Author Topic: "System" in task Manager using a lot of memory. (Read 36683 times)

Sylverkitti · « **on:** March 02, 2009, 04:03:25 AM »

I have never see the system jump to the top of the memory usage section, usually its at the bottom with system Idle process. Other things started acting up before I opened task manager to see what happened. My mouse froze, I had to disconnect it and reconnect it to work, and it keeps freezing for a quick sec, then jumping to where i pull it. Things are slower to load, other than that, nothing odd. I ran all scans, nothing came up on any except for the bear share, I removed it I never use it anymore but nothing has changed its still doing it, see if you see anything, let me know if theses anything else I should do. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:53 AM, on 3/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Atomic Alarm

Clock\AtomicAlarmClock.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft

Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Sylverkitti\Local

Settings\Application

Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page =

https://www.ocwencustomers.com/home.cfm
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*

http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet

Explorer\SearchURL,(Default) =

http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*

http://www.yahoo.com
R1 -

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage",

"http://home.netscape.com/bookmark/7_2/home.html");

(C:\Documents and Settings\SYLVERKITTI\Application

Data\Mozilla\Profiles\default\n77ayi80.slt\prefs.js)
N3 - Netscape 7:

user_pref("browser.search.defaultengine",

"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%

5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and

Settings\SYLVERKITTI\Application

Data\Mozilla\Profiles\default\n77ayi80.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper -

{02478D38-C3F9-4EFB-9B51-7695ECA05670} -

C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program

Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) -

{7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program

Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: (no name) -

{AE40EBA0-2D49-48C9-BA8D-E9F046240F5F} - (no file)
O2 - BHO: Google Toolbar Notifier BHO -

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch -

{C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program

Files\Google\Google

Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: CBrowserHelperObject Object -

{CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program

Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper -

{DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program

Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl -

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program

Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class -

{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -

C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInsta

nce.dll
O3 - Toolbar: &Google Toolbar -

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program

Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LXCGCATS] rundll32

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll

,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY]

C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher]

"C:\Program Files\Adobe\Reader

8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Atomic

Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com -

{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B}

(SysProWmi Class) -

https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -

C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134}

(MySpace Uploader Control) -

http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

(ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.

cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}

(Shockwave Flash Object) -

https://fpdownload.macromedia.com/get/shockwave/cabs/fl

ash/swflash.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{F1AC1131-1A94-4922-8

2BE-EC2D80A6CCA7}: NameServer =

205.171.3.65,205.171.2.65
O18 - Protocol: linkscanner -

{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program

Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program

Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter -

C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems -

C:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG

Technologies CZ, s.r.o. -

C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG

Technologies CZ, s.r.o. -

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision

Europe Ltd. - C:\Program Files\Common Files\Macrovision

Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service

(gupdate1c987f0bc4cae14) (gupdate1c987f0bc4cae14) -

Google Inc. - C:\Program

Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google

- C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter

(JavaQuickStarterService) - Sun Microsystems, Inc. -

C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jesuk Service (JesukSrv) - Unknown owner

- C:\WINDOWS\system32\jesuk.exe (file missing)
O23 - Service: lxcg_device - -

C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Mocugyk Service (MocugykSrv) - Unknown

owner - C:\WINDOWS\system32\mocugyk.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R)

Corporation - C:\Program

Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft RemoteAssist - Unknown owner

- C:\Program Files\Common

Files\SupportSoft\bin\ssrc.exe (file missing)
O23 - Service: TabletServicePen - Wacom Technology,

Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 8871 bytes

***********************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/02/2009 at 02:39 AM

Application Version : 4.1.1046

Core Rules Database Version : 3780
Trace Rules Database Version: 1738

Scan type : Complete Scan
Total Scan Time : 00:52:45

Memory items scanned : 186
Memory threats detected : 0
Registry items scanned : 5754
Registry threats detected : 0
File items scanned : 87479
File threats detected : 1

BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE

***************************************************

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 2

3/2/2009 4:41:50 AM
mbam-log-2009-03-02 (04-41-50).txt

Scan type: Quick Scan
Objects scanned: 63040
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

evilfantasy · « **Reply #1 on:** March 02, 2009, 11:12:08 AM »

Please download Wrapper.exe to your desktop

* Double click the program to run it. It will only take a few seconds to run.
* If any of your security programs try to block it please allow it to run.
* When prompted, press any key to exit the program

Now run a new HijackThis scan and post the log.

