Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Random CPU Spikes to 100%


  • This topic is locked This topic is locked
14 replies to this topic

#1 OpenWaterEric

OpenWaterEric

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 22 July 2013 - 04:23 PM

I've had this computer for about a year and until about 3 days ago it was working perfectly.  Not sure what happened, but now I'll get random CPU spikes up to 100% for a few seconds for no reason obvious to me.  When I get a spike everything freezes up for 1-5 seconds, such as the cursor, typing in word, streaming music, etc. and then goes back to normal.  I'm wondering if I picked up some malware or if something else is wrong.  I've tried a disk defrag, virus scan with AVG free edition, and shutting down some of the startup processes without any luck.  Any assistance would be greatly appreciated.  Log below......

-----------------------------------------------------------------------------------------------------------------------------

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Owner at 14:16:49 on 2013-07-22
#Option MBR scan  is disabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2047 [GMT -7:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Box Sync\BoxSyncHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe
C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
C:\Program Files\Box Sync\BoxSync.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - 
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - 
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - 
uRun: [RCUI] "c:\progra~1\ringce~1\ringce~1\RCUI.exe"
uRun: [RCHotKey] "c:\progra~1\ringce~1\ringce~1\RCHotKey.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [openvpn-gui] c:\program files\astaro\astaro ssl vpn client\bin\openvpn-gui.exe
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [BoxSyncHelper] "c:\program files\box sync\BoxSyncHelper.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNTExMzQwNDc3LVQxLUtWMys3LUJBKzEtVUNBTEwrMS1CQVI4RysxLVVDQUxMMisyLVRCOCsyLUZMKzgtUUlYMSs0LVgyMDEwKzItRjEwTSs1LUYxME0xMEQrMQ"&"prod=90"&"ver=10.0.1187
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\boxsyn~1.lnk - c:\program files\box sync\BoxSync.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220898614026
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1374526508265
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 66.60.130.158
TCP: Interfaces\{00EA53D8-0B1E-459E-B2BB-3C93FD665E81} : DHCPNameServer = 66.60.130.158
TCP: Interfaces\{7C097B24-F8AD-49A1-96F3-B899B743F8C5} : DHCPNameServer = 172.16.1.5
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\15.3.0\ViProtocol.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\cokbnnz1.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6f9ee&v=6.010.023.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - component: c:\program files\avg\avg2012\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\npjpi170_05.dll
FF - plugin: c:\program files\java\jre7\bin\npoji610.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-8-9 245048]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 96568]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 182072]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-25 37664]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-5-14 4937264]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-4-18 283136]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-3-1 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 13624]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-6-15 47640]
R2 vToolbarUpdater15.3.0;vToolbarUpdater15.3.0;c:\program files\common files\avg secure search\vtoolbarupdater\15.3.0\ToolbarUpdater.exe [2013-6-26 1598128]
S2 gupdate1c9bebb812b5112;Google Update Service (gupdate1c9bebb812b5112);c:\program files\google\update\GoogleUpdate.exe [2009-4-16 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2013-07-22 21:00:42 -------- d-----w- c:\windows\system32\MRT
2013-07-22 20:19:05 -------- d-----w- c:\windows\pss
2013-07-20 18:38:50 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-07-20 18:38:35 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-20 18:24:23 106088 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2013-07-20 18:37:59 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-20 18:37:58 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-27 04:49:40 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-06-12 01:59:11 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 01:59:11 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-08 18:17:48 92488 ----a-w- c:\windows\system32\LMIinit.dll
2013-06-08 18:17:48 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2013-06-08 18:17:48 53064 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2013-06-08 18:17:48 31560 ----a-w- c:\windows\system32\LMIport.dll
2013-06-08 06:55:44 385024 ------w- c:\windows\system32\html.iec
2013-06-07 21:56:06 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56:06 43520 ------w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-04 07:23:02 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40:45 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-25 01:06:42 92488 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2013-05-25 01:06:42 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2013-05-09 07:28:02 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:30:20 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:17 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2001-08-22 05:24:10 645120 ----a-r- c:\program files\Converter.exe
.
============= FINISH: 14:17:42.92 ===============
 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:20 AM

Posted 25 July 2013 - 08:26 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

thisisujrt.gif Please download
Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please restart the computer before running this security check..

