System Running Slow & Black Hole Threats?

View previous topic View next topic Go down

System Running Slow & Black Hole Threats?

Post by seanandre on Mon 26 Mar 2012, 9:23 am

Hi, this is my first time here. Not sure to what to make of this one, it's got me extremely ticked off, I've never come across it and don't know where else to turn. Yesterday my computer started beeping for no reason. Couldn't figure out what it was, but I didn't pay it no mind, sometimes I get a stuck key on my keyboard every so often, and it happens. But then the beeping began to persist and get very annoying. Couldn't figure out what was causing it, so I just turned the sound off and paid it no mind. But then last night is when I started to notice the problem. My machine was running very slow. It would take forever for something to open up, even a web page. I've rebooted several times, and each time AVG has picked up and blocked a black hole threat. I'm glad it's blocking them, but every time I reboot AVG kept picking them up. So I decided to run a full virus scan. It didn't pick up anything. I got ticked off at it last night and decided to shut everything down and try running a defrag, which usually cures slowness in my case. But when I woke up this morning and rebooted the system again, AVG picked up and blocked another black hole threat. I decided to install and run Spyware Terminator. Took a couple of hours to scan, and in that time, it only picked up 2 problems and fixed them. Thinking that would work, I rebooted and began to start up all my programs again as normal. The slowness thing kept on persisting. At this point I decided to get rid of Spyware Terminator and try something that has never failed me in the past. XoftSpySE v6.0. I ran a full scan with that, and it picked up 3 bad cookies and an adware. I figured this would fix the problem. NOPE! When I rebooted, AVG picked up and blocked yet ANOTHER black hole threat. Then. I gave up for a while and decided to move on to other things and let it sit for a while. Figured maybe it would work itself out. Came back to it just a little bit ago to see what was going on, because it started beeping again. I can NOT figure this out. The only way my computer works smoothly now, is by running it in the Administrator account, but access is limited to how much I can do, because not everything I run will work in SAFEMODE, and in Windows XP Home Edition, the only way you can log into the Administrator account is to go into SAFEMODE. I had to run my computer in SAFEMODE With Networking in order to get here and tell you about my problem. It's been quite annoying. Please help.

The Security Checker thing didn't do anything, probably because I'm in Safe Mode, so nothing is running.

My log files are attached as file attachments because it put the message characters into -21981

Thanks,
Sean

seanandre

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2012-03-26
Operating System : Multiple OS's (XP, 7, 2000)

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by seanandre on Mon 26 Mar 2012, 9:24 am

OTL:

OTL logfile created on: 3/25/2012 4:40:40 PM - Run 1
OTL by OldTimer - Version 3.2.39.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.98 Gb Total Physical Memory | 1.50 Gb Available Physical Memory | 50.24% Memory free
4.83 Gb Paging File | 3.54 Gb Available in Paging File | 73.29% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 39.97 Gb Free Space | 53.63% Space Free | Partition Type: NTFS
Drive D: | 111.78 Gb Total Space | 10.02 Gb Free Space | 8.96% Space Free | Partition Type: NTFS

Computer Name: SMA | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/25 16:39:24 | 000,594,432 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.com
PRC - [2010/08/13 19:38:48 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2003/03/31 07:00:00 | 000,015,360 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2011/12/11 17:41:41 | 000,057,344 | ---- | M] (Lanovation) [Auto | Stopped] -- C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2010/08/13 19:37:41 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/08/13 19:37:24 | 005,897,808 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2009/08/28 16:15:30 | 000,582,424 | ---- | M] (ParetoLogic Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe -- (XoftSpyService)
SRV - [2008/09/05 13:10:00 | 000,136,568 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec\pcAnywhere\awhost32.exe -- (awhost32)
SRV - [2008/06/30 17:36:35 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/03/03 13:33:40 | 000,143,360 | ---- | M] (Intel(R) Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\appliand.sys -- (appliandMP)
DRV - [2012/02/02 12:09:50 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2011/09/13 08:41:49 | 000,029,712 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2011/05/06 08:08:44 | 000,243,152 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/09/14 22:25:30 | 000,074,832 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\SVKP.SYS -- (SVKP)
DRV - [2010/08/13 21:42:47 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2010/08/13 19:39:52 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2010/08/13 19:39:52 | 000,025,168 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\AVGIDSxx.sys -- (AVGIDSErHrxpx)
DRV - [2010/08/13 19:39:41 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/08/13 19:37:28 | 000,122,448 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys -- (AVGIDSDriverxpx)
DRV - [2010/08/13 19:37:28 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys -- (AVGIDSFilterxpx)
DRV - [2010/08/13 19:37:27 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys -- (AVGIDSShimxpx)
DRV - [2010/04/26 21:25:20 | 000,132,424 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2010/04/26 21:25:20 | 000,110,280 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdserd.sys -- (sscdserd) SAMSUNG Mobile Modem Diagnostic Serial Port (WDM)
DRV - [2010/04/26 21:25:20 | 000,104,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2010/04/26 21:25:20 | 000,014,920 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2008/10/09 15:42:42 | 000,017,408 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KMWDFILTER.sys -- (KMWDFILTER)
DRV - [2008/04/14 01:26:08 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/14 01:16:24 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2007/06/15 03:47:26 | 001,127,936 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P17.sys -- (P17)
DRV - [2007/04/20 00:34:53 | 000,674,048 | R--- | M] (Philips Semiconductors GmbH) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\3xHybrid.sys -- (3xHybrid)
DRV - [2007/03/30 21:48:02 | 000,018,232 | R--- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\AW_HOST5.sys -- (AW_HOST)
DRV - [2007/03/30 21:46:50 | 000,013,368 | R--- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\awechomd.sys -- (awecho)
DRV - [2007/03/30 21:44:22 | 000,020,536 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\GERNUWA.sys -- (Gernuwa)
DRV - [2007/02/27 05:03:00 | 000,044,928 | ---- | M] (Cirque Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\glideusb.sys -- (glideusb)
DRV - [2007/02/15 19:57:04 | 000,034,760 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys -- (ElbyCDFL)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (winusb)
DRV - [2005/01/11 09:25:10 | 000,923,826 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2005/01/10 11:15:30 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/01/10 11:15:24 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2004/04/01 16:30:46 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/03/31 07:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2003/03/31 07:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = FE 31 86 6F CE 0A CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/12/17 14:38:06 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/08/13 13:58:48 | 000,000,832 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O2 - BHO: (DivX Plus Web Player HTML5

seanandre

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2012-03-26
Operating System : Multiple OS's (XP, 7, 2000)

