BleepingComputer.com: Malware Infection Remnant?

Good Day Bleeping Computer!

Dell Dimension 2400, WinXP Home SP3, Celeron CPU @ 2.2GHz, 1.0GB RAM, integrated graphics and sound.

I’ll mention upfront that this PC got a Vundo infection about 1.5 years ago and it only seemed to be eradicated. I have performed a lot of work on it since that time, including all the work in Slow Computer/browser? Check Here First; It May Not Be Malware, but it has never been performing as it was before the virus.

When I do periodic maintenance, I run Sammsoft’s Advanced Registry Optimizer 2008 retail version 5.3. Is that recommended or not? I have also used Piriform’s CCleaner Registry Cleaner. Again, is that recommended or not?

Because they are left over programs from the work a hired network technician did to sort of fix the Vundo virus, upon start up the PC loads Spybot Search& Destroy and AdAware, in addition to my Symantec Endpoint Protection anti-virus. MalwareBytes is also installed but I stopped that from loading at startup. These are free versions and so rely on manual update, which means they are usually not too up to date. I used to update frequently, but it didn’t seems to help my performance; it just cost me time. Also, I think they may be slowing down my system.

Current symptoms include:
o Slow typing while composing webmail. This means that when I type at normal speed into a new email, the first character will appear but it may take 30 seconds for the next few letters to appear. If I type at a rate of about 1 character every two seconds, the letters appear as I type them. This persists despite everything I have tried, including starting IE8 without add-ons. As a test, I rolled back to IE7 and it did not happen. When I rolled forward again to IE8, typing at normal speed worked for one short e-mail, then went right back to ultra-slow response.
o Internet Explorer consuming 50+% of CPU. When I force close IE8 and sending the dumpprep to Microsoft, I get the Error Reporting window after where there is a more information link which states “It's hard to determine exactly what causes Internet Explorer to stop responding, but it's usually due to one of the following reasons:
• Spyware, adware, or other malicious software. If you have downloaded free software from the Internet, you might have inadvertently downloaded spyware with it. Spyware is software that can display advertisements (such as pop-up ads), collect information about you, or change settings on your computer, usually without your permission.
• Internet Explorer add-ons: Add-ons are software that add features or tools (an Internet toolbar for example) to Internet Explorer.
• Computer viruses: If your computer has a virus, the virus can cause Internet Explorer to stop responding.”
o PC takes about 30 minutes from a cold boot for the HDD to stop lighting up almost constantly. I have edited my startup and processes so many times to try to deal with slow startup and general CPU demand that I am no longer sure where the system stands in terms of what is “on” versus what should be or needs to be “on.” I also run Norton Ghost 15, but have disabled it service because it too was a CPU hog.

Thanks to every potential helping BC member who reads this. Especially thank you to the person who picks this up for being willing to try helping. It’s awesome that there are people like you (for example, especially nasdaq who fixed me up on two other PC's!). It makes up for the people who hijack PC’s.

Best Regards,

Steve

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Steve at 0:33:42 on 2011-09-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.97 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\palmOne\Palm.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
TB: {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\steve.dimension2400-1\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Norton Ghost 15.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08ce -f video -m logitech -d 10.5.1.2023
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
TCP: Interfaces\{6D925946-DC3F-465E-97A0-7297ADADF69F} : DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.212.246 OU SEPM
Hosts: 129.15.34.70 OU SEPM
Hosts: 192.168.242.245 OU SEPM
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-6 64512]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-11-4 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-11-4 108392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-4 2152152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-27 94880]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-11-4 1832072]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-11 105592]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [2009-9-21 57840]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110906.002\NAVENG.SYS [2011-9-6 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110906.002\NAVEX15.SYS [2011-9-6 1576312]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2003-1-6 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2003-1-6 17700]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-11-4 23888]
S3 GenericMount Helper Service;GenericMount Helper Service;c:\program files\norton ghost\shared\drivers\GenericMountHelper.exe [2009-9-21 1574408]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [2003-1-20 17018]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2004-7-27 11520]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2002-8-29 5120]
S3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2009-9-21 1964528]
S4 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2004-7-12 34712]
.
=============== Created Last 30 ================
.
2011-09-06 03:40:38 -------- d-----w- c:\program files\common files\xing shared
2011-09-06 03:07:38 650752 ----a-w- c:\windows\system32\xvidcore.dll
2011-09-06 03:07:38 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2011-09-06 03:07:38 152064 ----a-w- c:\windows\system32\xvid.ax
2011-09-06 03:07:13 -------- d-----w- c:\program files\Xvid
2011-09-06 01:47:32 -------- d-----w- c:\documents and settings\steve.dimension2400-1\local settings\application data\Deployment
.
==================== Find3M ====================
.
2011-09-05 02:37:21 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-19 01:57:53 1409 ----a-w- c:\windows\QTFont.for
.
============= FINISH: 0:35:42.20 ===============

The log is clean.

Run the SecurityCheck on this one and post the log.

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Symantec Endpoint Protection
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
MVPS Hosts File
Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 27
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````End of Log````````````

nasdaq,

Based on the log below and our prior conversations on other posts, this looks ok.