Sylverkitti · « **Reply #2 on:** March 02, 2009, 07:07:47 PM »

I get a 404 Not Found when i click that link you gave me.

evilfantasy · « **Reply #3 on:** March 02, 2009, 07:15:00 PM »

Run a new HijackThis scan. Before copying the log in Notepad go to Format and click Word Wrap.

Then copy and paste the log.

Sylverkitti · « **Reply #4 on:** March 03, 2009, 12:26:16 AM »

I hope you meant you wanted word wrap chosen, it was already chosen so I just left it? Let me know if that was wrong :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:39 AM, on 3/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.ocwencustomers.com/home.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\SYLVERKITTI\Application Data\Mozilla\Profiles\default\n77ayi80.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\SYLVERKITTI\Application Data\Mozilla\Profiles\default\n77ayi80.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: (no name) - {AE40EBA0-2D49-48C9-BA8D-E9F046240F5F} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1AC1131-1A94-4922-82BE-EC2D80A6CCA7}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c987f0bc4cae14) (gupdate1c987f0bc4cae14) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jesuk Service (JesukSrv) - Unknown owner - C:\WINDOWS\system32\jesuk.exe (file missing)
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Mocugyk Service (MocugykSrv) - Unknown owner - C:\WINDOWS\system32\mocugyk.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft RemoteAssist - Unknown owner - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe (file missing)
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 8793 bytes

evilfantasy · « **Reply #5 on:** March 03, 2009, 10:30:16 AM »

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O2 - BHO: (no name) - {AE40EBA0-2D49-48C9-BA8D-E9F046240F5F} - (no file)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis but do not restart when it asks you to.

----------

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:services
JesukSrv
MocugykSrv

:files
C:\WINDOWS\system32\jesuk.exe
C:\WINDOWS\system32\mocugyk.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

----------

Also let me know how the computer is running now.

Sylverkitti · « **Reply #6 on:** March 03, 2009, 05:10:03 PM »

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Service JesukSrv stopped successfully.
Service JesukSrv deleted successfully.
Service MocugykSrv stopped successfully.
Service MocugykSrv deleted successfully.
========== FILES ==========
File/Folder C:\WINDOWS\system32\jesuk.exe not found.
File/Folder C:\WINDOWS\system32\mocugyk.exe not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\etilqs_tbM1fc3gCFC5nDUYcmWu scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\Perflib_Perfdata_194.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\~DFF135.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_648.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_e6c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03032009_180712

Re-booting and moving on to the next part.....

Sylverkitti · « **Reply #7 on:** March 03, 2009, 05:44:45 PM »

After the 1st restart, after using Move it, everything was real slow to start up, the blue welcome page was stuck for a while then the desktop came up empty...it finally all came up but scared me for a sec.
System is still taking up a lot of memory.

Combo file attached

[attachment deleted by admin]

evilfantasy · « **Reply #8 on:** March 03, 2009, 05:56:09 PM »

Why was ComboFix run 5 times?

evilfantasy · « **Reply #9 on:** March 03, 2009, 06:02:02 PM »

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

Driver::
JesukDriver
MocugykDriver

File::
c:\windows\system32\jesuk.sys
c:\windows\system32\mocugyk.sys

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{284b41dd-ccdc-11dd-9fb7-001320bc3e08}]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

Sylverkitti · « **Reply #10 on:** March 03, 2009, 07:00:07 PM »

I am not sure why it would say it was run 5 times...i clicked it once...wierd.

ComboFix 09-03-02.03 - Sylverkitti 2009-03-03 19:51:31.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.535 [GMT -6:00]
Running from: c:\documents and settings\Sylverkitti\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sylverkitti\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\jesuk.sys
c:\windows\system32\mocugyk.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JESUKDRIVER
-------\Legacy_MOCUGYKDRIVER
-------\Service_JesukDriver
-------\Service_MocugykDriver

((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
.