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by seanandre on Mon 26 Mar 2012, 9:27 am

Extras:

OTL Extras logfile created on: 3/25/2012 4:40:40 PM - Run 1
OTL by OldTimer - Version 3.2.39.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.98 Gb Total Physical Memory | 1.50 Gb Available Physical Memory | 50.24% Memory free
4.83 Gb Paging File | 3.54 Gb Available in Paging File | 73.29% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 39.97 Gb Free Space | 53.63% Space Free | Partition Type: NTFS
Drive D: | 111.78 Gb Total Space | 10.02 Gb Free Space | 8.96% Space Free | Partition Type: NTFS

Computer Name: SMA | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [TrackTool] -- C:\Program Files\StationPlaylist\TrackTool.exe /f "%1" (StationPlaylist.com)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"2593:TCP" = 2593:TCP:*:Enabled:Ultima Online Server
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\FlashFXP 4\FlashFXP.exe" = C:\Program Files\FlashFXP 4\FlashFXP.exe:*:Enabled:FlashFXP v3 -- (OpenSight Software, LLC)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG9\avgam.exe" = C:\Program Files\AVG\AVG9\avgam.exe:*:Enabled:avgam.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgdiagex.exe" = C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Internet\mIRC\mirc.exe" = C:\Internet\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Internet\SHOUTcast\sc_serv.exe" = C:\Internet\SHOUTcast\sc_serv.exe:*:Enabled:sc_serv -- ()
"C:\Program Files\Symantec\pcAnywhere\Winaw32.exe" = C:\Program Files\Symantec\pcAnywhere\Winaw32.exe:*:Enabled:pcAnywhere Main Executable -- (Symantec Corporation)
"C:\Program Files\Symantec\pcAnywhere\awhost32.exe" = C:\Program Files\Symantec\pcAnywhere\awhost32.exe:*:Enabled:pcAnywhere Host Service -- (Symantec Corporation)
"C:\Program Files\Symantec\pcAnywhere\awrem32.exe" = C:\Program Files\Symantec\pcAnywhere\awrem32.exe:*:Enabled:pcAnywhere Remote Service -- (Symantec Corporation)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Games\Ultima Online Mondain's Legacy\client.exe" = C:\Games\Ultima Online Mondain's Legacy\client.exe:*:Enabled:Ultima Online Client -- (Electronic Arts)
"C:\RunUO 2.0\RunUO.exe" = C:\RunUO 2.0\RunUO.exe:*:Enabled:RunUO.exe -- (The RunUO Team)
"D:\Temp\RunUO 2.0\RunUO.exe" = D:\Temp\RunUO 2.0\RunUO.exe:*:Enabled:RunUO Server Core
"C:\Games\Ultima Online Stygian Abyss\client.exe" = C:\Games\Ultima Online Stygian Abyss\client.exe:*:Enabled:Ultima Online Client
"C:\Documents and Settings\Owner\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Owner\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"C:\Program Files\StationPlaylist\Studio\SPLStudio.exe" = C:\Program Files\StationPlaylist\Studio\SPLStudio.exe:*:Enabled:StationPlaylist Studio -- (StationPlaylist.com)
"C:\RunUO 2.0 SA\RunUOsvnServer.exe" = C:\RunUO 2.0 SA\RunUOsvnServer.exe:*:Enabled:RunUO Server Core
"C:\Games\Ultima Online Stygian Abyss Classic\client.exe" = C:\Games\Ultima Online Stygian Abyss Classic\client.exe:*:Enabled:Ultima Online Client
"C:\Games\Diablo II\Diablo II.exe" = C:\Games\Diablo II\Diablo II.exe:*:Enabled:Diablo II - Lord of Destruction -- (Blizzard North)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\FlashFXP 4\FlashFXP.exe" = C:\Program Files\FlashFXP 4\FlashFXP.exe:*:Enabled:FlashFXP v3 -- (OpenSight Software, LLC)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}" = PhotoGallery
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{125E8183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{172975EB-9465-4861-95B5-C7BB6D3DE62A}" = DocumentViewer
"{193DB24F-9A66-4896-8404-22D53EA89075}" = 1400_Help
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21DB3D90-D816-4092-A260-CA3F6B55A6DD}" = Sonic_PrimoSDK
"{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}" = CP_Panorama1Config
"{266959FA-0AEE-41D0-A88E-F1EAC10A7C14}" = 1400
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 26
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}" = InstantShareDevices
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36E47DA1-10E1-45d9-8B19-14D19607CDCF}" = CP_CalendarTemplates1
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{43663B4D-4004-4C95-91F4-42D97F3EB184}" = Sound Blaster Live! 24-Bit
"{4769E972-2E92-49C5-B6F9-465EFD0C4D94}" = VirtualDJ PRO Full
"{49F864F5-1A85-4E69-8764-C7E4EABD8BA0}" = KWorld TV Tuner Card Utilities
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4BB05099-1963-4268-A3BB-9153964750ED}" = XoftSpySE
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy
"{56EE8B17-8274-418d-89AC-C057C5DB251E}" = RandMap
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5A01C58E-B0EC-49b9-AD71-7C0468688087}" = CP_Package_Basic1
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{66BA8C26-AFE4-4408-807B-43E76B57EF53}" = SkinsHP1
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6AE9A059-6372-435D-A5FE-0568A3B67F19}" = HyperMediaCenter
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7C9B95B7-B598-4398-B30F-7F6827192E6C}" = ProductContext
"{7E27304E-BAA2-4d90-A34E-76641FAFABB4}" = CP_AtenaShokunin1Config
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{86EF9FC4-F209-4520-B7E1-C7FF0EEBDFFF}" = Adobe Audition 1.5
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}" = AMV Conversion Tool
"{8E79F5DD-4A0A-452B-B3F8-0651E4D24854}" = Media Player Utilities 5.22
"{8ED6F771-FB0F-4B34-8DAD-757A20F6A27D}" = TMPGEnc 4.0 XPress
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{96E3AED5-3D0B-4BB0-84C2-1EDADB204487}" = FlashFXP v4.0
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A03775BE-8AC6-4E8E-A80A-D112E373D6E2}" = Movie Joiner v4
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}" = CueTour
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel(R) PROSet
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.7
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B2F83792-DA53-487F-B2F8-84A98E51B7FD}_is1" = Power CD+G to Video Karaoke Converter
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B4D279F1-4309-49cc-A4B5-3A0D2E59C7B5}" = PanoStandAlone
"{B7CDE13C-6940-4C67-9ADD-B5373A327B2F}" = Replay Media Catcher 4
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BF8B5213-0FE5-4809-91DC-1FE7DAB45DD7}" = Troubadour Karaoke
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C510CA36-98D6-4F07-8AFF-81E7399A075B}" = 1400Trb
"{C615B4A6-DDE8-4325-BCF8-E53E913D95E9}_is1" = AMR to MP3 Converter 1.4
"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D7BF3B76-EEF9-4868-9B2B-42ABF60B279A}" = Microsoft_VC80_CRT_x86
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DF7B213D-2065-41ED-BB51-7A3EED31EA7B}" = Ultima Online: Mondain's Legacy
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{F4831EF4-0B03-436A-9230-C01C182D9284}" = USB Universal Driver
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F50A4470-7A45-4A5A-97F8-806990B736C2}" = MP3+G Toolz
"{F7A5973E-836B-4228-BF8F-E4234D848F20}" = Video surveillance monitor
"{F843C6A3-224D-4615-94F8-3C461BD9AEA0}" = Jasc Paint Shop Pro 9
"{FA0BBB87-91A1-4BFD-9005-EB058BBA0E14}_is1" = StreamTransport version: 1.0.2.2171
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"All To MP4 Converter_is1" = OpoSoft All To MP4 Converter v8.0
"Audacity_is1" = Audacity 1.2.6
"AutoGK" = Auto Gordian Knot 2.55
"AVG9Uninstall" = AVG 9.0
"AviSynth" = AviSynth 2.5
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.4
"AVS4YOU Video Converter 7_is1" = AVS Video Converter 7
"CloneCD" = CloneCD
"DAEMON Tools Lite" = DAEMON Tools Lite
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"Diablo II" = Diablo II
"DivX Setup" = DivX Setup
"DVD Decrypter" = DVD Decrypter (Remove Only)
"Easy Video Joiner_is1" = Easy Video Joiner 5.21
"Forte Agent" = Forté Agent
"Gateway Drivers and Applications Recovery" = Gateway Drivers and Applications Recovery
"Gateway IE Customizations" = Gateway IE Customizations
"HP Document Viewer" = HP Document Viewer 5.3
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Photo & Imaging" = HP Image Zone 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"HPExtendedCapabilities" = HP Extended Capabilities 5.3
"ie8" = Windows Internet Explorer 8
"InstallShield_{F4831EF4-0B03-436A-9230-C01C182D9284}" = USB Universal Driver
"JDownloader" = JDownloader
"Karaoke Builder Studio 3.x" = Karaoke Builder Studio 3.x
"KJ Pro" = KJ Pro
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"mIRC" = mIRC
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero 6 Enterprise Edition
"NeroVision!UninstallKey" = Nero Digital
"PROSet" = Intel(R) Network Connections Drivers
"RealAlt_is1" = Real Alternative 2.0.2
"SCDNAS" = SHOUTcast DNAS (remove only)
"SHOUTcast" = SHOUTcast DNAS Server v2
"SMSERIAL" = Motorola SM56 Speakerphone Modem
"Sound Normalizer_is1" = Sound Normalizer 2.99
"StationPlaylist Creator_is1" = StationPlaylist Creator v4.33
"StationPlaylist Studio_is1" = StationPlaylist Studio v4.33
"Total Video Converter 3.71_is1" = Total Video Converter 3.71 100812
"Troubadour Karaoke" = Troubadour Karaoke
"TVP3XDrv" = KWorld TV713X BDA Driver
"VideoReDo-Plus_is1" = VideoReDo/Plus Version 2.5.4.507
"VobSub" = VobSub v2.23 (Remove Only)
"WAV MP3 Converter" = WAV MP3 Converter 3.8 build 968
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Winamp" = Winamp
"WinCDG_Pro_2_2.50" = WinCDG Pro 2 2.503
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wondershare Video to DVD Burner_is1" = Wondershare Video to DVD Burner(Build 2.5.8.3)
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"XviD MPEG4 Video Codec" = XviD MPEG4 Video Codec (remove only)
"Xvid_is1" = Xvid 1.2.1 final uninstall