Any suggestions for looking at my some of my symptoms and concerns?

• Which security programs to run on a slower CPU
  
• Slow typing while composing webmail -- disabling add-ons did not help
  
• Internet Explorer consuming 50+% of CPU
  
• PC takes about 30 minutes from a cold boot for the HDD to stop lighting up almost constantly
  
• Is cntinued used of registry cleaners ok or not?

Of course I can, should and will research these myself, but perhaps your have some pointers.

Regards,

Steve

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Symantec Endpoint Protection
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
MVPS Hosts File
Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 27
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````End of Log````````````

.

This post has been edited by Steve23: 22 September 2011 - 08:29 PM

Run ComboFix on this computer.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  
  
• Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

nasdaq,
with regards to ComboFix reporting "AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}"
I disabled it twice but it came back on.

Let me know if I need to re-run ComboFix.

Steve

ComboFix 11-09-23.03 - Steve 09/23/2011 10:50:40.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.373 [GMT -4:00]
Running from: c:\documents and settings\Steve.DIMENSION2400-1\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\DirectCDUserNameE.txt
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Jonna\WINDOWS
c:\documents and settings\Megan\WINDOWS
c:\documents and settings\Sara\atmo212_enu.exe
c:\documents and settings\Sara\WINDOWS
c:\documents and settings\Steve.DIMENSION2400-1\GoToAssistDownloadHelper.exe
c:\documents and settings\Steve.DIMENSION2400-1\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-08-23 to 2011-09-23 )))))))))))))))))))))))))))))))
.
.
2011-09-18 17:45 . 2011-09-18 17:45 -------- d-----w- c:\program files\Common Files\Java
2011-09-18 17:44 . 2011-09-18 17:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-15 00:36 . 2011-09-15 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Minitab
2011-09-15 00:34 . 2011-09-15 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2011-09-15 00:33 . 2011-09-15 00:33 -------- d-----w- c:\program files\Minitab
2011-09-15 00:32 . 2011-09-15 00:34 -------- d-----w- c:\program files\Common Files\Minitab Shared
2011-09-15 00:27 . 2011-09-15 00:30 -------- d-----w- c:\documents and settings\Steve.DIMENSION2400-1\Application Data\Minitab
2011-09-06 03:40 . 2011-09-06 03:40 -------- d-----w- c:\program files\Common Files\xing shared
2011-09-06 03:07 . 2011-03-21 13:58 152064 ----a-w- c:\windows\system32\xvid.ax
2011-09-06 03:07 . 2011-03-19 15:06 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2011-09-06 03:07 . 2011-03-19 15:04 650752 ----a-w- c:\windows\system32\xvidcore.dll
2011-09-06 03:07 . 2011-09-06 03:08 -------- d-----w- c:\program files\Xvid
2011-09-06 01:47 . 2011-09-06 01:48 -------- d-----w- c:\documents and settings\Steve.DIMENSION2400-1\Local Settings\Application Data\Deployment
2011-08-26 20:51 . 2011-08-26 20:51 -------- d-----w- c:\documents and settings\Megan\Local Settings\Application Data\Symantec
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-18 17:44 . 2011-02-27 05:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-09 09:12 . 2004-07-12 19:14 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-05 02:37 . 2011-03-07 03:59 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-15 13:29 . 2002-08-29 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2002-08-29 10:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-11-04 115560]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-09-06 273528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-12 282624]
"Norton Ghost 15.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2010-03-03 2598760]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2008-12-17 443664]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Colorific.lnk]
backup=c:\windows\pss\Colorific.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SonnReg.lnk]
backup=c:\windows\pss\SonnReg.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2005-03-28 00:46 684032 ----a-w- c:\program files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 13:59 126976 ----a-w- c:\windows\SYSTEM32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 13:59 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-09-23 14:50 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 20:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 20:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-12-20 12:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-08-12 01:09 282624 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 18:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LVSrvLauncher"=2 (0x2)
"LVCOMSer"=2 (0x2)
"GhostStartService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\EXCEL.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)
.
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [3/6/2011 11:59 PM 64512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/11/2011 7:09 AM 105592]
R3 GenericMount;Generic Mount Driver;c:\windows\SYSTEM32\DRIVERS\GenericMount.sys [9/21/2009 8:26 PM 57840]
S1 AEC671X;AEC671X;c:\windows\SYSTEM32\DRIVERS\aec671x.sys [1/6/2003 9:54 AM 12128]
S1 DMX3191;DMX3191;c:\windows\SYSTEM32\DRIVERS\dmx3191.sys [1/6/2003 9:54 AM 17700]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/4/2011 4:20 AM 2152152]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [11/4/2010 10:48 AM 23888]
S3 GenericMount Helper Service;GenericMount Helper Service;c:\program files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe [9/21/2009 8:25 PM 1574408]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\PLCNDIS5.SYS [1/20/2003 10:30 AM 17018]
S3 scsiscan;SCSI Scanner Driver;c:\windows\SYSTEM32\DRIVERS\scsiscan.sys [7/27/2004 7:11 PM 11520]
S4 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MrtRate.sys [7/12/2004 3:24 PM 34712]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-04 07:40]
.
2011-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3201968490-2153201169-4238752199-1006Core.job
- c:\documents and settings\Steve.DIMENSION2400-1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-06 01:48]
.
2011-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3201968490-2153201169-4238752199-1006UA.job
- c:\documents and settings\Steve.DIMENSION2400-1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-06 01:48]
.
2011-09-15 c:\windows\Tasks\Minitab Software Update Manager.job
- c:\program files\Common Files\Minitab Shared\Software Manager\SoftwareManager.exe [2010-11-05 14:49]
.
2011-09-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3201968490-2153201169-4238752199-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 19:22]
.
2011-08-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3201968490-2153201169-4238752199-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 19:22]
.
2011-08-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3201968490-2153201169-4238752199-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 19:22]
.
2011-09-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3201968490-2153201169-4238752199-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 19:22]
.
2011-09-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3201968490-2153201169-4238752199-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 19:22]
.
2011-09-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3201968490-2153201169-4238752199-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 19:22]
.
2011-09-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3201968490-2153201169-4238752199-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 19:22]
.
2011-09-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3201968490-2153201169-4238752199-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 19:22]
.
2011-09-14 c:\windows\Tasks\STR's delete all temp files.job
- c:\windows\SYSTEM32\cleanmgr.exe [2002-08-29 00:12]
.
2011-09-23 c:\windows\Tasks\User_Feed_Synchronization-{79962F99-97AF-4104-A023-2E19BCCB15CB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
MSConfigStartUp-SsAAD - c:\progra~1\Sony\SONICS~1\SsAAD.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-23 11:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a7,c4,42,56,06,95,df,44,98,f2,58,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a7,c4,42,56,06,95,df,44,98,f2,58,\
.
[HKEY_USERS\S-1-5-21-3201968490-2153201169-4238752199-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2011-09-23 11:08:47
ComboFix-quarantined-files.txt 2011-09-23 15:08
ComboFix2.txt 2010-03-16 03:11
.
Pre-Run: 117,928,230,912 bytes free
Post-Run: 118,245,675,008 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - EC00BB680BC939EDA7305A7BBD85564F