2009-03-03 18:07 . 2009-03-03 18:07   <DIR>   d--------   C:\_OTMoveIt
2009-03-02 04:47 . 2009-03-02 04:47   <DIR>   d--------   c:\program files\Java
2009-03-02 04:47 . 2009-03-02 04:47   73,728   --a------   c:\windows\system32\javacpl.cpl
2009-03-02 02:55 . 2009-03-02 02:55   <DIR>   d--------   c:\program files\Spybot - Search & Destroy
2009-02-28 04:18 . 2009-02-28 04:18   <DIR>   d--------   c:\program files\EwisoftWeb
2009-02-28 04:18 . 2009-02-28 04:18   <DIR>   d--------   c:\documents and settings\All Users\Application Data\EwisoftWeb
2009-02-21 17:28 . 2009-02-21 17:28   <DIR>   d--------   c:\program files\Memcorp
2009-02-20 13:50 . 2009-02-20 13:50   <DIR>   d--------   c:\program files\Common Files\SWF Studio
2009-02-19 05:09 . 2009-02-19 05:14   <DIR>   d--------   c:\program files\Folder Marker
2009-02-11 19:41 . 2009-02-11 19:41   <DIR>   d--------   c:\documents and settings\Sylverkitti\Application Data\Yahoo!
2009-02-11 19:41 . 2009-02-12 23:54   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-11 19:40 . 2009-02-11 19:41   <DIR>   d--------   c:\program files\Yahoo!
2009-02-08 17:26 . 2009-02-08 17:26   <DIR>   d--------   c:\program files\GrandmasterChess
2009-02-05 20:33 . 2009-02-05 20:33   <DIR>   d--hs----   c:\documents and settings\Sylverkitti\IECompatCache
2009-02-05 20:31 . 2009-02-05 20:31   <DIR>   d--hs----   c:\documents and settings\Sylverkitti\IETldCache
2009-02-05 18:19 . 2009-03-02 19:44   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Google Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 01:54   ---------   d-----w   c:\documents and settings\Sylverkitti\Application Data\WTablet
2009-03-02 10:51   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-02 00:45   ---------   d-----w   c:\documents and settings\Sylverkitti\Application Data\FrostWire
2009-03-01 00:27   ---------   d-----w   c:\program files\Lx_cats
2009-02-25 22:44   325,128   ----a-w   c:\windows\system32\drivers\avgldx86.sys
2009-02-25 22:44   107,272   ----a-w   c:\windows\system32\drivers\avgtdix.sys
2009-02-25 22:44   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg8
2009-02-19 11:39   ---------   d-----w   c:\program files\Bee Icons
2009-02-12 23:32   ---------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-02-12 01:40   ---------   d-----w   c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-11 16:46   ---------   d-----w   c:\program files\Google
2009-02-11 16:19   38,496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19   15,504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-01-29 06:05   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2009-01-29 05:13   ---------   d-----w   c:\documents and settings\Sylverkitti\Application Data\RecoveryInfo
2009-01-24 02:33   ---------   d-----w   c:\program files\Common Files\xing shared
2009-01-24 02:33   ---------   d-----w   c:\program files\Common Files\Real
2009-01-24 02:32   ---------   d-----w   c:\program files\Real
2009-01-20 10:18   ---------   d-----w   c:\program files\iMoneysoft
2009-01-17 21:48   ---------   d-----w   c:\program files\Uconomix
2009-01-17 05:05   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-17 05:05   ---------   d-----w   c:\program files\Qwest
2009-01-17 05:04   ---------   d-----w   c:\documents and settings\Sylverkitti\Application Data\InstallShield
2009-01-16 18:35   ---------   d-----w   c:\program files\Curvy3D
2009-01-14 11:18   ---------   d-----w   c:\program files\Common Files\Adobe
2009-01-14 01:47   ---------   d-----w   c:\program files\PDFZilla
2009-01-10 17:20   ---------   d-----w   c:\program files\BFG
2009-01-10 10:48   ---------   d-----w   c:\program files\CoffeeCup Software
2009-01-07 01:53   ---------   d-----w   c:\program files\Edraw Max
2009-01-05 02:50   ---------   d-----w   c:\program files\MusicIP
2009-01-05 02:43   ---------   d-----w   c:\program files\MSXML 4.0
2009-01-05 02:43   ---------   d-----w   c:\program files\Citrix
2009-01-05 02:43   ---------   d-----w   c:\program files\AvailaSoft
2008-12-04 03:44   25,600   ----a-w   c:\documents and settings\Sylverkitti\usbsermptxp.sys
2008-12-04 03:44   22,768   ----a-w   c:\documents and settings\Sylverkitti\usbsermpt.sys
2007-11-30 12:01   4,890,632   ----a-w   c:\program files\NapsterPlugin3205.exe
2007-11-27 08:45   32,279,040   ----a-w   c:\program files\dell_support_center.msi
2007-05-25 04:23   56   --sh--r   c:\windows\system32\F8D855B7D7.sys
2007-05-25 04:23   3,350   --sha-w   c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-03-03_18.27.48.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-04 01:54:20   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_31c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-11 1739264]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-24 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-25 1601304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-02 148888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-24 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-25 16:44 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ     \0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2009-01-20 10:00 1451248 c:\program files\CCleaner\CCleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-10-24 22:25 133104 c:\documents and settings\Sylverkitti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
--a------ 2009-02-11 10:19 399504 c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-09-15 05:53 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-01-23 20:32 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2009-02-04 16:57 4363504 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EA Core"=c:\program files\Electronic Arts\EADM\Core.exe -silent
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-09-21 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-02 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-02 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-02-29 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-10 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-10 298264]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-05-27 1373480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S2 DVDRIVER;DVdriver;c:\windows\system32\drivers\dvdriver.sys [2007-12-21 30296]
S2 gupdate1c987f0bc4cae14;Google Update Service (gupdate1c987f0bc4cae14);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104]
S3 PortlUSB;PortlUSB;c:\windows\system32\drivers\YH-925.sys [2008-02-13 7552]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys --> c:\windows\system32\DRIVERS\rt2870.sys [?]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-01-12 44928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{284b41dd-ccdc-11dd-9fb7-001320bc3e08}]
\Shell\AutoRun\command - E:\start.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe []