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#3 OpenWaterEric

OpenWaterEric
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 25 July 2013 - 01:27 PM

Thank you for your help, below are the various logs.  Problem might be a bit better, I'm not getting freezes when typing, but I get "hick-ups" when watching videos (Youtube) or music (Pandora) when I move the mouse around.  I'm watching the "Performance" tab in Windows Task Manager and the CPU usage is steady around 10% with spikes up to 80% every 10 seconds or so.  Once again than you for your help.

 

.............AdwCleaner Log..........

# AdwCleaner v2.306 - Logfile created 07/25/2013 at 09:50:25
# Updated 19/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - OWNER-A4DD72032
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Owner\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Deleted on reboot : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
Folder Deleted : C:\DOCUME~1\Owner\LOCALS~1\Temp\avg@toolbar
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Owner\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\AVG Secure Search
Folder Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\AVG Security Toolbar
Folder Deleted : C:\Program Files\AVG Secure Search
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v3.5.15 (en-US)
 
File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cokbnnz1.default\prefs.js
 
Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");
 
-\\ Google Chrome v28.0.1500.72
 
File : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [6333 octets] - [25/07/2013 09:50:25]
 
########## EOF - C:\AdwCleaner[S1].txt - [6393 octets] ##########
 

 

 

-----Junkware Log----------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.2.2 (07.22.2013:2)
OS: Microsoft Windows XP x86
Ran by Owner on Thu 07/25/2013 at 10:26:58.48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ FireFox
 
Successfully deleted: [File] "C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml"
Successfully deleted the following from C:\Documents and Settings\Owner\Application Data\mozilla\firefox\profiles\cokbnnz1.default\prefs.js
 
user_pref("keyword.URL", "hxxp://search.avg.com/route/?d=4cc6f9ee&v=6.010.023.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=");
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 07/25/2013 at 10:30:38.76
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

