


        Beginner

        Re: Background process almost brings computer to a halt
        « Reply #4 on: February 18, 2011, 05:01:26 AM »
        I tried clicking on the AskRemover link but it produced an error panel saying that Internet Explorer could not find the link.

        I tried SecurityCheck by screen317 link 2 but it still put a SecurityCheck.exe on the desktop instead of a zipped file.

        I then ran ComboFix and it produced the following log:

        ComboFix 11-02-17.02 - Administrator 18/02/2011  11:13:57.1.1 - x86
        Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.958.343 [GMT 0:00]
        Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
        AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
        FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\windows\system32\Thumbs.db

        .
        (((((((((((((((((((((((((   Files Created from 2011-01-18 to 2011-02-18  )))))))))))))))))))))))))))))))
        .

        2011-02-05 17:39 . 2011-02-05 17:39   388096   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
        2011-02-05 17:35 . 2011-02-05 17:35   --------   d-----w-   c:\program files\Trend Micro
        2011-02-05 14:46 . 2011-02-05 14:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2011-02-05 14:46 . 2011-02-05 14:46   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
        2011-02-05 14:45 . 2011-02-05 14:46   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2011-02-05 14:20 . 2011-02-05 14:20   --------   d-----w-   c:\program files\CCleaner
        2011-01-30 14:57 . 2011-01-30 14:57   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
        2011-01-21 14:44 . 2011-01-21 14:44   439296   ------w-   c:\windows\system32\dllcache\shimgvw.dll

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2011-01-21 14:44 . 2004-08-04 08:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
        2011-01-07 14:09 . 2004-08-04 08:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
        2011-01-06 19:16 . 2011-01-06 19:16   10832208   ----a-w-   c:\program files\nortonsafeweblite.exe
        2010-12-31 13:10 . 2004-08-04 08:00   1854976   ----a-w-   c:\windows\system32\win32k.sys
        2010-12-22 12:34 . 2004-08-04 08:00   301568   ----a-w-   c:\windows\system32\kerberos.dll
        2010-12-20 23:59 . 2004-08-04 08:00   916480   ----a-w-   c:\windows\system32\wininet.dll
        2010-12-20 23:59 . 2004-08-04 08:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
        2010-12-20 23:59 . 2004-08-04 08:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
        2010-12-20 18:09 . 2009-10-15 10:51   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-12-20 18:08 . 2009-10-15 10:51   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-12-20 17:26 . 2004-08-04 08:00   730112   ----a-w-   c:\windows\system32\lsasrv.dll
        2010-12-20 12:55 . 2004-08-04 08:00   385024   ----a-w-   c:\windows\system32\html.iec
        2010-12-09 15:15 . 2004-08-04 08:00   718336   ----a-w-   c:\windows\system32\ntdll.dll
        2010-12-09 14:30 . 2004-08-04 08:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
        2010-12-09 13:38 . 2004-08-04 08:00   2192768   ----a-w-   c:\windows\system32\ntoskrnl.exe
        2010-12-09 13:07 . 2004-08-04 08:00   2069376   ----a-w-   c:\windows\system32\ntkrnlpa.exe
        2010-12-01 05:24 . 2011-01-07 09:23   368248   ----a-w-   c:\windows\system32\drivers\NAV\1205000.07D\symtdi.sys
        2010-12-01 05:24 . 2011-01-07 09:23   295032   ----a-w-   c:\windows\system32\drivers\NAV\1205000.07D\symnets.sys
        2010-12-01 05:23 . 2011-01-07 09:23   330360   ----a-w-   c:\windows\system32\drivers\NAV\1205000.07D\symtdiv.sys
        2010-11-23 04:08 . 2011-01-07 09:23   509560   ----a-w-   c:\windows\system32\drivers\NAV\1205000.07D\srtsp.sys
        2010-11-23 04:08 . 2011-01-07 09:23   50168   ----a-w-   c:\windows\system32\drivers\NAV\1205000.07D\srtspx.sys
        2010-08-11 14:35 . 2010-08-11 14:35   459696   ----a-w-   c:\program files\sm_dm.exe
        2010-02-19 11:34 . 2010-02-19 11:34   818200   ----a-w-   c:\program files\RealPlayerSPGold.exe
        2009-12-29 15:01 . 2009-12-29 15:00   12951423   ----a-w-   c:\program files\dvdflick_setup_1.3.0.7.exe
        2009-08-01 10:22 . 2009-08-01 10:22   8825808   ----a-w-   c:\program files\DigiGuide-TV-Guide-Setup-w_eyre-sky-com.exe
        2008-03-04 19:06 . 2008-03-04 19:06   2243840   ----a-w-   c:\program files\FoxitReader22_setup.exe
        2007-09-23 21:00 . 2007-09-23 20:59   25755448   ----a-w-   c:\program files\wmp11-windowsxp-x86-enu.exe
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
        "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

        [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
        2008-10-16 18:22   333192   ----a-w-   c:\program files\AskBarDis\bar\bin\askBar.dll

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
        "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

        [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
        [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

        [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
        "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

        [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
        [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-14 68856]
        "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-09 339968]
        "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
        "Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
        "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
        "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
        "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
        "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
        "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
        "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-17 282624]

        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-28 113664]
        ImageMixer 3 SE Camera Monitor for SD.lnk - c:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2009-6-7 253952]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
        @="Driver"

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\Program Files\\Messenger\\msmsgs.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
        "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

        R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\symds.sys [07/01/2011 09:23 340016]
        R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys [07/01/2011 09:23 652336]
        R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [19/01/2011 19:19 691248]
        R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [16/02/2010 19:12 390528]
        R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]
        R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
        R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys [07/01/2011 09:23 136312]
        R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [27/03/2009 23:43 464264]
        R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 13:35 26352]
        R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 13:35 493032]
        R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [07/01/2011 09:23 130000]
        R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe [06/01/2011 19:30 130000]
        R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
        R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/08/2010 14:05 102448]
        R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110217.001\IDSXpx86.sys [18/02/2011 10:17 341944]
        R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\21923\RapportIaso.sys [19/12/2010 15:27 12928]
        S1 RapportKELL;RapportKELL;\??\c:\program files\Trusteer\Rapport\bin\RapportKELL.sys --> c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [?]
        S2 blimptestbot;BLIMP TestBot;c:\program files\BLIMP\wrapper.exe [10/06/2010 09:49 204800]
        S2 gupdate1c9aaffb3322e44;Google Update Service (gupdate1c9aaffb3322e44);c:\program files\Google\Update\GoogleUpdate.exe [22/03/2009 15:05 133104]
        .
        Contents of the 'Scheduled Tasks' folder

        2011-02-18 c:\windows\Tasks\Google Software Updater.job
        - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-09 15:04]

        2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 15:05]

        2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 15:05]

        2011-02-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3099453155-2084809982-284829022-500.job
        - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

        2011-02-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3099453155-2084809982-284829022-500.job
        - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

        2011-02-18 c:\windows\Tasks\User_Feed_Synchronization-{21CAA476-4FB2-4CAA-9859-7E83506EF2D0}.job
        - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.sky.com/portal/site/skycom/home
        uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
        uInternet Settings,ProxyServer = http=hxxp://www-cache.wanadoo.co.uk:8080;ftp=http://www-cache.wanadoo.co.uk:8080
        uInternet Settings,ProxyOverride = hxxp://localhost;tests;<local>
        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
        IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
        IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
        IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
        IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
        IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
        IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
        DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20091113165757
        DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://extranet2.steria.co.uk/,DanaInfo=mailxone.xansa.com,CT=java+dwa85W.cab
        DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371110.cab
        DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game02.zylom.com/activex/zylomgamesplayer.cab
        .
        .
        ------- File Associations -------
        .
        JSEFile=NOTEPAD.EXE %1
        .scr=AutoCADScriptFile
        .
        - - - - ORPHANS REMOVED - - - -

        HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
        AddRemove-BigBrotherTheGame - D:\



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2011-02-18 11:35
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************

        [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
        "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
        --

        [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
        "ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\diMaster.dll\" /prefetch:1"
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_USERS\S-1-5-21-3099453155-2084809982-284829022-500\Software\Microsoft\Internet Explorer\User Preferences]
        @Denied: (2) (Administrator)
        "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
           d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,12,37,eb,2d,02,d2,4b,ae,ce,3a,\
        "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
           d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,12,37,eb,2d,02,d2,4b,ae,ce,3a,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
        @Denied: (A 2) (Everyone)
        @="FlashBroker"
        "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
        "Enabled"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
        @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
        @Denied: (A 2) (Everyone)
        @="IFlashBroker4"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
        @="{00020424-0000-0000-C000-000000000046}"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
        "Version"="1.0"
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(692)
        c:\program files\SUPERAntiSpyware\SASWINLO.DLL
        c:\windows\system32\WININET.dll
        c:\windows\system32\Ati2evxx.dll
        c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
        c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

        - - - - - - - > 'lsass.exe'(748)
        c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
        .
        Completion time: 2011-02-18  11:41:25
        ComboFix-quarantined-files.txt  2011-02-18 11:41

        Pre-Run: 114,737,029,120 bytes free
        Post-Run: 115,140,444,160 bytes free

        WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
        [boot loader]
        timeout=2
        default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
        [operating systems]
        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
        UnsupportedDebug="do not select this" /debug
        multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

        - - End Of File - - 263D0C7F188135CF09670145F4FE02C9
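As an added example (not code from this thread, nor from ComboFix's authors), here is a small Python triage script for the kind of ComboFix log posted above. It pulls out the service, Run-key and Browser Helper Object autostart entries, flags any that load from a watch-listed directory, and reports the registry values that switch off Windows Firewall and Security Center monitoring. The sample log lines are constructed from entries quoted above, not the full log; the watch-list containing `askbardis` is an assumption made for the example.

```python
"""Triage of a ComboFix log: list the autostart entries it reports and flag the
ones that weaken the host's defences or load from a watch-listed path."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied in shape from the ComboFix
# output quoted in this thread (not the complete log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 18:22   333192   ----a-w-   c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-17 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [27/03/2009 23:43 464264]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [07/01/2011 09:23 130000]
S2 blimptestbot;BLIMP TestBot;c:\program files\BLIMP\wrapper.exe [10/06/2010 09:49 204800]
"""

# Assumed indicator list for this example: directory names that should not be
# loading anything at startup on this machine.
WATCHLIST = ("askbardis",)


@dataclass
class Autostart:
    kind: str    # "service", "run" or "bho"
    name: str
    path: str
    detail: str  # start type, registry key or file timestamp, as printed in the log


@dataclass
class Finding:
    severity: str
    message: str


KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[[^\]]*\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[[^\]]*\]$')
FILE_RE = re.compile(r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d)\s+\d+\s+\S+\s+(?P<path>.+)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+)$')


def parse_autostarts(text):
    """Walk the log, remembering the last [registry key] header so that the
    value and file lines under it can be attributed to that key."""
    key, out = "", []
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m["key"]
        elif m := SERVICE_RE.match(line):
            out.append(Autostart("service", m["name"], m["path"], m["start"]))
        elif (m := RUN_RE.match(line)) and key.lower().endswith(r"currentversion\run"):
            out.append(Autostart("run", m["name"], m["path"], key))
        elif (m := FILE_RE.match(line)) and "browser helper objects" in key.lower():
            out.append(Autostart("bho", key.rsplit("\\", 1)[-1], m["path"], m["stamp"]))
    return out


def dword_nonzero(value):
    """True for a REGEDIT4-style dword whose value is not zero."""
    return value.startswith("dword:") and int(value[6:], 16) != 0


def weak_settings(text):
    """Registry values in the log that switch off the host's own protections.
    A third-party firewall or AV legitimately sets these, so they are flagged
    for review rather than treated as proof of infection."""
    key, findings = "", []
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m["key"].lower()
        elif m := VALUE_RE.match(line):
            name, value = m["name"].lower(), m["value"].strip().lower()
            if "firewallpolicy" in key and name == "enablefirewall" and value.startswith("0"):
                findings.append(Finding("warn", f"Windows Firewall disabled: {key}"))
            elif "security center" in key and name == "disablemonitoring" and dword_nonzero(value):
                findings.append(Finding("warn", f"Security Center monitoring disabled: {key}"))
    return findings


def triage(text, watchlist=WATCHLIST):
    """Return (all autostarts, watch-listed autostarts, findings) for a log."""
    autostarts = parse_autostarts(text)
    flagged = [a for a in autostarts if any(w in a.path.lower() for w in watchlist)]
    findings = weak_settings(text) + [
        Finding("warn", f'{a.kind} "{a.name}" loads from watch-listed path {a.path}') for a in flagged
    ]
    return autostarts, flagged, findings


if __name__ == "__main__":
    autostarts, flagged, findings = triage(SAMPLE_LOG)
    for a in autostarts:
        print(f"{a.kind:8} {a.name:20} {a.path}")
    for f in findings:
        print(f"[{f.severity}] {f.message}")
```

The warnings are review items, not verdicts: with ZoneAlarm installed, `EnableFirewall=0` and the Security Center `DisableMonitoring` values are what a third-party firewall and AV normally set, so the script reports them for a person to confirm against the installed products rather than counting them as an infection indicator. What it does single out mechanically is the Ask toolbar: a BHO and an auto-started service both loading from `c:\program files\AskBarDis`, which is exactly the set of entries the CFScript in the next reply removes.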




        SuperDave

        • Malware Removal Specialist
        Re: Background process almost brings computer to a halt
        « Reply #5 on: February 18, 2011, 12:15:13 PM »
        Quote
        I tried clicking on the AskRemover link but it produced an error panel saying that Internet Explorer could not find the link.
        Sorry. I forgot that that tool doesn't work. We'll get rid of it another way.

        Quote
        I tried SecurityCheck by Screen 317 link 2 but it still put a SecurityCheck.exe on the desktop instead of a zipped file.

        That's ok. Just double-click SecurityCheck.exe to run it.

        Re-running ComboFix to remove infections:

        • Close any open browsers.
        • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
        • Open notepad and copy/paste the text in the quotebox below into it:
          Quote
          KillAll::

          Folder::
          c:\program files\AskBarDis

          Registry::
          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
          [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
          [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
          [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
          [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
          "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= -
          [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
          [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

          Driver::
          ASKService
        • Save this as CFScript.txt, in the same location as ComboFix.exe



        • Referring to the picture above, drag CFScript into ComboFix.exe
        • When finished, it shall produce a log for you at C:\ComboFix.txt
        • Please post the contents of the log in your next reply.
        ***************************************************
        SysProt Antirootkit

        Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

        http://sites.google.com/site/sysprotantirootkit/

        Unzip it into a folder on your desktop.
        • Double click Sysprot.exe to start the program.
        • Click on the Log tab.
        • In the Write to log box select the following items.
          • Process << Selected
          • Kernel Modules << Selected
          • SSDT << Selected
          • Kernel Hooks << Selected
          • IRP Hooks << NOT Selected
          • Ports << NOT Selected
          • Hidden Files << Selected
        • At the bottom of the page
          • Hidden Objects Only << Selected
        • Click on the Create Log button on the bottom right.
        • After a few seconds a new window should appear.
        • Select Scan Root Drive. Click on the Start button.
        • When it is complete a new window will appear to indicate that the scan is finished.
        • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

        Dronfieldman

          Topic Starter


          Beginner

          Re: Background process almost brings computer to a halt
          « Reply #6 on: February 25, 2011, 03:52:02 AM »
          The spurious process was still running prior to following your latest instructions.

          I ran Screen317 Security Check and this is the log:

          Results of screen317's Security Check version 0.99.7 
           Windows XP Service Pack 3 
           Internet Explorer 8 
          ``````````````````````````````
          Antivirus/Firewall Check:

           Windows Firewall Disabled! 
           Norton AntiVirus     
           ZoneAlarm Spy Blocker Toolbar   
           ZoneAlarm     
           ZoneAlarm Toolbar     
           Antivirus up to date! 
          ```````````````````````````````
          Anti-malware/Other Utilities Check:

           Malwarebytes' Anti-Malware   
           CCleaner     
           Java(TM) 6 Update 15 
           Java(TM) 6 Update 23 
           Out of date Java installed!
           Adobe Flash Player   
          Adobe Reader 9.4.2
          Out of date Adobe Reader installed!
          ````````````````````````````````
          Process Check: 
          objlist.exe by Laurent

           Norton ccSvcHst.exe
           Zone Labs ZoneAlarm zlclient.exe 
          ``````````End of Log````````````

          *******************************************************************************************
          I ran ComboFix.   It said the latest version wasn't installed, so I let it install the latest
          version.   It said the latest version of Windows Security Console wasn't installed, so I let
          it install that.   This is the ComboFix log:

          ComboFix 11-02-24.05 - Administrator 25/02/2011   9:55.2.1 - x86
          Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.958.322 [GMT 0:00]
          Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
          Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
          AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
          FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\program files\AskBarDis
          c:\program files\AskBarDis\bar\bin\askBar.dll
          c:\program files\AskBarDis\bar\bin\askPopStp.dll
          c:\program files\AskBarDis\bar\bin\AskService.exe
          c:\program files\AskBarDis\bar\bin\psvince.dll
          c:\program files\AskBarDis\bar\Cache\003C45EE
          c:\program files\AskBarDis\bar\Cache\003C4A92
          c:\program files\AskBarDis\bar\Cache\003C4CC4.bin
          c:\program files\AskBarDis\bar\Cache\003C4FE1.bin
          c:\program files\AskBarDis\bar\Cache\003C5271.bin
          c:\program files\AskBarDis\bar\Cache\003C54A4.bin
          c:\program files\AskBarDis\bar\Cache\003C5928.bin
          c:\program files\AskBarDis\bar\Cache\003C5A9F.bin
          c:\program files\AskBarDis\bar\Cache\003C5C26.bin
          c:\program files\AskBarDis\bar\Cache\003C5D9D.bin
          c:\program files\AskBarDis\bar\Cache\003C5F04.bin
          c:\program files\AskBarDis\bar\Cache\003C60D9.bin
          c:\program files\AskBarDis\bar\Cache\files.ini
          c:\program files\AskBarDis\bar\History\search
          c:\program files\AskBarDis\bar\Settings\config.dat
          c:\program files\AskBarDis\bar\Settings\prevcfg.htm
          c:\program files\AskBarDis\unins000.dat
          c:\program files\AskBarDis\unins000.exe
          c:\windows\Temp\log.txt

          .
          (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          -------\Legacy_ASKSERVICE
          -------\Service_ASKService


          (((((((((((((((((((((((((   Files Created from 2011-01-25 to 2011-02-25  )))))))))))))))))))))))))))))))
          .

          2011-02-05 17:39 . 2011-02-05 17:39   388096   ----a-r-   c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
          2011-02-05 17:35 . 2011-02-05 17:35   --------   d-----w-   c:\program files\Trend Micro
          2011-02-05 14:46 . 2011-02-05 14:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          2011-02-05 14:46 . 2011-02-05 14:46   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
          2011-02-05 14:45 . 2011-02-05 14:46   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2011-02-05 14:20 . 2011-02-05 14:20   --------   d-----w-   c:\program files\CCleaner
          2011-01-30 14:57 . 2011-01-30 14:57   103864   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2011-01-21 14:44 . 2004-08-04 08:00   439296   ----a-w-   c:\windows\system32\shimgvw.dll
          2011-01-07 14:09 . 2004-08-04 08:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
          2011-01-06 19:16 . 2011-01-06 19:16   10832208   ----a-w-   c:\program files\nortonsafeweblite.exe
          2010-12-31 13:10 . 2004-08-04 08:00   1854976   ----a-w-   c:\windows\system32\win32k.sys
          2010-12-22 12:34 . 2004-08-04 08:00   301568   ----a-w-   c:\windows\system32\kerberos.dll
          2010-12-20 23:59 . 2004-08-04 08:00   916480   ----a-w-   c:\windows\system32\wininet.dll
          2010-12-20 23:59 . 2004-08-04 08:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
          2010-12-20 23:59 . 2004-08-04 08:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
          2010-12-20 18:09 . 2009-10-15 10:51   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-12-20 18:08 . 2009-10-15 10:51   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-12-20 17:26 . 2004-08-04 08:00   730112   ----a-w-   c:\windows\system32\lsasrv.dll
          2010-12-20 12:55 . 2004-08-04 08:00   385024   ----a-w-   c:\windows\system32\html.iec
          2010-12-09 15:15 . 2004-08-04 08:00   718336   ----a-w-   c:\windows\system32\ntdll.dll
          2010-12-09 14:30 . 2004-08-04 08:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
          2010-12-09 13:38 . 2004-08-04 08:00   2192768   ----a-w-   c:\windows\system32\ntoskrnl.exe
          2010-12-09 13:07 . 2004-08-04 08:00   2069376   ----a-w-   c:\windows\system32\ntkrnlpa.exe
          2010-12-01 05:24 . 2011-01-07 09:23   368248   ----a-w-   c:\windows\system32\drivers\NAV\1205000.07D\symtdi.sys
          2010-12-01 05:24 . 2011-01-07 09:23   295032   ----a-w-   c:\windows\system32\drivers\NAV\1205000.07D\symnets.sys
          2010-12-01 05:23 . 2011-01-07 09:23   330360   ----a-w-   c:\windows\system32\drivers\NAV\1205000.07D\symtdiv.sys
          2010-08-11 14:35 . 2010-08-11 14:35   459696   ----a-w-   c:\program files\sm_dm.exe
          2010-02-19 11:34 . 2010-02-19 11:34   818200   ----a-w-   c:\program files\RealPlayerSPGold.exe
          2009-12-29 15:01 . 2009-12-29 15:00   12951423   ----a-w-   c:\program files\dvdflick_setup_1.3.0.7.exe
          2009-08-01 10:22 . 2009-08-01 10:22   8825808   ----a-w-   c:\program files\DigiGuide-TV-Guide-Setup-w_eyre-sky-com.exe
          2008-03-04 19:06 . 2008-03-04 19:06   2243840   ----a-w-   c:\program files\FoxitReader22_setup.exe
          2007-09-23 21:00 . 2007-09-23 20:59   25755448   ----a-w-   c:\program files\wmp11-windowsxp-x86-enu.exe
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
          "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

          [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-14 68856]
          "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-09 339968]
          "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
          "Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
          "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
          "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
          "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
          "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
          "ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
          "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
          "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-17 282624]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-28 113664]
          ImageMixer 3 SE Camera Monitor for SD.lnk - c:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2009-6-7 253952]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
          @="Driver"

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
          "DisableMonitoring"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
          "DisableMonitoring"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
          "DisableMonitoring"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
          "DisableMonitoring"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "EnableFirewall"= 0 (0x0)

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\Messenger\\msmsgs.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
          "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
          "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

          R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\symds.sys [07/01/2011 09:23 340016]
          R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys [07/01/2011 09:23 652336]
          R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [19/01/2011 19:19 691248]
          R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [16/02/2010 19:12 390528]
          R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys [24/02/2011 21:38 55224]
          R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
          R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys [07/01/2011 09:23 136312]
          R2 blimptestbot;BLIMP TestBot;c:\program files\BLIMP\wrapper.exe [10/06/2010 09:49 204800]
          R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 13:35 26352]
          R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 13:35 493032]
          R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccsvchst.exe [07/01/2011 09:23 130000]
          R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe [06/01/2011 19:30 130000]
          R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
          R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/08/2010 14:05 102448]
          R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110224.001\IDSXpx86.sys [25/02/2011 09:38 341944]
          S1 RapportKELL;RapportKELL;\??\c:\program files\Trusteer\Rapport\bin\RapportKELL.sys --> c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [?]
          S2 gupdate1c9aaffb3322e44;Google Update Service (gupdate1c9aaffb3322e44);c:\program files\Google\Update\GoogleUpdate.exe [22/03/2009 15:05 133104]
          S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\21923\RapportIaso.sys [19/12/2010 15:27 12928]
          .
          Contents of the 'Scheduled Tasks' folder

          2011-02-25 c:\windows\Tasks\Google Software Updater.job
          - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-09 15:04]

          2011-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 15:05]

          2011-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-22 15:05]

          2011-02-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3099453155-2084809982-284829022-500.job
          - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

          2011-02-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3099453155-2084809982-284829022-500.job
          - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

          2011-02-25 c:\windows\Tasks\User_Feed_Synchronization-{21CAA476-4FB2-4CAA-9859-7E83506EF2D0}.job
          - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.sky.com/portal/site/skycom/home
          uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
          uInternet Settings,ProxyServer = http=hxxp://www-cache.wanadoo.co.uk:8080;ftp=http://www-cache.wanadoo.co.uk:8080
          uInternet Settings,ProxyOverride = hxxp://localhost;tests;<local>
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
          IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
          IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
          IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
          IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
          IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
          IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
          DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20091113165757
          DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://extranet2.steria.co.uk/,DanaInfo=mailxone.xansa.com,CT=java+dwa85W.cab
          DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371110.cab
          DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game02.zylom.com/activex/zylomgamesplayer.cab
          .
          - - - - ORPHANS REMOVED - - - -

          WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
          AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe



          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2011-02-25 10:17
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 


          c:\windows\system.ini 227 bytes

          scan completed successfully
          hidden files: 1

          **************************************************************************

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
          "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
          --

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
          "ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\diMaster.dll\" /prefetch:1"
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------

          [HKEY_USERS\S-1-5-21-3099453155-2084809982-284829022-500\Software\Microsoft\Internet Explorer\User Preferences]
          @Denied: (2) (Administrator)
          "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
             d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,12,37,eb,2d,02,d2,4b,ae,ce,3a,\
          "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
             d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c2,12,37,eb,2d,02,d2,4b,ae,ce,3a,\

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
          @Denied: (A 2) (Everyone)
          @="FlashBroker"
          "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
          "Enabled"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
          @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
          @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
          @Denied: (A 2) (Everyone)
          @="IFlashBroker4"

          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
          @="{00020424-0000-0000-C000-000000000046}"

          [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
          @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
          "Version"="1.0"
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(700)
          c:\program files\SUPERAntiSpyware\SASWINLO.DLL
          c:\windows\system32\WININET.dll
          c:\windows\system32\Ati2evxx.dll
          c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
          c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

          - - - - - - - > 'lsass.exe'(756)
          c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

          - - - - - - - > 'explorer.exe'(7292)
          c:\windows\system32\WININET.dll
          c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
          c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
          c:\program files\Trusteer\Rapport\bin\rooksbas.dll
          c:\progra~1\WINDOW~1\wmpband.dll
          c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
          c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
          c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
          c:\windows\system32\ieframe.dll
          c:\windows\system32\webcheck.dll
          c:\windows\system32\WPDShServiceObj.dll
          c:\windows\system32\PortableDeviceTypes.dll
          c:\windows\system32\PortableDeviceApi.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\windows\system32\Ati2evxx.exe
          c:\windows\system32\Ati2evxx.exe
          c:\windows\system32\drivers\CDAC11BA.EXE
          c:\program files\Java\jre1.6.0_15\bin\java.exe
          c:\program files\Canon\IJPLM\IJPLMSVC.EXE
          c:\program files\Java\jre6\bin\jqs.exe
          c:\program files\Common Files\LightScribe\LSSrvc.exe
          c:\program files\Canon\CAL\CALMAIN.exe
          c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
          c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
          .
          **************************************************************************
          .
          Completion time: 2011-02-25  10:26:11 - machine was rebooted
          ComboFix-quarantined-files.txt  2011-02-25 10:25
          ComboFix2.txt  2011-02-18 11:41

          Pre-Run: 114,864,951,296 bytes free
          Post-Run: 115,074,445,312 bytes free

          WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
          [boot loader]
          timeout=2
          default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
          [operating systems]
          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
          UnsupportedDebug="do not select this" /debug
          multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

          - - End Of File - - A38B6E53A26DC8E772C886C3005D2B31
          *******************************************************************************************

          I ran SysProt AntiRootkit and the log is here:


          SysProt AntiRootkit v1.0.1.0
          by swatkat

          ******************************************************************************************
          ******************************************************************************************

          No Hidden Processes found

          ******************************************************************************************
          ******************************************************************************************
          Kernel Modules:
          Module Name: SYMDS.SYS
          Service Name: SymDS
          Module Base: F744E000
          Module End: F74A5000
          Hidden: Yes

          Module Name: SYMEFA.SYS
          Service Name: SymEFA
          Module Base: F7398000
          Module End: F743C000
          Hidden: Yes

          Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
          Service Name: ---
          Module Base: F1E32000
          Module End: F1E4A000
          Hidden: Yes

          Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
          Service Name: ---
          Module Base: F7BD2000
          Module End: F7BD4000
          Hidden: Yes

          Module Name: \??\C:\ComboFix\catchme.sys
          Service Name: catchme
          Module Base: F799A000
          Module End: F79A2000
          Hidden: Yes

          Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
          Service Name: ---
          Module Base: F7BDE000
          Module End: F7BE0000
          Hidden: Yes

          ******************************************************************************************
          ******************************************************************************************
          SSDT:
          Function Name: ZwAlertResumeThread
          Address: 85EF8518
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwAlertThread
          Address: 861D8C48
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwAllocateVirtualMemory
          Address: 860DF610
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwAssignProcessToJobObject
          Address: 860A27F8
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwConnectPort
          Address: F21E6534
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwCreateFile
          Address: F210A996
          Driver Base: F2109000
          Driver End: F2132000
          Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

          Function Name: ZwCreateKey
          Address: F232A720
          Driver Base: F2314000
          Driver End: F233A000
          Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

          Function Name: ZwCreateMutant
          Address: 860A2C80
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwCreatePort
          Address: F21E6CC0
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwCreateProcess
          Address: F21F9EB4
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwCreateProcessEx
          Address: F21FA2A2
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwCreateSection
          Address: F2203916
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwCreateSymbolicLinkObject
          Address: 85F23488
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwCreateThread
          Address: 85F373F0
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwCreateWaitablePort
          Address: F21E6DF6
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwDebugActiveProcess
          Address: 85FF5410
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwDeleteFile
          Address: F78259F8
          Driver Base: F7822000
          Driver End: F782F000
          Driver Name: \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys

          Function Name: ZwDeleteKey
          Address: F232A9A0
          Driver Base: F2314000
          Driver End: F233A000
          Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

          Function Name: ZwDeleteValueKey
          Address: F232AF00
          Driver Base: F2314000
          Driver End: F233A000
          Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

          Function Name: ZwDuplicateObject
          Address: F21F8DF0
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwFreeVirtualMemory
          Address: 85F01230
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwImpersonateAnonymousToken
          Address: 85F255A8
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwImpersonateThread
          Address: 85EF8458
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwLoadDriver
          Address: 86022A30
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwLoadKey
          Address: F210E500
          Driver Base: F2109000
          Driver End: F2132000
          Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

          Function Name: ZwLoadKey2
          Address: F2201B44
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwMapViewOfSection
          Address: 860D8950
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwOpenEvent
          Address: 86011838
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwOpenFile
          Address: F210AA5A
          Driver Base: F2109000
          Driver End: F2132000
          Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

          Function Name: ZwOpenProcess
          Address: F21FC1CE
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwOpenProcessToken
          Address: 85F92A28
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwOpenSection
          Address: 85FF5D20
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwOpenThread
          Address: F21FBDF8
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwProtectVirtualMemory
          Address: 86014DB8
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwQueryValueKey
          Address: F210E476
          Driver Base: F2109000
          Driver End: F2132000
          Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

          Function Name: ZwRenameKey
          Address: F210E3E0
          Driver Base: F2109000
          Driver End: F2132000
          Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

          Function Name: ZwReplaceKey
          Address: F210E412
          Driver Base: F2109000
          Driver End: F2132000
          Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

          Function Name: ZwRequestWaitReplyPort
          Address: F21E60F4
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwRestoreKey
          Address: F210E444
          Driver Base: F2109000
          Driver End: F2132000
          Driver Name: \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys

          Function Name: ZwResumeThread
          Address: 85F082C0
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwSecureConnectPort
          Address: F21E67DC
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwSetContextThread
          Address: 85F20DC8
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwSetInformationFile
          Address: F7825A6C
          Driver Base: F7822000
          Driver End: F782F000
          Driver Name: \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys

          Function Name: ZwSetInformationProcess
          Address: 85F128A8
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwSetSecurityObject
          Address: F2202E12
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwSetSystemInformation
          Address: 85FF5868
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwSetValueKey
          Address: F232B150
          Driver Base: F2314000
          Driver End: F233A000
          Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

          Function Name: ZwSuspendProcess
          Address: 86011758
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwSuspendThread
          Address: 85FD0B48
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwSystemDebugControl
          Address: F21FAF0A
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwTerminateProcess
          Address: F21FAC86
          Driver Base: F21C5000
          Driver End: F2246000
          Driver Name: \SystemRoot\System32\vsdatant.sys

          Function Name: ZwTerminateThread
          Address: 85F20CE8
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwUnmapViewOfSection
          Address: 85EEE4D0
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          Function Name: ZwWriteVirtualMemory
          Address: 85F01300
          Driver Base: 0
          Driver End: 0
          Driver Name: _unknown_

          ******************************************************************************************
          ******************************************************************************************
          No Kernel Hooks found

          ******************************************************************************************
          ******************************************************************************************
          Hidden files/folders:
          Object: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp\F24C4B15.TMP
          Status: Access denied

          Object: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp\FCDA03A2.TMP
          Status: Access denied

          Object: C:\Qoobox\BackEnv\AppData.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Cache.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Cookies.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Desktop.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Favorites.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\History.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Music.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\NetHood.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Personal.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Pictures.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Programs.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Recent.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SendTo.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SetPath.bat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\StartUp.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\SysPath.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\Templates.folder.dat
          Status: Access denied

          Object: C:\Qoobox\BackEnv\VikPev00
          Status: Access denied

          SuperDave

          • Malware Removal Specialist
          Re: Background process almost brings computer to a halt
          « Reply #7 on: February 25, 2011, 12:56:51 PM »
          Update Your Java (JRE)

          Old versions of Java have vulnerabilities that malware can use to infect your system.


          First Verify your Java Version

          If there are any other version(s) installed then update now.

          Get the new version (if needed)

          If your version is out of date install the newest version of the Sun Java Runtime Environment.

          Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

          Be sure to close ALL open web browsers before starting the installation.

          Remove any old versions

          1. Download JavaRa and unzip the file to your Desktop.
          2. Open JavaRa.exe and choose Remove Older Versions.
          3. Once complete, exit JavaRa.
          4. Run CCleaner.

          Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
          *******************************************
          Download DDS from HERE or HERE and save it to your desktop.

          Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

          * XP users: double-click on dds to run it.
          * If your antivirus or firewall tries to block DDS, please allow it to run.
          * When finished, DDS will open two (2) logs.

          1) DDS.txt
          2) Attach.txt

          * Save both logs to your desktop.
          * Please copy and paste the entire contents of both logs in your next reply.

          Note: DDS will instruct you to post the Attach.txt log as an attachment.
          Please just post it as you would any other log by copy and pasting it into the reply.
          Windows 8 and Windows 10 dual boot with two SSD's
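As an added example (not code from the thread, from JavaRa or from DDS), the "verify your version / remove old versions" step above can be checked from PowerShell: the script below inventories every Java runtime on the machine, both the registered installs that Add/Remove Programs sees and leftover directories under Program Files\Java such as the jre1.6.0_15 folder visible in the logs above, and flags each one that is older than the newest one present. The Sun/Oracle display-name prefixes ("Java", "J2SE") and the Java Quick Starter service name "JavaQuickStarterService" are assumptions; it is written for PowerShell 2.0 so it also runs on Windows XP SP3.

```powershell
# Added example: inventory installed Java runtimes and flag stale ones.
# Assumptions: standard Add/Remove Programs registry keys, JRE display names
# beginning "Java" or "J2SE", and the JQS service name "JavaQuickStarterService".

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-JavaFromRegistry {
    # Registered installs, as Add/Remove Programs (and JavaRa) see them.
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty $sub.PSPath
            if ($p.DisplayName -match '^(Java|J2SE)') {
                New-Object PSObject -Property @{
                    Source  = 'Registry'
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion
                    Path    = $p.InstallLocation
                }
            }
        }
    }
}

function Get-JavaFromDisk {
    # Leftover directories (e.g. jre1.6.0_15 beside jre6) that may no longer be
    # registered but still carry a loadable java.exe.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem (Join-Path $root 'Java\*\bin\java.exe') -ErrorAction SilentlyContinue |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Source  = 'Disk'
                    Name    = $_.Directory.Parent.Name
                    Version = $_.VersionInfo.ProductVersion
                    Path    = $_.Directory.Parent.FullName
                }
            }
    }
}

function ConvertTo-Version($text) {
    # "6.0.240" (registry), "6.0.150.3" (file version) and "1.6.0_15" (folder
    # name) all parse; anything unparseable sorts lowest so it is flagged, not ignored.
    try { return [version](($text -replace '[^\d.]', '.').Trim('.')) }
    catch { return [version]'0.0' }
}

function Get-JavaReport {
    $all = @(Get-JavaFromRegistry) + @(Get-JavaFromDisk)
    if ($all.Count -eq 0) { Write-Output 'No Java runtime found.'; return }
    $newest = ($all | ForEach-Object { ConvertTo-Version $_.Version } | Sort-Object -Descending)[0]
    $all | ForEach-Object {
        $status = if ((ConvertTo-Version $_.Version) -lt $newest) { 'STALE - remove' } else { 'newest present' }
        $_ | Add-Member -MemberType NoteProperty -Name Status -Value $status -PassThru
    } | Select-Object Source, Name, Version, Status, Path | Format-Table -AutoSize

    # The thread's "Java TM Quick Starter Service" warning: report whether JQS is running.
    $jqs = Get-Service -Name JavaQuickStarterService -ErrorAction SilentlyContinue
    if ($jqs) { Write-Output ("Java Quick Starter service: {0} (disable under Control Panel > Java > Advanced if unwanted)" -f $jqs.Status) }
}

Get-JavaReport
```

"Newest present" means newest on this machine, not necessarily the current release; compare it against the version offered on the Java download page before deciding nothing needs updating.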

          Dronfieldman

            Topic Starter


            Beginner

            Re: Background process almost brings computer to a halt
            « Reply #8 on: March 07, 2011, 09:38:50 AM »
            The nuisance background process was still running prior to carrying out your latest instructions. The penultimate time that it ran, Norton AV displayed a warning message "High memory usage - Java TM Quick Starter Service". On the latest occasion, Norton warned that the high memory usage was being caused by SVCHOST.exe.

            I have now downloaded the latest version of Java and removed old versions.

            I have deactivated the Java Quick Starter.

            DDS.txt log is below.

            .
            DDS (Ver_11-03-05.01) - NTFSx86 
            Run by Administrator at 16:31:24.51 on 07/03/2011
            Internet Explorer: 8.0.6001.18702
            Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.958.207 [GMT 0:00]
            .
            AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
            FW: ZoneAlarm Firewall *Enabled*
            .
            ============== Running Processes ===============
            .
            C:\WINDOWS\system32\Ati2evxx.exe
            C:\WINDOWS\system32\svchost -k DcomLaunch
            svchost.exe
            C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
            C:\WINDOWS\System32\svchost.exe -k netsvcs
            C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
            svchost.exe
            svchost.exe
            C:\WINDOWS\system32\Ati2evxx.exe
            C:\WINDOWS\system32\ZoneLabs\vsmon.exe
            C:\WINDOWS\Explorer.EXE
            C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
            C:\WINDOWS\system32\spoolsv.exe
            svchost.exe
            C:\Program Files\BLIMP\wrapper.exe
            C:\WINDOWS\system32\drivers\CDAC11BA.EXE
            C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
            C:\Program Files\Java\jre1.6.0_15\bin\java.exe
            C:\Program Files\Java\jre6\bin\jqs.exe
            C:\Program Files\Common Files\LightScribe\LSSrvc.exe
            C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
            C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe
            C:\WINDOWS\system32\svchost.exe -k imgsvc
            C:\Program Files\Canon\CAL\CALMAIN.exe
            C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
            C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
            C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
            C:\WINDOWS\System32\svchost.exe -k HTTPFilter
            C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
            C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
            C:\Program Files\QuickTime\qttask.exe
            C:\program files\real\realplayer\update\realsched.exe
            C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
            C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
            C:\WINDOWS\system32\ctfmon.exe
            C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
            C:\Program Files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe
            C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
            C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
            C:\Program Files\Internet Explorer\iexplore.exe
            C:\Program Files\Internet Explorer\iexplore.exe
            C:\WINDOWS\system32\notepad.exe
            C:\Program Files\Internet Explorer\iexplore.exe
            C:\Documents and Settings\Administrator\Desktop\dds.pif
            .
            ============== Pseudo HJT Report ===============
            .
            uStart Page = hxxp://www.sky.com/portal/site/skycom/home
            uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
            uInternet Settings,ProxyServer = http=hxxp://www-cache.wanadoo.co.uk:8080;ftp=http://www-cache.wanadoo.co.uk:8080
            uInternet Settings,ProxyOverride = hxxp://localhost;tests;<local>
            uURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
            BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
            BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
            BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.5.0.125\ips\IPSBHO.DLL
            BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
            BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
            BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
            BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
            BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
            BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            BHO: Norton Safe Web Lite BHO: {f0da78e9-6b60-42fb-bc26-ef2cfb8c8ff3} - c:\program files\norton safe web lite\engine\1.2.0.6\coIEPlg.dll
            TB: Norton Safe Web Lite: {30ceeea2-3742-40e4-85dd-812bf1cbb83d} - c:\program files\norton safe web lite\engine\1.2.0.6\coIEPlg.dll
            TB: {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - No File
            TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
            TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
            uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
            uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
            uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
            mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
            mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
            mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
            mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
            mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
            mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
            mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
            mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
            mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
            mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
            mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
            mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
            mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
            StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
            StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se for sd\CameraMonitor.exe
            IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
            IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
            IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
            IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
            IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
            IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
            IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
            IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
            IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
            IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
            DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20091113165757
            DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} - hxxps://extranet.xansa.com/,DanaInfo=eurmail01,CT=java+iNotes.cab
            DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
            DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147547209312
            DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
            DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168293326359
            DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://extranet2.steria.co.uk/,DanaInfo=mailxone.xansa.com,CT=java+dwa85W.cab
            DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371110.cab
            DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
            DPF: {BA3BAF69-72B1-4BCE-BE96-A4D304EAFBB4} - hxxp://static.photobox.co.uk/sg/common/ImageUploader4.cab
            DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game02.zylom.com/activex/zylomgamesplayer.cab
            DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
            DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
            DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
            DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} - hxxp://static.photobox.co.uk/sg/common/uploader_uni.cab
            DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
            DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
            Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
            Notify: AtiExtEvent - Ati2evxx.dll
            SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
            SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
            .
            ============= SERVICES / DRIVERS ===============
            .
            R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1205000.07d\symds.sys [2011-1-7 340016]
            R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1205000.07d\symefa.sys [2011-1-7 652336]
            R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20110225.002\BHDrvx86.sys [2011-2-25 800376]
            R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-16 390528]
            R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\23945\RapportCerberus_23945.sys [2011-2-24 55224]
            R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
            R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
            R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
            R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1205000.07d\ironx86.sys [2011-1-7 136312]
            R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-25 532224]
            R2 blimptestbot;BLIMP TestBot;c:\program files\blimp\wrapper.exe [2010-6-10 204800]
            R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-5-26 26352]
            R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-5-26 493032]
            R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.5.0.125\ccsvchst.exe [2011-1-7 130000]
            R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.2.0.6\ccSvcHst.exe [2011-1-6 130000]
            R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
            R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
            R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-11 102448]
            R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20110303.001\IDSXpx86.sys [2011-3-4 341944]
            R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110306.002\NAVENG.SYS [2011-3-6 86008]
            R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110306.002\NAVEX15.SYS [2011-3-6 1360760]
            R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\23645\RapportIaso.sys [2011-2-11 18872]
            S1 RapportKELL;RapportKELL;\??\c:\program files\trusteer\rapport\bin\rapportkell.sys --> c:\program files\trusteer\rapport\bin\RapportKELL.sys [?]
            S2 gupdate1c9aaffb3322e44;Google Update Service (gupdate1c9aaffb3322e44);c:\program files\google\update\GoogleUpdate.exe [2009-3-22 133104]
            S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\administrator\desktop\sysprot\sysprot\SysProtDrv.sys [2011-2-25 44288]
            .
            =============== File Associations ===============
            .
            JSEFile=NOTEPAD.EXE %1
            .scr=AutoCADScriptFile
            .
            =============== Created Last 30 ================
            .
            2011-02-25 09:51:21   --------   d-sha-r-   C:\cmdcons
            2011-02-18 11:06:58   98816   ----a-w-   c:\windows\sed.exe
            2011-02-18 11:06:58   89088   ----a-w-   c:\windows\MBR.exe
            2011-02-18 11:06:58   256512   ----a-w-   c:\windows\PEV.exe
            2011-02-18 11:06:58   161792   ----a-w-   c:\windows\SWREG.exe
            2011-02-05 17:39:07   388096   ----a-r-   c:\docume~1\admini~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
            2011-02-05 17:35:29   --------   d-----w-   c:\program files\Trend Micro
            .
            ==================== Find3M  ====================
            .
            2011-02-02 21:40:23   472808   ----a-w-   c:\windows\system32\deployJava1.dll
            2011-02-02 19:19:39   73728   ----a-w-   c:\windows\system32\javacpl.cpl
            2011-01-21 14:44:37   439296   ----a-w-   c:\windows\system32\shimgvw.dll
            2011-01-07 14:09:02   290048   ----a-w-   c:\windows\system32\atmfd.dll
            2011-01-06 19:16:42   10832208   ----a-w-   c:\program files\nortonsafeweblite.exe
            2010-12-31 13:10:33   1854976   ----a-w-   c:\windows\system32\win32k.sys
            2010-12-22 12:34:28   301568   ----a-w-   c:\windows\system32\kerberos.dll
            2010-12-20 23:59:20   916480   ----a-w-   c:\windows\system32\wininet.dll
            2010-12-20 23:59:19   43520   ----a-w-   c:\windows\system32\licmgr10.dll
            2010-12-20 23:59:19   1469440   ------w-   c:\windows\system32\inetcpl.cpl
            2010-12-20 17:26:00   730112   ----a-w-   c:\windows\system32\lsasrv.dll
            2010-12-20 12:55:26   385024   ----a-w-   c:\windows\system32\html.iec
            2010-12-09 15:15:09   718336   ----a-w-   c:\windows\system32\ntdll.dll
            2010-12-09 14:30:22   33280   ----a-w-   c:\windows\system32\csrsrv.dll
            2010-12-09 13:38:47   2192768   ----a-w-   c:\windows\system32\ntoskrnl.exe
            2010-12-09 13:07:05   2069376   ----a-w-   c:\windows\system32\ntkrnlpa.exe
            2010-08-11 14:35:05   459696   ----a-w-   c:\program files\sm_dm.exe
            2010-02-19 11:34:24   818200   ----a-w-   c:\program files\RealPlayerSPGold.exe
            2009-12-29 15:01:23   12951423   ----a-w-   c:\program files\dvdflick_setup_1.3.0.7.exe
            2009-08-01 10:22:57   8825808   ----a-w-   c:\program files\DigiGuide-TV-Guide-Setup-w_eyre-sky-com.exe
            2008-03-04 19:06:37   2243840   ----a-w-   c:\program files\FoxitReader22_setup.exe
            2007-09-23 21:00:14   25755448   ----a-w-   c:\program files\wmp11-windowsxp-x86-enu.exe
            .
            ============= FINISH: 16:32:47.62 ===============


            Attach.txt log is below.

            .
            UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
            IF REQUESTED, ZIP IT UP & ATTACH IT
            .
            DDS (Ver_11-03-05.01)
            .
            Microsoft Windows XP Professional
            Boot Device: \Device\HarddiskVolume1
            Install Date: 13/05/2006 03:11:14
            System Uptime: 07/03/2011 16:23:30 (0 hours ago)
            .
            Motherboard: MSI |  | 09AC
            Processor: AMD Athlon(tm) 64 Processor 3500+ | Socket 939 | 994/199mhz
            .
            ==== Disk Partitions =========================
            .
            A: is Removable
            C: is FIXED (NTFS) - 149 GiB total, 107.235 GiB free.
            D: is CDROM ()
            .
            ==== Disabled Device Manager Items =============
            .
            Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
            Description: PS/2 Compatible Mouse
            Device ID: ACPI\PNP0F13\3&61AAA01&0
            Manufacturer: Microsoft
            Name: PS/2 Compatible Mouse
            PNP Device ID: ACPI\PNP0F13\3&61AAA01&0
            Service: i8042prt
            .
            Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
            Description: Nokia 6220 classic
            Device ID: ROOT\WPD\0000
            Manufacturer: Nokia
            Name: Nokia 6220 classic
            PNP Device ID: ROOT\WPD\0000
            Service: WUDFRd
            .
            ==== System Restore Points ===================
            .
            RP1275: 07/12/2010 20:06:53 - System Checkpoint
            RP1276: 08/12/2010 21:13:24 - System Checkpoint
            RP1277: 09/12/2010 22:04:44 - System Checkpoint
            RP1278: 11/12/2010 10:53:16 - System Checkpoint
            RP1279: 12/12/2010 11:14:32 - System Checkpoint
            RP1280: 13/12/2010 13:38:45 - System Checkpoint
            RP1281: 14/12/2010 19:20:55 - System Checkpoint
            RP1282: 16/12/2010 20:25:24 - System Checkpoint
            RP1283: 16/12/2010 23:29:39 - Software Distribution Service 3.0
            RP1284: 17/12/2010 12:53:07 - Software Distribution Service 3.0
            RP1285: 18/12/2010 15:28:42 - System Checkpoint
            RP1286: 19/12/2010 18:20:47 - System Checkpoint
            RP1287: 20/12/2010 21:19:04 - System Checkpoint
            RP1288: 23/12/2010 21:09:47 - System Checkpoint
            RP1289: 24/12/2010 21:30:35 - System Checkpoint
            RP1290: 26/12/2010 13:14:58 - System Checkpoint
            RP1291: 28/12/2010 13:08:52 - System Checkpoint
            RP1292: 29/12/2010 14:09:14 - System Checkpoint
            RP1293: 30/12/2010 17:34:04 - System Checkpoint
            RP1294: 31/12/2010 17:44:56 - System Checkpoint
            RP1295: 01/01/2011 18:16:34 - System Checkpoint
            RP1296: 03/01/2011 14:28:42 - System Checkpoint
            RP1297: 04/01/2011 22:06:51 - System Checkpoint
            RP1298: 05/01/2011 22:07:01 - System Checkpoint
            RP1299: 07/01/2011 11:18:39 - System Checkpoint
            RP1300: 08/01/2011 10:51:53 - Installed Java(TM) 6 Update 23
            RP1301: 08/01/2011 10:56:16 - Removed J2SE Runtime Environment 5.0
            RP1302: 09/01/2011 11:30:07 - System Checkpoint
            RP1303: 10/01/2011 19:27:04 - System Checkpoint
            RP1304: 11/01/2011 14:19:27 - Removed RollerCoaster Tycoon 2
            RP1305: 12/01/2011 22:08:47 - System Checkpoint
            RP1306: 13/01/2011 22:12:18 - System Checkpoint
            RP1307: 15/01/2011 10:30:10 - Software Distribution Service 3.0
            RP1308: 16/01/2011 14:15:29 - System Checkpoint
            RP1309: 17/01/2011 15:31:20 - System Checkpoint
            RP1310: 18/01/2011 17:53:02 - System Checkpoint
            RP1311: 19/01/2011 20:30:14 - System Checkpoint
            RP1312: 20/01/2011 22:07:24 - System Checkpoint
            RP1313: 22/01/2011 13:01:41 - System Checkpoint
            RP1314: 23/01/2011 13:20:52 - System Checkpoint
            RP1315: 24/01/2011 15:09:41 - System Checkpoint
            RP1316: 25/01/2011 20:29:33 - System Checkpoint
            RP1317: 27/01/2011 17:04:00 - System Checkpoint
            RP1318: 28/01/2011 17:05:19 - System Checkpoint
            RP1319: 29/01/2011 17:24:00 - System Checkpoint
            RP1320: 30/01/2011 20:17:23 - System Checkpoint
            RP1321: 31/01/2011 22:04:19 - System Checkpoint
            RP1322: 01/02/2011 22:09:58 - System Checkpoint
            RP1323: 02/02/2011 23:01:34 - System Checkpoint
            RP1324: 04/02/2011 10:00:33 - System Checkpoint
            RP1325: 05/02/2011 13:05:54 - System Checkpoint
            RP1326: 05/02/2011 17:35:28 - Installed HiJackThis
            RP1327: 06/02/2011 20:09:50 - System Checkpoint
            RP1328: 08/02/2011 20:22:21 - System Checkpoint
            RP1329: 09/02/2011 22:15:42 - System Checkpoint
            RP1330: 10/02/2011 22:38:11 - System Checkpoint
            RP1331: 11/02/2011 23:03:41 - Software Distribution Service 3.0
            RP1332: 13/02/2011 12:39:10 - System Checkpoint
            RP1333: 14/02/2011 22:07:55 - System Checkpoint
            RP1334: 15/02/2011 22:19:39 - System Checkpoint
            RP1335: 15/02/2011 22:51:30 - Software Distribution Service 3.0
            RP1336: 17/02/2011 20:15:38 - System Checkpoint
            RP1337: 18/02/2011 22:38:50 - System Checkpoint
            RP1338: 20/02/2011 11:08:58 - System Checkpoint
            RP1339: 21/02/2011 15:22:03 - System Checkpoint
            RP1340: 22/02/2011 19:10:24 - System Checkpoint
            RP1341: 24/02/2011 20:33:41 - System Checkpoint
            RP1342: 25/02/2011 09:12:41 - Software Distribution Service 3.0
            RP1343: 26/02/2011 13:55:36 - System Checkpoint
            RP1344: 27/02/2011 17:43:19 - System Checkpoint
            RP1345: 28/02/2011 18:37:32 - System Checkpoint
            RP1346: 01/03/2011 22:05:01 - System Checkpoint
            RP1347: 03/03/2011 20:30:07 - System Checkpoint
            RP1348: 05/03/2011 11:06:33 - System Checkpoint
            RP1349: 06/03/2011 22:10:43 - System Checkpoint
            RP1350: 07/03/2011 15:46:25 - Installed Java(TM) 6 Update 24
            .
            ==== Installed Programs ======================
            .
            Acrobat.com
            Adobe AIR
            Adobe Flash Player 10 ActiveX
            Adobe Photoshop 7.0
            Adobe Reader 9.4.2
            Agere Systems PCI-SV92PP Soft Modem
            Athlon 64 Processor Driver
            ATI Control Panel
            ATI Display Driver
            AutoCAD 2004
            Autodesk Express Viewer
            Britannica Quiz Show 1.0
            Britannica Ready Reference
            Broadcom Management Programs
            Canon Camera Access Library
            Canon Camera Support Core Library
            CANON iMAGE GATEWAY Registration Guide
            CANON iMAGE GATEWAY Task for ZoomBrowser EX
            Canon Internet Library for ZoomBrowser EX
            Canon iP2600 series
            Canon iP2600 series User Registration
            Canon My Printer
            Canon PhotoRecord
            Canon PIXMA iP2000
            Canon RAW Image Task for ZoomBrowser EX
            Canon Utilities CameraWindow
            Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
            Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
            Canon Utilities Easy-PhotoPrint
            Canon Utilities Easy-PhotoPrint EX
            Canon Utilities Easy-PrintToolBox
            Canon Utilities EOS Utility
            Canon Utilities MyCamera
            Canon Utilities RemoteCapture Task for ZoomBrowser EX
            Canon Utilities Solution Menu
            Canon Utilities ZoomBrowser EX
            Canon ZoomBrowser EX Memory Card Utility
            CCleaner
            Compatibility Pack for the 2007 Office system
            Compton’s 3D World Atlas Deluxe
            Critical Update for Windows Media Player 11 (KB959772)
            Disney's Donald Duck
            Disney's Extremely Goofy Skateboarding
            Disney Interactive Global Compatibility Update June 2003
            DVD Flick 1.3.0.7
            Dynamic Learning - OCR Psychology for AS (Home Standalone)
            Dynamic Learning (Home Standalone Edition)
            Easy-WebPrint
            Foxit Reader
            Google Earth
            Google Toolbar for Internet Explorer
            Google Update Helper
            Google Updater
            Hemera Photo-Objects 3,000 Special Edition
            HiJackThis
            Hotfix for Windows Internet Explorer 7 (KB947864)
            Hotfix for Windows Media Format 11 SDK (KB929399)
            Hotfix for Windows Media Player 11 (KB939683)
            Hotfix for Windows XP (KB2158563)
            Hotfix for Windows XP (KB2443685)
            Hotfix for Windows XP (KB952287)
            Hotfix for Windows XP (KB970653-v3)
            Hotfix for Windows XP (KB976002-v5)
            Hotfix for Windows XP (KB976098-v2)
            Hotfix for Windows XP (KB979306)
            Hotfix for Windows XP (KB981793)
            HP Help and Support
            HP Safety and Comfort Guide
            ImageMixer 3 SE for SD
            InterVideo DiscLabel
            InterVideo WinDVD
            InterVideo WinDVD Creator
            iWatermark 2.1.2
            Java Auto Updater
            Java(TM) 6 Update 15
            Java(TM) 6 Update 24
            Let's Find Out
            LG PhoneManager
            LG SyncManager
            LG USB Modem driver
            LS_HSI
            Malwarebytes' Anti-Malware
            Mango Plumo's Earth Adventure
            Memory Loops
            Microsoft .NET Framework 1.1
            Microsoft .NET Framework 1.1 Security Update (KB2416447)
            Microsoft .NET Framework 1.1 Security Update (KB979906)
            Microsoft Application Error Reporting
            Microsoft Choice Guard
            Microsoft Compression Client Pack 1.0 for Windows XP
            Microsoft Internationalized Domain Names Mitigation APIs
            Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
            Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
            Microsoft National Language Support Downlevel APIs
            Microsoft Office Standard Edition 2003
            Microsoft Silverlight
            Microsoft User-Mode Driver Framework Feature Pack 1.7
            Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
            Microsoft Visual C++ 2005 Redistributable
            Monopoly
            MSVC80_x86
            MSVC80_x86_v2
            MSVCRT
            MSXML 4.0 SP2 (KB927978)
            MSXML 4.0 SP2 (KB936181)
            MSXML 4.0 SP2 (KB954430)
            MSXML 4.0 SP2 (KB973688)
            Nero 7 Ultra Edition
            neroxml
            Norton AntiVirus
            Norton Safe Web Lite
            OGA Notifier 2.0.0048.0
            OLYMPUS CAMEDIA Master 4.2
            Paradise Pet Salon
            PC Connectivity Solution
            PIXMA Extended Survey Program
            Quicken Deluxe 98
            QuickTime
            Rapport
            RealNetworks - Microsoft Visual C++ 2008 Runtime
            RealPlayer
            Realtek AC'97 Audio
            RealUpgrade 1.1
            REALVIZ Stitcher 4.0
            Roxio PhotoSuite LE v9
            SafeCast Shared Components
            Security Update for CAPICOM (KB931906)
            Security Update for Windows Internet Explorer 7 (KB928090)
            Security Update for Windows Internet Explorer 7 (KB929969)
            Security Update for Windows Internet Explorer 7 (KB931768)
            Security Update for Windows Internet Explorer 7 (KB933566)
            Security Update for Windows Internet Explorer 7 (KB937143)
            Security Update for Windows Internet Explorer 7 (KB938127)
            Security Update for Windows Internet Explorer 7 (KB939653)
            Security Update for Windows Internet Explorer 7 (KB942615)
            Security Update for Windows Internet Explorer 7 (KB944533)
            Security Update for Windows Internet Explorer 7 (KB950759)
            Security Update for Windows Internet Explorer 7 (KB953838)
            Security Update for Windows Internet Explorer 7 (KB956390)
            Security Update for Windows Internet Explorer 7 (KB958215)
            Security Update for Windows Internet Explorer 7 (KB960714)
            Security Update for Windows Internet Explorer 7 (KB961260)
            Security Update for Windows Internet Explorer 7 (KB963027)
            Security Update for Windows Internet Explorer 7 (KB969897)
            Security Update for Windows Internet Explorer 8 (KB2183461)
            Security Update for Windows Internet Explorer 8 (KB2360131)
            Security Update for Windows Internet Explorer 8 (KB2416400)
            Security Update for Windows Internet Explorer 8 (KB2482017)
            Security Update for Windows Internet Explorer 8 (KB969897)
            Security Update for Windows Internet Explorer 8 (KB971961)
            Security Update for Windows Internet Explorer 8 (KB972260)
            Security Update for Windows Internet Explorer 8 (KB974455)
            Security Update for Windows Internet Explorer 8 (KB976325)
            Security Update for Windows Internet Explorer 8 (KB978207)
            Security Update for Windows Internet Explorer 8 (KB981332)
            Security Update for Windows Internet Explorer 8 (KB982381)
            Security Update for Windows Media Player (KB2378111)
            Security Update for Windows Media Player (KB911564)
            Security Update for Windows Media Player (KB952069)
            Security Update for Windows Media Player (KB954155)
            Security Update for Windows Media Player (KB968816)
            Security Update for Windows Media Player (KB973540)
            Security Update for Windows Media Player (KB975558)
            Security Update for Windows Media Player (KB978695)
            Security Update for Windows Media Player 11 (KB936782)
            Security Update for Windows Media Player 11 (KB954154)
            Security Update for Windows Media Player 9 (KB911565)
            Security Update for Windows Media Player 9 (KB917734)
            Security Update for Windows Media Player 9 (KB936782)
            Security Update for Windows XP (KB2079403)
            Security Update for Windows XP (KB2115168)
            Security Update for Windows XP (KB2121546)
            Security Update for Windows XP (KB2160329)
            Security Update for Windows XP (KB2229593)
            Security Update for Windows XP (KB2259922)
            Security Update for Windows XP (KB2279986)
            Security Update for Windows XP (KB2286198)
            Security Update for Windows XP (KB2296011)
            Security Update for Windows XP (KB2296199)
            Security Update for Windows XP (KB2347290)
            Security Update for Windows XP (KB2360937)
            Security Update for Windows XP (KB2387149)
            Security Update for Windows XP (KB2393802)
            Security Update for Windows XP (KB2419632)
            Security Update for Windows XP (KB2423089)
            Security Update for Windows XP (KB2436673)
            Security Update for Windows XP (KB2440591)
            Security Update for Windows XP (KB2443105)
            Security Update for Windows XP (KB2476687)
            Security Update for Windows XP (KB2478960)
            Security Update for Windows XP (KB2478971)
            Security Update for Windows XP (KB2479628)
            Security Update for Windows XP (KB2483185)
            Security Update for Windows XP (KB2485376)
            Security Update for Windows XP (KB913433)
            Security Update for Windows XP (KB923561)
            Security Update for Windows XP (KB938464-v2)
            Security Update for Windows XP (KB938464)
            Security Update for Windows XP (KB941569)
            Security Update for Windows XP (KB946648)
            Security Update for Windows XP (KB950760)
            Security Update for Windows XP (KB950762)
            Security Update for Windows XP (KB950974)
            Security Update for Windows XP (KB951376-v2)
            Security Update for Windows XP (KB951376)
            Security Update for Windows XP (KB951698)
            Security Update for Windows XP (KB951748)
            Security Update for Windows XP (KB952004)
            Security Update for Windows XP (KB952954)
            Security Update for Windows XP (KB953839)
            Security Update for Windows XP (KB954211)
            Security Update for Windows XP (KB954459)
            Security Update for Windows XP (KB954600)
            Security Update for Windows XP (KB955069)
            Security Update for Windows XP (KB956391)
            Security Update for Windows XP (KB956572)
            Security Update for Windows XP (KB956744)
            Security Update for Windows XP (KB956802)
            Security Update for Windows XP (KB956803)
            Security Update for Windows XP (KB956841)
            Security Update for Windows XP (KB956844)
            Security Update for Windows XP (KB957095)
            Security Update for Windows XP (KB957097)
            Security Update for Windows XP (KB958644)
            Security Update for Windows XP (KB958687)
            Security Update for Windows XP (KB958690)
            Security Update for Windows XP (KB958869)
            Security Update for Windows XP (KB959426)
            Security Update for Windows XP (KB960225)
            Security Update for Windows XP (KB960715)
            Security Update for Windows XP (KB960803)
            Security Update for Windows XP (KB960859)
            Security Update for Windows XP (KB961371)
            Security Update for Windows XP (KB961373)
            Security Update for Windows XP (KB961501)
            Security Update for Windows XP (KB968537)
            Security Update for Windows XP (KB969059)
            Security Update for Windows XP (KB969898)
            Security Update for Windows XP (KB969947)
            Security Update for Windows XP (KB970238)
            Security Update for Windows XP (KB970430)
            Security Update for Windows XP (KB971468)
            Security Update for Windows XP (KB971486)
            Security Update for Windows XP (KB971557)
            Security Update for Windows XP (KB971633)
            Security Update for Windows XP (KB971657)
            Security Update for Windows XP (KB972270)
            Security Update for Windows XP (KB973346)
            Security Update for Windows XP (KB973354)
            Security Update for Windows XP (KB973507)
            Security Update for Windows XP (KB973525)
            Security Update for Windows XP (KB973869)
            Security Update for Windows XP (KB973904)
            Security Update for Windows XP (KB974112)
            Security Update for Windows XP (KB974318)
            Security Update for Windows XP (KB974392)
            Security Update for Windows XP (KB974571)
            Security Update for Windows XP (KB975025)
            Security Update for Windows XP (KB975467)
            Security Update for Windows XP (KB975560)
            Security Update for Windows XP (KB975561)
            Security Update for Windows XP (KB975562)
            Security Update for Windows XP (KB975713)
            Security Update for Windows XP (KB977165)
            Security Update for Windows XP (KB977816)
            Security Update for Windows XP (KB977914)
            Security Update for Windows XP (KB978037)
            Security Update for Windows XP (KB978251)
            Security Update for Windows XP (KB978262)
            Security Update for Windows XP (KB978338)
            Security Update for Windows XP (KB978542)
            Security Update for Windows XP (KB978601)
            Security Update for Windows XP (KB978706)
            Security Update for Windows XP (KB979309)
            Security Update for Windows XP (KB979482)
            Security Update for Windows XP (KB979559)
            Security Update for Windows XP (KB979683)
            Security Update for Windows XP (KB979687)
            Security Update for Windows XP (KB980195)
            Security Update for Windows XP (KB980218)
            Security Update for Windows XP (KB980232)
            Security Update for Windows XP (KB980436)
            Security Update for Windows XP (KB981322)
            Security Update for Windows XP (KB981852)
            Security Update for Windows XP (KB981957)
            Security Update for Windows XP (KB981997)
            Security Update for Windows XP (KB982132)
            Security Update for Windows XP (KB982214)
            Security Update for Windows XP (KB982665)
            Security Update for Windows XP (KB982802)
            Segoe UI
            Serif MontagePlus 1.0
            Serif PagePlus 11
            Serif PagePlus 11 Resources
            Serif PhotoPlus 9.0
            Serif PhotoPlus 9.0 Resource CD-ROM
            Serif PhotoPlus Association File Formats
            Sky Broadband
            Software Setup
            SUPERAntiSpyware
            Symantec Technical Support Web Controls
            Tarzan Activity Centre
            Test Your Own IQ
            Toy Story 2 Demo
            Trivial Pursuit Millennium Edition
            Ultimate Human Body 2
            Update for Windows Internet Explorer 8 (KB971930)
            Update for Windows Internet Explorer 8 (KB976662)
            Update for Windows Internet Explorer 8 (KB976749)
            Update for Windows Internet Explorer 8 (KB980182)
            Update for Windows XP (KB2141007)
            Update for Windows XP (KB2345886)
            Update for Windows XP (KB2467659)
            Update for Windows XP (KB951072-v2)
            Update for Windows XP (KB951978)
            Update for Windows XP (KB955759)
            Update for Windows XP (KB955839)
            Update for Windows XP (KB961503)
            Update for Windows XP (KB967715)
            Update for Windows XP (KB968389)
            Update for Windows XP (KB971029)
            Update for Windows XP (KB971737)
            Update for Windows XP (KB973687)
            Update for Windows XP (KB973815)
            VC 9.0 Runtime
            Walt Disney World Quest Magical Racing Tour
            Wanadoo Connection Kit v1.5
            Wanadoo Search Toolbar
            WebFldrs XP
            Who Wants To Be A Millionaire
            Windows Driver Package - Nokia Modem  (03/05/2008 3.7)
            Windows Driver Package - Nokia Modem  (03/13/2008 6.86.0.1)
            Windows Driver Package - Nokia Modem  (05/22/2008 3.8)
            Windows Driver Package - Nokia Modem  (05/22/2008 7.00.0.1)
            Windows Driver Package - Nokia pccsmcfd  (08/22/2008 7.0.0.0)
            Windows Genuine Advantage Notifications (KB905474)
            Windows Genuine Advantage Validation Tool (KB892130)
            Windows Internet Explorer 7
            Windows Internet Explorer 8
            Windows Live Call
            Windows Live Communications Platform
            Windows Live Essentials
            Windows Live Messenger
            Windows Live Sign-in Assistant
            Windows Live Upload Tool
            Windows Media Format 11 runtime
            Windows Media Player 11
            Windows XP Service Pack 3
            WinZip
            ZoneAlarm
            ZoneAlarm Toolbar
            Zook Discovers the Seasons
            .
            ==== Event Viewer Messages From Past Week ========
            .
            28/02/2011 20:48:20, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
            28/02/2011 18:46:35, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference error message: The referenced assembly is not installed on your system. .
            28/02/2011 18:46:35, error: SideBySide [59]  - Generate Activation Context failed for c:\program files\real\realplayer\plugins\rmxrend.dll. Reference error message: The operation completed successfully. .
            28/02/2011 18:46:34, error: SideBySide [32]  - Dependent Assembly Microsoft.VC90.DebugCRT could not be found and Last Error was The referenced assembly is not installed on your system.
            28/02/2011 14:34:03, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the NAV service.
            28/02/2011 14:33:57, error: Dhcp [1002]  - The IP address lease 192.168.0.2 for the Network Card with network address 0016172AA408 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
            07/03/2011 15:46:15, error: Service Control Manager [7034]  - The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).
            04/03/2011 16:45:33, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the NSL service.
            .
            ==== End Of File ===========================








            SuperDave

            • Malware Removal Specialist
            Re: Background process almost brings computer to a halt
            « Reply #9 on: March 07, 2011, 11:54:23 AM »
            I'd like to scan your machine with ESET OnlineScan

            •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
            ESET OnlineScan
            •Click the button.
            •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
            • Click on to download the ESET Smart Installer. Save it to your desktop.
            • Double click on the icon on your desktop.
            •Check
            •Click the button.
            •Accept any security warnings from your browser.
            •Check
            •Push the Start button.
            •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
            •When the scan completes, push
            •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
            •Push the button.
            •Push
            A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
            Windows 8 and Windows 10 dual boot with two SSD's

            Dronfieldman

              Topic Starter

              Re: Background process almost brings computer to a halt
              « Reply #10 on: March 14, 2011, 12:46:24 PM »
              I held down CONTROL and clicked on the link for the scanner but the page it produced said "www.eset.com/onlinescan

              We are sorry, the page you requested cannot be found."


              SuperDave

              • Malware Removal Specialist
              Re: Background process almost brings computer to a halt
              « Reply #11 on: March 14, 2011, 12:56:40 PM »
              Please try running it without the CTRL key.

              Dronfieldman

                Topic Starter

                Re: Background process almost brings computer to a halt
                « Reply #12 on: March 20, 2011, 09:28:39 AM »
                ESET online scanner said "Initialisation ...Can not get update.   Is proxy configured?" and displayed
                a Back button.   The progress bar remained on 0% half an hour later.   Not sure what to do at this point.

                SuperDave

                • Malware Removal Specialist
                Re: Background process almost brings computer to a halt
                « Reply #13 on: March 20, 2011, 06:56:12 PM »
                Download OTL to your desktop.

                * Open OTL
                * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

                Code:
                :OTL
                uInternet Settings,ProxyServer = http=hxxp://www-cache.wanadoo.co.uk:8080;ftp=http://www-cache.wanadoo.co.uk:8080
                uInternet Settings,ProxyOverride = hxxp://localhost;tests;<local>

                :COMMANDS
                [resethosts]
                [purity]
                [emptytemp]
                [start explorer]

                * Click Run Fix
                * OTL may ask to reboot the machine. Please do so if asked.
                * Click OK
                * A report will open. Copy and Paste that report in your next reply.
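The two lines in the OTL fix above are the per-user WinINET proxy values: ProxyServer names a proxy (optionally one per protocol) and ProxyOverride lists hosts that bypass it. A leftover entry that routes every HTTP request through an ISP cache is exactly the kind of setting that makes an online scanner fail with "Can not get update. Is proxy configured?", and the same value, when written by malware rather than an old connection kit, puts an attacker in the path of all browser traffic. The Python below is an added example, not part of the thread and not OTL's code; it models WinINET's proxy decision for a URL from those two values (simplified model, assumed here: no PAC script or auto-detect, and a per-scheme entry applies only to its own scheme). The constants copy the values from the fix script with the forum's "hxxp" defanging undone; the URLs used in the tests are made up.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Values from the OTL fix script on the affected machine ("hxxp" restored to "http").
PROXY_SERVER = ("http=http://www-cache.wanadoo.co.uk:8080;"
                "ftp=http://www-cache.wanadoo.co.uk:8080")
PROXY_OVERRIDE = "http://localhost;tests;<local>"


def _strip_scheme(endpoint):
    """WinINET tolerates 'http://host:port' in these values; keep only host:port."""
    return endpoint.split("://", 1)[1] if "://" in endpoint else endpoint


def parse_proxy_server(value):
    """Return {scheme: 'host:port'}. A bare 'host:port' applies to every scheme
    and is stored under the key '*' (a convention of this model, not of WinINET)."""
    value = value.strip()
    if not value:
        return {}
    if "=" not in value:
        return {"*": _strip_scheme(value)}
    table = {}
    for entry in value.split(";"):
        scheme, sep, endpoint = entry.strip().partition("=")
        if not sep or not endpoint.strip():
            continue
        table[scheme.strip().lower()] = _strip_scheme(endpoint.strip())
    return table


def parse_proxy_override(value):
    """Semicolon-separated bypass patterns; '<local>' is a keyword, others may use wildcards."""
    patterns = []
    for entry in value.split(";"):
        entry = _strip_scheme(entry.strip()).lower()
        if entry:
            patterns.append(entry)
    return patterns


def bypasses_proxy(host, patterns):
    """True if host matches a bypass pattern. '<local>' matches any dotless host name."""
    host = host.lower()
    for pat in patterns:
        if pat == "<local>":
            if "." not in host:
                return True
        elif fnmatch(host, pat):  # both sides lower-cased, so this is case-insensitive
            return True
    return False


def proxy_for(url, proxy_server=PROXY_SERVER, proxy_override=PROXY_OVERRIDE):
    """Return the 'host:port' a WinINET client would send url through, or None for direct."""
    parts = urlsplit(url)
    if bypasses_proxy(parts.hostname or "", parse_proxy_override(proxy_override)):
        return None
    table = parse_proxy_server(proxy_server)
    return table.get(parts.scheme.lower(), table.get("*"))


if __name__ == "__main__":
    for u in ("http://update.eset.com/eset_upd/update.ver", "http://localhost/", "http://intranet/"):
        print(u, "->", proxy_for(u))
```

With the thread's values every HTTP request to a dotted host name, including the scanner's update download, goes to www-cache.wanadoo.co.uk:8080 and fails if that cache is unreachable from the current connection. Note that this is the WinINET (Internet Explorer) setting; WinHTTP, used by services such as Automatic Updates, keeps its own proxy configuration, shown on XP by proxycfg.exe, so clearing the IE value does not necessarily change what wuauclt.exe uses.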

                Dronfieldman

                  Topic Starter

                  Re: Background process almost brings computer to a halt
                  « Reply #14 on: March 31, 2011, 12:22:33 PM »
                  As per your instructions, I had configured Java Quick Starter but it carried on running.   I
                  have once again unchecked the box for Java Quick Starter, pressed Apply, then OK, then
                  restarted the machine.   However, the tick comes back in the Java Quick Starter box! So it
                  keeps on running every time the machine is booted up.   After a while, it ends with "jusched.exe has encountered a problem and needs to close.  We are sorry for the inconvenience."

                  OTL log below.

                  All processes killed
                  ========== OTL ==========
                  ========== COMMANDS ==========
                  C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
                  HOSTS file reset successfully
                   
                  [EMPTYTEMP]
                   
                  User: Administrator
                  ->Temp folder emptied: 28368722 bytes
                  ->Temporary Internet Files folder emptied: 585406707 bytes
                  ->Java cache emptied: 199288889 bytes
                  ->Flash cache emptied: 55053 bytes
                   
                  User: All Users
                   
                  User: Default User
                  ->Temp folder emptied: 0 bytes
                  ->Temporary Internet Files folder emptied: 32902 bytes
                  ->Java cache emptied: 0 bytes
                  ->Flash cache emptied: 41 bytes
                   
                  User: LocalService
                  ->Temp folder emptied: 1056168 bytes
                  ->Temporary Internet Files folder emptied: 98438 bytes
                   
                  User: NetworkService
                  ->Temp folder emptied: 1985048 bytes
                  ->Temporary Internet Files folder emptied: 32902 bytes
                   
                  %systemdrive% .tmp files removed: 0 bytes
                  %systemroot% .tmp files removed: 0 bytes
                  %systemroot%\System32 .tmp files removed: 0 bytes
                  %systemroot%\System32\dllcache .tmp files removed: 0 bytes
                  %systemroot%\System32\drivers .tmp files removed: 0 bytes
                  Windows Temp folder emptied: 1410515 bytes
                  %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
                  %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
                  RecycleBin emptied: 3575022 bytes
                   
                  Total Files Cleaned = 783.00 mb
                   
                   
                  OTL by OldTimer - Version 3.2.22.3 log created on 03312011_190858

                  Files\Folders moved on Reboot...
                  C:\Documents and Settings\Administrator\Local Settings\Temp\~DF8612.tmp moved successfully.
                  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5MZRUPH1\topic,115849.0[1].html moved successfully.
                  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.
                  File\Folder C:\WINDOWS\temp\Perflib_Perfdata_864.dat not found!
                  File\Folder C:\WINDOWS\temp\Perflib_Perfdata_8a8.dat not found!
                  File\Folder C:\WINDOWS\temp\ZLT04f38.TMP not found!

                  Registry entries deleted on Reboot...

                  SuperDave

                  • Malware Removal Specialist
                  Re: Background process almost brings computer to a halt
                  « Reply #15 on: April 01, 2011, 11:27:05 AM »
                  Could you please try to run ESET again?

                  Dronfieldman

                    Topic Starter

                    Re: Background process almost brings computer to a halt
                    « Reply #16 on: April 16, 2011, 04:58:06 PM »
                    Would it be OK for me to stop the process wuauclt.exe when it runs, as this seems to be the process that brings the computer almost to a halt - or would that do more harm than good?

                    ESET ran and said there were no threats.

                    Dronfieldman

                      Topic Starter

                      Re: Background process almost brings computer to a halt
                      « Reply #17 on: April 16, 2011, 05:00:19 PM »
                      ESET log:

                      ESETSmartInstaller@High as CAB hook log:
                      OnlineScanner.ocx - registred OK
                      # version=7
                      # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
                      # OnlineScanner.ocx=1.0.0.6427
                      # api_version=3.0.2
                      # EOSSerial=43fa88dd6e114e4a953ecf35227219d2
                      # end=finished
                      # remove_checked=true
                      # archives_checked=true
                      # unwanted_checked=true
                      # unsafe_checked=false
                      # antistealth_checked=true
                      # utc_time=2011-04-16 09:11:44
                      # local_time=2011-04-16 10:11:44 (+0000, GMT Daylight Time)
                      # country="United Kingdom"
                      # lang=1033
                      # osver=5.1.2600 NT Service Pack 3
                      # compatibility_mode=512 16777215 100 0 6058035 6058035 0 0
                      # compatibility_mode=3584 16777175 100 0 0 0 0 0
                      # compatibility_mode=8192 67108863 100 0 2352769 2352769 0 0
                      # compatibility_mode=9217 16777214 100 70 4357047 25685842 0 0
                      # scanned=152208
                      # found=0
                      # cleaned=0
                      # scan_time=6543

                      SuperDave

                      • Malware Removal Specialist
                      Re: Background process almost brings computer to a halt
                      « Reply #18 on: April 16, 2011, 06:27:10 PM »
                      Good. How's your computer running?

                      Dronfieldman

                        Topic Starter

                        Re: Background process almost brings computer to a halt
                        « Reply #19 on: May 05, 2011, 12:10:07 PM »
                        A spurious process is still running each day.  It appears to be wuauclt.exe.

                        SuperDave

                        • Malware Removal Specialist
                        Re: Background process almost brings computer to a halt
                        « Reply #20 on: May 05, 2011, 05:12:59 PM »
                        Quote
                        A spurious process is still running each day.  It appears to be wuauclt.exe.
                        Are you getting a warning about this file?

                        Wuauclt.exe is the AutoUpdate Client of Windows Update and is used to check for available updates (for the various versions of the MS Windows platform) from Microsoft Update. The wuauclt.exe file is included in the Task Manager’s list of active processes when it is waiting for a response or an action to be performed by the user.

                        Dronfieldman

                          Topic Starter

                          Re: Background process almost brings computer to a halt
                          « Reply #21 on: May 07, 2011, 04:26:22 AM »
                          When the spurious process runs, it is sometimes accompanied by a warning message produced by (I think) Norton AV, saying "Win32 Services high memory usage".

                          SuperDave

                          • Malware Removal Specialist
                          Re: Background process almost brings computer to a halt
                          « Reply #22 on: May 07, 2011, 05:08:43 PM »
                          Please download SystemLook from one of the links below and save it to your desktop.

                          Link # 1
                          Link # 2

                          Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

                          Double-click SystemLook.exe to run it.

                          Copy the contents of the following codebox into the main textfield.
                          Code:
                          :filefind
                          wuauclt.exe

                          Click the Look button to start the scan.

                          Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

                          When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
                           

                          Dronfieldman

                            Topic Starter

                            Re: Background process almost brings computer to a halt
                            « Reply #23 on: June 04, 2011, 03:34:38 AM »
                            SystemLook log:-
                            *********************************************************************************
                            SystemLook 04.09.10 by jpshortstuff
                            Log created at 10:21 on 04/06/2011 by Administrator
                            Administrator - Elevation successful

                            ========== filefind ==========

                            Searching for "wuauclt.exe"
                            C:\WINDOWS\ERDNT\cache\wuauclt.exe   --a---- 53472 bytes   [11:39 18/02/2011]   [18:24 06/08/2009] 62BB79160F86CD962F312C68C6239BFD
                            C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe   ------- 111104 bytes   [20:18 18/09/2008]   [00:12 14/04/2008] ED7262E52C31CF1625B65039102BC16C
                            C:\WINDOWS\system32\wuauclt.exe   --a---- 53472 bytes   [08:00 04/08/2004]   [18:24 06/08/2009] 62BB79160F86CD962F312C68C6239BFD
                            C:\WINDOWS\system32\dllcache\wuauclt.exe   --a---- 53472 bytes   [08:00 04/08/2004]   [18:24 06/08/2009] 62BB79160F86CD962F312C68C6239BFD

                            -= EOF =-
                            *************************************************************************

                            In the course of clicking on the Link in your post to find out how to temporarily disable my AV software, I noticed information on that website about how to fix corruptions of SVCHOST; so I bought that software (Paretologic PC Health Advisor) and ran it. It lets you do a scan without paying but I had to pay for the software to run the fix. Anyway, as one of the messages I was getting referred to high memory usage by SVCHOST, I thought this might fix the problem. In fact, it does seem to have gone quite a long way to fixing it, as SVCHOST now runs quickly and hardly slows the PC down while it's running. There is still one outstanding problem, which gives a 'Generic host process for Win 32 Services - high memory usage' message, which I think is the wuauclt.exe - but this seems to occur only once every few days. So I think there were 2 problems, one of which has now been fixed and the other of which only happens every so often, rather than every day. I think we might be able to put up with this, unless you have a simple solution to it. If you think we have gone as far as is sensible with this, I would like to thank you for your efforts in dealing with this. Your involvement is appreciated.
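The SystemLook :filefind output above is worth reading for its hashes rather than just its paths. On Windows XP, Windows File Protection keeps a reference copy of protected binaries under system32\dllcache, and ServicePackFiles\i386 holds the older service-pack baseline, so a replaced wuauclt.exe in system32 would normally show up as a copy whose MD5 disagrees with the dllcache copy. In the log posted, the three live copies (system32, dllcache and the ERDNT backup) share one hash and only the SP baseline differs, which is what a clean machine looks like. The Python below is an added example, not part of the thread and not SystemLook's own code: it parses filefind result lines and flags any copy whose hash differs from the dllcache copy, treating ServicePackFiles as an expected-older baseline (that treatment, and using dllcache as the reference, are this example's assumptions). The embedded log lines are copied from the post.

```python
import re

# filefind lines copied from the SystemLook log in the thread (raw string, so the
# Windows paths keep their single backslashes).
SYSTEMLOOK_LOG = r"""
Searching for "wuauclt.exe"
C:\WINDOWS\ERDNT\cache\wuauclt.exe   --a---- 53472 bytes   [11:39 18/02/2011]   [18:24 06/08/2009] 62BB79160F86CD962F312C68C6239BFD
C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe   ------- 111104 bytes   [20:18 18/09/2008]   [00:12 14/04/2008] ED7262E52C31CF1625B65039102BC16C
C:\WINDOWS\system32\wuauclt.exe   --a---- 53472 bytes   [08:00 04/08/2004]   [18:24 06/08/2009] 62BB79160F86CD962F312C68C6239BFD
C:\WINDOWS\system32\dllcache\wuauclt.exe   --a---- 53472 bytes   [08:00 04/08/2004]   [18:24 06/08/2009] 62BB79160F86CD962F312C68C6239BFD
-= EOF =-
"""

# path, 7-char attribute field, size, [created], [modified], MD5 (SystemLook's filefind layout)
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per result line; headers, blank lines and the EOF marker are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def audit(entries, reference_dir="system32\\dllcache"):
    """Compare every copy with the WFP reference copy found under reference_dir.
    Returns (reference_md5, [(path, md5, status), ...])."""
    ref = [e for e in entries if reference_dir.lower() in e["path"].lower()]
    if len(ref) != 1:
        raise ValueError("expected exactly one reference copy, found %d" % len(ref))
    ref_md5 = ref[0]["md5"]
    report = []
    for e in entries:
        if e["md5"] == ref_md5:
            status = "matches dllcache"
        elif "servicepackfiles" in e["path"].lower():
            # Assumption: the SP baseline predates later security updates, so it may differ.
            status = "older SP baseline (expected to differ after updates)"
        else:
            status = "MISMATCH: investigate"
        report.append((e["path"], e["md5"], status))
    return ref_md5, report


def mismatches(entries):
    """Paths whose hash differs from the dllcache copy and are not the SP baseline."""
    _, report = audit(entries)
    return [path for path, _, status in report if status.startswith("MISMATCH")]


if __name__ == "__main__":
    ref_md5, report = audit(parse_filefind(SYSTEMLOOK_LOG))
    print("reference (dllcache) MD5:", ref_md5)
    for path, md5, status in report:
        print("%-50s %s  %s" % (path, md5, status))
```

Agreement between system32 and dllcache shows consistency, not authenticity: anything able to overwrite system32 can overwrite dllcache as well. Before concluding a binary is genuine, compare the hash with a known-good copy from an identically patched machine or check its Authenticode signature; and a genuine wuauclt.exe that consumes the machine for a while each day points at the Automatic Updates scan itself rather than at malware, which is consistent with the clean ESET result above.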

                            SuperDave

                            • Malware Removal Specialist
                            Re: Background process almost brings computer to a halt
                            « Reply #24 on: June 04, 2011, 05:32:14 PM »
                            Quote
                            In fact, it does seem to have gone quite a long way to fixing it, as SVCHOST now runs quickly and hardly slows the PC down while it's running. There is still one outstanding problem, which gives a 'Generic host process for Win 32 Services - high memory usage' message, which I think is the wuauclt.exe - but this seems to occur only once every few days. So I think there were 2 problems, one of which has now been fixed and the other of which only happens every so often, rather than every day. I think we might be able to put up with this, unless you have a simple solution to it. If you think we have gone as far as is sensible with this, I would like to thank you for your efforts in dealing with this. Your involvement is appreciated.

                            I don't feel that this is a malware issue. Very little showed up in all the scans we've run on this computer. You could start a new thread in the appropriate software forum, if you wish.
                            We should do some cleanup.


                            To uninstall ComboFix

                            • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
                            • In the field, type in ComboFix /uninstall


                            (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

                            • Then, press Enter, or click OK.
                            • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
                            ****************************************************
                            To remove all of the tools we used and the files and folders they created do the following:
                            Double click OTL.exe.
                            • Click the CleanUp button.
                            • Select Yes when the "Begin cleanup Process?" prompt appears.
                            • If you are prompted to Reboot during the cleanup, select Yes.
                            • The tool will delete itself once it finishes.
                            Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
                            ****************************************************
                            Clean out your temporary internet files and temp files.

                            Download TFC by OldTimer to your desktop.

                            Double-click TFC.exe to run it.

                            Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                            TFC will close all programs when run, so make sure you have saved all your work before you begin.

                            * Click the Start button to begin the cleaning process.
                            * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                            * Please let TFC run uninterrupted until it is finished.

                            Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
                            ******************************************************
                            Use the Secunia Software Inspector to check for out of date software.

                            •Click Start Now

                            •Check the box next to Enable thorough system inspection.

                            •Click Start

                            •Allow the scan to finish and scroll down to see if any updates are needed.
                            •Update anything listed.
                            ----------

                            Go to Microsoft Windows Update and get all critical updates.

                            ----------

                            I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                            SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                            * Using SpywareBlaster to protect your computer from Spyware and Malware
                            * If you don't know what ActiveX controls are, see here

                            Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                            Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                            Safe Surfing!

                            Dronfieldman

                              Topic Starter

                              Re: Background process almost brings computer to a halt
                              « Reply #25 on: June 08, 2011, 02:27:54 PM »
                              OK - done that.   Thanks for your help.

                              SuperDave

                              • Malware Removal Specialist
                              Re: Background process almost brings computer to a halt
                              « Reply #26 on: June 08, 2011, 05:08:18 PM »
                              You're welcome. I will lock this thread. If you need it re-opened, please send me a pm or start a new thread.