
Author Topic: Computer runs very very very Slooooow  (Read 22797 times)


srose

    Topic Starter


    Rookie

    Computer runs very very very Slooooow
    « on: August 21, 2011, 08:31:29 AM »
    My computer is an older computer, but I did max the RAM out on it, but it still seems to run slow. Almost immediately as soon as you open a browser the fan comes on and 100% of the CPU will be running. Even when you close the browser it will take 5 to 10 min before the fan shuts off and the CPU usage comes down. I have taken a lot of programs off if I don't use them, and actually removed ones that I use not recognizing them. I run CCleaner, and have for years, I have the WOT set up to not go to sites that are not good, I have Microsoft essentials running and online armor set up. When I ran the super anti spy there were a few things but it still didn't speed anything up. When I ran the anti malware it showed nothing. I think it may be some programs competing against each other or something, can you please help me get my computer to run faster?

    Here are my logs:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/20/2011 6:40:17 PM
    mbam-log-2011-08-20 (18-40-17).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 252097
    Time elapsed: 1 hour(s), 56 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/20/2011 at 02:44 PM

    Application Version : 5.0.1118

    Core Rules Database Version : 7585
    Trace Rules Database Version: 5397

    Scan type       : Complete Scan
    Total Scan Time : 01:33:18

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
    Administrator

    Memory items scanned      : 529
    Memory threats detected   : 0
    Registry items scanned    : 38292
    Registry threats detected : 0
    File items scanned        : 113967
    File threats detected     : 18

    Adware.MyWebSearch/FunWebProducts
       ZIP ARCHIVE( C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SPYBOT - SEARCH & DESTROY\RECOVERY\FUNWEBPRODUCTS44.ZIP )/F3PSSAVR.SCR
       C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SPYBOT - SEARCH & DESTROY\RECOVERY\FUNWEBPRODUCTS44.ZIP
       ZIP ARCHIVE( C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SPYBOT - SEARCH & DESTROY\RECOVERY\FUNWEBPRODUCTS50.ZIP )/PROGRAM FILES/MYWEBSEARCH/BAR/1.BIN/F3PSSAVR.SCR
       C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SPYBOT - SEARCH & DESTROY\RECOVERY\FUNWEBPRODUCTS50.ZIP
       ZIP ARCHIVE( C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SPYBOT - SEARCH & DESTROY\RECOVERY\FUNWEBPRODUCTS51.ZIP )/PROGRAM FILES/MYWEBSEARCH/BAR/1.BIN/F3PSSAVR.SCR
       C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SPYBOT - SEARCH & DESTROY\RECOVERY\FUNWEBPRODUCTS51.ZIP
       ZIP ARCHIVE( C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SPYBOT - SEARCH & DESTROY\RECOVERY\MYWAYMYWEBSEARCH66.ZIP )/PROGRAM FILES/MYWEBSEARCH/BAR/1.BIN/F3PSSAVR.SCR
       C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SPYBOT - SEARCH & DESTROY\RECOVERY\MYWAYMYWEBSEARCH66.ZIP

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:53:42 AM, on 8/21/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Tall Emu\Online Armor\oaui.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Secunia\PSI\psi.exe
    C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\calc.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\sniper.exe\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe -update activex
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://cgmls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} -
    O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126482186562
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204817669703
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

    --
    End of file - 8509 bytes

    SuperDave

    • Malware Removal Specialist


    • Genius
    Re: Computer runs very very very Slooooow
    « Reply #1 on: August 21, 2011, 04:43:46 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    **********************************************************
    Download DDS from HERE or HERE and save it to your desktop.

    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall tries to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.
    * Save both reports to your desktop.
    * The instructions here ask you to attach the Attach.txt.



    1) DDS.txt
    2) Attach.txt
    Instead of attaching, please copy/paste both logs into your thread.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copying and pasting it into the reply.

    •Close the program window, and delete the program from your desktop.

    Please note: You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.
    Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).
    Windows 8 and Windows 10 dual boot with two SSD's

    srose

      Topic Starter


      Rookie

      Re: Computer runs very very very Slooooow
      « Reply #2 on: August 23, 2011, 03:03:18 PM »
      Here are the logs that you requested:

      Security Check:

      Results of screen317's Security Check version 0.99.18 
       Windows XP Service Pack 3 
       Internet Explorer 8 
      ``````````````````````````````
      Antivirus/Firewall Check:

       Windows Firewall Disabled! 
       Antivirus up to date! (On Access scanning disabled!)
      ```````````````````````````````
      Anti-malware/Other Utilities Check:

       Out of date HijackThis installed!
       Malwarebytes' Anti-Malware   
       HijackThis 1.99.1   
       CCleaner     
       Java(TM) 6 Update 26 
      Flash Player Out of Date!
       Adobe Flash Player    10.1.85.3 
       Mozilla Firefox (3.6.18) Firefox Out of Date! 
      ````````````````````````````````
      Process Check: 
      objlist.exe by Laurent

       Windows Defender MSMpEng.exe
       Tall Emu Online Armor OAcat.exe
       Tall Emu Online Armor oasrv.exe
       Tall Emu Online Armor oaui.exe
       Tall Emu Online Armor OAhlp.exe
       Microsoft Security Essentials msseces.exe
       Microsoft Security Client Antimalware MsMpEng.exe 
      ``````````End of Log````````````


      DDS:

      .
      DDS (Ver_2011-06-23.01) - NTFSx86
      Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_26
      Run by Sean and Wylene at 16:48:16 on 2011-08-23
      .
      ============== Running Processes ===============
      .
      C:\WINDOWS\system32\Ati2evxx.exe
      c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
      C:\Program Files\Tall Emu\Online Armor\OAcat.exe
      C:\Program Files\Tall Emu\Online Armor\oasrv.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
      C:\WINDOWS\ehome\ehSched.exe
      C:\WINDOWS\system32\inetsrv\inetinfo.exe
      C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
      C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
      C:\WINDOWS\System32\snmp.exe
      C:\WINDOWS\system32\wdfmgr.exe
      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
      C:\WINDOWS\system32\SearchIndexer.exe
      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
      C:\WINDOWS\System32\alg.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Tall Emu\Online Armor\oaui.exe
      C:\Program Files\Microsoft Security Client\msseces.exe
      C:\Program Files\Common Files\Java\Java Update\jusched.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      C:\Program Files\Secunia\PSI\psi.exe
      C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
      C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      C:\WINDOWS\System32\dllhost.exe
      C:\WINDOWS\system32\inetsrv\DavCData.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\Documents and Settings\Sean and Wylene\Desktop\dds.scr
      C:\WINDOWS\system32\REGSVR32.exe
      C:\WINDOWS\System32\svchost.exe -k netsvcs
      C:\WINDOWS\System32\svchost.exe -k NetworkService
      C:\WINDOWS\system32\svchost.exe -k LocalService
      C:\WINDOWS\System32\svchost.exe -k LocalService
      C:\WINDOWS\System32\svchost.exe -k imgsvc
      .
      ============== Pseudo HJT Report ===============
      .
      uInternet Settings,ProxyOverride = localhost
      BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
      BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
      BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
      BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
      BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
      BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
      BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
      uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
      uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
      uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
      mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
      mRun: [<NO NAME>]
      mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
      mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
      dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
      IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
      IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
      IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
      Trusted Zone: intuit.com\ttlc
      DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
      DPF: {0854D220-A90A-466D-BC02-6683183802B7} - hxxp://cgmls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
      DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
      DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
      DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8}
      DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
      DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
      DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
      DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} - hxxp://www.cyberlink.com/winxp/CheckDVD.cab
      DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
      DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126482186562
      DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204817669703
      DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
      DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
      DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
      DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
      DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
      DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
      DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
      DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
      TCP: DhcpNameServer = 192.168.1.1
      TCP: Interfaces\{2B987C66-96AD-4C12-9E82-7CC0DBF430EF} : DhcpNameServer = 192.168.1.1
      Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
      Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
      Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
      Notify: igfxcui - igfxsrvc.dll
      SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
      SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
      SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
      Hosts: 127.0.0.1   www.spywareinfo.com
      .
      ================= FIREFOX ===================
      .
      FF - ProfilePath - c:\documents and settings\sean and wylene\application data\mozilla\firefox\profiles\614r5ppc.default\
      FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
      FF - plugin: c:\documents and settings\sean and wylene\application data\mozilla\firefox\profiles\614r5ppc.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
      FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
      FF - plugin: c:\program files\microsoft\office live\npOLW.dll
      FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
      FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
      FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
      FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
      FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
      .
      ---- FIREFOX POLICIES ----
      FF - user.js: yahoo.homepage.dontask - true
      ============= SERVICES / DRIVERS ===============
      .
      R? azt2320;Aztech 2320 Audio Driver (WDM)
      R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
      R? fsssvc;Windows Live Family Safety
      R? HidCom;USB-HID -> COM Driver Service
      R? MpKsl270bd62d;MpKsl270bd62d
      R? MpKsl657b5787;MpKsl657b5787
      R? MpKsl77223706;MpKsl77223706
      R? MpKsl80889e0e;MpKsl80889e0e
      R? MpKsl900ce35f;MpKsl900ce35f
      R? MpKsla64cc5a6;MpKsla64cc5a6
      R? MpKslc242287c;MpKslc242287c
      R? MpKslc3cfb65c;MpKslc3cfb65c
      R? MpKslcfe8629b;MpKslcfe8629b
      R? MpKsld0c3b2d3;MpKsld0c3b2d3
      R? MpKsle16118fb;MpKsle16118fb
      R? MpKsle1868d84;MpKsle1868d84
      R? MpKslfceee1bd;MpKslfceee1bd
      R? MpKslfd546ba9;MpKslfd546ba9
      R? nosGetPlusHelper;getPlus(R) Helper 3004
      R? omoecx;omoecx
      R? SASENUM;SASENUM
      R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
      S? !SASCORE;SAS Core Service
      S? CX88XBAR;Conexant 2388x Crossbar Dual Input
      S? fssfltr;fssfltr
      S? MpFilter;Microsoft Malware Protection Driver
      S? MpKsl001a1d8d;MpKsl001a1d8d
      S? MpKsl34bff400;MpKsl34bff400
      S? OAcat;Online Armor Helper Service
      S? OADevice;OADriver
      S? OAmon;OAmon
      S? OAnet;OAnet
      S? pavboot;pavboot
      S? PSI;PSI
      S? regi;regi
      S? SASDIFSV;SASDIFSV
      S? SASKUTIL;SASKUTIL
      S? SvcOnlineArmor;Online Armor
      .
      =============== Created Last 30 ================
      .
      2011-08-23 17:59:46   28752   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3fb03576-5a49-4f50-8342-d74b4cf97f80}\MpKsl001a1d8d.sys
      2011-08-23 17:59:09   7152464   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3fb03576-5a49-4f50-8342-d74b4cf97f80}\mpengine.dll
      2011-08-21 13:48:42   388096   ----a-r-   c:\documents and settings\sean and wylene\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
      2011-08-11 07:23:53   --------   d-----w-   C:\66f67a257b88457a6cbc1c5fc357e6
      2011-08-03 18:27:33   6881616   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
      .
      ==================== Find3M  ====================
      .
      2011-07-15 13:29:31   456320   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
      2011-07-08 14:02:00   10496   ----a-w-   c:\windows\system32\drivers\ndistapi.sys
      2011-06-24 14:10:36   139656   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
      2011-06-23 18:36:30   916480   ----a-w-   c:\windows\system32\wininet.dll
      2011-06-23 18:36:30   43520   ----a-w-   c:\windows\system32\licmgr10.dll
      2011-06-23 18:36:30   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
      2011-06-23 12:05:13   385024   ----a-w-   c:\windows\system32\html.iec
      2011-06-20 17:44:52   293376   ----a-w-   c:\windows\system32\winsrv.dll
      2011-06-02 14:02:05   1858944   ----a-w-   c:\windows\system32\win32k.sys
      .
      ============= FINISH: 16:51:41.95 ===============


      Attach Log:

      .
      UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
      IF REQUESTED, ZIP IT UP & ATTACH IT
      .
      DDS (Ver_2011-06-23.01)
      .
      Microsoft Windows XP Professional
      Boot Device: \Device\HarddiskVolume2
      Install Date: 7/7/2004 12:14:57 PM
      System Uptime: 8/21/2011 2:10:47 PM (50 hours ago)
      .
      Motherboard: ASUSTeK Computer INC. |  | 'P4SD-LA'
      Processor:               Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU 1 | 3200/200mhz
      .
      ==== Disk Partitions =========================
      .
      A: is Removable
      C: is FIXED (NTFS) - 180 GiB total, 134.991 GiB free.
      D: is FIXED (FAT32) - 6 GiB total, 1.123 GiB free.
      E: is CDROM ()
      F: is CDROM ()
      G: is Removable
      H: is Removable
      I: is Removable
      J: is Removable
      .
      ==== Disabled Device Manager Items =============
      .
      Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
      Description: Microsoft MPU Audio Driver(WDM)
      Device ID: ROOT\MEDIA\0002
      Manufacturer: Aztech Systems
      Name: Microsoft MPU Audio Driver(WDM)
      PNP Device ID: ROOT\MEDIA\0002
      Service: ms_mpu401
      .
      Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
      Description: Aztech 2320 Compatible PnP Audio (WDM)
      Device ID: ROOT\MEDIA\0003
      Manufacturer: Aztech Systems
      Name: Aztech 2320 Compatible PnP Audio (WDM)
      PNP Device ID: ROOT\MEDIA\0003
      Service: azt2320
      .
      ==== System Restore Points ===================
      .
      RP541: 5/24/2011 10:52:30 AM - Software Distribution Service 3.0
      RP542: 5/25/2011 8:02:54 AM - Software Distribution Service 3.0
      RP543: 5/26/2011 8:03:11 AM - Software Distribution Service 3.0
      RP544: 5/27/2011 8:03:19 AM - Software Distribution Service 3.0
      RP545: 5/30/2011 8:47:16 PM - Software Distribution Service 3.0
      RP546: 5/31/2011 9:32:02 PM - System Checkpoint
      RP547: 6/1/2011 5:55:12 AM - Software Distribution Service 3.0
      RP548: 6/1/2011 8:42:44 PM - Software Distribution Service 3.0
      RP549: 6/2/2011 8:43:03 PM - Software Distribution Service 3.0
      RP550: 6/3/2011 8:42:09 PM - Software Distribution Service 3.0
      RP551: 6/4/2011 9:12:42 PM - Software Distribution Service 3.0
      RP552: 6/5/2011 9:39:19 PM - Software Distribution Service 3.0
      RP553: 6/6/2011 8:43:04 PM - Software Distribution Service 3.0
      RP554: 6/7/2011 8:44:28 PM - Software Distribution Service 3.0
      RP555: 6/8/2011 8:43:10 PM - Software Distribution Service 3.0
      RP556: 6/9/2011 8:43:19 PM - Software Distribution Service 3.0
      RP557: 6/10/2011 8:44:00 PM - Software Distribution Service 3.0
      RP558: 6/11/2011 8:44:06 PM - Software Distribution Service 3.0
      RP559: 6/12/2011 10:28:01 PM - Software Distribution Service 3.0
      RP560: 6/13/2011 8:27:23 AM - Software Distribution Service 3.0
      RP561: 6/14/2011 8:28:03 AM - Software Distribution Service 3.0
      RP562: 6/15/2011 8:28:22 AM - Software Distribution Service 3.0
      RP563: 6/16/2011 3:00:38 AM - Software Distribution Service 3.0
      RP564: 6/17/2011 9:45:25 AM - Software Distribution Service 3.0
      RP565: 6/20/2011 9:46:35 AM - Software Distribution Service 3.0
      RP566: 6/21/2011 10:03:00 AM - System Checkpoint
      RP567: 6/21/2011 1:57:00 PM - Software Distribution Service 3.0
      RP568: 6/22/2011 9:40:58 AM - Software Distribution Service 3.0
      RP569: 6/23/2011 9:40:57 AM - Software Distribution Service 3.0
      RP570: 6/24/2011 10:30:21 AM - System Checkpoint
      RP571: 6/25/2011 2:29:41 AM - Software Distribution Service 3.0
      RP572: 6/26/2011 3:45:25 AM - System Checkpoint
      RP573: 6/26/2011 9:41:00 AM - Software Distribution Service 3.0
      RP574: 6/26/2011 10:27:07 PM - Software Distribution Service 3.0
      RP575: 6/27/2011 11:12:11 PM - System Checkpoint
      RP576: 6/28/2011 12:57:28 AM - Software Distribution Service 3.0
      RP577: 6/29/2011 7:04:19 AM - Software Distribution Service 3.0
      RP578: 6/29/2011 3:16:40 PM - Software Distribution Service 3.0
      RP579: 6/30/2011 3:11:28 PM - Software Distribution Service 3.0
      RP580: 7/1/2011 5:21:42 PM - System Checkpoint
      RP581: 7/2/2011 3:08:11 AM - Software Distribution Service 3.0
      RP582: 7/2/2011 3:12:06 PM - Software Distribution Service 3.0
      RP583: 7/3/2011 3:13:51 PM - Software Distribution Service 3.0
      RP584: 7/3/2011 10:12:04 PM - Software Distribution Service 3.0
      RP585: 7/5/2011 3:28:02 AM - Software Distribution Service 3.0
      RP586: 7/6/2011 3:58:31 AM - System Checkpoint
      RP587: 7/7/2011 3:12:41 PM - Software Distribution Service 3.0
      RP588: 7/8/2011 3:13:01 PM - Software Distribution Service 3.0
      RP589: 7/10/2011 11:36:24 AM - Software Distribution Service 3.0
      RP590: 7/10/2011 10:29:32 PM - Software Distribution Service 3.0
      RP591: 7/12/2011 11:38:51 AM - Software Distribution Service 3.0
      RP592: 7/13/2011 3:00:26 AM - Software Distribution Service 3.0
      RP593: 7/13/2011 1:02:03 PM - Software Distribution Service 3.0
      RP594: 7/14/2011 5:50:18 PM - Software Distribution Service 3.0
      RP595: 7/15/2011 7:29:45 AM - Software Distribution Service 3.0
      RP596: 7/16/2011 5:39:27 PM - Software Distribution Service 3.0
      RP597: 7/17/2011 7:28:58 AM - Software Distribution Service 3.0
      RP598: 7/17/2011 10:05:28 PM - Software Distribution Service 3.0
      RP599: 7/18/2011 7:30:28 AM - Software Distribution Service 3.0
      RP600: 7/19/2011 7:30:14 AM - Software Distribution Service 3.0
      RP601: 7/20/2011 7:33:49 AM - Software Distribution Service 3.0
      RP602: 7/21/2011 8:10:09 AM - Software Distribution Service 3.0
      RP603: 7/21/2011 2:29:49 PM - Removed Google Earth.
      RP604: 7/22/2011 2:46:02 PM - Software Distribution Service 3.0
      RP605: 7/23/2011 2:45:51 PM - Software Distribution Service 3.0
      RP606: 7/24/2011 2:45:06 PM - Software Distribution Service 3.0
      RP607: 7/26/2011 3:12:50 PM - Software Distribution Service 3.0
      RP608: 7/27/2011 3:12:30 PM - Software Distribution Service 3.0
      RP609: 7/28/2011 3:12:27 PM - Software Distribution Service 3.0
      RP610: 7/29/2011 10:51:09 PM - Software Distribution Service 3.0
      RP611: 7/30/2011 3:12:49 PM - Software Distribution Service 3.0
      RP612: 7/31/2011 3:13:35 PM - Software Distribution Service 3.0
      RP613: 7/31/2011 9:59:05 PM - Software Distribution Service 3.0
      RP614: 8/2/2011 7:29:16 AM - Software Distribution Service 3.0
      RP615: 8/3/2011 2:26:06 PM - Software Distribution Service 3.0
      RP616: 8/4/2011 3:58:20 PM - System Checkpoint
      RP617: 8/4/2011 5:26:54 PM - Software Distribution Service 3.0
      RP618: 8/5/2011 2:34:33 PM - Software Distribution Service 3.0
      RP619: 8/6/2011 2:34:01 PM - Software Distribution Service 3.0
      RP620: 8/7/2011 2:34:30 PM - Software Distribution Service 3.0
      RP621: 8/8/2011 2:34:50 PM - Software Distribution Service 3.0
      RP622: 8/9/2011 2:34:51 PM - Software Distribution Service 3.0
      RP623: 8/10/2011 2:34:11 PM - Software Distribution Service 3.0
      RP624: 8/11/2011 3:00:26 AM - Software Distribution Service 3.0
      RP625: 8/11/2011 12:20:43 PM - Software Distribution Service 3.0
      RP626: 8/12/2011 5:07:33 PM - Software Distribution Service 3.0
      RP627: 8/14/2011 11:16:36 AM - Software Distribution Service 3.0
      RP628: 8/15/2011 8:40:00 PM - Software Distribution Service 3.0
      RP629: 8/16/2011 7:29:01 PM - Software Distribution Service 3.0
      RP630: 8/17/2011 7:28:54 PM - Software Distribution Service 3.0
      RP631: 8/18/2011 7:29:17 PM - Software Distribution Service 3.0
      RP632: 8/19/2011 7:29:14 PM - Software Distribution Service 3.0
      RP633: 8/20/2011 8:11:35 PM - Software Distribution Service 3.0
      RP634: 8/21/2011 9:36:15 AM - Installed Java(TM) 6 Update 26
      RP635: 8/21/2011 9:48:39 AM - Installed HiJackThis
      RP636: 8/22/2011 2:33:06 PM - Software Distribution Service 3.0
      RP637: 8/23/2011 1:59:07 PM - Software Distribution Service 3.0
      .
      ==== Installed Programs ======================
      .
      .
      Acrobat.com
      Adobe AIR
      Adobe Download Manager
      Adobe Flash Player 10 ActiveX
      Adobe Flash Player 10 Plugin
      Adobe Reader 9.4.3
      Adobe Shockwave Player 11.5
      Adobe SVG Viewer 6.0
      ATI Display Driver
      Autodesk MapGuide(R) Viewer ActiveX Control Release 6.5
      CCleaner
      CCScore
      Choice Guard
      Compatibility Pack for the 2007 Office system
      Corel WinDVD 9
      Defraggler (remove only)
      ESSBrwr
      ESSCDBK
      ESScore
      ESSgui
      ESSini
      ESSPCD
      ESSPDock
      ESSTOOLS
      essvatgt
      HighMAT Extension to Microsoft Windows XP CD Writing Wizard
      HiJackThis
      HijackThis 1.99.1
      Hotfix for Microsoft .NET Framework 3.0 (KB932471)
      Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
      Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
      Hotfix for Windows Internet Explorer 7 (KB947864)
      Hotfix for Windows XP (KB954550-v5)
      HP Deskjet 3050 J610 series Basic Device Software
      HP Deskjet 3050 J610 series Help
      HP Deskjet 3050 J610 series Product Improvement Study
      HP Instant Support
      HP Photo Creations
      HP Update
      hpmdtab
      HpSdpAppCoreApp
      Intel(R) Extreme Graphics 2 Driver
      InterActual Player
      InterVideo WinDVD 8
      Java Auto Updater
      Java(TM) 6 Update 26
      Kodak EasyShare software
      LG USB Drivers
      Malwarebytes' Anti-Malware
      Microsoft .NET Framework 1.1
      Microsoft .NET Framework 1.1 Security Update (KB2416447)
      Microsoft .NET Framework 1.1 Security Update (KB979906)
      Microsoft .NET Framework 2.0 Service Pack 2
      Microsoft .NET Framework 3.0 Service Pack 2
      Microsoft .NET Framework 3.5 SP1
      Microsoft .NET Framework 4 Client Profile
      Microsoft .NET Framework 4 Extended
      Microsoft Antimalware
      Microsoft Application Error Reporting
      Microsoft Base Smart Card Cryptographic Service Provider Package
      Microsoft IntelliPoint 6.2
      Microsoft IntelliType Pro 6.2
      Microsoft Internationalized Domain Names Mitigation APIs
      Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
      Microsoft National Language Support Downlevel APIs
      Microsoft Office Live Add-in 1.4
      Microsoft Office Outlook Connector
      Microsoft Office Standard Edition 2003
      Microsoft Plus! Digital Media Edition
      Microsoft Security Client
      Microsoft Security Essentials
      Microsoft Silverlight
      Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
      Microsoft Visual C++ 2005 Redistributable
      Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
      Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
      Microsoft Web Publishing Wizard 1.52
      Microsoft Windows XP Video Decoder Checkup Utility
      Microsoft Works 7.0
      Mozilla Firefox (3.6.18)
      MSXML 4.0 SP2 (KB927978)
      MSXML 4.0 SP2 (KB936181)
      MSXML 4.0 SP2 (KB954430)
      MSXML 4.0 SP2 (KB973688)
      MSXML 4.0 SP2 Parser and SDK
      MSXML 6.0 Parser (KB933579)
      Multimedia Card Reader
      netbrdg
      OfotoXMI
      Online Armor 4.0
      Panda ActiveScan 2.0
      Print Perfect Deluxe
      Scan
      Scan Manager 5.2
      ScanSoft OmniPage 16
      Secunia CSI
      Secunia PSI
      Security Update for CAPICOM (KB931906)
      Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
      Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
      Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
      Security Update for Windows Internet Explorer 7 (KB938127)
      Security Update for Windows Internet Explorer 7 (KB939653)
      Security Update for Windows Internet Explorer 7 (KB942615)
      Security Update for Windows Internet Explorer 7 (KB944533)
      Security Update for Windows Internet Explorer 7 (KB950759)
      Security Update for Windows Internet Explorer 7 (KB953838)
      Security Update for Windows Internet Explorer 7 (KB956390)
      Security Update for Windows Internet Explorer 7 (KB958215)
      Security Update for Windows Internet Explorer 7 (KB960714)
      Security Update for Windows Internet Explorer 7 (KB961260)
      Security Update for Windows Internet Explorer 7 (KB963027)
      Security Update for Windows Internet Explorer 8 (KB2183461)
      Security Update for Windows Internet Explorer 8 (KB2360131)
      Security Update for Windows Internet Explorer 8 (KB2416400)
      Security Update for Windows Internet Explorer 8 (KB2482017)
      Security Update for Windows Internet Explorer 8 (KB2497640)
      Security Update for Windows Internet Explorer 8 (KB2510531)
      Security Update for Windows Internet Explorer 8 (KB2530548)
      Security Update for Windows Internet Explorer 8 (KB2544521)
      Security Update for Windows Internet Explorer 8 (KB2559049)
      Security Update for Windows Internet Explorer 8 (KB969897)
      Security Update for Windows Internet Explorer 8 (KB971961)
      Security Update for Windows Internet Explorer 8 (KB972260)
      Security Update for Windows Internet Explorer 8 (KB974455)
      Security Update for Windows Internet Explorer 8 (KB976325)
      Security Update for Windows Internet Explorer 8 (KB978207)
      Security Update for Windows Internet Explorer 8 (KB981332)
      Security Update for Windows Internet Explorer 8 (KB982381)
      Segoe UI
      SereneScene Marine Aquarium 2
      SFR
      SHASTA
      skin0001
      SKINXSDK
      staticcr
      SUPERAntiSpyware Free Edition
      tooltips
      TurboTax 2009
      TurboTax 2009 wgaiper
      TurboTax 2009 WinPerFedFormset
      TurboTax 2009 WinPerReleaseEngine
      TurboTax 2009 WinPerTaxSupport
      TurboTax 2009 wrapper
      TurboTax 2010
      TurboTax 2010 wgaiper
      TurboTax 2010 WinPerFedFormset
      TurboTax 2010 WinPerReleaseEngine
      TurboTax 2010 WinPerTaxSupport
      TurboTax 2010 wrapper
      Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
      Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
      Update for Windows Internet Explorer 8 (KB968220)
      Update for Windows Internet Explorer 8 (KB972636)
      Update for Windows Internet Explorer 8 (KB973874)
      Update for Windows Internet Explorer 8 (KB976662)
      Update for Windows Internet Explorer 8 (KB976749)
      Update for Windows Internet Explorer 8 (KB978506)
      Update for Windows Internet Explorer 8 (KB980182)
      Updates from HP
      Visual C++ 2008 x86 Runtime - (v9.0.30729)
      Visual C++ 2008 x86 Runtime - v9.0.30729.01
      VPRINTOL
      VueScan
      WebFldrs XP
      Windows Genuine Advantage Notifications (KB905474)
      Windows Genuine Advantage v1.3.0254.0
      Windows Genuine Advantage Validation Tool (KB892130)
      Windows Imaging Component
      Windows Internet Explorer 7
      Windows Internet Explorer 8
      Windows Live Essentials
      Windows Live Family Safety
      Windows Live ID Sign-in Assistant
      Windows Live Upload Tool
      Windows Live Writer
      Windows Media Connect
      Windows Media Encoder 9 Series
      Windows Media Format Runtime
      Windows Media Player 10
      Windows Media Player Hotfix [See Q828026 for more information]
      Windows Presentation Foundation
      Windows XP Service Pack 3
      Winmail Opener 1.4
      WIRELESS
      WOT for Internet Explorer
      XML Paper Specification Shared Components Pack 1.0
      Yahoo! Detect
      .
      ==== Event Viewer Messages From Past Week ========
      .
      8/21/2011 10:21:47 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.    New Signature Version:     Previous Signature Version: 1.111.339.0    Update Source: Microsoft Update Server    Update Stage: Search    Source Path: http://www.microsoft.com    Signature Type: AntiVirus    Update Type: Full    User: NT AUTHORITY\SYSTEM    Current Engine Version:     Previous Engine Version: 1.1.7604.0    Error code: 0x8024402c    Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
      8/20/2011 12:56:09 PM, error: Service Control Manager [7000]  - The SASDIFSV service failed to start due to the following error:  Cannot create a file when that file already exists.
      8/20/2011 12:43:56 PM, error: Service Control Manager [7031]  - The Microsoft Antimalware Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 15000 milliseconds: Restart the service.
      8/20/2011 12:43:22 PM, error: Service Control Manager [7031]  - The Microsoft Antimalware Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 15000 milliseconds: Restart the service.
      .
      ==== End Of File ===========================

      SuperDave

      • Malware Removal Specialist


      • Genius
      Re: Computer runs very very very Slooooow
      « Reply #3 on: August 23, 2011, 04:56:06 PM »
      Download OTL to your desktop.

      * Open OTL
      * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

      Code:
      :OTL
      BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
      mRun: [<NO NAME>]
      Trusted Zone: intuit.com\ttlc

      :COMMANDS
      [resethosts]
      [purity]
      [emptytemp]
      [start explorer]

      * Click Run Fix
      * OTL may ask to reboot the machine. Please do so if asked.
      * Click OK
      * A report will open. Copy and Paste that report in your next reply.
      ******************************************************
      Please download ComboFix from BleepingComputer.com

      Alternate link: GeeksToGo.com

      and save it to your Desktop.
      It would be easiest to download using Internet Explorer.
      If you insist on using Firefox, make sure that your download settings are as follows:

      * Tools->Options->Main tab
      * Set to "Always ask me where to Save the files".

      Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
      Double click ComboFix.exe & follow the prompts.
      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

      Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


      Click on Yes, to continue scanning for malware.
      When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

      If you have problems with ComboFix usage, see How to use ComboFix
      Windows 8 and Windows 10 dual boot with two SSD's

      srose

        Topic Starter


        Rookie

        Re: Computer runs very very very Slooooow
        « Reply #4 on: August 24, 2011, 07:17:50 PM »
        OTL Log:

        All processes killed
        ========== OTL ==========
        ========== COMMANDS ==========
        C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
        HOSTS file reset successfully
         
        [EMPTYTEMP]
         
        User: Administrator
        ->Temp folder emptied: 80 bytes
        ->Temporary Internet Files folder emptied: 134 bytes
        ->Java cache emptied: 0 bytes
        ->Flash cache emptied: 521 bytes
         
        User: All Users
        ->Flash cache emptied: 106 bytes
         
        User: Default User
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33170 bytes
        ->Flash cache emptied: 41661 bytes
         
        User: Forrest
        ->Temp folder emptied: 59 bytes
        ->Temporary Internet Files folder emptied: 2345130 bytes
        ->Java cache emptied: 0 bytes
        ->FireFox cache emptied: 3732647 bytes
        ->Flash cache emptied: 498 bytes
         
        User: LocalService
        ->Temp folder emptied: 65748 bytes
        ->Temporary Internet Files folder emptied: 3424125 bytes
         
        User: NetworkService
        ->Temp folder emptied: 2007776 bytes
        ->Temporary Internet Files folder emptied: 725555 bytes
         
        User: Sean and Wylene
        ->Temp folder emptied: 16595530 bytes
        ->Temporary Internet Files folder emptied: 20281618 bytes
        ->Java cache emptied: 0 bytes
        ->FireFox cache emptied: 39387417 bytes
        ->Flash cache emptied: 42135 bytes
         
        User: Taylor
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33170 bytes
        ->Java cache emptied: 0 bytes
        ->FireFox cache emptied: 41558009 bytes
        ->Flash cache emptied: 470 bytes
         
        %systemdrive% .tmp files removed: 0 bytes
        %systemroot% .tmp files removed: 0 bytes
        %systemroot%\System32 .tmp files removed: 0 bytes
        %systemroot%\System32\dllcache .tmp files removed: 0 bytes
        %systemroot%\System32\drivers .tmp files removed: 0 bytes
        Windows Temp folder emptied: 578358 bytes
        %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 245726913 bytes
        %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
        RecycleBin emptied: 2201947 bytes
         
        Total Files Cleaned = 361.00 mb
         
         
        OTL by OldTimer - Version 3.2.26.5 log created on 08242011_171959

        Files\Folders moved on Reboot...
        C:\Documents and Settings\NetworkService\Local Settings\Temp\MpCmdRun.log moved successfully.
        C:\Documents and Settings\Sean and Wylene\Local Settings\Temporary Internet Files\Content.IE5\968ZUZ8T\topic,122660.0[1].html moved successfully.
        C:\Documents and Settings\Sean and Wylene\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
        File\Folder C:\WINDOWS\temp\Perflib_Perfdata_1a0.dat not found!
        File\Folder C:\WINDOWS\temp\TMP00000002A38B44CC36BD4B3D not found!
        File\Folder C:\WINDOWS\temp\TMP000000040C84D882661A3459 not found!

        Registry entries deleted on Reboot...


        ComboFix Log:

        ComboFix 11-08-24.06 - Sean and Wylene 08/24/2011  20:48:36.5.2 - x86
        Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1496 [GMT -4:00]
        Running from: c:\documents and settings\Sean and Wylene\Desktop\ComboFix.exe
        AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
        AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
        FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
        .
        .
        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        ---- Previous Run -------
        .
        c:\documents and settings\Administrator\My Documents\006.zip
        c:\documents and settings\Administrator\My Documents\1002.zip
        c:\documents and settings\Administrator\My Documents\1x1.bmp
        c:\documents and settings\Sean and Wylene\My Documents\~WRL2523.tmp
        c:\documents and settings\Sean and Wylene\My Documents\1766.doc
        c:\documents and settings\Taylor\My Documents\~WRL0005.tmp
        c:\program files\messenger\msmsgsin.exe
        .
        .
        (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        -------\Service_USBAAPL
        .
        .
        (((((((((((((((((((((((((   Files Created from 2011-07-25 to 2011-08-25  )))))))))))))))))))))))))))))))
        .
        .
        2011-08-24 22:24 . 2011-08-24 22:24   20719   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
        2011-08-24 22:24 . 2011-08-24 22:24   7271   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
        2011-08-24 22:24 . 2011-08-24 22:24   23327   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
        2011-08-24 22:24 . 2011-08-24 22:24   8782   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
        2011-08-24 21:49 . 2011-08-24 21:49   28752   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{348C1909-398B-45BE-933E-9F1FC90C47E5}\MpKsl41b40909.sys
        2011-08-24 21:19 . 2011-08-24 21:19   --------   d-----w-   C:\_OTL
        2011-08-24 18:00 . 2011-08-12 02:44   7152464   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{348C1909-398B-45BE-933E-9F1FC90C47E5}\mpengine.dll
        2011-08-21 13:48 . 2011-08-21 13:48   388096   ----a-r-   c:\documents and settings\Sean and Wylene\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
        2011-08-11 07:23 . 2011-08-11 07:24   --------   d-----w-   C:\66f67a257b88457a6cbc1c5fc357e6
        2011-08-03 18:28 . 2011-08-03 18:28   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
        2011-08-03 18:27 . 2011-07-13 03:39   6881616   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
        .
        .
        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2011-08-12 02:44 . 2010-02-12 04:46   7152464   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
        2011-07-15 13:29 . 2003-12-17 04:28   456320   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
        2011-07-08 14:02 . 2004-01-20 18:08   10496   ----a-w-   c:\windows\system32\drivers\ndistapi.sys
        2011-06-24 14:10 . 2004-01-20 17:32   139656   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
        2011-06-23 18:36 . 2005-06-18 03:49   916480   ----a-w-   c:\windows\system32\wininet.dll
        2011-06-23 18:36 . 2004-01-20 18:06   43520   ----a-w-   c:\windows\system32\licmgr10.dll
        2011-06-23 18:36 . 2004-01-20 18:05   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
        2011-06-23 12:05 . 2004-08-04 05:59   385024   ----a-w-   c:\windows\system32\html.iec
        2011-06-20 17:44 . 2003-12-17 04:29   293376   ----a-w-   c:\windows\system32\winsrv.dll
        2011-06-02 14:02 . 2003-12-17 04:29   1858944   ----a-w-   c:\windows\system32\win32k.sys
        .
        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4
        .
        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2011-07-25 2585408]
        "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-04 39408]
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]
        "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
        .
        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
        .
        c:\documents and settings\Sean and Wylene\Start Menu\Programs\Startup\
        Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]
        .
        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-20 113024]
        "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll
        .
        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
        BootExecute   REG_MULTI_SZ      SDEarlyDelete \??\0autocheck autochk *\0pgdfgsvc C 1
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
        @=""
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
        @="Service"
        .
        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
        backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
        .
        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
        backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
        .
        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
        backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
        .
        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
        backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
        .
        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
        backup=c:\windows\pss\Updates from HP.lnkCommon Startup
        .
        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
        path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
        backup=c:\windows\pss\Windows Search.lnkCommon Startup
        .
        [HKLM\~\startupfolder\C:^Documents and Settings^Sean and Wylene^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
        path=c:\documents and settings\Sean and Wylene\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
        backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
        c:\windows\system32\dumprep 0 -k [X]
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
        2010-09-21 03:07   932288   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
        2011-01-31 08:44   35760   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
        2001-09-05 08:24   28672   ----a-w-   c:\windows\system32\Ati2mdxx.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
        2009-04-10 13:53   50520   ----a-w-   c:\documents and settings\Sean and Wylene\Application Data\mjusbsp\cdloader2.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
        2008-04-14 00:12   15360   ------w-   c:\windows\system32\ctfmon.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
        2010-03-12 17:08   49208   ----a-w-   c:\program files\HP\HP Software Update\hpwuschd2.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
        2011-06-15 19:16   997920   ----a-w-   c:\program files\Microsoft Security Client\msseces.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanSoft OmniPage 16-reminder]
        2007-07-20 13:50   328992   ----a-w-   c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
        2011-04-08 16:59   254696   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
        2009-02-04 21:41   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
        "DisableMonitoring"=dword:00000001
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
        "DisableMonitoring"=dword:00000001
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001
        .
        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "c:\\WINDOWS\\system32\\fxsclnt.exe"=
        "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\WINDOWS\\system32\\sessmgr.exe"=
        "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
        "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
        "c:\\Documents and Settings\\Sean and Wylene\\Application Data\\mjusbsp\\magicJack.exe"=
        .
        R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/17/2010 1:11 PM 28552]
        R1 MpKsl41b40909;MpKsl41b40909;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{348C1909-398B-45BE-933E-9F1FC90C47E5}\MpKsl41b40909.sys [8/24/2011 5:49 PM 28752]
        R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/10/2010 1:03 PM 223312]
        R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/10/2010 1:03 PM 24656]
        R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/10/2010 1:03 PM 29776]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12880]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 67664]
        R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [9/22/2010 9:37 AM 116608]
        R2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\cx88xbardual.sys [2/17/2004 4:37 PM 7040]
        R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
        R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/10/2010 1:03 PM 3291336]
        R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 8:20 AM 12648]
        S0 omoecx;omoecx;c:\windows\system32\drivers\lncww.sys --> c:\windows\system32\drivers\lncww.sys [?]
        S1 MpKsl00f9383a;MpKsl00f9383a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{348C1909-398B-45BE-933E-9F1FC90C47E5}\MpKsl00f9383a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{348C1909-398B-45BE-933E-9F1FC90C47E5}\MpKsl00f9383a.sys [?]
        S1 MpKsl270bd62d;MpKsl270bd62d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D28A1DCA-AEEF-487D-B061-CEC821B7BE53}\MpKsl270bd62d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D28A1DCA-AEEF-487D-B061-CEC821B7BE53}\MpKsl270bd62d.sys [?]
        S1 MpKsl657b5787;MpKsl657b5787;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{51EDCA63-EE4C-4748-B5EA-BCC87192A850}\MpKsl657b5787.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{51EDCA63-EE4C-4748-B5EA-BCC87192A850}\MpKsl657b5787.sys [?]
        S1 MpKsl77223706;MpKsl77223706;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D6B4100-97F6-4331-AC1D-69E44D9AE9E6}\MpKsl77223706.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D6B4100-97F6-4331-AC1D-69E44D9AE9E6}\MpKsl77223706.sys [?]
        S1 MpKsl80889e0e;MpKsl80889e0e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0539C345-C00C-4295-9705-013F568BE341}\MpKsl80889e0e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0539C345-C00C-4295-9705-013F568BE341}\MpKsl80889e0e.sys [?]
        S1 MpKsl900ce35f;MpKsl900ce35f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{01E24A79-4AC2-4D06-B097-F6B63E4E4892}\MpKsl900ce35f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{01E24A79-4AC2-4D06-B097-F6B63E4E4892}\MpKsl900ce35f.sys [?]
        S1 MpKsl97463d76;MpKsl97463d76;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{348C1909-398B-45BE-933E-9F1FC90C47E5}\MpKsl97463d76.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{348C1909-398B-45BE-933E-9F1FC90C47E5}\MpKsl97463d76.sys [?]
        S1 MpKsla64cc5a6;MpKsla64cc5a6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E975A2E3-CD52-4870-A6B3-7149A9339549}\MpKsla64cc5a6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E975A2E3-CD52-4870-A6B3-7149A9339549}\MpKsla64cc5a6.sys [?]
        S1 MpKslc242287c;MpKslc242287c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D6B4100-97F6-4331-AC1D-69E44D9AE9E6}\MpKslc242287c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D6B4100-97F6-4331-AC1D-69E44D9AE9E6}\MpKslc242287c.sys [?]
        S1 MpKslc3cfb65c;MpKslc3cfb65c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A80B47E-F452-4ED0-9450-85A7F1D00B69}\MpKslc3cfb65c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A80B47E-F452-4ED0-9450-85A7F1D00B69}\MpKslc3cfb65c.sys [?]
        S1 MpKslcfe8629b;MpKslcfe8629b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB24FE3D-BFD4-4FB1-8809-41E8B26780F2}\MpKslcfe8629b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB24FE3D-BFD4-4FB1-8809-41E8B26780F2}\MpKslcfe8629b.sys [?]
        S1 MpKsld0c3b2d3;MpKsld0c3b2d3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D6B4100-97F6-4331-AC1D-69E44D9AE9E6}\MpKsld0c3b2d3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D6B4100-97F6-4331-AC1D-69E44D9AE9E6}\MpKsld0c3b2d3.sys [?]
        S1 MpKsle16118fb;MpKsle16118fb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B5D8568-604A-48AC-875B-71DEC91AA17A}\MpKsle16118fb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B5D8568-604A-48AC-875B-71DEC91AA17A}\MpKsle16118fb.sys [?]
        S1 MpKsle1868d84;MpKsle1868d84;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{47965311-9CA3-4343-B8B7-B563C5DA5437}\MpKsle1868d84.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{47965311-9CA3-4343-B8B7-B563C5DA5437}\MpKsle1868d84.sys [?]
        S1 MpKslfceee1bd;MpKslfceee1bd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{98FEB847-44F1-4077-8516-9FD5269FB526}\MpKslfceee1bd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{98FEB847-44F1-4077-8516-9FD5269FB526}\MpKslfceee1bd.sys [?]
        S1 MpKslfd546ba9;MpKslfd546ba9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{010A649E-65DA-49A0-953A-CB922D17D950}\MpKslfd546ba9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{010A649E-65DA-49A0-953A-CB922D17D950}\MpKslfd546ba9.sys [?]
        S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
        S2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/10/2010 1:03 PM 1282248]
        S3 azt2320;Aztech 2320 Audio Driver (WDM);c:\windows\system32\drivers\aztw2320.sys [8/20/2009 9:44 AM 36992]
        S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [7/23/2006 7:17 PM 17408]
        S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [1/20/2004 1:33 PM 14336]
        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]
        S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
        nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
        .
        Contents of the 'Scheduled Tasks' folder
        .
        2011-08-24 c:\windows\Tasks\At1.job
        - c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
        .
        2011-08-25 c:\windows\Tasks\At2.job
        - c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
        .
        2011-08-24 c:\windows\Tasks\At3.job
        - c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
        .
        2011-08-24 c:\windows\Tasks\At4.job
        - c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 20:07]
        .
        2010-03-10 c:\windows\Tasks\User_Feed_Synchronization-{A4B2D6E0-A34D-4D32-B546-B1A3ACC18990}.job
        - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
        .
        .
        ------- Supplementary Scan -------
        .
        uInternet Settings,ProxyOverride = localhost
        IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
        Trusted Zone: intuit.com\ttlc
        TCP: DhcpNameServer = 192.168.1.1
        DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
        FF - ProfilePath - c:\documents and settings\Sean and Wylene\Application Data\Mozilla\Firefox\Profiles\614r5ppc.default\
        FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
        FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
        FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
        FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
        FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
        FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
        FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
        FF - user.js: yahoo.homepage.dontask - true
        .
        - - - - ORPHANS REMOVED - - - -
        .
        MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\cli.exe
        MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
        MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
        .
        .
        .
        **************************************************************************
        .
        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2011-08-24 21:01
        Windows 5.1.2600 Service Pack 3 NTFS
        .
        scanning hidden processes ... 
        .
        scanning hidden autostart entries ...
        .
        scanning hidden files ... 
        .
        scan completed successfully
        hidden files: 0
        .
        **************************************************************************
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------
        .
        - - - - - - - > 'winlogon.exe'(528)
        c:\program files\SUPERAntiSpyware\SASWINLO.DLL
        c:\windows\system32\WININET.dll
        .
        - - - - - - - > 'explorer.exe'(3708)
        c:\windows\system32\WININET.dll
        c:\program files\Tall Emu\Online Armor\OAwatch.dll
        c:\windows\system32\ieframe.dll
        c:\windows\system32\webcheck.dll
        .
        Completion time: 2011-08-24  21:10:22
        ComboFix-quarantined-files.txt  2011-08-25 01:10
        ComboFix2.txt  2010-03-13 21:26
        .
        Pre-Run: 145,093,472,256 bytes free
        Post-Run: 145,010,806,784 bytes free
        .
        - - End Of File - - 5D44781DD9712829F3F46A62D6047659

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Computer runs very very very Slooooow
        « Reply #5 on: August 25, 2011, 03:30:39 PM »
        SysProt Antirootkit

        Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

        http://sites.google.com/site/sysprotantirootkit/

        Unzip it into a folder on your desktop.
        • Double click Sysprot.exe to start the program.
        • Click on the Log tab.
        • In the Write to log box select the following items.
          • Process << Selected
          • Kernel Modules << Selected
          • SSDT << Selected
          • Kernel Hooks << Selected
          • IRP Hooks << NOT Selected
          • Ports << NOT Selected
          • Hidden Files << Selected
        • At the bottom of the page
          • Hidden Objects Only << Selected
        • Click on the Create Log button on the bottom right.
        • After a few seconds a new window should appear.
        • Select Scan Root Drive. Click on the Start button.
        • When it is complete a new window will appear to indicate that the scan is finished.
        • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
        Windows 8 and Windows 10 dual boot with two SSD's

        srose


          Re: Computer runs very very very Slooooow
          « Reply #6 on: August 27, 2011, 06:45:25 AM »
          Here is the sysprot log:

          SysProt AntiRootkit v1.0.1.0
          by swatkat

          ******************************************************************************************
          ******************************************************************************************

          No Hidden Processes found

          ******************************************************************************************
          ******************************************************************************************
          Kernel Modules:
          Module Name: \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{348C1909-398B-45BE-933E-9F1FC90C47E5}\MpKsl41b40909.sys
          Service Name: MpKsl41b40909
          Module Base: F777F000
          Module End: F7785000
          Hidden: Yes

          Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
          Service Name: ---
          Module Base: AB043000
          Module End: AB05B000
          Hidden: Yes

          Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
          Service Name: ---
          Module Base: F79D7000
          Module End: F79D9000
          Hidden: Yes

          Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
          Service Name: ---
          Module Base: AA849000
          Module End: AA84B000
          Hidden: Yes

          Module Name: \??\C:\DOCUME~1\SEANAN~1\LOCALS~1\Temp\catchme.sys
          Service Name: catchme
          Module Base: F77BF000
          Module End: F77C7000
          Hidden: Yes

          ******************************************************************************************
          ******************************************************************************************
          SSDT:
          Function Name: ZwAllocateVirtualMemory
          Address: AB274420
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwAssignProcessToJobObject
          Address: AB274C60
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwConnectPort
          Address: AB272A90
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwCreateFile
          Address: AB281CB0
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwCreatePort
          Address: AB272740
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwCreateProcess
          Address: AB26F320
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwCreateProcessEx
          Address: AB26F710
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwCreateSection
          Address: AB26EDE0
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwCreateThread
          Address: AB270CA0
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwDebugActiveProcess
          Address: AB271900
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwDuplicateObject
          Address: AB272410
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwLoadDriver
          Address: AB273B40
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwOpenFile
          Address: AB282420
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwOpenProcess
          Address: AB270630
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwOpenSection
          Address: AB26F080
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwOpenThread
          Address: AB2711C0
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwProtectVirtualMemory
          Address: AB2748A0
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwQueryDirectoryFile
          Address: AB273FB0
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwQueueApcThread
          Address: AB274E00
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwRequestWaitReplyPort
          Address: AB273690
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwRestoreKey
          Address: AB281940
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwResumeThread
          Address: AB272060
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwSecureConnectPort
          Address: AB272E80
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwSetContextThread
          Address: AB2716E0
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwSetSystemInformation
          Address: AB271AA0
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwShutdownSystem
          Address: AB273A10
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwSuspendProcess
          Address: AB272240
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwSuspendThread
          Address: AB271E60
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwSystemDebugControl
          Address: AB271C90
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwTerminateProcess
          Address: AB270A30
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwTerminateThread
          Address: AB2714B0
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwUnloadDriver
          Address: AB273D70
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          Function Name: ZwWriteVirtualMemory
          Address: AB274A70
          Driver Base: AB258000
          Driver End: AB2A1000
          Driver Name: \??\C:\WINDOWS\system32\drivers\OADriver.sys

          ******************************************************************************************
          ******************************************************************************************

          SuperDave

          Re: Computer runs very very very Slooooow
          « Reply #7 on: August 27, 2011, 01:33:17 PM »
          I'd like to scan your machine with ESET OnlineScan

          • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
            ESET OnlineScan
          • Click the button.
          • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
            • Click on to download the ESET Smart Installer. Save it to your desktop.
            • Double click on the icon on your desktop.
          • Check
          • Click the button.
          • Accept any security warnings from your browser.
          • Check
          • Push the Start button.
          • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
          • When the scan completes, push
          • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
          • Push the button.
          • Push
          A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

          srose


            Re: Computer runs very very very Slooooow
            « Reply #8 on: August 29, 2011, 06:01:16 AM »
            Just FYI my computer seemed to be running better after the mini dump, but since the sprt was installed and ran it is back to running 100% CPU most of the time. I wasn't sure on the removal of the sprt since I didn't see it in the add/remove files or on my ccleaner. Can I just send the file from the desktop to the recycle bin and get rid of it?

            Here is my ESET scan Log:

            ESETSmartInstaller@High as CAB hook log:
            OnlineScanner.ocx - registred OK
            # version=7
            # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
            # OnlineScanner.ocx=1.0.0.6528
            # api_version=3.0.2
            # EOSSerial=d0ad1eb7936f7049ac389a8d5715c093
            # end=finished
            # remove_checked=true
            # archives_checked=true
            # unwanted_checked=true
            # unsafe_checked=false
            # antistealth_checked=true
            # utc_time=2011-08-29 04:20:32
            # local_time=2011-08-29 12:20:32 (-0500, Eastern Daylight Time)
            # country="United States"
            # lang=1033
            # osver=5.1.2600 NT Service Pack 3
            # compatibility_mode=512 16777215 100 0 0 0 0 0
            # compatibility_mode=768 16777215 100 0 107442176 107442176 0 0
            # compatibility_mode=1024 16777215 100 0 47417915 47417915 0 0
            # compatibility_mode=1280 16777215 100 0 0 0 0 0
            # compatibility_mode=5891 16776533 42 87 0 10508239 0 0
            # compatibility_mode=6401 16777213 66 100 25813302 53641351 0 0
            # compatibility_mode=8192 67108863 100 0 0 0 0 0
            # scanned=109414
            # found=0
            # cleaned=0
            # scan_time=14677


            Thank You

            SuperDave

            Re: Computer runs very very very Slooooow
            « Reply #9 on: August 29, 2011, 04:53:28 PM »
            Quote
            but since the sprt was installed and ran it is back to running 100% CPU most of the time.
            What is this sprt that you're talking about?

            srose


              Re: Computer runs very very very Slooooow
              « Reply #10 on: August 30, 2011, 06:42:38 AM »
              I am sorry, it is the SysProt AntiRootkit that you had me download to my desktop and do a scan with.

              SuperDave

              Re: Computer runs very very very Slooooow
              « Reply #11 on: August 30, 2011, 04:27:15 PM »
              Ok. You can delete SysProt AntiRootkit.

              Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
              Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
              Click on View > Select Columns.
              In addition to the already pre-selected options, make sure Command Line is selected, and press OK.
              Go to File > Save As, and save the report as Procexp.txt.
              Attach the file to your next reply.

              srose


                Re: Computer runs very very very Slooooow
                « Reply #12 on: September 19, 2011, 06:57:08 AM »
                Super Dave,
                I apologize that it has taken me so long, but here is the log:

                Process   PID   CPU   Private Bytes   Working Set   Description   Company Name   Command Line
                System Idle Process   0      0 K   16 K         
                System   4   49.23   0 K   244 K         
                 Interrupts   n/a   < 0.01   0 K   0 K   Hardware Interrupts and DPCs      
                 smss.exe   424      176 K   428 K   Windows NT Session Manager   Microsoft Corporation   \SystemRoot\System32\smss.exe
                  csrss.exe   508      1,932 K   5,148 K   Client Server Runtime Process   Microsoft Corporation   C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
                  winlogon.exe   532      10,504 K   3,096 K   Windows NT Logon Application   Microsoft Corporation   winlogon.exe
                   services.exe   576      1,984 K   3,796 K   Services and Controller app   Microsoft Corporation   C:\WINDOWS\system32\services.exe
                    ati2evxx.exe   760      592 K   2,472 K   ATI External Event Utility EXE Module   ATI Technologies Inc.   C:\WINDOWS\system32\Ati2evxx.exe
                    svchost.exe   776      3,424 K   5,644 K   Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k DcomLaunch
                    svchost.exe   824      2,120 K   5,048 K   Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k rpcss
                    svchost.exe   944   46.92   120,448 K   133,624 K   Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k netsvcs
                     wuauclt.exe   3000      13,424 K   125,056 K   Windows Update   Microsoft Corporation   "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[3b0]SUSDSf8f17ec3dcad2046b15ff9286110eddc
                    svchost.exe   1032      1,980 K   4,296 K   Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k NetworkService
                    svchost.exe   1108      1,744 K   4,296 K   Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k LocalService
                    oacat.exe   1172      2,424 K   2,816 K   Online Armor Component   Tall Emu   "C:\Program Files\Tall Emu\Online Armor\OAcat.exe"
                    oasrv.exe   1300      22,312 K   6,428 K   Online Armor Component   Tall Emu   "C:\Program Files\Tall Emu\Online Armor\oasrv.exe"
                    spoolsv.exe   1496      4,940 K   8,668 K   Spooler SubSystem App   Microsoft Corporation   C:\WINDOWS\system32\spoolsv.exe
                    svchost.exe   1988      2,408 K   5,764 K   Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k LocalService
                    SASCORE.EXE   656      748 K   2,336 K   Core Service   SUPERAntiSpyware.com   "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE"
                    ehsched.exe   1392      892 K   3,124 K   Media Center Scheduler Service   Microsoft Corporation   C:\WINDOWS\ehome\ehSched.exe
                    inetinfo.exe   1704      6,604 K   12,460 K   Internet Information Services   Microsoft Corporation   C:\WINDOWS\system32\inetsrv\inetinfo.exe
                     davcdata.exe   4060      496 K   1,500 K   HTTP-DAV common data   Microsoft Corporation   "C:\WINDOWS\system32\inetsrv\DavCData.exe"
                    IntuitUpdateService.exe   2036      21,388 K   468 K   Intuit Update Service   Intuit Inc.   "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe"
                    iviRegMgr.exe   1260      708 K   2,460 K   RegMgr Module   InterVideo   "C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe"
                    jqs.exe   1216      2,464 K   2,180 K   Java(TM) Quick Starter Service   Sun Microsystems, Inc.   "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
                    PsiService_2.exe   652      688 K   2,232 K   PsiService PsiService   Protexis Inc.   "C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe"
                    snmp.exe   1740      1,628 K   4,124 K   SNMP Service   Microsoft Corporation   C:\WINDOWS\System32\snmp.exe
                    svchost.exe   2132      3,660 K   7,624 K   Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k imgsvc
                    wdfmgr.exe   2460      1,660 K   1,972 K   Windows User Mode Driver Manager   Microsoft Corporation   C:\WINDOWS\system32\wdfmgr.exe
                    WLIDSVC.EXE   2736      8,868 K   14,368 K   Microsoft® Windows Live ID Service   Microsoft Corporation   "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"
                     WLIDSVCM.EXE   2272      716 K   2,232 K   Microsoft® Windows Live ID Service Monitor   Microsoft Corporation   WLIDSvcM.exe 2736
                    searchindexer.exe   3092      20,196 K   31,284 K   Microsoft Windows Search Indexer   Microsoft Corporation   C:\WINDOWS\system32\SearchIndexer.exe /Embedding
                    alg.exe   3244      1,280 K   3,744 K   Application Layer Gateway Service   Microsoft Corporation   C:\WINDOWS\System32\alg.exe
                    MsMpEng.exe   2812      109,040 K   80,692 K   Antimalware Service Executable   Microsoft Corporation   "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe"
                    dllhost.exe   3840      2,368 K   6,420 K   COM Surrogate   Microsoft Corporation   C:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{02D4B3F1-FD88-11D1-960D-00805FC79235}
                   lsass.exe   588      4,364 K   2,640 K   LSA Shell (Export Version)   Microsoft Corporation   C:\WINDOWS\system32\lsass.exe
                   taskmgr.exe   2732   0.77   2,556 K   1,528 K   Windows TaskManager   Microsoft Corporation   taskmgr.exe
                explorer.exe   1788   0.77   28,856 K   37,452 K   Windows Explorer   Microsoft Corporation   C:\WINDOWS\Explorer.EXE
                 oaui.exe   1088   0.77   6,912 K   8,200 K   Online Armor Component   Tall Emu   "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
                  oahlp.exe   3236      5,572 K   1,024 K   Online Armor Component   Tall Emu   "C:\Program Files\Tall Emu\Online Armor\OAhlp.exe"
                 msseces.exe   3652      7,576 K   12,356 K   Microsoft Security Client User Interface   Microsoft Corporation   "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
                 jusched.exe   1468      1,996 K   4,420 K   Java(TM) Update Scheduler   Sun Microsystems, Inc.   "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
                 GoogleToolbarNotifier.exe   1992      4,332 K   1,188 K   GoogleToolbarNotifier   Google Inc.   "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
                 ctfmon.exe   2264      2,048 K   4,748 K   CTF Loader   Microsoft Corporation   "C:\WINDOWS\system32\ctfmon.exe"
                 iexplore.exe   220      11,876 K   2,120 K   Internet Explorer   Microsoft Corporation   "C:\Program Files\Internet Explorer\iexplore.exe"
                  iexplore.exe   3540      48,916 K   63,520 K   Internet Explorer   Microsoft Corporation   "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:220 CREDAT:79873
                 procexp.exe   2332      13,888 K   7,772 K   Sysinternals Process Explorer   Sysinternals - www.sysinternals.com   "C:\Documents and Settings\Sean and Wylene\My Documents\ProcessExplorer\procexp.exe"
                 psi.exe   3732   1.54   42,136 K   17,796 K   Secunia PSI   Secunia   "C:\Program Files\Secunia\PSI\psi.exe"



                [regaining space - attachment deleted by admin]
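The log above, read programmatically (an added example, not part of the thread): this Python parses a Process Explorer text export, ranks rows by CPU, and ties a busy svchost.exe to its `-k` service group and child processes. It assumes the saved file is tab-separated with the columns shown in the post; the sample rows and function names are constructed for this example.

```python
import re

# Constructed sample in the shape of the Procexp.txt posted above. "|" stands in
# for the tab separator (assumed export format); leading spaces give tree depth.
SAMPLE = r"""Process|PID|CPU|Private Bytes|Working Set|Description|Company Name|Command Line
System|4|49.23|0 K|244 K|||
 Interrupts|n/a|< 0.01|0 K|0 K|Hardware Interrupts and DPCs||
 smss.exe|424||176 K|428 K|Windows NT Session Manager|Microsoft Corporation|\SystemRoot\System32\smss.exe
  winlogon.exe|532||10,504 K|3,096 K|Windows NT Logon Application|Microsoft Corporation|winlogon.exe
   services.exe|576||1,984 K|3,796 K|Services and Controller app|Microsoft Corporation|C:\WINDOWS\system32\services.exe
    svchost.exe|944|46.92|120,448 K|133,624 K|Generic Host Process for Win32 Services|Microsoft Corporation|C:\WINDOWS\System32\svchost.exe -k netsvcs
     wuauclt.exe|3000||13,424 K|125,056 K|Windows Update|Microsoft Corporation|"C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer
    MsMpEng.exe|2812||109,040 K|80,692 K|Antimalware Service Executable|Microsoft Corporation|"c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe"
""".replace("|", "\t")

def _num(text):
    """'120,448 K' -> 120448.0; '46.92' -> 46.92; blank, 'n/a', '< 0.01' -> 0.0."""
    m = re.fullmatch(r"([\d,]+(?:\.\d+)?)(?: K)?", text.strip())
    return float(m.group(1).replace(",", "")) if m else 0.0

def parse_procexp(text):
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows, stack = [], []                      # stack: (depth, pid) of open ancestors
    for line in lines[1:]:
        cells = line.split("\t")
        cells += [""] * (len(header) - len(cells))
        depth = len(cells[0]) - len(cells[0].lstrip(" "))   # indentation = tree level
        row = dict(zip(header, (c.strip() for c in cells)))
        while stack and stack[-1][0] >= depth:
            stack.pop()
        row["parent_pid"] = stack[-1][1] if stack else None
        stack.append((depth, row["PID"]))
        row["cpu"], row["private_kb"] = _num(row["CPU"]), _num(row["Private Bytes"])
        grp = re.search(r"svchost\.exe\"?\s+-k\s+(\S+)", row["Command Line"], re.I)
        row["svc_group"] = grp.group(1) if grp else None
        rows.append(row)
    return rows

def top_cpu(rows, n=3):
    return sorted((r for r in rows if r["cpu"] > 0), key=lambda r: r["cpu"], reverse=True)[:n]

def children(rows, pid):
    return [r["Process"] for r in rows if r["parent_pid"] == pid]

if __name__ == "__main__":
    rows = parse_procexp(SAMPLE)
    for r in top_cpu(rows):
        print(r["Process"], r["PID"], r["cpu"], r["svc_group"], children(rows, r["PID"]))
```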

                SuperDave

                Re: Computer runs very very very Slooooow
                « Reply #13 on: September 19, 2011, 04:21:47 PM »
                Please download Bootkit Remover by eSage Lab from here.

                NOTE: This is a file compressed with Winrar. If you do not have the means to unpack it, you can download and install 7-zip from here.

                • Unpack remover.exe from the bootkit_remover.rar archive and save it to your Desktop
                • Double-click remover.exe to run the tool
                • A DOS window will open with the results of the scan
                • Right-click that window and choose Select all
                • Simultaneously press [CTRL] + C (copy) and paste the text in your next reply.

                srose

                  Topic Starter


                  Rookie

                  Re: Computer runs very very very Slooooow
                  « Reply #14 on: September 23, 2011, 08:06:02 PM »
                  Dave,

                  I hope that I did this right. When I clicked on the link in the post it would give me an error 404 message, so I just went to the esage web site and got what I believe to be the right file. If it isn't right just let me know and I'll do it again.

                  Here is the copy of what came up when I ran that program:

                  Bootkit Remover
                  (c) 2009 Esage Lab
                  www.esagelab.com

                  Program version: 1.2.0.1
                  OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

                  System volume is \\.\C:
                  \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`93494000
                  Boot sector MD5 is: 37ea57b12221900823ef1f8d148ac245

                       Size  Device Name          MBR Status
                   --------------------------------------------
                     186 GB  \\.\PhysicalDrive0   Unknown boot code

                  Unknown boot code has been found on some of your physical disks.
                  To inspect the boot code manually, dump the master boot sector:
                  remover.exe dump <device_name> [output_file]
                  To disinfect the master boot sector, use the following command:
                  remover.exe fix <device_name>


                  Done;
                  Press any key to quit...
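For the manual inspection that the tool output mentions, an added example (not part of the thread and not eSage Lab's code): Python that checks a 512-byte master boot sector dump for the 0x55AA signature, sanity-checks the partition table, and hashes the boot code area for comparison against a baseline you trust. The sample sector, the choice of SHA-256 over bytes 0-439, and the function names are assumptions of this example.

```python
import hashlib
import struct

def build_sample_mbr():
    """Constructed 512-byte sector: filler 'boot code' plus one active NTFS entry."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 436          # bytes 0-439
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"          # bytes 440-445
    part = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                       b"\xfe\xff\xff", 63, 390620412)              # one 16-byte entry
    return code + disk_sig + part + b"\x00" * 48 + b"\x55\xaa"

def inspect_mbr(sector, known_good_sha256=()):
    if len(sector) != 512:
        raise ValueError("expected a 512-byte sector dump")
    findings = []
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    # Hash only the code area; the disk signature at 440-443 differs per disk.
    code_hash = hashlib.sha256(sector[:440]).hexdigest()
    if known_good_sha256 and code_hash not in known_good_sha256:
        findings.append("boot code differs from baseline")
    parts = []
    for i in range(4):                                              # table starts at 446
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue                                                # unused slot
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status 0x{status:02x}")
        parts.append({"index": i, "active": status == 0x80,
                      "type": ptype, "lba": lba, "sectors": count})
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one active partition")
    return {"code_sha256": code_hash, "partitions": parts, "findings": findings}

if __name__ == "__main__":
    report = inspect_mbr(build_sample_mbr())
    print(report["code_sha256"], report["partitions"], report["findings"])
```

The baseline hash has to come from a sector you captured yourself from a known-clean install of the same OS or boot loader; a mismatch is a reason to look closer, not a verdict.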