-----------ComboFix Log----------------

ComboFix 13-07-25.02 - Owner 07/25/2013  10:39:13.1.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2761 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\System
c:\documents and settings\Owner\System\win_qs8.jqx
c:\windows\system32\Cache
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\41dad28e574d8ea5.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\68044a69b00c3f0f.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\701bef60dcf01934.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\98a591c1df2bdb3a.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e2d65dcd5907406f.fb
c:\windows\system32\Cache\e6ef6c6af4cca7cb.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\SET30.tmp
c:\windows\system32\SET33.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-25 to 2013-07-25  )))))))))))))))))))))))))))))))
.
.
2013-07-25 17:03 . 2013-07-25 17:03 -------- d-----w- c:\windows\ERUNT
2013-07-22 21:00 . 2013-07-22 21:05 -------- d-----w- c:\windows\system32\MRT
2013-07-20 18:38 . 2013-07-20 18:38 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-07-20 18:38 . 2013-07-20 18:38 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-20 18:37 . 2013-07-20 18:37 -------- d-----w- c:\program files\Java
2013-07-20 18:24 . 2013-05-08 10:12 106088 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-20 18:37 . 2012-06-15 18:11 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-20 18:37 . 2012-06-15 18:11 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-27 04:49 . 2012-09-25 23:34 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-06-08 18:17 . 2011-06-16 03:26 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2013-06-08 18:17 . 2011-06-16 03:26 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2013-06-08 18:17 . 2011-06-16 03:26 31560 ----a-w- c:\windows\system32\LMIport.dll
2013-06-08 18:17 . 2011-06-16 03:26 92488 ----a-w- c:\windows\system32\LMIinit.dll
2013-06-08 06:55 . 2008-04-14 12:00 385024 ------w- c:\windows\system32\html.iec
2013-06-07 21:56 . 2008-04-14 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56 . 2008-04-14 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-04 07:23 . 2008-04-14 12:00 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40 . 2008-04-14 12:00 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-25 01:06 . 2011-06-16 03:26 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2013-05-25 01:06 . 2011-06-16 03:26 92488 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2013-05-09 07:28 . 2006-10-19 04:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-05-03 01:30 . 2008-04-14 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2001-08-22 05:24 . 2008-11-18 17:46 645120 ----a-r- c:\program files\Converter.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopFileLocked]
@="{C253B817-3A00-475f-A5A3-6F2DD704B48D}"
[HKEY_CLASSES_ROOT\CLSID\{C253B817-3A00-475f-A5A3-6F2DD704B48D}]
2009-11-07 08:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopNotSynced]
@="{19ACC806-F7AA-46AA-A80A-726A07CA6637}"
[HKEY_CLASSES_ROOT\CLSID\{19ACC806-F7AA-46AA-A80A-726A07CA6637}]
2009-11-07 08:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopNotSyncedCollabs]
@="{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}"
[HKEY_CLASSES_ROOT\CLSID\{337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F}]
2009-11-07 08:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopSynced]
@="{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}"
[HKEY_CLASSES_ROOT\CLSID\{B7AC9C6D-F15B-4B1A-A88D-F518D13861D9}]
2009-11-07 08:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\000BoxDesktopSyncedCollab]
@="{9E48C232-F601-4E41-BB3E-16CBAF317AA4}"
[HKEY_CLASSES_ROOT\CLSID\{9E48C232-F601-4E41-BB3E-16CBAF317AA4}]
2009-11-07 08:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2013-04-09 493872]
"RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2013-04-09 39216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"openvpn-gui"="c:\program files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe" [2007-10-05 90112]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-04-29 4408368]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-12-29 15635896]
"NvMediaCenter"="NvMCTray.dll" [2012-12-29 108984]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-12-29 1982312]
"BoxSyncHelper"="c:\program files\Box Sync\BoxSyncHelper.exe" [2013-06-08 393216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Box Sync.lnk - c:\program files\Box Sync\BoxSync.exe -hidden [2013-6-7 7959552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2013-06-08 18:17 92488 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2013-05-08 10:17 642664 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2013-05-08 21:14 44128 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-03 16:27 136176 -----tw- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 21:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-03-03 03:42 159744 ----a-r- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-03-03 03:42 135168 ----a-r- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-10-18 22:27 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-09-17 22:40 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 21:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-03-03 03:42 131072 ----a-r- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 14:32 253816 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Cryptic Studios\\Star Trek Online\\Live\\GameClient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"56905:TCP"= 56905:TCP:Pando Media Booster
"56905:UDP"= 56905:UDP:Pando Media Booster
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [8/9/2012 1:56 PM 245048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 7:30 AM 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 7:23 AM 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 2:14 AM 182072]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [9/25/2012 4:34 PM 37664]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [4/18/2013 4:34 AM 283136]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [3/1/2011 12:11 PM 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 3:40 PM 13624]
R2 vToolbarUpdater15.3.0;vToolbarUpdater15.3.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [6/26/2013 9:49 PM 1598128]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [5/14/2013 12:54 AM 4937264]
S2 gupdate1c9bebb812b5112;Google Update Service (gupdate1c9bebb812b5112);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 10:48 AM 133104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-10-18 22:25 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 17:48]
.
2013-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 17:48]
.
2013-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1767777339-1801674531-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-22 16:27]
.
2013-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1767777339-1801674531-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-22 16:27]
.
2013-07-25 c:\windows\Tasks\Idle Backup.job
- c:\windows\system32\ntbackup.exe [2008-04-14 12:00]
.
2013-07-25 c:\windows\Tasks\User_Feed_Synchronization-{542E7624-76CB-48E0-A42D-4ECC51CFC0C3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 66.60.130.158
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cokbnnz1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-25 10:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-1767777339-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1304)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(1364)
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2013-07-25  10:50:33
ComboFix-quarantined-files.txt  2013-07-25 17:50
.
Pre-Run: 351,531,831,296 bytes free
Post-Run: 357,469,970,432 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=OptIn /fastdetect
.
- - End Of File - - C57D1E0BEDD6BADCC7EF9C220715E969
8F558EB6672622401DA993E1E865C861
 