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/21/2012 8:49:27 PM | Computer Name = SMA | Source = Windows Search Service | ID = 3013
Description = The entry in the hash map cannot be
updated. Context: Application, SystemIndex Catalog Details: A device attached to
the system is not functioning. (0x8007001f)

Error - 2/21/2012 8:49:27 PM | Computer Name = SMA | Source = Windows Search Service | ID = 3013
Description = The entry in the hash map cannot be
updated. Context: Application, SystemIndex Catalog Details: A device attached to
the system is not functioning. (0x8007001f)

Error - 2/21/2012 8:49:27 PM | Computer Name = SMA | Source = Windows Search Service | ID = 3013
Description = The entry in the hash map cannot be
updated. Context: Application, SystemIndex Catalog Details: A device attached to the
system is not functioning. (0x8007001f)

Error - 2/21/2012 8:49:27 PM | Computer Name = SMA | Source = Windows Search Service | ID = 3013
Description = The entry in the hash map cannot be
updated. Context: Application, SystemIndex Catalog Details: A device attached to the
system is not functioning. (0x8007001f)

Error - 2/21/2012 8:49:30 PM | Computer Name = SMA | Source = Windows Search Service | ID = 3013
Description = The entry in the hash map
cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached
to the system is not functioning. (0x8007001f)

Error - 2/21/2012 8:49:30 PM | Computer Name = SMA | Source = Windows Search Service | ID = 3013
Description = The entry in the hash map
cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached
to the system is not functioning. (0x8007001f)

Error - 2/21/2012 8:49:31 PM | Computer Name = SMA | Source = Windows Search Service | ID = 3013
Description = The entry in the hash map cannot
be updated. Context: Application, SystemIndex Catalog Details: A device attached to
the system is not functioning. (0x8007001f)

Error - 2/21/2012 8:49:31 PM | Computer Name = SMA | Source = Windows Search Service | ID = 3013
Description = The entry in the hash map cannot
be updated. Context: Application, SystemIndex Catalog Details: A device attached to
the system is not functioning. (0x8007001f)

Error - 2/21/2012 8:49:31 PM | Computer Name = SMA | Source = Windows Search Service | ID = 3013
Description = The entry in the
hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device
attached to the system is not functioning. (0x8007001f)

Error - 2/21/2012 8:49:31 PM | Computer Name = SMA | Source = Windows Search Service | ID = 3013
Description = The entry in the
hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device
attached to the system is not functioning. (0x8007001f)

[ System Events ]
Error - 3/25/2012 4:25:51 PM | Computer Name = SMA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/25/2012 4:26:35 PM | Computer Name = SMA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/25/2012 4:28:12 PM | Computer Name = SMA | Source = sptd | ID = 262148
Description = Driver detected an internal error in its data structures for .