2009-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2009-03-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-05 18:19]

2009-03-04 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 18:20]

2009-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-692654395-3000326154-1624883120-1006.job
- c:\documents and settings\Sylverkitti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-24 22:25]

2009-02-27 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe []

2009-03-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 17:38]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.ocwencustomers.com/home.cfm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
TCP: {F1AC1131-1A94-4922-82BE-EC2D80A6CCA7} = 205.171.3.65,205.171.2.65
FF - ProfilePath - c:\documents and settings\Sylverkitti\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.GoodSearch.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\Sylverkitti\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 19:54:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16?

?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-692654395-3000326154-1624883120-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-03 19:58:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-04 01:58:49
ComboFix2.txt 2009-03-04 00:29:11
ComboFix3.txt 2009-01-25 07:20:56

Pre-Run: 131,702,693,888 bytes free
Post-Run: 131,687,944,192 bytes free

234 --- E O F --- 2009-02-25 03:01:05

evilfantasy · « **Reply #11 on:** March 03, 2009, 07:24:16 PM »

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

Sylverkitti · « **Reply #12 on:** March 03, 2009, 09:43:49 PM »

Nothings changed...I really hope this isn't a lost cause and REALLY hope its nothing serious.

evilfantasy · « **Reply #13 on:** March 04, 2009, 10:46:11 AM »

Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Double click LopSD.exe - If you are using Windows Vista, right-click on the LopSD icon and select Run as administrator to perform this scan.

Choose the language by typing of the corresponding letter and press Enter
Click OK at the informative window
Type 1, to choose Option 1 (Search) then press Enter
Wait until the end of the scan
A report will be generated, post the contents of it in your next reply.

A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt
.
----------

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

Double click on RSIT.exe to run.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open.
log.txt <will be maximized and info.txt <will be minimized
Please post the contents of both logs in the next reply.