nasdaq,
I have sent you a Personal Message conversation.

Steve

Your log is clean.

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Include in your download" this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

===

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions... being exploited in the wild in active targeted attacks... update to Adobe Flash Player 10.3.183.10 ... Flash Player for Android update to Adobe Flash Player for Android 10.3.186.7

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.

Download for Internet Explorer

Download for Firefox and other browsers
<<<>>>

I was not on this computer very long yesterday as I had other obligations.

You personal message is not in my box.

Unless it's very personal please keep the conversation on this topic.
Thank you.

nasdaq,

All symptoms quoted below still exist.

Thanks for all of your help.

Steve

Steve23, on 22 September 2011 - 09:38 AM, said:

This post has been edited by Steve23: 27 September 2011 - 09:06 PM

Download the latest version of Kaspersky Virus Removal Tool

• Close all other applications and double-click and run the installer.
• When AVPTool starts, select all the scanable items except for CD-ROM drives.
• Then please choose Security level: Recommended and perform the following actions.
  
  
• Click the Start scan button.
  
• If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
• After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
• In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
• If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
• In the Scan window click the Reports button and select Save to file.
• Name the report AVPT.txt, and save it to the Desktop.
• Close AVPTool.
• You will be prompted if you want to uninstall the program; click Yes.
• You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
• Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.

===

Keep me posted.

nasdaq,

From Kaspersky:
No threats detected
Automatic Scan report: 353002 events, 345169 objects, time 06:11:55
Do you still want AVPT.txt attached?

Kaspersky did not prompt for uninstall on exit and does not appear in Remove Programs applet. Is this ok?

On-going symptoms and concerns:
1. Slow typing while composing webmail -- disabling add-ons did not help
2. Internet Explorer consuming 50-90% of CPU for many minutes
3. PC takes about 30 minutes from a cold boot for the HDD to stop lighting up almost constantly -- need some help with start up processes?

Thanks,

Steve

This post has been edited by Steve23: 01 October 2011 - 10:27 PM

Find out if some drivers have been changed/modified.

From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.

nasdaq,

I left System File Checker to run. Was there supposed to be a log file? There were no prompts beyond the initial startup and, although I was not there for the whole process, I found the system returned to the desktop. I rebooted.

All symptoms still the same:
1. Slow typing composing webmail
2. Internet Explorer at 50-90% of CPU
3. Slow boot -- need reference for help with start up processes?

Thanks again,

Steve

These are are the processes (in bold) that are started when you boot your computer.
They are all Not required unless you realy want to use the service. All can be started by running the .exe file associated with it.

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\steve.dimension2400-1\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Norton Ghost 15.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08ce -f video -m logitech -d 10.5.1.2023 <- this one is your web cam.

This one is your Symantec security program. If you disable it make sure you are not connected to the Internet.
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

Run MsConfig and disable a few of them and restart the computer.
By trial and error you may be able to find out if one or more of these processes is/are the culprit.