Error - 3/25/2012 4:28:31 PM | Computer Name = SMA | Source = Service Control Manager | ID = 7000
Description = The Print Spooler service failed to start due to the following error:
%%2

Error - 3/25/2012 4:28:31 PM | Computer Name = SMA | Source = Service Control Manager | ID = 7001
Description = The Fax service depends on the Print Spooler service which failed
to start because of the following error: %%2

Error - 3/25/2012 4:29:15 PM | Computer Name = SMA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
sptd

Error - 3/25/2012 5:25:36 PM | Computer Name = SMA | Source = sptd | ID = 262148
Description = Driver detected an internal error in its data structures for .

Error - 3/25/2012 5:26:01 PM | Computer Name = SMA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/25/2012 5:27:04 PM | Computer Name = SMA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AvgLdx86 AvgMfx86 ElbyCDIO Fips Processor sptd

Error - 3/25/2012 5:39:10 PM | Computer Name = SMA | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

aswMBR:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-25 16:54:39
-----------------------------
16:54:39.062 OS Version: Windows 5.1.2600 Service Pack 3
16:54:39.062 Number of processors: 2 586 0x303
16:54:39.062 ComputerName: SMA UserName:
16:54:40.000 Initialize success
16:54:45.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
16:54:45.500 Disk 0 Vendor: WDC_WD800BB-00CJA1 17.07W17 Size: 76319MB BusType: 3
16:54:45.515 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
16:54:45.531 Disk 1 Vendor: WDC_WD1200BB-22FTA0 15.05R15 Size: 114473MB BusType: 3
16:54:45.546 Device \Driver\atapi -> DriverStartIo 8ac832c6
16:54:45.578 Disk 0 MBR read successfully
16:54:45.593 Disk 0 MBR scan
16:54:45.609 Disk 0 Windows XP default MBR code
16:54:45.625 Disk 0 MBR hidden
16:54:45.640 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114463 MB offset 63
16:54:45.656 Disk 0 scanning sectors +156280320
16:54:45.718 Disk 0 scanning C:\WINDOWS\system32\drivers
16:54:45.734 Service scanning
16:55:01.812 Modules scanning
16:55:02.531 Disk 0 trace - called modules:
16:55:02.625 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ac8349f]<<
16:55:02.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae48ab8]
16:55:02.765 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000066[0x8ae729e8]
16:55:02.843 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x8ae96d98]
16:55:02.906 \Driver\atapi[0x8ad76cc8] -> IRP_MJ_CREATE -> 0x8ac8349f
16:55:02.984 Scan finished successfully
16:55:24.218 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
16:55:24.250 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt

seanandre

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2012-03-26
Operating System : Multiple OS's (XP, 7, 2000)

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by Superdave on Tue 27 Mar 2012, 9:49 am

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

Code:
:OTL

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\mswsock.dll File not found

:COMMANDS
[resethosts]
[purity]
[start explorer]

* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.
*************************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Superdave
Tech Staff


Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by seanandre on Wed 28 Mar 2012, 5:28 am

My goodness! I never realized I had so many Spyware and Malwares on my machine. I guess AVG and XoftSpy ain't doing their jobs. Here are the results of the scans and removals:

OTL:

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\ deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

OTL by OldTimer - Version 3.2.39.1 log created on 03262012_221430

SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
[You must be registered and logged in to see this link.]

Generated 03/26/2012 at 11:11 PM

Application Version : 5.0.1146

Core Rules Database Version : 8383
Trace Rules Database Version: 6195

Scan type : Quick Scan
Total Scan Time : 00:48:45

Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 338
Memory threats detected : 0
Registry items scanned : 30607
Registry threats detected : 3
File items scanned : 36712
File threats detected : 87

Disabled.SecurityCenterOption
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY
HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#UPDATESDISABLENOTIFY