Sylverkitti · « **Reply #14 on:** March 06, 2009, 12:11:17 AM »

OK all are attached, they were too big to post.

[attachment deleted by admin]

evilfantasy · « **Reply #15 on:** March 06, 2009, 12:31:22 AM »

You will have to remove the cracks before I can continue helping.

* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:files
C:\DOCUME~1\SYLVER~1\Application Data\LimeWire\.AppSpecialShare\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen.torrent.bak
C:\DOCUME~1\SYLVER~1\Incomplete\GJSC3JB4CRS4LWHRG57DMKAZVEAF6DTQ\.datAdobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen
C:\DOCUME~1\SYLVER~1\Incomplete\GJSC3JB4CRS4LWHRG57DMKAZVEAF6DTQ\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Sylverkitti · « **Reply #16 on:** March 06, 2009, 01:11:25 AM »

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\DOCUME~1\SYLVER~1\Application Data\LimeWire\.AppSpecialShare\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen.torrent.bak moved successfully.
C:\DOCUME~1\SYLVER~1\Incomplete\GJSC3JB4CRS4LWHRG57DMKAZVEAF6DTQ\.datAdobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen moved successfully.
C:\DOCUME~1\SYLVER~1\Incomplete\GJSC3JB4CRS4LWHRG57DMKAZVEAF6DTQ\Adobe Photoshop Pro CS2 v9.0 Full ISO + WORKING Keygen moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\etilqs_HZMPOWUTR3my1Dfscbth scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\Perflib_Perfdata_960.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_22c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_e4c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03062009_020623

Files moved on Reboot...
File C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\etilqs_HZMPOWUTR3my1Dfscbth not found!
File C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\Perflib_Perfdata_960.dat not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_22c.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_e4c.dat moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\XUL.mfl moved successfully.

evilfantasy · « **Reply #17 on:** March 06, 2009, 01:30:05 AM »

* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{284b41dd-ccdc-11dd-9fb7-001320bc3e08}]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

:Commands
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

----------

Download Rooter.exe to your desktop

* Double click Rooter.exe to start the tool.
* A DOS window will appear and show the scan progress.
* Once complete a notepad file containing the report will open.
* Copy & paste the results in your next reply.
* Close notepad and Rooter will close.

A log will also save at %systemdrive%\Rooter.txt (Where %systemdrive% is usually C: or the drive that you have Windows installed).

----------

Also let me know how the computer is running now.

Sylverkitti · « **Reply #18 on:** March 06, 2009, 01:45:33 AM »

Still no difference, and its odd, the memory is always at 62,496, never seen it change. And the VM is at 88, but sometimes it goes to 110.....this is so weird...

========== PROCESSES ==========
Process explorer.exe killed successfully.
Error: Unable to interpret <:registry> in the current context!
Error: Unable to interpret <[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{284b41dd-ccdc-11dd-9fb7-001320bc3e08}]> in the current context!
Error: Unable to interpret <[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]> in the current context!
Error: Unable to interpret <[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]> in the current context!
========== FILES ==========
C:\lopR.txt moved successfully.
C:\Lop SD moved successfully.
C:\ComboFix.txt moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\etilqs_nibJQ9vFzGwaxGGSfGTX scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\Perflib_Perfdata_f80.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_cc.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_f4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03062009_023914

Files moved on Reboot...
File C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\etilqs_nibJQ9vFzGwaxGGSfGTX not found!
File C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\Perflib_Perfdata_f80.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_cc.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_f4.dat not found!
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\urlclassifier3.sqlite moved successfully.

evilfantasy · « **Reply #19 on:** March 06, 2009, 01:52:40 AM »

The OTMoveIt fix didn't work. I edited the directions so please run it again and post the new log. Also don't forget the Rooter scan.

Sylverkitti · « **Reply #20 on:** March 06, 2009, 02:10:29 AM »

Still no change

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{284b41dd-ccdc-11dd-9fb7-001320bc3e08}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys\\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\etilqs_cltTkBi4GK4oeygkgaiS scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_ac.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_bb4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03062009_030025

Files moved on Reboot...
File C:\DOCUME~1\SYLVER~1\LOCALS~1\Temp\etilqs_cltTkBi4GK4oeygkgaiS not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_ac.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_bb4.dat moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Sylverkitti\Local Settings\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\XUL.mfl moved successfully.

