Windows BBS - The Place for Microsoft Windows Support!
Forum: Security > Malware and Virus Removal
13th June 2009   #1
geff (Member - joined May 2008, 38 posts, computer experience: Intermediate)
[Resolved] Follow Up With 2nd PC On Network: Re ADS/Possible Trojan

This is a follow up to this thread
[Resolved] Alternate Data Stream Attached To C:\Windows Folder
to make sure the XP machine networked to the infected machine with file sharing is not infected.

This machine also has the file inst.exe, BUT it turns out a program I use, VSO ConvertXtoDVD, legitimately creates that file.

This machine is now showing the 2 ADS per folder that the other cleaned machine is; I SUSPECT that has something to do with Tuesday's MS patches.

This machine has limited use, & to be honest I don't pay as much attention to detail on it as I do on the other.

Logs to follow, & THANKS AGAIN!


Last edited by geff; 13th June 2009 at 21:29.
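To make "2 ADS per folder" concrete, the PowerShell below is an added example (not part of this thread or of any tool mentioned in it) that lists the named alternate data streams on the folders under a root and dumps the start of any one of them. It assumes PowerShell 3.0 or later on Vista or newer, because the -Stream parameter does not exist on the XP / PowerShell 2.0 box in the thread; Zone.Identifier is labelled as the one well-known benign stream and everything else is left for you to judge.

```powershell
# Added example, not from the original thread. Lists named alternate data
# streams (ADS) on the folders (and optionally files) below a root so that
# "2 ADS per folder" becomes stream names, sizes and contents.
# Requires PowerShell 3.0+ on Vista or later for -Stream; on the XP box in
# this thread the same listing needs a tool such as Sysinternals streams.exe.
function Get-FolderStreams {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [switch] $IncludeFiles,
        [switch] $Recurse
    )
    $items  = @(Get-Item -LiteralPath $Root -Force)
    $items += Get-ChildItem -LiteralPath $Root -Force -Recurse:$Recurse -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        if (-not $item.PSIsContainer -and -not $IncludeFiles) { continue }
        # ':$DATA' is a file's ordinary unnamed stream; every other entry is an ADS.
        Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    # Zone.Identifier is the mark-of-the-web Explorer/IE writes on downloads.
                    # Anything else sitting on a folder deserves a look at its contents.
                    Common = ($_.Stream -eq 'Zone.Identifier')
                }
            }
    }
}

# Returns the first characters of one stream as text so you can see what it holds.
function Read-StreamHead {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Stream,
        [int] $Chars = 200
    )
    $text = Get-Content -LiteralPath $Path -Stream $Stream -Raw -ErrorAction Stop
    if ($null -eq $text) { return '' }
    $text.Substring(0, [Math]::Min($Chars, $text.Length))
}

# Usage: every folder directly under C:\Windows that carries a named stream.
Get-FolderStreams -Root 'C:\Windows' | Format-Table Path, Stream, Bytes, Common -AutoSize
# Then, for one hit:  Read-StreamHead -Path 'C:\Windows\SomeFolder' -Stream 'name'
```

Folders can carry named streams exactly as files do, and a stream on a folder is not by itself an infection; the point of listing them is to read what is there instead of guessing from a count. On XP the equivalent listing is `streams -s C:\Windows` with the Sysinternals Streams tool.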
13th June 2009   #2
geff
DDS (Ver_09-05-14.01) - NTFSx86
Run by Geff at 10:57:50.37 on Sat 06/13/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.248 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090613-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\PhraseExpress\phrase.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Documents and Settings\Geff\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.avast.com/eng/faq-red-circle.html
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVD.exe
uRun: [Regrun2] c:\progra~1\greatis\regrun~1\WatchDog.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RegRun WinBait] c:\windows\winbait.exe
mRun: [@RegRunOnSecure] c:\progra~1\greatis\regrun~1\OnSecure.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [KB923561] rundll32.exe apphelp.dll,ShimFlushCache
StartupFolder: c:\docume~1\geff\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ipoint~1.lnk - c:\program files\microsoft intellipoint\ipoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\phrase~1.lnk - c:\program files\phraseexpress\phrase.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207441726093
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SEH: ShellObj Class: {f552dde6-2090-4bf4-b924-6141e87789a5} - c:\program files\greatis\regrunsuite\RRShell.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geff\applic~1\mozilla\firefox\profiles\elbl3scp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dandylionrecords.com/
FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npdrmv2.dll
FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npdsplay.dll
FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npnul32.dll
FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npFoxitReaderPlugin.dll

============= SERVICES / DRIVERS ===============

R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-4-9 30946]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-2 114768]
R1 GhPciScan;GhostPciScanner;c:\program files\norton systemworks\norton ghost\GhPciScan.sys [2002-8-14 5632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-2 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-2 155160]
R3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2008-4-9 25773]
S3 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-18 607576]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-2 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-2 352920]
S3 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2008-12-5 135168]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
S3 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

============== File Associations ===============

txtfile="c:\program files\jgsoft\editpadlite\EditPadLite.exe" "%1"

=============== Created Last 30 ================

2009-06-12 06:51 <DIR> --d----- c:\program files\Safer Networking
2009-06-12 04:22 <DIR> --dsh--- c:\documents and settings\geff\PrivacIE
2009-06-12 04:22 <DIR> --dsh--- c:\documents and settings\geff\IECompatCache
2009-06-12 04:19 <DIR> --d----- C:\Bookmarks
2009-06-12 03:28 <DIR> --dsh--- c:\documents and settings\geff\IETldCache
2009-06-12 03:07 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-12 03:07 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-12 03:07 <DIR> --d----- c:\windows\ie8updates
2009-06-12 03:06 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-12 03:01 <DIR> -cd-h--- c:\windows\ie8
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-26 14:56 104,384 a------- c:\windows\system32\drivers\AnyDVD.sys
2009-05-25 05:01 89,256 a------- c:\windows\system32\ElbyCDIO.dll
2009-05-20 23:04 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2009-05-20 23:04 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-05-20 23:04 217,127 a------- c:\windows\system32\drv43260.dll
2009-05-20 23:04 208,935 a------- c:\windows\system32\drv33260.dll
2009-05-20 23:04 176,165 a------- c:\windows\system32\drv23260.dll
2009-05-20 23:04 102,439 a------- c:\windows\system32\sipr3260.dll
2009-05-20 23:04 65,602 a------- c:\windows\system32\cook3260.dll

==================== Find3M ====================

2009-06-13 10:34 25,773 a------- c:\windows\system32\drivers\regguard.sys
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 13:24 90,112 a------- c:\windows\system32\dpl100.dll
2009-04-15 13:24 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-04-15 13:24 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-04-15 13:24 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-04-15 13:24 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-04-15 13:24 684,032 a------- c:\windows\system32\DivX.dll
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2007-07-05 19:18 87,608 a------- c:\docume~1\geff\applic~1\inst.exe
2007-07-05 19:18 47,360 a------- c:\docume~1\geff\applic~1\pcouffin.sys
2009-02-11 07:11 2 a--shrot c:\windows\winstart.bat
2008-12-05 19:50 32 a--sh--- c:\windows\{6BD07999-72C9-4686-8BA8-98B21BF2F81E}.dat
2008-12-05 19:52 32 a--sh--- c:\windows\{C2B5C6FD-3AE9-425D-9128-6922E1CCC4BB}.dat
2008-12-05 19:51 32 a--sh--- c:\windows\{D03415C0-5E5B-45EB-BCEE-251B910EAE75}.dat
2008-12-05 19:52 32 a--sh--- c:\windows\system32\{C229D828-755E-4428-9FB6-CF22892BFEBE}.dat
2008-12-05 19:50 32 a--sh--- c:\windows\system32\{CED793A7-4A13-43BE-B65F-A642DC1E851C}.dat
2008-12-05 19:51 32 a--sh--- c:\windows\system32\{F054AE12-4D42-49EF-AA98-A90AEFD60C89}.dat
2008-05-16 02:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051620080517\index.dat
2009-01-27 19:31 11,964,448 a--sh--- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 10:58:38.59 ===============

13th June 2009   #3
geff
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 6/26/2007 11:33:49 AM
System Uptime: 6/13/2009 10:31:41 AM (0 hours ago)

Motherboard: Dell Computer Corporation | | Dimension 8200
Processor: Intel(R) Pentium(R) 4 CPU 1.90GHz | Microprocessor | 1894/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 24.121 GiB free.
D: is Removable
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP369: 3/14/2009 12:45:07 PM - Software Distribution Service 3.0
RP370: 3/17/2009 11:31:22 AM - Software Distribution Service 3.0
RP371: 3/18/2009 8:35:47 PM - System Checkpoint
RP372: 3/19/2009 9:04:29 PM - Software Distribution Service 3.0
RP373: 3/23/2009 5:54:57 PM - Software Distribution Service 3.0
RP374: 3/25/2009 10:41:12 PM - System Checkpoint
RP375: 3/27/2009 3:33:51 PM - Software Distribution Service 3.0
RP376: 3/29/2009 2:06:44 AM - Installed Java(TM) 6 Update 13
RP377: 3/31/2009 1:37:10 AM - Software Distribution Service 3.0
RP378: 4/1/2009 11:58:32 AM - System Checkpoint
RP379: 4/2/2009 11:45:44 PM - Software Distribution Service 3.0
RP380: 4/7/2009 9:49:01 AM - Software Distribution Service 3.0
RP381: 4/9/2009 2:37:29 PM - System Checkpoint
RP382: 4/10/2009 8:19:29 PM - System Checkpoint
RP383: 4/13/2009 5:46:40 PM - Software Distribution Service 3.0
RP384: 4/14/2009 9:03:18 PM - Software Distribution Service 3.0
RP385: 4/21/2009 2:11:22 PM - Software Distribution Service 3.0
RP386: 4/23/2009 8:42:42 PM - Software Distribution Service 3.0
RP387: 4/25/2009 6:58:03 PM - System Checkpoint
RP388: 4/27/2009 11:55:50 PM - Software Distribution Service 3.0
RP389: 4/28/2009 12:01:00 AM - Software Distribution Service 3.0
RP390: 4/30/2009 1:44:17 AM - System Checkpoint
RP391: 5/1/2009 5:47:44 AM - System Checkpoint
RP392: 5/3/2009 4:13:28 AM - Software Distribution Service 3.0
RP393: 5/5/2009 12:08:00 PM - System Checkpoint
RP394: 5/6/2009 4:26:10 PM - Software Distribution Service 3.0
RP395: 5/6/2009 4:28:23 PM - Software Distribution Service 3.0
RP396: 5/8/2009 7:29:06 AM - Software Distribution Service 3.0
RP397: 5/9/2009 12:05:35 PM - System Checkpoint
RP398: 5/11/2009 8:28:35 PM - Software Distribution Service 3.0
RP399: 5/12/2009 8:35:13 PM - System Checkpoint
RP400: 5/13/2009 3:00:17 AM - Software Distribution Service 3.0
RP401: 5/14/2009 8:09:23 PM - System Checkpoint
RP402: 5/15/2009 5:54:13 PM - Software Distribution Service 3.0
RP403: 5/15/2009 5:56:23 PM - Software Distribution Service 3.0
RP404: 5/18/2009 4:47:01 PM - Software Distribution Service 3.0
RP405: 5/21/2009 4:59:02 AM - System Checkpoint
RP406: 5/22/2009 12:05:55 AM - Software Distribution Service 3.0
RP407: 5/26/2009 6:59:57 AM - Software Distribution Service 3.0
RP408: 5/29/2009 9:58:05 AM - Software Distribution Service 3.0
RP409: 6/1/2009 9:30:32 PM - Software Distribution Service 3.0
RP410: 6/4/2009 10:01:40 PM - Software Distribution Service 3.0
RP411: 6/4/2009 10:23:34 PM - Installed QuickTime
RP412: 6/7/2009 5:16:18 PM - System Checkpoint
RP413: 6/9/2009 7:33:35 PM - Installed Enable advisory 971778
RP414: 6/9/2009 7:44:34 PM - Software Distribution Service 3.0
RP415: 6/9/2009 7:46:58 PM - Software Distribution Service 3.0
RP416: 6/12/2009 2:49:08 AM - Software Distribution Service 3.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer
AAC Decoder
Ad-Aware 2007
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Alt-Tab Task Switcher Powertoy for Windows XP
AnyDVD
Apple Software Update
AutoUpdate
avast! Antivirus
Avery® Wizard 2.1 forMicrosoft® Word 2000
AviSynth 2.5
BufferChm
C4400
C4400_Help
Calculator Powertoy for Windows XP
CDEdit version 1.145
ClearType Tuning Control Panel Applet
CmdHere Powertoy For Windows XP
ConvertXtoDVD 3.5.3.139
Copy
Critical Update for Windows Media Player 11 (KB959772)
DAZzle
Destination Component
DeviceDiscovery
DeviceManagementQFolder
Digital Camera Enhancer 1.3
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DVD and CD Cover Print
DVD Decrypter (Remove Only)
DVD Identifier
DVD Shrink 3.2
DVD slideshow GUI 0.9.0.7
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.3.2
DVDFab 6.0.0.2 Beta
DVDFab Gold 2.9.8.3
DVDFab Platinum 4.0.1.0
DVDFab Platinum 4.1.0.2
eSupportQFolder
Exact Audio Copy 0.99pb4
FileAlyzer
Foxit Reader
H.264 Decoder
HijackThis 2.0.2
Hot CPU Tester Pro 4.4.1
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Imaging Device Functions 11.0
HP Photosmart C4400 All-In-One Driver Software 11.0 Rel .3
HP Update
HPProductAssistant
ImTOO DVD Audio Ripper 5
IrfanView (remove only)
IsoBuster 2.0
Java(TM) 6 Update 13
JGsoft EditPad Pro 4.5.5
Just Great Software EditPad Lite 6.4.5
jv16 PowerTools 2008
K-Lite Codec Pack 3.4.0 Standard
Kremlin 2.21
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Magnifier Powertoy for Windows XP
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Tool Web Package:WntIpcfg.exe
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MKV Splitter
Mozilla Firefox (2.0.0.18)
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB954430)
Multi Virus Cleaner 2008
Nero 6 Ultra Edition
Nero Digital
Nero Media Player
NeroMIX
NeroVision Express Content
Netscape Communicator 4.79
Norton Speed Disk 7.0 for Windows NT
Norton SystemWorks 2003
Norton Utilities 2003 for Windows
NVIDIA Drivers
Opera 9.64
Panda ActiveScan 2.0
PanoStandAlone
PhraseExpress
PS_AIO_03_C4400_ProductContext
PS_AIO_03_C4400_Software
PS_AIO_03_C4400_Software_Min
QuickTime
RegRun Security Suite Gold
SanDisk USB SSFDC Ver 1.01
Scan
Secunia PSI
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Spybot - Search & Destroy
Status
System Requirements Lab
Toolbox
TrayApp
Tweak UI
UltimateZip 3.0 Beta 2
UnloadSupport
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
Virtual Desktop Manager Powertoy for Windows XP
WebFldrs XP
WebReg
Winamp
WinAVI Video Converter
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Service Pack 3
WINner Tweak Registry Cleaner XP 1.0.2
WinRAR archiver
Xvid 1.1.3 final uninstall

==== Event Viewer Messages From Past Week ========

6/9/2009 8:27:17 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer GEFF that believes that it is the master browser for the domain on transport NetBT_Tcpip_{5A4CEC20-D299-46F7-B489. The master browser is stopping or an election is being forced.
6/9/2009 4:34:29 PM, error: Service Control Manager [7023] - The Windows Driver Foundation - User-mode Driver Framework service terminated with the following error: A device attached to the system is not functioning.
6/9/2009 4:34:29 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

==== End Of File ===========================

14th June 2009   #4
broni (Malware Analyst - joined Aug 2002, Daly City, CA, 4,702 posts, computer experience: intermediate)
Hello again
I also use ConvertXtoDVD, and I can also see an inst.exe file in C:\Users\Broni\AppData\Roaming (Vista).

Navigate to c:\docume~1\geff\applic~1\, right click on inst.exe, click Properties, and see if the file belongs to VSO Software.

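The check broni asks for (Properties, Version tab) reads the file's version resource. The PowerShell below is an added example, not from the thread, that does the same from the command line and adds the two things the Properties dialog does not make obvious: whether the file is Authenticode-signed and by whom, and a SHA-256 hash you can look up. It assumes Windows PowerShell 4.0 or later for Get-FileHash (older shells get a placeholder instead), and it expresses the DDS log's c:\docume~1\geff\applic~1\inst.exe as %APPDATA%\inst.exe, which is the same location for the logged-in user.

```powershell
# Added example, not from the original thread. Reports what a file claims about
# itself (version resource), who actually signed it (Authenticode) and its hash.
function Get-FilePublisherInfo {
    param([Parameter(Mandatory)] [string] $Path)

    $file = Get-Item -LiteralPath $Path -Force
    # Version-resource strings are written by whoever built the binary: a claim, not proof.
    $vi  = $file.VersionInfo
    # Authenticode: the signature and chain are checked against this machine's trusted roots.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } else { 'Get-FileHash unavailable (PowerShell < 4.0)' }

    [pscustomobject]@{
        Path            = $file.FullName
        SizeBytes       = $file.Length
        LastWrite       = $file.LastWriteTime
        CompanyName     = $vi.CompanyName
        ProductName     = $vi.ProductName
        FileDescription = $vi.FileDescription
        FileVersion     = $vi.FileVersion
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256          = $hash
    }
}

# c:\docume~1\geff\applic~1\inst.exe in the DDS log is %APPDATA%\inst.exe for that user.
$target = Join-Path $env:APPDATA 'inst.exe'
if (Test-Path -LiteralPath $target) {
    Get-FilePublisherInfo -Path $target | Format-List
} else {
    "Not present: $target"
}
```

CompanyName and ProductName are plain strings in the PE resource and can say anything, so on their own they settle nothing; a Valid signature whose subject is the expected publisher does. NotSigned is common for small 2007-era utilities and only means you fall back to the hash and to where the file came from, which in this thread is the ConvertXtoDVD install.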
14th June 2009   #5
geff
Quote (originally posted by broni):
Hello again
I also use ConvertXtoDVD, and I can also see an inst.exe file in C:\Users\Broni\AppData\Roaming (Vista).

Navigate to c:\docume~1\geff\applic~1\, right click on inst.exe, click Properties, and see if the file belongs to VSO Software.

Yes, it does. Sorry I didn't specify that earlier.

14th June 2009   #6
broni
Alrighty then. Let's run regular scans...

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

STEP 1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.

* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.

* Click Close to exit the program.
Post SUPERAntiSpyware log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double-click the downloaded .exe file, select the Rootkit tab and click the Scan button.
When the scan is complete, click the Save button and save the results as gmer.log.
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

RESTART COMPUTER

STEP 4. Download HijackThis:
http://www.trendsecure.com/portal/en...kthis/download
by clicking on Download HijackThis Installer
Install, and run it.
Post HijackThis log.
Do NOT attempt to "fix" anything!


DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

15th June 2009   #7
geff
Hi Broni - Thanks again for all your help. Just 1 FYI: this machine is VERY SLOW, & while I don't remember for 100% certain, I'm pretty sure I intentionally turned off the no-AV notification. I have to turn off AV if I want the machine to run with any speed at all. I've assumed the problem is trying to run XP on a P4 with 512 MB of RAM (Rambus).

Logs to follow:

15th June 2009   #8
geff
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/14/2009 at 12:34 PM

Application Version : 4.26.1004

Core Rules Database Version : 3910
Trace Rules Database Version: 1854

Scan type : Complete Scan
Total Scan Time : 01:45:25

Memory items scanned : 234
Memory threats detected : 0
Registry items scanned : 4836
Registry threats detected : 0
File items scanned : 61426
File threats detected : 0

15th June 2009   #9
geff
Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/14/2009 1:50:03 PM
mbam-log-2009-06-14 (13-50-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 154505
Time elapsed: 32 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Old 15th June 2009   #10
geff (Member)

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-15 02:44:50
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF597D6B8]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwCreateKey [0xF8927800]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwDeleteKey [0xF8927A00]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwDeleteValueKey [0xF8927BE0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF597D14C]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwOpenKey [0xF8927900]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF597D08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF597D0F0]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwQueryValueKey [0xF8927CC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF597D72E]
SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwSetValueKey [0xF8927AF0]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[588] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[588] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Photosmart C4400 series@ChangeID 239343

---- EOF - GMER 1.0.15 ----

Old 15th June 2009   #11
geff (Member)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:33 AM, on 6/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\PhraseExpress\phrase.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Documents and Settings\Geff\Desktop\security\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avast.com/eng/faq-red-circle.html
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ipoint.exe.lnk = C:\Program Files\Microsoft IntelliPoint\ipoint.exe
O4 - Global Startup: PhraseExpress.lnk = C:\Program Files\PhraseExpress\phrase.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207441726093
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 5591 bytes

Old 16th June 2009   #12
broni (Malware Analyst, Daly City, CA)

To start with, I don't see any nasties there.

Quote:
I've assumed the problem is trying to run XP on a P4 with 512 ram
Well, XP with 512MB of RAM won't be breaking any speed records, but it can't be painfully slow.
You need to have some AV program running, so...
My recommendations here would be:
1. Uninstall Spybot.
2. Uninstall Ad-aware
3. Get rid of RegRun
4. Get rid of both Norton utilities, Unerase, and SpeedDisk
The above is obviously up to you, but it'll cut down the number of startups and services running.

Now, let's disable some unnecessary startups.
Open HJT, and checkmark:
- O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
- O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
- O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
- O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
- O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
- O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

Click "Fix checked" button.

Restart computer.

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

Run defrag.

When done with everything, let me know what your decisions were, and if you see any improvement.

Old 16th June 2009   #13
geff (Member)

Quote:
Originally Posted by broni
To start with, I don't see any nasties there.


Well, XP with 512MB of RAM won't be breaking any speed records, but it can't be painfully slow.
You need to have some AV program running, so...

3. Get rid of RegRun
Broni, a question: I know that Reg Run does slow things down. Still, I consider it indispensable. Greatis support has told me they feel it's ok to run reg run with no av, as long as I have an av installed for on demand scanning (which I use). Do you disagree?

Old 16th June 2009   #14
geff (Member)

Hi Broni - Thanks again for your help!!!! I've done everything you suggested, OTHER than removing Reg Run, that I was able to.

Re Norton: LONG story, but have previously had problems with Norton hosing on uninstall & can't even remove it with Symantec's uninstall program at this point. I was able to stop the services from running EXCEPT Unerase.

Also, I ran into an issue when I removed the Nvidia O4 run keys: Avast's icon disappeared & I could only get it back with System Restore. I've dealt with similar problems with the Avast icon before; to the best of my knowledge, it's impossible to pause Avast without that icon.

Being temporarily unable to disable Avast, I was reminded that while Reg Run does significantly slow the system down, Avast is a much worse offender. Fortunately, I don't have that issue on the other (Quad core) machine.

Is there a different av that uses very low resources you'd recommend? Preferably free, but free is not required.

Here's the current log; it's somewhat faster with Avast disabled, but still intensely slow with Avast running. The main thing that's slow is opening programs; they run pretty well once they've opened.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:57 AM, on 6/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\PhraseExpress\phrase.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Geff\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avast.com/eng/faq-red-circle.html
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.dandylionrecords.com/"); (J:\prefs.js)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - Global Startup: ipoint.exe.lnk = C:\Program Files\Microsoft IntelliPoint\ipoint.exe
O4 - Global Startup: PhraseExpress.lnk = C:\Program Files\PhraseExpress\phrase.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207441726093
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4966 bytes


Last edited by geff; 16th June 2009 at 19:10.
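The two HijackThis logs in this thread (15 June, and 16 June after "Fix checked") differ in their O4 autostart and O23 service lines. The following Python helper is an added example, not part of the thread or of HijackThis itself: it parses those two line types and reports which entries disappeared, appeared or changed between logs. The sample input is abridged from the logs above; taking the service short name from the parenthesised part of the O23 display name is an assumption about the HJT log format.

```python
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, ...]

# Sample input: abridged O4/O23 lines from the two HijackThis logs in the thread
# (the 15 June log, and the 16 June log posted after the "Fix checked" step).
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
"""

HJT_AFTER = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
"""

# O4 registry Run entries: "O4 - HKLM\..\Run: [Name] command"
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
# O4 Startup-folder shortcuts: "O4 - Global Startup: foo.lnk = target"
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
# O23 services: "O23 - Service: Display (ShortName) - Company - path"
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def parse_hjt(text: str) -> Dict[Entry, str]:
    """Map each O4 autostart / O23 service line to its command or binary."""
    entries: Dict[Entry, str] = {}
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            hive, key, name, cmd = m.groups()
            # Registry value names are case-insensitive, so normalise them.
            entries[("O4", f"{hive}\\..\\{key}", name.casefold())] = cmd
        elif m := STARTUP_RE.match(line):
            folder, lnk, target = m.groups()
            entries[("O4", folder, lnk.casefold())] = target
        elif m := SERVICE_RE.match(line):
            display, company, path = m.groups()
            short = re.search(r"\(([^()]+)\)$", display)  # assumed HJT layout
            svc = short.group(1) if short else display
            entries[("O23", svc)] = f"{company} - {path}"
    return entries


def diff_hjt(before: str, after: str) -> Tuple[List[Entry], List[Entry], List[Entry]]:
    """Return (removed, added, changed) keys between two HJT logs.

    Paths are compared case-insensitively, since Windows paths are; the
    System32/system32 spelling difference for NvCplDaemon is not a change.
    """
    b, a = parse_hjt(before), parse_hjt(after)
    removed = sorted(k for k in b if k not in a)
    added = sorted(k for k in a if k not in b)
    changed = sorted(k for k in b if k in a and b[k].casefold() != a[k].casefold())
    return removed, added, changed


if __name__ == "__main__":
    for label, keys in zip(("removed", "added", "changed"), diff_hjt(HJT_BEFORE, HJT_AFTER)):
        print(f"{label}: {len(keys)}")
        for k in keys:
            print("   ", " / ".join(k))
```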
Old 17th June 2009   #15
broni (Malware Analyst, Daly City, CA)

Let's put it this way.
You have a choice of trusting Greatis, which actually sold you RegRun, or trust me, who has no business whatsoever regarding your computer.
In my opinion, RegRun goes, Avast stays.
Avast is NOT known as a resource hogger.

As for Norton...

Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista, hold CTRL, and SHIFT, hit Enter).

At Command Prompt, type in:
sc stop NProtectService
Hit Enter.
Wait for the service to be stopped.

Type in:
sc delete NProtectService
Hit Enter.
Wait for confirmation.

Restart computer, and the service shouldn't be listed anymore.


Last edited by broni; 18th June 2009 at 02:06.