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\NQ6GWC95.txt [ /atdmt.com ]
C:\Documents and Settings\Administrator\Cookies\T5M92PWI.txt [ /media6degrees.com ]
C:\Documents and Settings\Administrator\Cookies\HK4YAM23.txt [ /network.realmedia.com ]
C:\Documents and Settings\Administrator\Cookies\BPH2TF0Q.txt [ /ru4.com ]
C:\Documents and Settings\Administrator\Cookies\SHM99KYF.txt [ /adbrite.com ]
C:\Documents and Settings\Administrator\Cookies\MMY8LNJR.txt [ /revsci.net ]
C:\Documents and Settings\Administrator\Cookies\3TTG70A1.txt [ /at.atwola.com ]
C:\Documents and Settings\Administrator\Cookies\8KR2FR4B.txt [ /invitemedia.com ]
C:\Documents and Settings\Administrator\Cookies\GGG763NZ.txt [ /interclick.com ]
C:\Documents and Settings\Administrator\Cookies\F4MEG7SX.txt [ /doubleclick.net ]
C:\Documents and Settings\Administrator\Cookies\J3ZVFOL6.txt [ /statcounter.com ]
C:\Documents and Settings\Administrator\Cookies\36KLL2L4.txt [ /serving-sys.com ]
C:\Documents and Settings\Administrator\Cookies\T2K92VG1.txt [ /a1.interclick.com ]
C:\Documents and Settings\Administrator\Cookies\2D7QD4TE.txt [ /collective-media.net ]
C:\Documents and Settings\Administrator\Cookies\YJ13SLDB.txt [ /ad.yieldmanager.com ]
C:\Documents and Settings\Administrator\Cookies\ENC83XPJ.txt [ /realmedia.com ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\CAD566YI.txt [ Cookie:system@imrworldwide.com/cgi-bin ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\2CSO0E6V.txt [ Cookie:system@ru4.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\CQMOPA2J.txt [ Cookie:system@fastclick.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\CLY5HO9P.txt [ Cookie:system@[You must be registered and logged in to see this link.] ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\2DX7AD7R.txt [ Cookie:system@dc.tremormedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\W0HJM6K7.txt [ Cookie:system@networldmedia.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\I5KWXPMJ.txt [ Cookie:system@tacoda.at.atwola.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\AGR5F8SJ.txt [ Cookie:system@stat.onestat.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\A20BBC6O.txt [ Cookie:system@s2.trafficno.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\0JF4SX9G.txt [ Cookie:system@ox-d.enveromedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\XKSV5C18.txt [ Cookie:system@pointroll.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\CCKQPJ00.txt [ Cookie:system@myroitracking.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\3JSP8VLZ.txt [ Cookie:system@media6degrees.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\EID17BN7.txt [ Cookie:system@ar.atwola.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\7545G5GI.txt [ Cookie:system@revsci.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\FV0TPW9X.txt [ Cookie:system@a1.interclick.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\2F2Y7JBY.txt [ Cookie:system@atdmt.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\8A9ZVVH1.txt [ Cookie:system@adsonar.com/adserving ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\RMXQ3GEM.txt [ Cookie:system@doubleclick.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\0VTLJKTR.txt [ Cookie:system@eyeviewads.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\G7VSZNKG.txt [ Cookie:system@lucidmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\G0SB6ZVB.txt [ Cookie:system@adinterax.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\7T8PF2MC.txt [ Cookie:system@vitamine.networldmedia.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\777FZG00.txt [ Cookie:system@collective-media.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\4SR36Y9J.txt [ Cookie:system@ads.pointroll.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\HVQC304J.txt [ Cookie:system@amazon-adsystem.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\XISGK1OT.txt [ Cookie:system@realmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\OH4Z9L7F.txt [ Cookie:system@uiadserver.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\CL0I25PK.txt [ Cookie:system@burstnet.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\R7O0JQ04.txt [ Cookie:system@ghmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\SFY1YF3J.txt [ Cookie:system@adbrite.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\NGDYC15R.txt [ Cookie:system@yieldmanager.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\99ODSOXS.txt [ Cookie:system@apmebf.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\VR37UVQV.txt [ Cookie:system@adxpose.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\D5HTG622.txt [ Cookie:system@ox-d.fondnessmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\29JMD461.txt [ Cookie:system@ox-d.adservermedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\IHB9YJCX.txt [ Cookie:system@bs.serving-sys.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\4QTOVS2M.txt [ Cookie:system@ad2.adfarm1.adition.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\DD3FR8F3.txt [ Cookie:system@pro-market.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\K8UFDZTN.txt [ Cookie:system@t.pointroll.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\CTY1EU73.txt [ Cookie:system@entrepreneur.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\LDM99X2H.txt [ Cookie:system@bizzclick.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\8QWUU1QH.txt [ Cookie:system@casalemedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\83XLRWKD.txt [ Cookie:system@adserver.adtechus.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\EXADZV5S.txt [ Cookie:system@questionmarket.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\U43919YD.txt [ Cookie:system@network.realmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\I3BO5BKB.txt [ Cookie:system@unrulymedia.com/blank.gif ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\ETUJ4QWM.txt [ Cookie:system@server.cpmstar.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\372NNAPG.txt [ Cookie:system@[You must be registered and logged in to see this link.] ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\LEHSWZ69.txt [ Cookie:system@statcounter.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\RLDXPO59.txt [ Cookie:system@adtech.de/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\P97DUOPV.txt [ Cookie:system@cdn.jemamedia.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\FWNB3VCE.txt [ Cookie:system@advertising.com/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\L6IASI6K.txt [ Cookie:system@ads.networldmedia.net/ ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\Z7L21R69.txt [ Cookie:system@adup.rotator.hadj7.adjuggler.net/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\YDTE1EWN.txt [ Cookie:owner@247realmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\Y723T850.txt [ Cookie:owner@media6degrees.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\YRI8VZP0.txt [ Cookie:owner@realmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\6DCCDN2C.txt [ Cookie:owner@tribalfusion.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\Z5V29E1V.txt [ Cookie:owner@statcounter.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\SC7Y3BKV.txt [ Cookie:owner@revsci.net/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\RMRIXMIM.txt [ Cookie:owner@collective-media.net/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\YG8CSBPQ.txt [ Cookie:owner@adbrite.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\WVHZDV54.txt [ Cookie:owner@accounts.google.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\95RN70CQ.txt [ Cookie:owner@network.realmedia.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\U8RA9OYU.txt [ Cookie:owner@casalemedia.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\UTRWHOO9.txt [ Cookie:owner@ru4.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\FYV11T61.txt [ Cookie:owner@doubleclick.net/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\NFLC037J.txt [ Cookie:owner@mediaoutfit.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\7174UJ6D.txt [ Cookie:owner@serving-sys.com/ ]
C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\V0LUCBRN.txt [ Cookie:owner@invitemedia.com/ ]

MBAM:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
[You must be registered and logged in to see this link.]

Database version: v2012.03.27.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: SMA [administrator]

Protection: Disabled

3/26/2012 11:59:46 PM
mbam-log-2012-03-26 (23-59-46).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 341852
Time elapsed: 1 hour(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 7
HKCR\AppID\{0D82ACD6-A652-4496-A298-2BDE705F4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\AppID\{7025E484-D4B0-441a-9F0B-69063BD679CE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\AppID\{8258B35C-05B8-4c0e-9525-9BCCC70F8F2D} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\AppID\{A89256AD-EC17-4a83-BEF5-4B8BC4F39306} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\SVKP (Trojan.Agent) -> Quarantined and deleted successfully.
HKCR\ShopperReports.Reporter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKCR\ShopperReports.Reporter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform|SRS_IT_E8790577B1765B5437AC93 (Malware.Trace) -> Data: -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 8
C:\Documents and Settings\Owner\Application Data\AccurateRip\AccurateRip\oexuquj.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\29\46c5549d-4a833415 (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\nsh442.tmp\oexuquj.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\nsh442.tmp\vubjh.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DF109D7-E1CB-4DFB-BB63-02A70D2B7852}\RP140\A0034254.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\0.9908141701368605 (Exploit.Drop.9) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SVKP.SYS (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

seanandre

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2012-03-26
Operating System : Multiple OS's (XP, 7, 2000)

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by Superdave on Wed 28 Mar 2012, 9:07 am

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See [URL="here[You must be registered and logged in to see this link.]here[/URL[/url]] for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Superdave
Tech Staff


Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by seanandre on Wed 28 Mar 2012, 11:13 am