********************

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2
X86-based PC ( Uniprocessor Free : Intel(R) Celeron(R) CPU 2.66GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A00
USER : Sylverkitti ( Administrator )
BOOT : Normal boot

Antivirus : AVG Anti-Virus Free 8.0 (Activated)

A:\ (USB)
C:\ (Local Disk) - NTFS - Total:145 Go (Free:122 Go)
D:\ (CD or DVD)

Fri 03/06/2009| 3:07

----------------------\\ Search..

No infections found !

1 - "C:\Rooter$\Rooter_1.txt" - Fri 03/06/2009| 3:07

----------------------\\ Scan completed at 3:07

evilfantasy · « **Reply #21 on:** March 06, 2009, 10:45:50 AM »

Scan with Panda ActiveScan 2.0

This scanner requires Internet Explorer

Once you are on the Panda site click the Scan your PC now button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Select the appropriate Yes or No to receiving marketing information
Click the Free Online Scan button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

.
Post the contents of the ActiveScan report in your next reply.

Sylverkitti · « **Reply #22 on:** March 07, 2009, 04:08:48 AM »

This actually would not work in IE, as I have 8, and it wants 6 or 7.....but works well with Firefox 1.5 or higher. Anywho....here is the results.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-03-07 05:00:44
PROTECTIONS: 1
MALWARE: 13
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00097389 Application/PerfectKeyLog.A HackTools No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082887.exe[bpki.dll]
00211481 Application/FamilyKeylogger HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082893.exe
00211481 Application/FamilyKeylogger HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082480.exe
00381203 Application/PerfectKeyLog HackTools No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082887.exe[inst.bin]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP873\A0090023.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0089926.EXE
01514450 Application/PerfectKeyLog HackTools No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082887.exe[bpkvw.exe]
02731820 Application/PerfectKeyLog.AJ HackTools No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082887.exe[bpkun.exe]
02731822 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082887.exe[bpkwb.dll]
02731826 Trj/Keylog.LH Virus/Trojan No 1 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082887.exe[bpkr.exe]
02731829 Application/PerfectKeyLog.AJ HackTools No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082887.exe[bpkhk.dll]
02731831 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082887.exe[Setup.exe]
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP873\A0090003.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP872\A0089904.sys
02902714 Trj/Multidropper.RMA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082887.exe
02902746 Application/PerfectKeylogger.N HackTools No 0 No No C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP806\A0082887.exe[bpk.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location V
;===================================================================================================================================================================================
No C:\Documents and Settings\Sylverkitti\Desktop\ComboFix.exe V
No C:\Program Files\Adolix\eCover Engineer\eCoverEngineer.exe V
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description V
;===================================================================================================================================================================================
;===================================================================================================================================================================================

evilfantasy · « **Reply #23 on:** March 07, 2009, 11:56:08 AM »

Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

.
.
The above procedure will:

Delete:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

.
----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

Go to Start > Programs > Accessories > System Tools and click System Restore
Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Next go to Start > Run and type Cleanmgr
Click OK
Click the More Options Tab.
Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

How is the computer running now?

Sylverkitti · « **Reply #24 on:** March 09, 2009, 04:41:49 AM »

I have a bunch of different versions of flash...adobe and Macromedia......do I need all the different ones? or can they somehow be removed so all I have is one. I guess whatever i need is what i want, unneeded...no.

evilfantasy · « **Reply #25 on:** March 09, 2009, 06:15:22 AM »

Download the Flash Player Uninstaller and save it to your desktop.

Run the uninstaller program and then reboot your computer to complete the uninstall.

Download and install the latest version of Flash Player

Sylverkitti · « **Reply #26 on:** March 09, 2009, 11:57:02 PM »

Ok got that, but it still tells me theres a Java thats old on here, even tho I removed them all and updated.
Also, earlier, everything was hanging, and moving S L O W...so I pulled up my task manager, System still taking up a
bunch of memory but there was a wowexe.exe on there, I have seen this before but not for a while. As soon as
I end process things go back to normal, but this looks very weird to me, the way its indented like that, and not showing
what its using? Screen Copy attached.

