
Topic: XP PC Hanging, Freezing

dc4580

    Topic Starter


    Beginner
    • Experience: Beginner
    • OS: Windows XP
    XP PC Hanging, Freezing
    « on: January 08, 2012, 07:32:36 AM »
    Problem is that no matter what I am doing, whether it is browsing using IE 8, emailing, or creating docs, I will experience a hang or freeze of the whole PC.  Everything halts, no mouse, can't even refresh.  Doesn't matter what the browser is, and it doesn't matter which AV software I am using.  It isn't high CPU, but I do see high memory usage by IE within Task Manager.  Page file size increases.  Software environment is XP SP3, IE 8.  AV and Firewall are Norton 360.   Ran through the cleanup, and here are the three logs:

    SuperAntiSpyware:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/08/2012 at 03:49 AM

    Application Version : 5.0.1142

    Core Rules Database Version : 8112
    Trace Rules Database Version: 5924

    Scan type       : Complete Scan
    Total Scan Time : 01:32:26

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
    Administrator

    Memory items scanned      : 555
    Memory threats detected   : 0
    Registry items scanned    : 38853
    Registry threats detected : 0
    File items scanned        : 78468
    File threats detected     : 2

    Adware.Tracking Cookie
       C:\Documents and Settings\david cox\Cookies\1IIAF4JA.txt [ /imrworldwide.com ]
       C:\Documents and Settings\david cox\Cookies\SPGH7VY7.txt [ /invitemedia.com ]


    MBAM:

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.08.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    david cox :: DAVE-Q08ESS7TBC [administrator]

    1/8/2012 5:52:44 AM
    mbam-log-2012-01-08 (05-52-44).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 186546
    Time elapsed: 20 minute(s), 15 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    First DDS log:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by david cox at 7:57:19 on 2012-01-08
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.447.94 [GMT -6:00]
    .
    AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
    C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\java.exe
    C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
    C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uWindow Title = Internet Explorer, optimized for Bing and MSN
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Power2GoExpress] c:\windows\system32\ctfmon.exe
    mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" update "software\cyberlink\powerproducer\4.0"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
    mRun: [MBkLogonHook]
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [InstantBurn] c:\progra~1\cyberl~1\instan~1\win2k\IBurn.exe
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
    mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
    mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    LSP: c:\program files\vmware\vmware player\vsocklib.dll
    Trusted Zone: internet
    Trusted Zone: live.com\onecare
    Trusted Zone: mcafee.com
    Trusted Zone: microsoft.com\download.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: microsoft.com\www.update
    Trusted Zone: ussco.com\myportal
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://myportal.ussco.com/bluezone/controls/,DanaInfo=intranet.ussco.com+sglw2hcm.ocx
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1212120081468
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208918393375
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208921940093
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://myportal.ussco.com/dana-cached/sc/JuniperSetupClient.cab
    DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{98F51424-7F98-4109-9E22-2025B352A261} : DhcpNameServer = 192.168.0.1
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    Hosts: 127.0.0.1   www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2011-12-6 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2011-12-6 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20111221.003\BHDrvx86.sys [2011-12-21 819320]
    R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2008-6-3 15784]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2011-12-6 136312]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\astra32\astra32.sys [2007-2-22 30864]
    R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2008-6-3 162344]
    R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
    R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2011-12-6 130008]
    R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-11-11 70768]
    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-11-11 539248]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-18 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120106.002\IDSXpx86.sys [2012-1-6 356280]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120107.009\NAVENG.SYS [2012-1-7 86136]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20120107.009\NAVEX15.SYS [2012-1-7 1576312]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-21 136176]
    S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
    S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
    S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-21 136176]
    S3 PROCEXP150;PROCEXP150;\??\c:\windows\system32\drivers\procexp150.sys --> c:\windows\system32\drivers\PROCEXP150.SYS [?]
    S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
    S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-8-29 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2011-8-18 86016]
    S4 SessionLauncher;SessionLauncher;c:\docume~1\davidc~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\davidc~1\locals~1\temp\dx9\SessionLauncher.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-01-07 14:47:04   --------   d-----w-   c:\program files\CCleaner
    2012-01-07 06:39:12   --------   d-----w-   c:\program files\SUPERAntiSpyware
    2012-01-06 15:10:50   --------   d-----w-   c:\documents and settings\david cox\local settings\application data\Symantec
    2012-01-06 14:54:52   --------   d-----w-   c:\windows\system32\wbem\repository\FS
    2012-01-06 14:54:52   --------   d-----w-   c:\windows\system32\wbem\Repository
    2011-12-28 13:19:28   --------   d--h--w-   c:\windows\PIF
    2011-12-28 13:17:46   --------   d-----w-   c:\documents and settings\david cox\application data\Windows Search
    2011-12-25 00:46:51   --------   d-----w-   c:\program files\common files\Windows Live
    2011-12-25 00:43:19   --------   d-----w-   c:\windows\system32\winrm
    2011-12-25 00:43:03   --------   dc-h--w-   c:\windows\$968930Uinstall_KB968930$
    2011-12-25 00:36:15   --------   d-----w-   c:\windows\system32\GroupPolicy
    2011-12-25 00:36:15   --------   d-----w-   c:\program files\Windows Desktop Search
    2011-12-24 13:36:09   --------   d-----w-   c:\program files\ASTRA32
    2011-12-22 06:29:09   --------   d-----w-   c:\program files\Microsoft Windows Performance Toolkit
    2011-12-22 06:27:47   --------   d-----w-   c:\program files\Debugging Tools for Windows (x86)
    .
    ==================== Find3M  ====================
    .
    2011-12-10 21:24:06   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2011-12-07 05:43:20   60872   ----a-w-   c:\windows\system32\S32EVNT1.DLL
    2011-12-07 05:43:20   126584   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
    2011-11-28 00:24:37   103784   ----a-w-   c:\documents and settings\david cox\GoToAssistDownloadHelper.exe
    2011-11-23 13:25:32   1859584   ----a-w-   c:\windows\system32\win32k.sys
    2011-11-23 08:55:11   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-10 11:54:13   472808   ----a-w-   c:\windows\system32\deployJava1.dll
    2011-11-10 09:27:10   73728   ----a-w-   c:\windows\system32\javacpl.cpl
    2011-11-04 19:20:51   916992   ----a-w-   c:\windows\system32\wininet.dll
    2011-11-04 19:20:51   43520   ------w-   c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51   1469440   ------w-   c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59   385024   ------w-   c:\windows\system32\html.iec
    2011-11-01 16:07:10   1288704   ----a-w-   c:\windows\system32\ole32.dll
    2011-10-28 05:31:48   33280   ----a-w-   c:\windows\system32\csrsrv.dll
    2011-10-25 13:33:08   2192768   ----a-w-   c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:03   2069376   ----a-w-   c:\windows\system32\ntkrnlpa.exe
    2011-10-18 11:13:22   186880   ----a-w-   c:\windows\system32\encdec.dll
    2011-10-10 14:22:41   692736   ----a-w-   c:\windows\system32\inetcomm.dll
    .
    ============= FINISH:  7:59:23.78 ===============


    Attach Log:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/20/2008 10:26:55 PM
    System Uptime: 1/7/2012 6:19:44 AM (25 hours ago)
    .
    Motherboard: ECS                                                              |  | Alhena5   
    Processor:               Intel(R) Celeron(R) D CPU 3.33GHz | CPU 1 | 3325/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 104 GiB total, 82.542 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
    Description: ATI RADEON XPRESS 200 Series 
    Device ID: PCI\VEN_1002&DEV_5A61&SUBSYS_2A4F103C&REV_00\4&1CF2FBB4&0&2808
    Manufacturer: ATI Technologies Inc.
    Name: ATI RADEON XPRESS 200 Series 
    PNP Device ID: PCI\VEN_1002&DEV_5A61&SUBSYS_2A4F103C&REV_00\4&1CF2FBB4&0&2808
    Service: ati2mtag
    .
    ==== System Restore Points ===================
    .
    RP1: 12/8/2011 3:31:16 AM - System Checkpoint
    RP2: 12/19/2011 1:53:28 AM - System Checkpoint
    RP3: 12/19/2011 3:00:50 AM - Software Distribution Service 3.0
    RP4: 12/20/2011 3:40:52 AM - System Checkpoint
    RP5: 12/21/2011 4:06:16 AM - System Checkpoint
    RP6: 12/22/2011 5:02:17 AM - System Checkpoint
    RP7: 12/23/2011 5:40:28 AM - System Checkpoint
    RP8: 12/24/2011 9:00:10 AM - System Checkpoint
    RP9: 12/24/2011 4:31:54 PM - Software Distribution Service 3.0
    RP10: 12/24/2011 5:22:28 PM - Software Distribution Service 3.0
    RP11: 12/24/2011 6:31:53 PM - Software Distribution Service 3.0
    RP12: 12/25/2011 6:59:04 PM - System Checkpoint
    RP13: 12/26/2011 12:21:45 AM - Software Distribution Service 3.0
    RP14: 12/27/2011 1:21:38 AM - System Checkpoint
    RP15: 12/28/2011 1:33:06 AM - System Checkpoint
    RP16: 12/29/2011 2:07:23 AM - System Checkpoint
    RP17: 12/30/2011 2:23:40 AM - System Checkpoint
    RP18: 12/31/2011 3:19:41 AM - System Checkpoint
    RP19: 1/1/2012 4:19:40 AM - System Checkpoint
    RP20: 1/2/2012 4:47:05 AM - System Checkpoint
    RP21: 1/3/2012 5:34:07 AM - System Checkpoint
    RP22: 1/4/2012 6:36:53 AM - System Checkpoint
    RP23: 1/5/2012 7:34:08 AM - System Checkpoint
    RP24: 1/6/2012 8:50:57 AM - Restore Operation
    RP25: 1/6/2012 11:59:26 PM - Removed Apple Application Support
    RP26: 1/7/2012 12:01:34 AM - Removed Apple Software Update
    RP27: 1/7/2012 12:02:29 AM - Removed Bonjour
    RP28: 1/7/2012 12:04:11 AM - Removed Support.com Toolbar.
    RP29: 1/7/2012 9:13:26 AM - Installed Java(TM) 6 Update 30
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.2.6
    Adobe Reader 8.3.1
    AMD APP SDK Runtime
    ASTRA32 - Advanced System Information Tool 2.12
    ATI - Software Uninstall Utility
    ATI AVIVO Codecs
    ATI Catalyst Control Center
    ATI Catalyst Install Manager
    ATI Display Driver
    ATI Parental Control & Encoder
    AVIVO Codecs
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help English
    CCleaner
    Citrix online plug-in - web
    Citrix online plug-in (DV)
    Citrix online plug-in (HDX)
    Citrix online plug-in (USB)
    Citrix online plug-in (Web)
    Compatibility Pack for the 2007 Office system
    CyberLink InstantBurn
    CyberLink PhotoNow
    CyberLink Power2Go
    CyberLink PowerStarter
    Data Fax SoftModem with SmartCP
    Debugging Tools for Windows (x86)
    DirectXInstallService
    Driver Detective
    DriverGuide DriverScan
    EMC 10 Content
    Free Games Offer, Desktop Shortcut
    Google Update Helper
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB954550-v5)
    HP Product Detection
    InfraRecorder
    Internet Explorer (Enable DEP)
    Java(TM) 6 Update 30
    Juniper Citrix Services Client
    Juniper Networks Host Checker
    Juniper Networks Setup Client
    Juniper Terminal Services Client
    LabelPrint
    LightScribe Diagnostic Utility
    LightScribe System Software  1.14.16.1
    Linksys EasyLink Advisor
    LiveUpdate 3.2 (Symantec Corporation)
    Malwarebytes Anti-Malware version 1.60.0.1800
    MediaShow
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
    Microsoft Windows Performance Toolkit
    Microsoft Windows SDK for Windows 7 (7.1)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Norton 360
    Octoshape add-in for Adobe Flash Player
    OGA Notifier 2.0.0048.0
    Opera 11.50
    PC Pitstop Optimize3 3.0
    PowerBackup
    PowerDVD
    PowerDVD Copy
    PowerProducer
    Pure Networks Platform
    Realtek High Definition Audio Driver
    Roxio Activation Module
    Roxio BackOnTrack
    Roxio Central Audio
    Roxio Central Copy
    Roxio Central Core
    Roxio Central Data
    Roxio Central Tools
    Roxio CinePlayer
    Roxio CinePlayer Decoder Pack
    Roxio Disc Gallery
    Roxio Easy Media Creator 10 Suite
    Roxio File Backup
    Roxio MediaShare
    Roxio Update Manager
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Skins
    SmartSound Quicktracks Plugin
    Steam
    Suite
    SUPERAntiSpyware
    Symantec Technical Support Web Controls
    tools-linux
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    USB Video Driver
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VMware Player
    WebEx Support Manager for Internet Explorer
    WebFldrs XP
    Windows Driver Package - Advanced Micro Devices, Inc. (USB28xxBGA) Media  (04/27/2007 5.7.0427.0)
    Windows Driver Package - eMPIA Technology Inc, (emAudio) MEDIA  (04/27/2007 5.7.0427.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Mail
    Windows Management Framework Core
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/6/2012 8:49:30 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    1/6/2012 8:48:56 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/6/2012 8:48:55 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD BHDrvx86 ctxusbm eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX SymIRON SYMTDI Tcpip WS2IFSL
    1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:  A device attached to the system is not functioning.
    1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
    1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
    1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
    1/6/2012 7:37:35 AM, error: Service Control Manager [7034]  - The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly.  It has done this 1 time(s).
    1/6/2012 7:20:03 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the VMware Authorization Service service to connect.
    1/6/2012 7:20:03 AM, error: Service Control Manager [7000]  - The VMware Authorization Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
    1/5/2012 10:03:18 PM, error: atapi [11]  - The driver detected a controller error on \Device\Ide\IdePort0.
    1/5/2012 10:02:12 PM, error: atapi [9]  - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    1/2/2012 12:30:28 AM, error: VMnetDHCP [2]  - Can't open C:\Documents and Settings\All Users\Application Data\VMware\vmnetdhcp.conf: The system cannot find the file specified.  / The system cannot find the file specified
    1/2/2012 12:30:11 AM, error: Cdrom [11]  - The driver detected a controller error on \Device\CdRom0.
    .
    ==== End Of File ===========================
       


    If you could help me with this issue, I would appreciate it.

    Thanks,
    Dave

    dc4580

      Topic Starter


      Beginner
      • Experience: Beginner
      • OS: Windows XP
      Re: XP PC Hanging, Freezing
      « Reply #1 on: January 08, 2012, 08:44:50 AM »
      I received word from a relative in my address book (Outlook Express) that she had received spam email from me.  Another item to work on?

      Allan

      • Moderator

      • Mastermind
      • Thanked: 1260
      • Experience: Guru
      • OS: Windows 10
      Re: XP PC Hanging, Freezing
      « Reply #2 on: January 08, 2012, 08:57:55 AM »
      Please wait for a response from our Malware Expert

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: XP PC Hanging, Freezing
      « Reply #3 on: January 08, 2012, 11:02:18 AM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      *************************************************************************
      Download OTL to your desktop.

      * Open OTL
      * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

      Code:
      :OTL

      TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
      EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
      Trusted Zone: internet
      Trusted Zone: live.com\onecare
      Trusted Zone: mcafee.com
      Trusted Zone: microsoft.com\download.windowsupdate
      Trusted Zone: microsoft.com\update
      Trusted Zone: microsoft.com\www.update
      Trusted Zone: ussco.com\myportal

      :COMMANDS
      [resethosts]
      [purity]
      [start explorer]

      * Click Run Fix
      * OTLI2 may ask to reboot the machine. Please do so if asked.
      * Click OK
      * A report will open. Copy and Paste that report in your next reply.
      ***************************************************************

      Please download aswMBR.exe ( 511KB ) to your desktop.

      Double click the aswMBR.exe to run it



      Click the "Scan" button to start scan

      Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.



      On completion of the scan click save log, save it to your desktop and post in your next reply
      ****************************************************
      Please download ComboFix from BleepingComputer.com

      Alternate link: GeeksToGo.com

      and save it to your Desktop.
      It would be easiest to download using Internet Explorer.
      If you want to use Firefox, make sure that your download settings are as follows:

      * Tools->Options->Main tab
      * Set to "Always ask me where to Save the files".

      Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
      Double click ComboFix.exe & follow the prompts.
      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

      Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


      Click on Yes, to continue scanning for malware.
      When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

      If you have problems with ComboFix usage, see How to use ComboFix
      Windows 8 and Windows 10 dual boot with two SSD's

      dc4580

        Re: XP PC Hanging, Freezing
        « Reply #4 on: January 08, 2012, 10:21:34 PM »
        OTL -

        ========== OTL ==========
        ========== COMMANDS ==========
        C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
        HOSTS file reset successfully
         
        OTL by OldTimer - Version 3.2.31.0 log created on 01082012_220057

        ASWMBR -

        aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
        Run date: 2012-01-08 22:04:10
        -----------------------------
        22:04:10.860    OS Version: Windows 5.1.2600 Service Pack 3
        22:04:10.860    Number of processors: 1 586 0x605
        22:04:10.860    ComputerName: DAVE-Q08ESS7TBC  UserName: david cox
        22:04:15.985    Initialize success
        22:04:38.860    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
        22:04:38.876    Disk 0 Vendor: ST3120213AS 3.AHL Size: 114473MB BusType: 3
        22:04:38.891    Disk 0 MBR read successfully
        22:04:38.907    Disk 0 MBR scan
        22:04:38.923    Disk 0 Windows XP default MBR code
        22:04:38.938    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       105999 MB offset 63
        22:04:38.969    Disk 0 scanning sectors +217086345
        22:04:39.048    Disk 0 scanning C:\WINDOWS\system32\drivers
        22:05:02.298    Service scanning
        22:05:04.985    Modules scanning
        22:05:37.032    Disk 0 trace - called modules:
        22:05:37.079    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
        22:05:37.094    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f77608]
        22:05:37.110    3 CLASSPNP.SYS[f76b6fd7] -> nt!IofCallDriver -> \Device\00000078[0x84f212b8]
        22:05:37.126    5 ACPI.sys[f754d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84f64d98]
        22:05:37.219    Scan finished successfully
        22:06:13.329    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\david cox\Desktop\MBR.dat"
        22:06:13.344    The log file has been saved successfully to "C:\Documents and Settings\david cox\Desktop\aswMBR.txt"


        When I ran COMBOFIX, it completed stage 23 and went to a reboot.  No report.


        SuperDave

        Re: XP PC Hanging, Freezing
        « Reply #5 on: January 09, 2012, 01:33:58 PM »
          Quote
          When I ran COMBOFIX, it completed stage 23 and went to a reboot.  No report.
          Please try running it again. If it doesn't work, delete ComboFix and try this.

          Please download ComboFix from BleepingComputer.com

          Alternate link: GeeksToGo.com
          If you are using Firefox, make sure that your download settings are as follows:

          * Tools->Options->Main tab
          * Set to "Always ask me where to Save the files".

          Rename ComboFix.exe to commy.exe before you save it to your Desktop
          Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
          Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


          Click on Yes, to continue scanning for malware.
          When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

          If you have problems with ComboFix usage, see How to use ComboFix

          dc4580

            Re: XP PC Hanging, Freezing
            « Reply #6 on: January 09, 2012, 07:19:27 PM »
            COMBOFIX worked after the rename.  Here is the log:

            ComboFix 12-01-09.06 - david cox 01/09/2012  19:45:36.2.1 - x86
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.447.174 [GMT -6:00]
            Running from: c:\documents and settings\david cox\desktop\commy.exe
            Command switches used :: /stepdel
            AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
            FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
            .
            .
            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            c:\documents and settings\All Users\Application Data\TEMP
            c:\documents and settings\david cox\GoToAssistDownloadHelper.exe
            c:\windows\system32\ccrpTmr6.dll
            .
            .
            (((((((((((((((((((((((((   Files Created from 2011-12-10 to 2012-01-10  )))))))))))))))))))))))))))))))
            .
            .
            2012-01-09 04:00 . 2012-01-09 04:00   --------   d-----w-   C:\_OTL
            2012-01-07 14:47 . 2012-01-07 14:47   --------   d-----w-   c:\program files\CCleaner
            2012-01-07 06:39 . 2012-01-07 06:41   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2012-01-06 15:10 . 2012-01-06 15:10   --------   d-----w-   c:\documents and settings\david cox\Local Settings\Application Data\Symantec
            2012-01-06 14:54 . 2012-01-06 14:54   --------   d-----w-   c:\windows\system32\wbem\Repository
            2011-12-28 13:19 . 2011-12-28 13:19   --------   d--h--w-   c:\windows\PIF
            2011-12-28 13:17 . 2011-12-28 13:17   --------   d-----w-   c:\documents and settings\david cox\Application Data\Windows Search
            2011-12-25 00:46 . 2011-12-25 00:46   --------   d-----w-   c:\program files\Common Files\Windows Live
            2011-12-25 00:43 . 2011-12-25 00:43   --------   d-----w-   c:\windows\system32\winrm
            2011-12-25 00:43 . 2011-12-25 00:43   --------   dc-h--w-   c:\windows\$968930Uinstall_KB968930$
            2011-12-25 00:36 . 2011-12-29 09:17   --------   d-----w-   c:\program files\Windows Desktop Search
            2011-12-25 00:36 . 2011-12-25 00:36   --------   d-----w-   c:\windows\system32\GroupPolicy
            2011-12-24 13:36 . 2011-12-25 01:56   --------   d-----w-   c:\program files\ASTRA32
            2011-12-22 06:29 . 2011-12-22 06:29   --------   d-----w-   c:\program files\Microsoft Windows Performance Toolkit
            2011-12-22 06:27 . 2011-12-22 06:28   --------   d-----w-   c:\program files\Debugging Tools for Windows (x86)
            2011-12-22 06:25 . 2011-12-22 06:25   --------   d-----w-   c:\program files\Microsoft SDKs
            .
            .
            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2011-12-10 21:24 . 2011-08-22 05:55   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2011-12-07 05:43 . 2011-12-07 05:43   60872   ----a-w-   c:\windows\system32\S32EVNT1.DLL
            2011-12-07 05:43 . 2011-12-07 05:43   126584   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
            2011-11-23 13:25 . 2002-08-29 12:00   1859584   ----a-w-   c:\windows\system32\win32k.sys
            2011-11-23 08:55 . 2011-07-13 10:55   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
            2011-11-10 11:54 . 2010-05-09 12:30   472808   ----a-w-   c:\windows\system32\deployJava1.dll
            2011-11-10 09:27 . 2011-01-11 02:35   73728   ----a-w-   c:\windows\system32\javacpl.cpl
            2011-11-04 19:20 . 2002-08-29 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
            2011-11-04 19:20 . 2002-08-29 12:00   43520   ------w-   c:\windows\system32\licmgr10.dll
            2011-11-04 19:20 . 2002-08-29 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
            2011-11-04 11:23 . 2004-08-04 05:59   385024   ------w-   c:\windows\system32\html.iec
            2011-11-01 16:07 . 2002-08-29 12:00   1288704   ----a-w-   c:\windows\system32\ole32.dll
            2011-10-28 05:31 . 2002-08-29 12:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
            2011-10-25 13:33 . 2002-08-29 12:00   2192768   ----a-w-   c:\windows\system32\ntoskrnl.exe
            2011-10-25 12:52 . 2002-08-29 01:04   2069376   ----a-w-   c:\windows\system32\ntkrnlpa.exe
            2011-10-18 11:13 . 2002-08-29 12:00   186880   ----a-w-   c:\windows\system32\encdec.dll
            .
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4
            .
            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "Power2GoExpress"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
            .
            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
            "RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
            "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
            "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
            "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
            "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
            "InstantBurn"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2007-10-26 681256]
            "DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
            "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
            "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2007-10-17 128296]
            "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
            "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
            .
            c:\documents and settings\All Users\Start Menu\Programs\Startup\
            Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [N/A]
            .
            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            .
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
            @=""
            .
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
            @=""
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
            "DisableMonitoring"=dword:00000001
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
            "DisableMonitoring"=dword:00000001
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
            "DisableMonitoring"=dword:00000001
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "EnableFirewall"= 0 (0x0)
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
            "c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
            "c:\\Program Files\\Opera\\opera.exe"=
            .
            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
            "67:UDP"= 67:UDP:DHCP Discovery Service
            "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
            .
            R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [12/6/2011 11:42 PM 340088]
            R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [12/6/2011 11:42 PM 744568]
            R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 8:25 PM 820344]
            R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [6/3/2008 11:44 PM 15784]
            R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
            R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [12/6/2011 11:42 PM 136312]
            R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
            R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [2/22/2007 11:28 AM 30864]
            R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [6/3/2008 11:44 PM 162344]
            R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [12/6/2011 11:42 PM 130008]
            R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [11/11/2010 1:32 PM 70768]
            R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [11/11/2010 12:31 PM 539248]
            R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/18/2011 9:46 PM 106104]
            R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120107.001\IDSXpx86.sys [1/9/2012 6:08 PM 356280]
            S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
            S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2010 12:52 AM 136176]
            S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 1:43 PM 204800]
            S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 2:53 PM 362992]
            S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 2:52 PM 309744]
            S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 2:52 PM 166384]
            S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2010 12:52 AM 136176]
            S3 PROCEXP150;PROCEXP150;\??\c:\windows\system32\Drivers\PROCEXP150.SYS --> c:\windows\system32\Drivers\PROCEXP150.SYS [?]
            S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
            S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 2:53 PM 72176]
            S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 2:52 PM 1083888]
            S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/29/2002 6:00 AM 14336]
            S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
            S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [8/18/2011 10:16 PM 86016]
            S4 SessionLauncher;SessionLauncher;c:\docume~1\DAVIDC~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\DAVIDC~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
            WINRM   REG_MULTI_SZ      WINRM
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
            2008-05-23 18:49   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
            .
            Contents of the 'Scheduled Tasks' folder
            .
            2012-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 06:51]
            .
            2012-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 06:51]
            .
            2012-01-09 c:\windows\Tasks\User_Feed_Synchronization-{18A67AB4-86CC-47A1-B51A-C739DECF0A30}.job
            - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.yahoo.com/
            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
            LSP: c:\program files\VMware\VMware Player\vsocklib.dll
            Trusted Zone: internet
            Trusted Zone: live.com\onecare
            Trusted Zone: mcafee.com
            Trusted Zone: microsoft.com\download.windowsupdate
            Trusted Zone: microsoft.com\update
            Trusted Zone: microsoft.com\www.update
            Trusted Zone: ussco.com\myportal
            TCP: DhcpNameServer = 192.168.0.1
            DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
            DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
            DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://myportal.ussco.com/bluezone/controls/,DanaInfo=intranet.ussco.com+sglw2hcm.ocx
            .
            - - - - ORPHANS REMOVED - - - -
            .
            WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
            HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
            HKLM-Run-MBkLogonHook - (no file)
            HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
            HKLM-Run-googletalk - c:\program files\Google\Google Talk\googletalk.exe
            .
            .
            .
            **************************************************************************
            .
            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2012-01-09 20:03
            Windows 5.1.2600 Service Pack 3 NTFS
            .
            scanning hidden processes ... 
            .
            scanning hidden autostart entries ...
            .
            scanning hidden files ... 
            .
            scan completed successfully
            hidden files: 0
            .
            **************************************************************************
            .
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
            "ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------
            .
            [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
            @Denied: (2) (LocalSystem)
            "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
               d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,98,35,2b,66,3f,83,4f,a8,fa,40,\
            "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
               d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,98,35,2b,66,3f,83,4f,a8,fa,40,\
            .
            [HKEY_USERS\S-1-5-21-484763869-1060284298-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
            @Allowed: (Read) (RestrictedCode)
            @Allowed: (Read) (RestrictedCode)
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------
            .
            - - - - - - - > 'winlogon.exe'(852)
            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            c:\windows\system32\WININET.dll
            c:\windows\system32\Ati2evxx.dll
            .
            Completion time: 2012-01-09  20:13:54
            ComboFix-quarantined-files.txt  2012-01-10 02:13
            .
            Pre-Run: 88,419,586,048 bytes free
            Post-Run: 88,767,119,360 bytes free
            .
            WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
            [boot loader]
            timeout=2
            default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
            [operating systems]
            c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
            UnsupportedDebug="do not select this" /debug
            multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
            .
            - - End Of File - - 0DF1C78CC8AC13A3E9A74204A37E68B6
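A triage pass over the ComboFix log above, as an added example that is not part of the original post or of ComboFix itself. It reads the registry-value and service lines and lists entries worth a second look; the rule names, the `triage` function and the heuristics are assumptions of this example, and a finding is a prompt for review, not a verdict.

```python
import re
from dataclasses import dataclass

# Excerpt copied from the ComboFix log posted above (not the whole log).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2007-10-17 128296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [12/6/2011 11:42 PM 130008]
S3 PROCEXP150;PROCEXP150;\??\c:\windows\system32\Drivers\PROCEXP150.SYS --> c:\windows\system32\Drivers\PROCEXP150.SYS [?]
S4 SessionLauncher;SessionLauncher;c:\docume~1\DAVIDC~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\DAVIDC~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
'''

KEY_RE = re.compile(r'^\[(hk[^\]]+)\]$', re.I)      # registry section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')    # "name"=data
# <R|S = running|stopped><Start value> <service>;<display name>;<image> [<date size> or ?]
SERVICE_RE = re.compile(r'^([RS])([0-4]) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$')
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule name used by this example
    subject: str   # value, key or service the rule fired on
    detail: str


def _check_value(key, name, data):
    """Rules for one registry value printed under the (lower-cased) header `key`."""
    lname = name.lower()
    if key.endswith("\\currentversion\\run"):
        target = re.match(r'"([^"]*)"', data)
        path = target.group(1).lower() if target else ""
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        # A Run value that starts a system32 binary under an unrelated name.
        if "\\windows\\system32\\" in path and stem not in lname:
            yield Finding("run-name-mismatch", name, path)
    elif "security center\\monitoring" in key and lname == "disablemonitoring":
        if data.endswith("00000001"):
            yield Finding("security-center-monitoring-off", key.rsplit("\\", 1)[-1], data)
    elif key.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall":
        # Expected only when a third-party firewall has taken over.
        if data.split()[:1] == ["0"]:
            yield Finding("windows-firewall-off", "standardprofile", data)


def _check_service(match):
    """Rules for one driver/service line."""
    state, start, name, _display, image, meta = match.groups()
    image = image.split(" --> ")[-1]                 # keep the resolved path
    label = f"{'running' if state == 'R' else 'stopped'}/{START_TYPES[start]}"
    if meta.strip() == "?":                          # no timestamp or size was printed
        yield Finding("service-no-file-details", name, f"{label}: {image}")
    if "\\temp\\" in image.lower():                  # service registered from a Temp folder
        yield Finding("service-image-in-temp", name, f"{label}: {image}")


def triage(log_text):
    """Return the findings for a ComboFix log, in log order."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == ".":                              # ComboFix separates sections with "."
            key = ""
        elif (m := KEY_RE.match(line)):
            key = m.group(1).lower()
        elif (m := SERVICE_RE.match(line)):
            findings.extend(_check_service(m))
        elif key and (m := VALUE_RE.match(line)):
            findings.extend(_check_value(key, *m.groups()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.subject:18} {f.detail}")
```
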

            dc4580

              Re: XP PC Hanging, Freezing
              « Reply #7 on: January 10, 2012, 07:19:41 AM »
              Problem of PC freezing still exists.  No other reports of email issue. 

              SuperDave

              Re: XP PC Hanging, Freezing
              « Reply #8 on: January 10, 2012, 12:38:24 PM »
              Quote
              Problem of PC freezing still exists.
              Please describe this freezing to me. Is it just momentary freezing? How long does it last? Do you have to do a hard reboot to get the computer working again? How much RAM do you have?

              Re-running ComboFix to remove infections:

              • Close any open browsers.
              • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
              • Open notepad and copy/paste the text in the quotebox below into it:
                Quote
                KillAll::

                Firefox::

                Trusted Zone: internet
                Trusted Zone: live.com\onecare
                Trusted Zone: mcafee.com
                Trusted Zone: microsoft.com\download.windowsupdate
                Trusted Zone: microsoft.com\update
                Trusted Zone: microsoft.com\www.update
                Trusted Zone: ussco.com\myportal

                DDS::

                Trusted Zone: internet
                Trusted Zone: live.com\onecare
                Trusted Zone: mcafee.com
                Trusted Zone: microsoft.com\download.windowsupdate
                Trusted Zone: microsoft.com\update
                Trusted Zone: microsoft.com\www.update
                Trusted Zone: ussco.com\myportal

              • Save this as CFScript.txt, in the same location as ComboFix.exe



              • Referring to the picture above, drag CFScript into ComboFix.exe
              • When finished, it shall produce a log for you at C:\ComboFix.txt

              I don't need to see the log from this script.
              **************************************************
              SysProt Antirootkit

              Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

              http://sites.google.com/site/sysprotantirootkit/

              Unzip it into a folder on your desktop.
              • Double click Sysprot.exe to start the program.
              • Click on the Log tab.
              • In the Write to log box select the following items.
                • Process << Selected
                • Kernel Modules << Selected
                • SSDT << Selected
                • Kernel Hooks << Selected
                • IRP Hooks << NOT Selected
                • Ports << NOT Selected
                • Hidden Files << Selected
              • At the bottom of the page
                • Hidden Objects Only << Selected
              • Click on the Create Log button on the bottom right.
              • After a few seconds a new window should appear.
              • Select Scan Root Drive. Click on the Start button.
              • When it is complete a new window will appear to indicate that the scan is finished.
              • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
              Windows 8 and Windows 10 dual boot with two SSD's

              dc4580

                Re: XP PC Hanging, Freezing
                « Reply #9 on: January 11, 2012, 05:07:08 AM »
                The hang or freeze can be momentary or for a duration of several minutes.  There is no pattern in duration.  During the freeze, whether on a browser page, emailing or creating a doc, can't use any buttons like refresh and nothing responds.  If the duration is long enough, I will receive the Not Responding comment up top.  If I leave things alone, the Not Responding goes away and soon I have response again.  No hard reboot is necessary usually, unless the freeze is lengthy, then I will manually reboot.  RAM=512M. 

                Completed the Combofix with CFScript successfully. 

                Sysprot.exe has not completed successfully, and I have attempted several runs.  When the create log button is selected, the progress bar runs across, then the PC reboots.  Doesn't create any log.  No new window.



                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: XP PC Hanging, Freezing
                « Reply #10 on: January 11, 2012, 01:08:08 PM »
                I suspect that the freezing problem is caused by running XP with only 512M of RAM.

                Please download RootRepeal from GooglePages.com.
                • Extract the program file to your Desktop.
                • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


                • Select ALL of the checkboxes and then click OK and it will start scanning your system.

                • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                • When done, click on Save Report
                • Save it to the Desktop.
                • Please copy/paste the contents of the report in your next reply.
                Please remove any e-mail address in the RootRepeal report (if present).

                dc4580

                  Re: XP PC Hanging, Freezing
                  « Reply #11 on: January 11, 2012, 07:09:02 PM »
                  Rootrepeal report:

                  ROOTREPEAL (c) AD, 2007-2009
                  ==================================================
                  Scan Start Time:      2012/01/11 19:55
                  Program Version:      Version 1.3.5.0
                  Windows Version:      Windows XP SP3
                  ==================================================

                  Drivers
                  -------------------
                  Name: dump_atapi.sys
                  Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
                  Address: 0xF3C8E000   Size: 98304   File Visible: No   Signed: -
                  Status: -

                  Name: dump_WMILIB.SYS
                  Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
                  Address: 0xF7BDE000   Size: 8192   File Visible: No   Signed: -
                  Status: -

                  Name: rootrepeal.sys
                  Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                  Address: 0xF32B1000   Size: 49152   File Visible: No   Signed: -
                  Status: -

                  Name: SYMDS.SYS
                  Image Path: SYMDS.SYS
                  Address: 0xF7462000   Size: 356352   File Visible: No   Signed: -
                  Status: -

                  Name: SYMEFA.SYS
                  Image Path: SYMEFA.SYS
                  Address: 0xF7395000   Size: 765952   File Visible: No   Signed: -
                  Status: -

                  Hidden/Locked Files
                  -------------------
                  Path: c:\system volume information\efadata\sdmys_dce0e3549948cfe54642a4c9
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df2d07.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df256a.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df2b28.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df3993.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df516.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df576f.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df63f9.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df685b.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df88f5.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df8f30.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~df91c9.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~dfeb58.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~dffab8.tmp
                  Status: Allocation size mismatch (API: 16384, Raw: 0)

                  Path: c:\documents and settings\david cox\local settings\temp\~romfn_000006c4
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_pzsvjdwlbhu2hwaxq0fg
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_szkkqbvv3cvchjhhrtqs
                  Status: Allocation size mismatch (API: 512, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_wi4vouyhxyt8toj74dz3
                  Status: Allocation size mismatch (API: 512, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_xfgmmyih6pe9sfhh1xgr
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_8g9k2e2wabt9ochlcjul
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_ao1xpqbbbo0700ktwfx4
                  Status: Allocation size mismatch (API: 512, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_cffjd9uzxprhtxtxhyig
                  Status: Allocation size mismatch (API: 512, Raw: 0)

                  Path: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\symds\temp\musdmys_fhjshje6ljlknfuc5lag
                  Status: Allocation size mismatch (API: 4096, Raw: 0)

                  SSDT
                  -------------------
                  #: 012   Function Name: NtAlertResumeThread
                  Status: Hooked by "<unknown>" at address 0x84a80978

                  #: 013   Function Name: NtAlertThread
                  Status: Hooked by "<unknown>" at address 0x84a788d0

                  #: 017   Function Name: NtAllocateVirtualMemory
                  Status: Hooked by "<unknown>" at address 0x845e6140

                  #: 019   Function Name: NtAssignProcessToJobObject
                  Status: Hooked by "<unknown>" at address 0x84aa0cf8

                  #: 031   Function Name: NtConnectPort
                  Status: Hooked by "<unknown>" at address 0x849c66f0

                  #: 041   Function Name: NtCreateKey
                  Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408c710

                  #: 043   Function Name: NtCreateMutant
                  Status: Hooked by "<unknown>" at address 0x84921770

                  #: 052   Function Name: NtCreateSymbolicLinkObject
                  Status: Hooked by "<unknown>" at address 0x84a4c5c8

                  #: 053   Function Name: NtCreateThread
                  Status: Hooked by "<unknown>" at address 0x84af6008

                  #: 057   Function Name: NtDebugActiveProcess
                  Status: Hooked by "<unknown>" at address 0x84aa0b80

                  #: 063   Function Name: NtDeleteKey
                  Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408c990

                  #: 065   Function Name: NtDeleteValueKey
                  Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408cef0

                  #: 068   Function Name: NtDuplicateObject
                  Status: Hooked by "<unknown>" at address 0x84a8b5e0

                  #: 083   Function Name: NtFreeVirtualMemory
                  Status: Hooked by "<unknown>" at address 0x84ad4848

                  #: 089   Function Name: NtImpersonateAnonymousToken
                  Status: Hooked by "<unknown>" at address 0x84a82b10

                  #: 091   Function Name: NtImpersonateThread
                  Status: Hooked by "<unknown>" at address 0x84a81db0

                  #: 097   Function Name: NtLoadDriver
                  Status: Hooked by "<unknown>" at address 0x84980e58

                  #: 108   Function Name: NtMapViewOfSection
                  Status: Hooked by "<unknown>" at address 0x84af8cd8

                  #: 114   Function Name: NtOpenEvent
                  Status: Hooked by "<unknown>" at address 0x84a99110

                  #: 122   Function Name: NtOpenProcess
                  Status: Hooked by "<unknown>" at address 0x84c8a1f0

                  #: 123   Function Name: NtOpenProcessToken
                  Status: Hooked by "<unknown>" at address 0x84a67b68

                  #: 125   Function Name: NtOpenSection
                  Status: Hooked by "<unknown>" at address 0x84a9a650

                  #: 128   Function Name: NtOpenThread
                  Status: Hooked by "<unknown>" at address 0x84a6d738

                  #: 137   Function Name: NtProtectVirtualMemory
                  Status: Hooked by "<unknown>" at address 0x84a4b710

                  #: 206   Function Name: NtResumeThread
                  Status: Hooked by "<unknown>" at address 0x84a70838

                  #: 213   Function Name: NtSetContextThread
                  Status: Hooked by "<unknown>" at address 0x84a68868

                  #: 228   Function Name: NtSetInformationProcess
                  Status: Hooked by "<unknown>" at address 0x84a990c8

                  #: 240   Function Name: NtSetSystemInformation
                  Status: Hooked by "<unknown>" at address 0x84aa0b48

                  #: 247   Function Name: NtSetValueKey
                  Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf408d140

                  #: 253   Function Name: NtSuspendProcess
                  Status: Hooked by "<unknown>" at address 0x84a9a578

                  #: 254   Function Name: NtSuspendThread
                  Status: Hooked by "<unknown>" at address 0x84a6dba0

                  #: 257   Function Name: NtTerminateProcess
                  Status: Hooked by "<unknown>" at address 0x84a63cc0

                  #: 258   Function Name: NtTerminateThread
                  Status: Hooked by "<unknown>" at address 0x84a6bc28

                  #: 267   Function Name: NtUnmapViewOfSection
                  Status: Hooked by "<unknown>" at address 0x84a69a70

                  #: 277   Function Name: NtWriteVirtualMemory
                  Status: Hooked by "<unknown>" at address 0x84acfe18

                  Shadow SSDT
                  -------------------
                  #: 307   Function Name: NtUserAttachThreadInput
                  Status: Hooked by "<unknown>" at address 0x84a48d98

                  #: 383   Function Name: NtUserGetAsyncKeyState
                  Status: Hooked by "<unknown>" at address 0x84993668

                  #: 414   Function Name: NtUserGetKeyboardState
                  Status: Hooked by "<unknown>" at address 0x84a09e08

                  #: 416   Function Name: NtUserGetKeyState
                  Status: Hooked by "<unknown>" at address 0x84bbb840

                  #: 428   Function Name: NtUserGetRawInputData
                  Status: Hooked by "<unknown>" at address 0x849d2b78

                  #: 460   Function Name: NtUserMessageCall
                  Status: Hooked by "<unknown>" at address 0x84b8b510

                  #: 475   Function Name: NtUserPostMessage
                  Status: Hooked by "<unknown>" at address 0x84a7f240

                  #: 476   Function Name: NtUserPostThreadMessage
                  Status: Hooked by "<unknown>" at address 0x84933b20

                  #: 549   Function Name: NtUserSetWindowsHookEx
                  Status: Hooked by "<unknown>" at address 0x84970c58

                  #: 552   Function Name: NtUserSetWinEventHook
                  Status: Hooked by "<unknown>" at address 0x84bd9cf0

                  ==EOF==

                  SuperDave

                  Re: XP PC Hanging, Freezing
                  « Reply #12 on: January 12, 2012, 12:16:18 PM »
                  Please give me an update about your computer.

                  I'd like to scan your machine with ESET OnlineScan

                  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                  ESET OnlineScan
                  • Click the button.
                  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                    • Click on to download the ESET Smart Installer. Save it to your desktop.
                    • Double click on the icon on your desktop.
                  • Check
                  • Click the button.
                  • Accept any security warnings from your browser.
                  • Check
                  • Push the Start button.
                  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                  • When the scan completes, push
                  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                  • Push the button.
                  • Push
                  A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                  dc4580

                    Re: XP PC Hanging, Freezing
                    « Reply #13 on: January 13, 2012, 07:11:46 AM »
                    The latest is that ESET will not run.  As soon as the add-on click message shows and I click, it will hang and go into a state of Not Responding.

                    The problem still exists.  It began in May of 2010 and continued through October of 2010, until McAfee put out a fix that really did fix the problem.  I was good from October through May of 2011, then the same problem started with the same symptoms and has continued through now.  I am not the only person using McAfee that had the same experience.  Just Google mcshield.exe high cpu and you will eventually reach that complaint room.  Back in December, after trying to get McAfee Tier 2.5 support to grab debug data and watching them stumble around for months, I cut them off and am currently on Norton for AV and firewall. 

                    These tools you are using are all scanners.  Is there a tool that can start a trace before actively recording my activity ( usual browse, email, etc. ) ?   


                    SuperDave

                    Re: XP PC Hanging, Freezing
                    « Reply #14 on: January 13, 2012, 01:13:14 PM »
                    Quote
                    I cut them off and am currently on Norton for AV and firewall. 
                    And, the problem still exists with Norton?
                    Quote
                    Is there a tool that can start a trace before actively recording my activity ( usual browse, email, etc. ) ?   
                    I'm not sure what you mean here.

                    dc4580

                      Re: XP PC Hanging, Freezing
                      « Reply #15 on: January 13, 2012, 04:03:14 PM »
                      Yes, problem still exists with Norton.    That was just irritation with McAfee.  Doesn't matter which, Norton or McAfee, problem still occurs. 

                      While I was working with McAfee Tier 2.5, they were collecting logs and also wanted to get Debug Diagnosis running so they could trap data when a given threshold would be reached.  They could never get it set up correctly.  That's why I was asking if you knew of such a tool that could be set up to trip on a threshold and collect data while the problem was occurring.

                      SuperDave

                      Re: XP PC Hanging, Freezing
                      « Reply #16 on: January 13, 2012, 07:38:24 PM »
                      Please try this: Download and install Microsoft Security Essentials and activate it. Next, disable your Norton AV and try running MSE as your AV for a few days and see if the problem goes away.

                      Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
                       Microsoft Security Essentials for Windows XP

                      dc4580

                        Re: XP PC Hanging, Freezing
                        « Reply #17 on: January 13, 2012, 09:29:44 PM »
                        Ok, I'll install it and update you either Monday or Tuesday.

                        SuperDave

                        Re: XP PC Hanging, Freezing
                        « Reply #18 on: January 14, 2012, 11:01:12 AM »
                        Quote
                        Ok, I'll install it and update you either Monday or Tuesday.
                        I'll be watching for it.

                        dc4580

                          Re: XP PC Hanging, Freezing
                          « Reply #19 on: January 16, 2012, 12:01:05 PM »
                          MSE didn't make any difference.  The problem occurred as soon as I had MSE up and tried browsing.  I am back on Norton now.

                          SuperDave

                          Re: XP PC Hanging, Freezing
                          « Reply #20 on: January 16, 2012, 12:48:21 PM »
                          Run the BitDefender Online scanner

                          Agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files.

                          Once Bitdefender completes the scan:
                          Click on the Detected Problems tab.
                          Then select Click here to export the scan report.

                          When the window comes up to save the report, change the Save as type: box to:
                          Text (Tab Delimited) (*.txt) and then in the File name box enter bdscan, then click Save.

                          This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (Take notice of where you save it so you can find it later.)
                          This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

                          If you do not follow these steps, you will have an incorrect log or, worse, a log summary, which is useless to us.

                          Post the bdscan.txt file as an Attachment.

                          dc4580

                            Re: XP PC Hanging, Freezing
                            « Reply #21 on: January 16, 2012, 03:49:44 PM »
                            Dave,
                            can you give me the best way to attach into a post?

                            Thanks.

                            SuperDave

                            Re: XP PC Hanging, Freezing
                            « Reply #22 on: January 16, 2012, 04:23:43 PM »
                            Quote
                            Dave,
                            can you give me the best way to attach into a post?

                            Thanks.
                            Why can't you copy and paste it?

                            dc4580

                              Re: XP PC Hanging, Freezing
                              « Reply #23 on: January 16, 2012, 09:32:51 PM »
                              Bitdefender not producing the activex control install popup.  Just says Loading Bitdefender Quickscan in red and sits there.  I will try this again tomorrow.

                              My last question was asked because in my work with vendors, their sites often have an upload facility that allows for documents pertaining to an issue to be attached to the issue, and I didn't see anything like that on this forum.   

                              SuperDave

                              Re: XP PC Hanging, Freezing
                              « Reply #24 on: January 17, 2012, 11:59:54 AM »
                              Quote
                              My last question was asked because in my work with vendors, their sites often have an upload facility that allows for documents pertaining to an issue to be attached to the issue, and I didn't see anything like that on this forum.
                              I would rather see the logs copied and pasted in your reply. I don't want to go looking for them at another site.

                              dc4580

                                Re: XP PC Hanging, Freezing
                                « Reply #25 on: January 17, 2012, 03:25:52 PM »
                                Slight miscommunication here.  I never said that I was going to locate any logs elsewhere.  I was discussing attachments and how they are attached to issues.

                                As I said, I will retry the bitdefender when I get home.

                                SuperDave

                                Re: XP PC Hanging, Freezing
                                « Reply #26 on: January 17, 2012, 04:34:31 PM »
                                OK, sorry. I'll watch for the log.

                                dc4580

                                  Re: XP PC Hanging, Freezing
                                  « Reply #27 on: January 17, 2012, 10:01:54 PM »
                                  I reach the point where quickscan prompts for the add-on of qsax.cab, which has a blue background for a short time, then goes to a cream-colored background.  If clicked, it will not give the install menu.  That's as far as I can get.  I tried this a number of times, failing each time.

                                  SuperDave

                                  Re: XP PC Hanging, Freezing
                                  « Reply #28 on: January 18, 2012, 12:26:09 PM »
                                  Ok. Let's try another one.

                                  Please go to the Kaspersky website and perform an online antivirus scan.

                                  1. Read through the requirements and privacy statement and click on Accept button.
                                  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
                                  3. When the downloads have finished, click on Settings.
                                  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
                                  Spyware, Adware, Dialers, and other potentially dangerous programs
                                  Archives


                                  5. Click on My Computer under Scan.
                                  6. Once the scan is complete, it will display the results. Click on View Scan Report.
                                  7. You will see a list of infected items there. Click on Save Report As....
                                  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
                                  9. Please post this log in your next reply along with a fresh HijackThis log.

                                  dc4580

                                    Re: XP PC Hanging, Freezing
                                    « Reply #29 on: January 19, 2012, 07:03:18 AM »
                                    Custom scan is what you are looking for.  It is running right now.  When I get home later on today, I will post the results along with a HijackThis report.

                                    SuperDave

                                    Re: XP PC Hanging, Freezing
                                    « Reply #30 on: January 19, 2012, 11:18:39 AM »
                                    I don't need to see the HijackThis log.

                                    dc4580

                                      Re: XP PC Hanging, Freezing
                                      « Reply #31 on: January 19, 2012, 07:24:14 PM »
                                      The link http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html didn't work.  Got a 404.  So, I went to the Kaspersky site and hit the free virus scan link.  The custom scan ran and produced no detected threats, no malicious objects and no applications that showed vulnerabilities, adware or " other " anomalies.  It doesn't create a report, just a display.

                                      SuperDave

                                      Re: XP PC Hanging, Freezing
                                      « Reply #32 on: January 20, 2012, 11:49:13 AM »
                                      Ok. How's your computer working now? Any other issues?

                                      dc4580

                                        Re: XP PC Hanging, Freezing
                                        « Reply #33 on: January 20, 2012, 11:59:16 AM »
                                        The freezing and hanging are still occurring.  Is there anything to the number of svchost.exe running at the same time?  When I look at Task Manager, I can see six executing at the same time.

                                        SuperDave

                                        Re: XP PC Hanging, Freezing
                                        « Reply #34 on: January 21, 2012, 11:50:08 AM »
                                        Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
                                        Unzip ProcessExplorer.zip, and double-click on procexp.exe to run the program.
                                        Click on View > Select Columns.
                                        In addition to the already pre-selected options, make sure the Command Line is selected, and press OK.
                                        Go to File > Save As, and save the report as Procexp.txt.
                                        Attach the file to your next reply.

                                        dc4580

                                          Re: XP PC Hanging, Freezing
                                          « Reply #35 on: January 21, 2012, 04:40:45 PM »
                                          Process   PID   CPU   Description   Company Name   Command Line
                                          System Idle Process   0   100.00         
                                          System   4            
                                           Interrupts   n/a   < 0.01   Hardware Interrupts and DPCs      
                                           smss.exe   768      Windows NT Session Manager   Microsoft Corporation   \SystemRoot\System32\smss.exe
                                            csrss.exe   824      Client Server Runtime Process   Microsoft Corporation   C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
                                            winlogon.exe   848      Windows NT Logon Application   Microsoft Corporation   winlogon.exe
                                             services.exe   892      Services and Controller app   Microsoft Corporation   C:\WINDOWS\system32\services.exe
                                              svchost.exe   1112      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k DcomLaunch
                                               wfcrun32.exe   1816      Citrix   Citrix Systems, Inc.   "C:\Program Files\Citrix\ICA Client\wfcrun32.exe" -Embedding
                                               wmiprvse.exe   2492      WMI   Microsoft Corporation   C:\WINDOWS\system32\wbem\wmiprvse.exe
                                              svchost.exe   1200      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k rpcss
                                              svchost.exe   1848      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k netsvcs
                                              svchost.exe   204      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k NetworkService
                                              svchost.exe   600      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k LocalService
                                              spoolsv.exe   760      Spooler SubSystem App   Microsoft Corporation   C:\WINDOWS\system32\spoolsv.exe
                                              svchost.exe   1644      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k LocalService
                                              SASCore.exe   1728      Core Service   SUPERAntiSpyware.com   "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE"
                                              jqs.exe   312      Java(TM) Quick Starter Service   Sun Microsystems, Inc.   "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
                                              LSSrvc.exe   420      LightScribe Service   Hewlett-Packard Company   "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
                                              LinksysUpdater.exe   536            "C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf"
                                               java.exe   1980      Java(TM) Platform SE binary   Oracle Corporation   "C:\WINDOWS\system32\java.exe" -Xmx100m -Djava.library.path="../lib" -classpath "../lib/agent-2.5.8318.2077.jar;../lib/wrapper.jar;../lib/commons-lang-2.3.jar;../lib/commons-logging-1.1.jar;../lib/spring-2.0.6.jar;../lib/spring-ws-core-1.0.2.jar;../lib/spring-xml-1.0.2.jar;../lib/jdom-1.0.jar;../lib/jaxen-1.1.1.jar;../lib/xpp3_min-1.1.3.4.O.jar;../lib/xstream-1.2.2.jar" -Dwrapper.key="KXkElE5tty3F0CbB" -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=536 -Dwrapper.version="3.2.3" -Dwrapper.native_library="wrapper" -Dwrapper.service="TRUE" -Dwrapper.cpu.timeout="10" -Dwrapper.jvmid=1 com.linksys.agent.Main
                                              ccSvcHst.exe   1940      Symantec Service Framework   Symantec Corporation   "C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton 360\Engine\5.1.0.29\diMaster.dll" /prefetch:1
                                               ccSvcHst.exe   2308      Symantec Service Framework   Symantec Corporation   "C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe" /c /a /s UserSession
                                              RichVideo.exe   2148      RichVideo Module      "C:\Program Files\CyberLink\Shared Files\RichVideo.exe"
                                              vmware-usbarbitrator.exe   2916      VMware USB Arbitration Service   VMware, Inc.   "C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe"
                                              searchindexer.exe   3080      Microsoft Windows Search Indexer   Microsoft Corporation   C:\WINDOWS\system32\SearchIndexer.exe /Embedding
                                              nmsrvc.exe   3188      Pure Networks Platform Service   Cisco Systems, Inc.   "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"
                                              vmware-authd.exe   3452      VMware Authorization Service   VMware, Inc.   "C:\Program Files\VMware\VMware Player\vmware-authd.exe"
                                              alg.exe   3120      Application Layer Gateway Service   Microsoft Corporation   C:\WINDOWS\System32\alg.exe
                                             lsass.exe   904      LSA Shell (Export Version)   Microsoft Corporation   C:\WINDOWS\system32\lsass.exe
                                             taskmgr.exe   3868      Windows TaskManager   Microsoft Corporation   taskmgr.exe
                                          explorer.exe   1560      Windows Explorer   Microsoft Corporation   C:\WINDOWS\Explorer.EXE
                                           RTHDCPL.EXE   1304      Realtek HD Audio Control Panel   Realtek Semiconductor Corp.   "C:\WINDOWS\RTHDCPL.EXE"
                                           RoxWatchTray10.exe   1452      RoxMMTrayApp Module   Sonic Solutions   "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
                                            CPSHelpRunner10.exe   1148      ROXHelpRunner Module   Sonic Solutions   "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe" Local\{B5C5AE51-F57E-48B4-ADD8-1F440EF4FD87}
                                           PDVDServ.exe   1460      PowerDVD RC Service   Cyberlink Corp.   "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
                                           nmctxth.exe   1284      Pure Networks Platform Assistant   Cisco Systems, Inc.   "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
                                           IBurn.exe   1544      InstantBurn UDF Tool   CyberLink Corporation.   "C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe"
                                           DMXLauncher.exe   868            "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
                                           concentr.exe   1500      Citrix online plug-in Connection Center   Citrix Systems, Inc.   "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
                                           CLMLSvc.exe   1724      CyberLink MediaLibray Service   CyberLink   "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
                                           jusched.exe   1964      Java(TM) Update Scheduler   Sun Microsystems, Inc.   "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
                                           ctfmon.exe   1988      CTF Loader   Microsoft Corporation   "C:\WINDOWS\system32\ctfmon.exe"
                                           WindowsSearch.exe   2432      Windows Search System Tray   Microsoft Corporation   "C:\Program Files\Windows Desktop Search\WindowsSearch.exe"  /startup
                                           iexplore.exe   3964      Internet Explorer   Microsoft Corporation   "C:\Program Files\Internet Explorer\iexplore.exe"
                                            iexplore.exe   1008      Internet Explorer   Microsoft Corporation   "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3964 CREDAT:79889
                                           procexp.exe   2472      Sysinternals Process Explorer   Sysinternals - www.sysinternals.com   "C:\Documents and Settings\david cox\Local Settings\Temporary Internet Files\Content.IE5\5BDKUUF3\ProcessExplorer[1]\procexp.exe"


                                          SuperDave

                                          Re: XP PC Hanging, Freezing
                                          « Reply #36 on: January 21, 2012, 08:01:47 PM »
                                          Quote
                                          svchost.exe   1112      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k DcomLaunch
                                          svchost.exe   1200      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k rpcss
                                          svchost.exe   1848      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k netsvcs
                                          svchost.exe   204      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k NetworkService
                                          svchost.exe   600      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\system32\svchost.exe -k LocalService
                                          svchost.exe   1644      Generic Host Process for Win32 Services   Microsoft Corporation   C:\WINDOWS\System32\svchost.exe -k LocalService

                                          As you can see all the svchost.exe are running legit processes. I noticed this in your DDS log.

                                          Code: [Select]
                                          1/6/2012 8:48:55 AM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.

                                          This has occurred a number of times. Could you check your Device Manager to see if there are any yellow alerts? How much RAM do you have?
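The kind of check that sits behind a verdict on the svchost.exe rows of a Process Explorer export, as an added example that is not part of the original thread: the number of instances is not the signal, while the image path, the `-k` service group and the parent process are. It assumes a tab-separated export with one leading space per tree level and Windows installed in C:\WINDOWS; the sample rows are constructed, modelled on the export above, and PID 4242 is an invented suspicious row.

```python
import ntpath

# Assumption: Windows lives in C:\WINDOWS, as in the export posted in the thread.
EXPECTED_IMAGE = r"c:\windows\system32\svchost.exe"
COLUMNS = ("process", "pid", "cpu", "description", "company", "cmdline")


def _row(depth, name, pid, desc, company, cmdline):
    """Build one export line: tree depth as leading spaces, tab-separated fields."""
    return " " * depth + "\t".join([name, str(pid), "", desc, company, cmdline])


# Constructed sample modelled on the thread's export. PID 4242 is invented for
# illustration and does not appear in the thread.
SAMPLE_EXPORT = "\n".join([
    "Process\tPID\tCPU\tDescription\tCompany Name\tCommand Line",
    _row(0, "System", 4, "", "", ""),
    _row(1, "smss.exe", 768, "Windows NT Session Manager", "Microsoft Corporation",
         r"\SystemRoot\System32\smss.exe"),
    _row(2, "winlogon.exe", 848, "Windows NT Logon Application",
         "Microsoft Corporation", "winlogon.exe"),
    _row(3, "services.exe", 892, "Services and Controller app",
         "Microsoft Corporation", r"C:\WINDOWS\system32\services.exe"),
    _row(4, "svchost.exe", 1112, "Generic Host Process for Win32 Services",
         "Microsoft Corporation", r"C:\WINDOWS\system32\svchost.exe -k DcomLaunch"),
    _row(5, "wmiprvse.exe", 2492, "WMI", "Microsoft Corporation",
         r"C:\WINDOWS\system32\wbem\wmiprvse.exe"),
    _row(4, "svchost.exe", 1848, "Generic Host Process for Win32 Services",
         "Microsoft Corporation", r"C:\WINDOWS\System32\svchost.exe -k netsvcs"),
    _row(3, "lsass.exe", 904, "LSA Shell (Export Version)",
         "Microsoft Corporation", r"C:\WINDOWS\system32\lsass.exe"),
    _row(0, "explorer.exe", 1560, "Windows Explorer", "Microsoft Corporation",
         r"C:\WINDOWS\Explorer.EXE"),
    _row(1, "svchost.exe", 4242, "", "",
         r'"C:\Documents and Settings\user\svchost.exe"'),
])


def parse_export(text):
    """Parse the export into dicts and recover each row's parent from indentation."""
    rows, stack = [], []  # stack = (depth, row) chain of ancestors of the current row
    for line in text.splitlines()[1:]:  # skip the header line
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (len(COLUMNS) - len(fields))
        depth = len(fields[0]) - len(fields[0].lstrip(" "))
        row = dict(zip(COLUMNS, (f.strip() for f in fields)))
        while stack and stack[-1][0] >= depth:
            stack.pop()
        row["parent"] = stack[-1][1]["process"] if stack else None
        stack.append((depth, row))
        rows.append(row)
    return rows


def split_command_line(cmdline):
    """Return (normalised image path, argument list) for a command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end != -1 else cmdline[1:]
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        exe, _, rest = cmdline.partition(" ")
    if not exe:
        return "", []
    return ntpath.normcase(ntpath.normpath(exe)), rest.split()


def check_svchost(rows):
    """Return [(pid, [problems])] for svchost.exe rows that fail any check."""
    findings = []
    for row in rows:
        if row["process"].lower() != "svchost.exe":
            continue
        exe, args = split_command_line(row["cmdline"])
        lowered = [a.lower() for a in args]
        problems = []
        if exe != EXPECTED_IMAGE:
            problems.append("image path is %s" % (exe or "missing"))
        if "-k" not in lowered or lowered.index("-k") == len(lowered) - 1:
            problems.append("no -k service group on the command line")
        if (row["parent"] or "").lower() != "services.exe":
            problems.append("parent is %s, not services.exe" % row["parent"])
        if problems:
            findings.append((int(row["pid"]), problems))
    return findings


if __name__ == "__main__":
    for pid, problems in check_svchost(parse_export(SAMPLE_EXPORT)):
        print("svchost.exe PID %d: %s" % (pid, "; ".join(problems)))
```
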

                                          dc4580

                                            Re: XP PC Hanging, Freezing
                                            « Reply #37 on: January 21, 2012, 09:18:01 PM »
                                            448M of RAM.

                                            Device Manager showed the Display Adapter in a disabled state.  I enabled it.  Checked for more current drivers, but it said the driver was current.  I will be going to ati.com later in the morning to see if there is anything out on their website that would reference hanging or freezing.

                                            Problem happening occasionally tonight.  Page file usage is up to 1.25 G and climbing.  I will have to get off here soon and reboot.  Let you know tomorrow if I find anything on ati.com. 

                                            Thanks again for your help.

                                            dc4580

                                              Re: XP PC Hanging, Freezing
                                              « Reply #38 on: January 23, 2012, 09:32:48 AM »
                                              Ran Driver Detective and found some out-of-date drivers.  I am in the process of completing these updates which I will probably complete when I get home tonight.

                                              dc4580

                                                Re: XP PC Hanging, Freezing
                                                « Reply #39 on: January 24, 2012, 07:51:22 AM »
                                                Installed the drivers.  The original problem still exists.

                                                SuperDave

                                                Re: XP PC Hanging, Freezing
                                                « Reply #40 on: January 24, 2012, 04:44:38 PM »
                                                Please try this: While you're operating the computer, start the Task Manager and leave it on. CTRL, ALT, Delete will start it. You will notice a small dark green screen in the bottom right corner of the screen. When the usage gets close to 100% it will turn a bright green color. That's usually when it will hang. Check the process which is causing the highest usage. You can toggle between the least and the most by clicking Mem Usage. Please make note of the process. Do this over a period of days and see if it's the same process each time.

                                                dc4580

                                                  Re: XP PC Hanging, Freezing
                                                  « Reply #41 on: January 24, 2012, 05:16:42 PM »
                                                  Thanks Dave.  Yes, I have been using Task Manager since the start of this problem. Sometimes, if I start it, the startup of it will cause the PC to un-freeze.  The app that usually has the most mem usage is IE.  At times I can see Page File usage from this display at over 1 Gig.  Sometimes, the Norton executables will be up high on the mem usage display, usually just under IE.  This is IE 8 by the way.  I will track and see if there are any differences to what I am used to seeing.

                                                  dc4580

                                                    Re: XP PC Hanging, Freezing
                                                    « Reply #42 on: January 27, 2012, 09:09:06 PM »
                                                    I have been monitoring through Task Manager.  Here's the short list ( no order here ):

                                                    RTHDCPL.EXE - Realtek
                                                    IEXPLORE.EXE
                                                    CCSVCHST.EXE - Norton
                                                    SVCHOST.EXE
                                                    WUAUCLT.EXE - Win Update
                                                    The three searchindex tasks.  I turned off WSEARCH.

                                                    Do I need to have a Windows Update task running ?

                                                    I sent an email to Realtek Support regarding their executable.   

                                                    SuperDave

                                                    Re: XP PC Hanging, Freezing
                                                    « Reply #43 on: January 28, 2012, 12:00:25 PM »
                                                    Quote
                                                    Do I need to have a Windows Update task running ?
                                                    Not necessarily but you will have to set yourself a schedule to go and check for your updates.

                                                    Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

                                                    Link 1
                                                    Link 2
                                                    Link 3

                                                    •Double-click on MBRCheck.exe to run it.

                                                    •It will open a black window...please do not fix anything (if it gives you an option).

                                                    •When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.

                                                    •A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
                                                    •Please copy and paste the contents of that log in your next reply.

                                                    dc4580

                                                      Re: XP PC Hanging, Freezing
                                                      « Reply #44 on: January 28, 2012, 07:35:34 PM »
                                                      MBRCheck, version 1.2.3
                                                      (c) 2010, AD

                                                      Command-line:         
                                                      Windows Version:      Windows XP Professional
                                                      Windows Information:      Service Pack 3 (build 2600)
                                                      Logical Drives Mask:      0x0000000c

                                                      Kernel Drivers (total 142):
                                                        0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
                                                        0x806D1000 \WINDOWS\system32\hal.dll
                                                        0xF7B76000 \WINDOWS\system32\KDCOM.DLL
                                                        0xF7A86000 \WINDOWS\system32\BOOTVID.dll
                                                        0xF7547000 ACPI.sys
                                                        0xF7B78000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
                                                        0xF7536000 pci.sys
                                                        0xF7676000 isapnp.sys
                                                        0xF7C3E000 pciide.sys
                                                        0xF78F6000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
                                                        0xF7686000 MountMgr.sys
                                                        0xF7517000 ftdisk.sys
                                                        0xF7B7A000 dmload.sys
                                                        0xF74F1000 dmio.sys
                                                        0xF78FE000 PartMgr.sys
                                                        0xF7696000 VolSnap.sys
                                                        0xF74D9000 atapi.sys
                                                        0xF76A6000 disk.sys
                                                        0xF76B6000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
                                                        0xF74B9000 fltmgr.sys
                                                        0xF7462000 SYMDS.SYS
                                                        0xF7450000 sr.sys
                                                        0xF7395000 SYMEFA.SYS
                                                        0xF76C6000 PxHelp20.sys
                                                        0xF737E000 KSecDD.sys
                                                        0xF72F1000 Ntfs.sys
                                                        0xF72C4000 NDIS.sys
                                                        0xF72AA000 Mup.sys
                                                        0xF7736000 \SystemRoot\System32\DRIVERS\intelppm.sys
                                                        0xF4EAC000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
                                                        0xF4E98000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
                                                        0xF793E000 \SystemRoot\System32\DRIVERS\usbohci.sys
                                                        0xF4E74000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
                                                        0xF7946000 \SystemRoot\System32\DRIVERS\usbehci.sys
                                                        0xF7756000 \SystemRoot\System32\DRIVERS\imapi.sys
                                                        0xF7766000 \SystemRoot\System32\DRIVERS\cdrom.sys
                                                        0xF7776000 \SystemRoot\System32\DRIVERS\redbook.sys
                                                        0xF4E51000 \SystemRoot\System32\DRIVERS\ks.sys
                                                        0xF795E000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
                                                        0xF4E29000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
                                                        0xF7786000 \SystemRoot\System32\DRIVERS\i8042prt.sys
                                                        0xF796E000 \SystemRoot\System32\DRIVERS\kbdclass.sys
                                                        0xF797E000 \??\C:\WINDOWS\system32\drivers\VMkbd.sys
                                                        0xF7986000 \SystemRoot\System32\DRIVERS\mouclass.sys
                                                        0xF4DF3000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
                                                        0xF4CF5000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
                                                        0xF4C49000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
                                                        0xF79A6000 \SystemRoot\System32\Drivers\Modem.SYS
                                                        0xF4C29000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
                                                        0xF7D68000 \SystemRoot\System32\DRIVERS\audstub.sys
                                                        0xF7796000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
                                                        0xF7B22000 \SystemRoot\System32\DRIVERS\ndistapi.sys
                                                        0xF4C12000 \SystemRoot\System32\DRIVERS\ndiswan.sys
                                                        0xF77A6000 \SystemRoot\System32\DRIVERS\raspppoe.sys
                                                        0xF77B6000 \SystemRoot\System32\DRIVERS\raspptp.sys
                                                        0xF79CE000 \SystemRoot\System32\DRIVERS\TDI.SYS
                                                        0xF4C01000 \SystemRoot\System32\DRIVERS\psched.sys
                                                        0xF77C6000 \SystemRoot\System32\DRIVERS\msgpc.sys
                                                        0xF79DE000 \SystemRoot\System32\DRIVERS\ptilink.sys
                                                        0xF79EE000 \SystemRoot\System32\DRIVERS\raspti.sys
                                                        0xF4B31000 \SystemRoot\System32\DRIVERS\rdpdr.sys
                                                        0xF77D6000 \SystemRoot\System32\DRIVERS\termdd.sys
                                                        0xF7B8A000 \SystemRoot\System32\DRIVERS\swenum.sys
                                                        0xF4AD3000 \SystemRoot\System32\DRIVERS\update.sys
                                                        0xF7B46000 \SystemRoot\System32\DRIVERS\mssmbios.sys
                                                        0xF7B4A000 \SystemRoot\system32\DRIVERS\vmnetadapter.sys
                                                        0xF7B4E000 \SystemRoot\system32\DRIVERS\VMNET.SYS
                                                        0xF77E6000 \SystemRoot\System32\Drivers\NDProxy.SYS
                                                        0xF7816000 \SystemRoot\System32\DRIVERS\usbhub.sys
                                                        0xF7B90000 \SystemRoot\System32\DRIVERS\USBD.SYS
                                                        0xF037C000 \SystemRoot\system32\drivers\RtkHDAud.sys
                                                        0xF0330000 \SystemRoot\system32\drivers\portcls.sys
                                                        0xF7836000 \SystemRoot\system32\drivers\drmk.sys
                                                        0xF4AC7000 \SystemRoot\System32\Drivers\CLBStor.SYS
                                                        0xF7B96000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
                                                        0xF7DBB000 \SystemRoot\System32\Drivers\Null.SYS
                                                        0xF7B9A000 \SystemRoot\System32\Drivers\Beep.SYS
                                                        0xF7A6E000 \SystemRoot\System32\drivers\vga.sys
                                                        0xF7B9E000 \SystemRoot\System32\Drivers\mnmdd.SYS
                                                        0xF7BA2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
                                                        0xF7A7E000 \SystemRoot\System32\Drivers\Msfs.SYS
                                                        0xF7936000 \SystemRoot\System32\Drivers\Npfs.SYS
                                                        0xF4ABF000 \SystemRoot\System32\DRIVERS\rasacd.sys
                                                        0xF02D5000 \SystemRoot\system32\DRIVERS\ipsec.sys
                                                        0xF027C000 \SystemRoot\System32\DRIVERS\tcpip.sys
                                                        0xF01FB000 \SystemRoot\system32\drivers\N360\0501000.01D\SYMTDI.SYS
                                                        0xF01D5000 \SystemRoot\System32\DRIVERS\ipnat.sys
                                                        0xF7846000 \SystemRoot\System32\DRIVERS\wanarp.sys
                                                        0xF01AF000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
                                                        0xF0154000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20120126.003\IDSxpx86.sys
                                                        0xF012C000 \SystemRoot\System32\DRIVERS\netbt.sys
                                                        0xF0378000 \SystemRoot\System32\drivers\ws2ifsl.sys
                                                        0xF010A000 \SystemRoot\System32\drivers\afd.sys
                                                        0xF7856000 \SystemRoot\System32\DRIVERS\netbios.sys
                                                        0xF0046000 \SystemRoot\system32\drivers\N360\0501000.01D\Ironx86.SYS
                                                        0xF7876000 \SystemRoot\system32\drivers\N360\0501000.01D\SRTSPX.SYS
                                                        0xF0024000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
                                                        0xF798E000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
                                                        0xEFFF9000 \SystemRoot\System32\DRIVERS\rdbss.sys
                                                        0xEFF89000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
                                                        0xF7886000 \SystemRoot\System32\Drivers\Fips.SYS
                                                        0xEFF2B000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
                                                        0xEFF0D000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
                                                        0xEFEF9000 \SystemRoot\system32\DRIVERS\ctxusbm.sys
                                                        0xEFE2D000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20120121.002\BHDrvx86.sys
                                                        0xF78C6000 \SystemRoot\System32\Drivers\Cdfs.SYS
                                                        0xEFDB5000 \SystemRoot\System32\Drivers\dump_atapi.sys
                                                        0xF7BB6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                                                        0xBF800000 \SystemRoot\System32\win32k.sys
                                                        0xF7B2A000 \SystemRoot\System32\drivers\Dxapi.sys
                                                        0xF79C6000 \SystemRoot\System32\watchdog.sys
                                                        0xBF000000 \SystemRoot\System32\drivers\dxg.sys
                                                        0xF7D67000 \SystemRoot\System32\drivers\dxgthk.sys
                                                        0xBF012000 \SystemRoot\System32\ati2dvag.dll
                                                        0xBF065000 \SystemRoot\System32\ati2cqag.dll
                                                        0xBF0FE000 \SystemRoot\System32\atikvmag.dll
                                                        0xBF182000 \SystemRoot\System32\atiok3x2.dll
                                                        0xBF1CD000 \SystemRoot\System32\ati3duag.dll
                                                        0xBF572000 \SystemRoot\System32\ativvaxx.dll
                                                        0xBF9C6000 \SystemRoot\System32\ATMFD.DLL
                                                        0xED86C000 \SystemRoot\System32\Drivers\CLBUDF.SYS
                                                        0xED85B000 \SystemRoot\System32\Drivers\Udfs.SYS
                                                        0xF79FE000 \SystemRoot\system32\DRIVERS\vmnetbridge.sys
                                                        0xED8AB000 \SystemRoot\System32\DRIVERS\ndisuio.sys
                                                        0xF7A06000 \SystemRoot\system32\DRIVERS\pnarp.sys
                                                        0xF7A0E000 \SystemRoot\system32\DRIVERS\purendis.sys
                                                        0xED526000 \SystemRoot\system32\drivers\wdmaud.sys
                                                        0xF007A000 \SystemRoot\system32\drivers\sysaudio.sys
                                                        0xED2C9000 \SystemRoot\System32\DRIVERS\mrxdav.sys
                                                        0xED37E000 \??\C:\WINDOWS\system32\drivers\hcmon.sys
                                                        0xED35E000 \??\C:\WINDOWS\system32\Drivers\vmci.sys
                                                        0xED1FA000 \??\C:\WINDOWS\system32\Drivers\vmx86.sys
                                                        0xF7A36000 \??\C:\Program Files\ASTRA32\ASTRA32.sys
                                                        0xECEAA000 \SystemRoot\System32\DRIVERS\srv.sys
                                                        0xED1B2000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
                                                        0xF7A66000 \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys
                                                        0xECD21000 \??\C:\Program Files\VMware\VMware Player\vstor2-ws60.sys
                                                        0xEC5D4000 \SystemRoot\system32\drivers\N360\0501000.01D\SRTSP.SYS
                                                        0xEBF9A000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120128.009\NAVEX15.SYS
                                                        0xEBF86000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20120128.009\NAVENG.SYS
                                                        0xEBF5B000 \SystemRoot\system32\drivers\kmixer.sys
                                                        0x7C900000 \WINDOWS\system32\ntdll.dll

                                                      Processes (total 42):
                                                             0 System Idle Process
                                                             4 System
                                                           764 C:\WINDOWS\system32\smss.exe
                                                           812 csrss.exe
                                                           844 C:\WINDOWS\system32\winlogon.exe
                                                           888 C:\WINDOWS\system32\services.exe
                                                           900 C:\WINDOWS\system32\lsass.exe
                                                          1072 C:\WINDOWS\system32\ati2evxx.exe
                                                          1092 C:\WINDOWS\system32\svchost.exe
                                                          1180 svchost.exe
                                                          1844 C:\WINDOWS\system32\svchost.exe
                                                           184 C:\WINDOWS\system32\ati2evxx.exe
                                                           296 svchost.exe
                                                           620 svchost.exe
                                                           804 C:\WINDOWS\system32\spoolsv.exe
                                                          1588 C:\WINDOWS\explorer.exe
                                                          1780 svchost.exe
                                                          1904 C:\Program Files\SUPERAntiSpyware\SASCore.exe
                                                           508 C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
                                                           516 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
                                                           572 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
                                                           644 C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
                                                          1264 C:\Program Files\Citrix\ICA Client\concentr.exe
                                                          1348 C:\Program Files\Java\jre6\bin\jqs.exe
                                                          1540 C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
                                                           316 C:\Program Files\Citrix\ICA Client\wfcrun32.exe
                                                          1256 C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
                                                          2008 C:\WINDOWS\system32\java.exe
                                                          2012 C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
                                                           432 C:\Program Files\Common Files\Java\Java Update\jusched.exe
                                                           632 C:\WINDOWS\RTHDCPL.EXE
                                                          1816 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
                                                          2088 C:\WINDOWS\system32\ctfmon.exe
                                                          2592 C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
                                                          2780 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
                                                          3756 C:\Program Files\VMware\VMware Player\vmware-authd.exe
                                                          3368 C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
                                                          2472 alg.exe
                                                          1988 C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
                                                          4048 C:\Program Files\Internet Explorer\iexplore.exe
                                                          3776 C:\Program Files\Internet Explorer\iexplore.exe
                                                          2352 C:\Documents and Settings\david cox\Desktop\MBRCheck.exe

                                                      \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)

                                                      PhysicalDrive0 Model Number: ST3120213AS, Rev: 3.AHL   

                                                            Size  Device Name          MBR Status
                                                        --------------------------------------------
                                                          111 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
                                                                  SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


                                                      Done!

                                                      SuperDave

                                                      • Malware Removal Specialist


                                                      • Genius
                                                      • Thanked: 1020
                                                      • Certifications: List
                                                      • Experience: Expert
                                                      • OS: Windows 10
                                                      Re: XP PC Hanging, Freezing
                                                      « Reply #45 on: January 29, 2012, 12:15:20 PM »
                                                      I can't find any malware that would be causing this problem. The only thing I can suggest is to keep Task Manager open and, when it freezes, try to see which process is causing it and stop the process to see if it will correct the problem.
                                                      Windows 8 and Windows 10 dual boot with two SSD's

                                                      dc4580

                                                        Topic Starter


                                                        Beginner
                                                        • Experience: Beginner
                                                        • OS: Windows XP
                                                        Re: XP PC Hanging, Freezing
                                                        « Reply #46 on: January 30, 2012, 07:11:45 PM »
                                                        Thanks Dave.  Got me stumped here too.  As far as keeping an eye on things through Task Manager, sure, if it is IE 8, then I will kill it if the CPU% doesn't go down after a while.  I hesitate to do the same with svchost.exe, but I suppose it won't do any harm.  Norton tasks are a little less intense, so I just usually leave them alone.   

                                                        Any suggestions on where to go from this point?  If you were to have any other recommendations, I would be happy to follow through.

                                                        SuperDave

                                                        Re: XP PC Hanging, Freezing
                                                        « Reply #47 on: January 30, 2012, 07:35:25 PM »
                                                        Quote
                                                        I hesitate to do the same with svchost.exe, but I suppose it won't do any harm.
                                                        It won't do any harm.
                                                        Quote
                                                        Any suggestions on where to go from this point?  If you were to have any other recommendations, I would be happy to follow through.
                                                        The only thing I could suggest at this point is to start a new thread in one of the software forums.

                                                        dc4580

                                                          Re: XP PC Hanging, Freezing
                                                          « Reply #48 on: January 30, 2012, 08:45:06 PM »
                                                          I will.  Thanks much for all your help in trying to find the cause of this problem.  I appreciate it!

                                                          SuperDave

                                                          Re: XP PC Hanging, Freezing
                                                          « Reply #49 on: January 31, 2012, 11:55:31 AM »
                                                          Quote
                                                          I will.  Thanks much for all your help in trying to find the cause of this problem.  I appreciate it!
                                                          I'll leave this thread unlocked so you can come back to let me know how things turn out.

                                                          dc4580

                                                            Re: XP PC Hanging, Freezing
                                                            « Reply #50 on: January 31, 2012, 01:00:24 PM »
                                                            I will.  Thanks.

                                                            dc4580

                                                              Re: XP PC Hanging, Freezing
                                                              « Reply #51 on: March 10, 2012, 05:31:28 AM »
                                                              Hi Dave,
                                                              Quick update to run down what I have gone through in the last month or so:

                                                              1.)  Ran a number of different scans which didn't find anything malicious.
                                                              2.)  Ran through an XP repair, which helped, but didn't get rid of the hang.
                                                              3.)  Added RAM so that I am now at just under 2Gig.  Made quite a noticeable difference in response, but again didn't get rid of the hang.
                                                              4.)  Replaced a DVD drive, which took those CD ROM errors out of the mix, but didn't get rid of the hang.
                                                              5.)  Removed VMware from my PC ( around 500 files and registry entries ).  That was done using IOBIT.Uninstaller.  I recommend that one for stubborn stuff.  The removal of VMware seems to be what removed the hangs and freezes.

                                                              So, as you can see, it wasn't AV or any one particular thing, but a combination of things happening over time, some of which I believe we had discussed, like the RAM and hardware. 

                                                              My PC is now very clean, and response is very good.  I hope to keep it that way for a while.  I intend to do a hardware and software refresh in about a year or so.
                                                                   
                                                              I just wanted to let you know the status now, and say thanks for getting me on the right path here.  I appreciate all your help.  Thank you very much.  If you want to close out this issue, I would be fine with that.


                                                              DC4580.

                                                              SuperDave

                                                              Re: XP PC Hanging, Freezing
                                                              « Reply #52 on: March 10, 2012, 11:14:25 AM »
                                                              You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.