This took a pretty long time. The computer found a Rootkit in TCP/IP stack during the first run, had to reboot and continue from there. Then after that, it kept popping up dialogue boxes saying that a lot of .TMP files were corrupted and I needed to run chkdsk to recover them. I didn't think it was necessary to do so since I always delete .TMP files every so often anyway, because they're temporary files and don't mean anything to the things I run on my machine anyway. During that scanning process, the last I checked it was up to stage 50, it probably had more, but I went out for a smoke while it dd it's thing and when I came back, the computer was in the reboot process again. Then, it finally prepared the log report, telling me not to run any program suntil CComboFix has finished. While that was going, I got a popup on my task bar saying "PEV.exe - Corrupt File - The file or directory CC:\WINDOWS|Temp\g36ukm2r.TMP is corrupt and unreadable. Please run Chkdsk utility." No clue what all that meant, but again, it was a TMP file, so I didn't think it was necessary to do anything with that. Log report is still preparing at this point, will post it when it's finished. Just wanted to catch you up on what's been going on at this point.

seanandre

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2012-03-26
Operating System : Multiple OS's (XP, 7, 2000)

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by seanandre on Wed 28 Mar 2012, 11:20 am

ComboFix Log:

ComboFix 12-03-27.03 - Administrator 03/27/2012 18:38:34.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3055.2768 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Internet Security Network Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Owner\WINDOWS
c:\windows\$NtUninstallKB26817$
c:\windows\$NtUninstallKB26817$\204756587
c:\windows\$NtUninstallKB26817$\2115704538\@
c:\windows\$NtUninstallKB26817$\2115704538\bckfg.tmp
c:\windows\$NtUninstallKB26817$\2115704538\cfg.ini
c:\windows\$NtUninstallKB26817$\2115704538\Desktop.ini
c:\windows\$NtUninstallKB26817$\2115704538\keywords
c:\windows\$NtUninstallKB26817$\2115704538\kwrd.dll
c:\windows\$NtUninstallKB26817$\2115704538\L\eopksnny
c:\windows\$NtUninstallKB26817$\2115704538\U\00000001.@
c:\windows\$NtUninstallKB26817$\2115704538\U\00000002.@
c:\windows\$NtUninstallKB26817$\2115704538\U\00000004.@
c:\windows\$NtUninstallKB26817$\2115704538\U\80000000.@
c:\windows\$NtUninstallKB26817$\2115704538\U\80000004.@
c:\windows\$NtUninstallKB26817$\2115704538\U\80000032.@
.
Infected copy of c:\windows\system32\drivers\bthport.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-28 )))))))))))))))))))))))))))))))
.
.
2012-03-27 22:54 . 2012-03-27 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2012-03-27 04:55 . 2012-03-27 04:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-03-27 04:55 . 2012-03-27 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-27 04:55 . 2012-03-27 04:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-27 04:55 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-27 03:18 . 2012-03-27 03:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-03-27 03:17 . 2012-03-27 03:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-27 03:17 . 2012-03-27 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-27 03:14 . 2012-03-27 03:14 -------- d-----w- C:\_OTL
2012-03-25 20:25 . 2012-03-25 20:25 -------- d-----w- c:\program files\Common Files\ParetoLogic
2012-03-25 20:25 . 2012-03-25 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2012-03-25 20:25 . 2012-03-25 20:25 -------- d-----w- c:\program files\Common Files\XoftSpySE
2012-03-25 20:25 . 2012-03-25 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2012-03-25 20:25 . 2012-03-25 20:25 -------- d-----w- c:\program files\XoftSpySE6
2012-03-25 17:33 . 2011-06-21 16:24 32768 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 00:48 . 2011-05-18 17:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-20 15:17 . 2012-02-20 15:17 94208 ----a-w- c:\windows\DIIUnin.exe
2012-02-20 15:17 . 2012-02-20 15:17 2829 ----a-w- c:\windows\DIIUnin.pif
2012-02-03 09:22 . 2003-09-25 16:35 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-02-02 17:09 . 2012-02-02 17:09 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-02 04:23 . 2010-08-14 03:35 6936296 ----a-w- c:\windows\system32\SpoonUninstall.exe
2012-01-11 19:06 . 2012-02-16 03:18 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2011-12-11 19:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
1998-12-09 03:53 . 1998-12-09 03:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 03:53 . 1998-12-09 03:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 03:53 . 1998-12-09 03:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
.
c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-26 2077536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-14 00:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 18:10 18744 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\StationPlaylist
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\StationPlaylist\Studio]
2010-09-21 02:47 2461696 ----a-w- c:\program files\StationPlaylist\Studio\SPLStudio.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Center Agent]
2007-07-13 14:00 1435648 ----a-w- c:\program files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 11:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-02-15 22:10 57344 ------w- c:\program files\Creative\SBLive! 24-Bit\Surround Mixer\CTSysVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-04-05 20:19 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 04:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-04-05 20:22 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-01-31 18:13 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
2005-05-03 16:38 64512 ----a-w- c:\windows\system32\P17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-05 20:23 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
2003-03-11 21:24 86016 ----a-w- c:\program files\Intel\NCS\PROSet\PRONoMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2004-12-29 13:01 544768 ----a-w- c:\windows\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 07:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpySE]
2009-09-05 07:46 3399168 ----a-w- c:\program files\XoftSpySE6\XoftSpySE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Internet\\mIRC\\mirc.exe"=
"c:\\Internet\\SHOUTcast\\sc_serv.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\StationPlaylist\\Studio\\SPLStudio.exe"=
"c:\\Games\\Diablo II\\Diablo II.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FlashFXP 4\\FlashFXP.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2593:TCP"= 2593:TCP:Ultima Online Server
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [8/13/2010 7:39 PM 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/13/2010 7:39 PM 52872]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/13/2010 7:39 PM 243152]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/2/2012 12:09 PM 242240]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R3 glideusb;GlidePoint USB Touchpad Filter;c:\windows\system32\drivers\glideusb.sys [2/27/2007 5:03 AM 44928]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/13/2010 9:42 PM 691696]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/13/2010 7:39 PM 216400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [8/13/2010 7:37 PM 308136]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [8/13/2010 7:37 PM 5897808]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/26/2012 11:55 PM 652360]
S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [8/14/2010 11:56 AM 674048]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [8/13/2010 7:37 PM 122448]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [8/13/2010 7:37 PM 30288]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [8/13/2010 7:37 PM 26192]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/26/2012 11:55 PM 20464]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [3/31/2003 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [8/28/2009 4:15 PM 582424]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-03-25 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-28 21:15]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
TCP: Interfaces\{D63D9865-D171-4DE7-9A8F-5D2223285402}: NameServer = 207.91.5.20,207.91.5.202
DPF: {B5B8593C-89BC-44A7-BCE3-32FE4FED7C5C} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
MSConfigStartUp-InCD - c:\program files\Ahead\InCD\InCD.exe
MSConfigStartUp-Starfield Updater - c:\program files\Starfield\StarfieldUpdate.exe
AddRemove-XviD MPEG4 Video Codec - c:\program files\XviD\xvid-uninstall.exe
AddRemove-Xvid_is1 - c:\program files\Xvid\unins000.exe
AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-03-27 19:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, [You must be registered and logged in to see this link.]
Windows 5.1.2600 Disk: WDC_WD800BB-00CJA1 rev.17.07W17 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AC772C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,b1,66,f4,06,bc,b9,4f,9e,af,84,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,b1,66,f4,06,bc,b9,4f,9e,af,84,\
.
[HKEY_USERS\S-1-5-21-2025429265-1647877149-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,ae,94,6e,a6,5b,a7,4e,bf,31,76,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,ae,94,6e,a6,5b,a7,4e,bf,31,76,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\PCANotify.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\System32\l3codeca.acm
.
- - - - - - - > 'lsass.exe'(692)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
.
**************************************************************************
.
Completion time: 2012-03-27 19:16:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-28 00:16
.
Pre-Run: 43,212,079,104 bytes free
Post-Run: 45,657,833,472 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 7CAB26B37AE5111269C6CE2BD71D58C7