[attachment deleted by admin]

evilfantasy · « **Reply #27 on:** March 10, 2009, 10:49:18 AM »

Quote

Wowexec.exe (Windows on Windows subsystem) and Ntvdm.exe (NT Virtual DOS
Machine) are used to run 16-bit programs (DOS programs) in a virtual
environment. If they are being used you will see the programs indented
under the Ntvdm.exe entry in the Task Manager. Ntvdm.exe and
Wowexec.exe will remain in memory after you close the 16-bit
application, "in case" you want to launch another 16-bit program. If
these items are started when you boot the computer, but no associated
program is shown under them, check your startup items, some 16-bit
program is set to start and do something when the computer starts. That
"16-bit something" could be anything.

I don't think it's malware but could be running due to malware.

Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe and then click Start
An information notice will appear, click OK.
This starts a short scan that will scan the files currently running in memory.
If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
If or when something is found, click the Yes button when it asks you if you want to cure it.

Once the short scan has finished, Click Settings > Change Settings
Under the Scanning tab UNcheck Heuristic analysis and click OK
Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move any file(s).
When the scan is done.
In the Dr.Web CureIt menu on top left, click File and choose Save report list.
Save the DrWeb.csv report to your Desktop.
Exit Dr.Web Cureit.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

[/COLOR]

After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
Copy and paste that log in the next reply

[/list]

Sylverkitti · « **Reply #28 on:** March 12, 2009, 05:13:10 AM »

dead body man insane clown.mp3;C:\Documents and Settings\Sylverkitti\Desktop\MUSIC\ADAM\Playlist 3;Trojan.WMALoader;Cured.;

evilfantasy · « **Reply #29 on:** March 12, 2009, 11:31:32 AM »

Whatever issues remain are likely not malware related.

Try posting in the Windows forum for further help.

Sylverkitti · « **Reply #30 on:** March 15, 2009, 12:30:26 AM »

Ok I will do so, thanks for trying your best to help, your time was really appreciated.

Sylverkitti · « **Reply #31 on:** March 28, 2009, 12:51:35 AM »

Hey evilfantasy...I realized today that when I run in safe with networking my system runs fine, then when I switch back to normal there the system is running high again. Does this ring any bells? If not I will be posting like you said in the Windows forum.

Tcs · « **Reply #32 on:** March 28, 2009, 01:10:47 AM »

Try opening task manager and setting its priority to normal
that should do the trick

Sylverkitti · « **Reply #33 on:** April 01, 2009, 10:14:13 PM »

Well I think I finally have this solved. i tried going in and setting it to "normal" and found it was already at normal. I found this thread while browsing for others that had the same issue: http://apcmag.com/Forum.htm?g=posts&m=4596

So I un-installed AVG. And guess what the problem went away pronto. Well now the only prob is finding another anti-virus that covers as much as AVG did that I like. I am using a trial of Panda Internet Security 2009. I don't like it bc they have like 10 Process running at once hogging LOADS of memory and VM. I also cause one that was running at 62K+ and stated according to System Explorer it was "Panda Advertising" Not sure what that was about. So now I'm going to browse the threads here see what other Anti-Virus's are suggested.

evilfantasy · « **Reply #34 on:** April 01, 2009, 10:21:37 PM »

These are what we recommend here.

Avast! Home Free Edition

Avira AntiVir Personal

All free and as good or better than any paid software.

For a good free firewall.

Remember only install ONE firewall

1) Comodo (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
2) Online Armor
3) Sunbelt/Kerio
4) Agnitum
5) PC Tools Firewall Plus

Computer Hope Forum

News:

Author Topic: "System" in task Manager using a lot of memory. (Read 36683 times)

Sylverkitti

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

Sylverkitti

evilfantasy

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

evilfantasy

Sylverkitti

Sylverkitti

Tcs

Sylverkitti

evilfantasy