-----Checkup Log-----------

 Results of screen317's Security Check version 0.99.71  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Please wait while WMIC compiles updated MOF files.d 
ECHO is off.
ECHO is off.
ECHO is off.
ECHO is off.
ECHO is off.
ECHO is off.
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 JavaFX 2.1.1    
 Java 7 Update 25  
 Mozilla Firefox (3.5.15) Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe 
 AVG avgrsx.exe 
 AVG avgnsx.exe 
 AVG avgemc.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 1% 
````````````````````End of Log`````````````````````` 
 

 

 

 

 

 

Thanks Again!



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:20 AM

Posted 26 July 2013 - 07:40 AM

Your logs are clean.

Run this scan and keep me posted.

Please scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.png to download the ESET Smart Installer. icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#5 OpenWaterEric

OpenWaterEric
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 27 July 2013 - 09:43 AM

Ok, ESET scan complete.  There was no option for clicking on "List Threats" or Exporting, it says no threats were found.....

 

 

Scanned Files: 114799

Infected Files: 0

Cleaned Files: 0

Total Scan Time: 02:51:36

Scan Status: Finished

 

Thanks again!



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:20 AM

Posted 27 July 2013 - 10:38 AM

The ESET log is clean. No report generated.

Download ATF Cleaner by Atribune from here hereand save it to your Desktop.
Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache


The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

* The purpose of Prefetch folder is to increase the speed at which you can access the programs that you use on your PC. Unfortunately, Windows doesn't differentiate between a program you use every day and one you use every blue moon, which means that it may be prefetching a lot of stuff that you rarely use, adding to your startup time.
You may find that the first time you boot up after cleaning out this folder, your PC takes longer to get into gear - the second, and subsequent, boots should be quicker.

#7 OpenWaterEric

OpenWaterEric
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 28 July 2013 - 02:31 PM

Ok, ran ATF cleaner and rebooted the system.  Performance has slowly improved since we began the cleaning process and now seems pretty close to normal.

 

Thanks



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:20 AM

Posted 29 July 2013 - 06:53 AM

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can Keep the DDS tool as most forum will ask to see a log before suggesting a fix.
===

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:Please note: Many installer offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful addons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • Script Blocker can help blocking many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox addon,
  • ScriptNo a popular Google Chrome addon.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

For your additional information.
Windows XP SP3 and Office 2003
Microsoft support Ends April 8, 2014

http://www.microsoft.com/en-us/windows/endofsupport.aspx

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:20 AM

Posted 04 August 2013 - 08:04 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:20 AM

Posted 04 August 2013 - 03:16 PM

This topic has been re-opened at the request of the person who originally posted.

#11 OpenWaterEric

OpenWaterEric
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 04 August 2013 - 05:37 PM

Thanks for re-opening the thread.

 

Before beginning the clean-up process, do you think there's anything else I can do to see why I'm getting these small CPU spikes that are disrupting video and music streaming?  Could some program update not have been successful?  I used Chrome, could that be cause?  If you think we've done all that we can do, I'll go ahead and finish up the clean-up process.

 

Thanks!



#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:20 AM

Posted 05 August 2013 - 07:53 AM

Try this.

Download this Process Explorer tool.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
RUN IT AND TRY to find the Process / file that is draining your CPU.
Instructions on the help file.

#13 OpenWaterEric

OpenWaterEric
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 05 August 2013 - 12:25 PM

Well, I'm not sure what happened, but booting up my computer today took 45 minutes from hitting the power button to being able to get to this thread.  It's never been this horribly slow before.  The freezes are back worse than ever now both working online and in offline programs.  I usually just leave my system running, but last night I decided to turn it off particular reason.

 

I did run the Process Explorer and only two things are standing out.  When the system freezes the line item under "system->interrupts" jumps from about 0.5 CPU usage up to about 62.  Using the graphs I also noticed that the slow downs happen when the I/O spikes with the program jps.exe.  Everything is made worse by playing music or video as before.  I get big spikes in disk usage and network as well when the I/O spikes.

 

Those are the only two things jumping out at me right now.  I'm going to reboot again to see if things improve.



#14 OpenWaterEric

OpenWaterEric
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 05 August 2013 - 04:22 PM

Hmm, well rebooting killed the computer.  It would no longer boot up to the desktop.  It would start-up and show the Intel screen and then the Windows XP screen and then reboot again after about 5 minutes.  I've gone ahead and dropped the computer off with a repair tech. to see about getting it fixed.  I'm writting this from my backup home computer.

 

At this time, I don't think there's anything else that can be done here, we'll have to wait and see what the shop says.



#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:20 AM

Posted 06 August 2013 - 09:04 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users