seanandre

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2012-03-26
Operating System : Multiple OS's (XP, 7, 2000)

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by Superdave on Wed 28 Mar 2012, 12:37 pm

Open the Start Menu.

2. Click on the Computer button.

3. Right click on your hard drive and click on Properties.

4. Click on the Tools tab.

5. Click on Check Now under the Error checking section. (See circled in red below)



. Click on Continue in the UAC prompt.

7. Make sure both options are checked. (See screenshot below)
NOTE: The Automatically fix file system errors box will be checked by default.

8. Click on the Start button.



9. You will get a pop-up window saying, "Windows can't check this disk while it's use". (See screenshot below)

10. Click on the Schedule disk check button for chkdsk to run the next time you restart your computer.



11. Restart your computer.
******************************************
Please download SystemLook from one of the links below and save it to your desktop.

Link # 1
Link # 2

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click SystemLook.exe to run it.

Copy the contents of the following codebox into the main textfield.
Code:
:filefind
spoolsv.exe

Click the Look button to start the scan.

Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
********************************************
Let's run a few more scans to see what turns up.

Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it



Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives



On completion of the scan click save log, save it to your desktop and post in your next reply.

Superdave
Tech Staff


Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by seanandre on Wed 28 Mar 2012, 1:22 pm

Chkdsk ran and replaced a lot of invalid security codes on a crapload of files with default ones. No idea what that meant. Here are the results of the scans:

SystemLook:

SystemLook 30.07.11 by jpshortstuff
Log created at 21:14 on 27/03/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "spoolsv.exe"
C:\WINDOWS\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe --a---- 58880 bytes [13:19 17/08/2010] [13:19 17/08/2010] 258DD5D4283FD9F9A7166BE9AE45CE73
C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe -----c- 57856 bytes [00:49 12/12/2011] [06:56 04/08/2004] 7435B108B935E42EA92CA94F59C8E717
C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe ------- 57856 bytes [00:11 12/12/2011] [11:42 14/04/2008] D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\spoolsv.exe ------- 57856 bytes [21:06 13/08/2010] [12:00 04/08/2004] 7435B108B935E42EA92CA94F59C8E717
C:\WINDOWS\system32\dllcache\spoolsv.exe -----c- 58880 bytes [13:17 17/08/2010] [13:17 17/08/2010] 60784F891563FB1B767F70117FC2428F

-= EOF =-

ASWMBR:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-27 21:18:18
-----------------------------
21:18:18.703 OS Version: Windows 5.1.2600 Service Pack 3
21:18:18.703 Number of processors: 2 586 0x303
21:18:18.718 ComputerName: SMA UserName:
21:18:21.734 Initialize success
21:18:37.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
21:18:37.843 Disk 0 Vendor: WDC_WD800BB-00CJA1 17.07W17 Size: 76319MB BusType: 3
21:18:37.859 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
21:18:37.875 Disk 1 Vendor: WDC_WD1200BB-22FTA0 15.05R15 Size: 114473MB BusType: 3
21:18:37.890 Device \Driver\atapi -> DriverStartIo 8ac842c6
21:18:37.921 Disk 0 MBR read successfully
21:18:37.937 Disk 0 MBR scan
21:18:37.953 Disk 0 Windows XP default MBR code
21:18:37.968 Disk 0 MBR hidden
21:18:38.000 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114463 MB offset 63
21:18:38.015 Disk 0 scanning sectors +156280320
21:18:38.093 Disk 0 scanning C:\WINDOWS\system32\drivers
21:18:38.109 Service scanning
21:19:10.125 Modules scanning
21:19:10.187 Disk 0 trace - called modules:
21:19:10.187 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ac8449f]<<
21:19:10.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae58ab8]
21:19:10.187 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\0000006b[0x8ae40948]
21:19:10.187 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x8ae5fd98]
21:19:10.187 \Driver\atapi[0x8acb15a0] -> IRP_MJ_CREATE -> 0x8ac8449f
21:19:10.187 Scan finished successfully
21:19:35.312 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
21:19:35.328 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

seanandre

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2012-03-26
Operating System : Multiple OS's (XP, 7, 2000)

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by Superdave on Thu 29 Mar 2012, 5:40 am

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe |c:\windows\System32\spoolsv.exe

  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

*************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Superdave
Tech Staff


Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by seanandre on Thu 29 Mar 2012, 6:47 am

ComboFix:

ComboFix 12-03-27.03 - Administrator 03/28/2012 14:01:56.2.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3055.2460 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Internet Security Network Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\spoolsv.exe --> c:\windows\System32\spoolsv.exe
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-28 )))))))))))))))))))))))))))))))
.
.
2012-03-28 19:01 . 2008-04-14 11:42 57856 ----a-w- c:\windows\system32\spoolsv.exe
2012-03-27 22:54 . 2012-03-27 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2012-03-27 04:55 . 2012-03-27 04:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-03-27 04:55 . 2012-03-27 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-27 04:55 . 2012-03-27 04:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-27 04:55 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-27 03:18 . 2012-03-27 03:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2012-03-27 03:17 . 2012-03-27 03:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-27 03:17 . 2012-03-27 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-27 03:14 . 2012-03-27 03:14 -------- d-----w- C:\_OTL
2012-03-25 20:25 . 2012-03-25 20:25 -------- d-----w- c:\program files\Common Files\ParetoLogic
2012-03-25 20:25 . 2012-03-25 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2012-03-25 20:25 . 2012-03-25 20:25 -------- d-----w- c:\program files\Common Files\XoftSpySE
2012-03-25 20:25 . 2012-03-25 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2012-03-25 20:25 . 2012-03-25 20:25 -------- d-----w- c:\program files\XoftSpySE6
2012-03-25 17:33 . 2011-06-21 16:24 32768 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 00:48 . 2011-05-18 17:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-20 15:17 . 2012-02-20 15:17 94208 ----a-w- c:\windows\DIIUnin.exe
2012-02-20 15:17 . 2012-02-20 15:17 2829 ----a-w- c:\windows\DIIUnin.pif
2012-02-03 09:22 . 2003-09-25 16:35 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-02-02 17:09 . 2012-02-02 17:09 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-02 04:23 . 2010-08-14 03:35 6936296 ----a-w- c:\windows\system32\SpoonUninstall.exe
2012-01-11 19:06 . 2012-02-16 03:18 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2011-12-11 19:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
1998-12-09 03:53 . 1998-12-09 03:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 03:53 . 1998-12-09 03:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 03:53 . 1998-12-09 03:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 03:53 . 1998-12-09 03:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2012-03-28 19:20 547306 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2012-03-28 00:11 547306 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2012-03-28 19:20 102876 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2012-03-28 00:11 102876 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2012-01-26 2077536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-14 00:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 18:10 18744 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Center Agent]
2007-07-13 14:00 1435648 ----a-w- c:\program files\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 11:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-02-15 22:10 57344 ------w- c:\program files\Creative\SBLive! 24-Bit\Surround Mixer\CTSysVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-04-05 20:19 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 04:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-04-05 20:22 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-01-31 18:13 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
2005-05-03 16:38 64512 ----a-w- c:\windows\system32\P17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-05 20:23 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
2003-03-11 21:24 86016 ----a-w- c:\program files\Intel\NCS\PROSet\PRONoMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2004-12-29 13:01 544768 ----a-w- c:\windows\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 07:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpySE]
2009-09-05 07:46 3399168 ----a-w- c:\program files\XoftSpySE6\XoftSpySE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Internet\\mIRC\\mirc.exe"=
"c:\\Internet\\SHOUTcast\\sc_serv.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\StationPlaylist\\Studio\\SPLStudio.exe"=
"c:\\Games\\Diablo II\\Diablo II.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FlashFXP 4\\FlashFXP.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2593:TCP"= 2593:TCP:Ultima Online Server
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [8/13/2010 7:39 PM 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/13/2010 7:39 PM 52872]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/13/2010 7:39 PM 243152]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2/2/2012 12:09 PM 242240]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R3 glideusb;GlidePoint USB Touchpad Filter;c:\windows\system32\drivers\glideusb.sys [2/27/2007 5:03 AM 44928]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/13/2010 9:42 PM 691696]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/13/2010 7:39 PM 216400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [8/13/2010 7:37 PM 308136]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [8/13/2010 7:37 PM 5897808]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/26/2012 11:55 PM 652360]
S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [8/14/2010 11:56 AM 674048]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [8/13/2010 7:37 PM 122448]
S3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [8/13/2010 7:37 PM 30288]
S3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [8/13/2010 7:37 PM 26192]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/26/2012 11:55 PM 20464]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [3/31/2003 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [8/28/2009 4:15 PM 582424]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-03-25 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-28 21:15]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
TCP: Interfaces\{D63D9865-D171-4DE7-9A8F-5D2223285402}: NameServer = 207.91.5.20,207.91.5.202
DPF: {B5B8593C-89BC-44A7-BCE3-32FE4FED7C5C} - [You must be registered and logged in to see this link.]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2012-03-28 14:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, [You must be registered and logged in to see this link.]
Windows 5.1.2600 Disk: WDC_WD800BB-00CJA1 rev.17.07W17 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AC782C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,b1,66,f4,06,bc,b9,4f,9e,af,84,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,b1,66,f4,06,bc,b9,4f,9e,af,84,\
.
[HKEY_USERS\S-1-5-21-2025429265-1647877149-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,ae,94,6e,a6,5b,a7,4e,bf,31,76,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,ae,94,6e,a6,5b,a7,4e,bf,31,76,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\PCANotify.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\System32\l3codeca.acm
.
- - - - - - - > 'lsass.exe'(692)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(164)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
.
**************************************************************************
.
Completion time: 2012-03-28 14:25:27 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-28 19:25
ComboFix2.txt 2012-03-28 00:16
.
Pre-Run: 45,413,785,600 bytes free
Post-Run: 45,581,459,456 bytes free
.
- - End Of File - - B3DE6F1BBFFE2D8974B3A5FE930B1A6A

SecurityCheck:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
AVG 9.0
```````````````````````````````
Anti-malware/Other Utilities Check:

XoftSpySE
Java(TM) 6 Update 26
Java 2 Runtime Environment, SE v1.4.2
Java version out of date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgemc.exe
``````````End of Log````````````

seanandre

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2012-03-26
Operating System : Multiple OS's (XP, 7, 2000)

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by Superdave on Thu 29 Mar 2012, 12:13 pm

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
***********************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Superdave
Tech Staff


Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by seanandre on Fri 30 Mar 2012, 5:10 am

Guys, this is taking too long. I don't mean to be impatient or anything, but good lord, this is a lot of stuff to have to go through just to get rid of a bunch of virus and malware and spyware. I need my computer. I realy appreciate everyone's hard work on here, but I think I'm just going to reformat the machine. It's a lot easier, and a lot less time consuming. I have no idea how to close this topc, I'm assuming the person handling it can. Thank you very much for your time.

Sean

seanandre

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2012-03-26
Operating System : Multiple OS's (XP, 7, 2000)

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by Superdave on Fri 30 Mar 2012, 9:18 am

but good lord, this is a lot of stuff to have to go through just to get rid of a bunch of virus and malware and spyware. I need my computer. I really appreciate everyone's hard work on here, but I think I'm just going to reformat the machine. It's a lot easier, and a lot less time consuming.
It really depends on how much a machine is infected and some infection leaves the computer is such bad shape that re-format is the only recourse. Of course a re-format is the way to go but you must realize that not everyone has that option. Good luck.

Superdave
Tech Staff


Tech Staff

Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3

View user profile

Back to top Go down

Re: System Running Slow & Black Hole Threats?

Post by Sponsored content Today at 2:48 am


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum