
Solved Follow Up With 2nd PC On Network: Re ADS/Possible Trojan

Discussion in 'Malware and Virus Removal Archive' started by geff, 2009/06/13.

  1. 2009/06/13
    geff, Inactive Thread Starter
    [Resolved] Follow Up With 2nd PC On Network: Re ADS/Possible Trojan

    This is a follow-up to this thread
    http://www.windowsbbs.com/malware-v...e-data-stream-attatched-c-windows-folder.html
    to make sure the XP machine networked to the infected machine with file sharing is not infected.

    This machine also has the file inst.exe, BUT it turns out a program I use, VSO ConvertXtoDVD, legitimately creates that file.

    This machine is now showing the 2 ADS per folder that the other, cleaned machine is; I SUSPECT that has something to do with Tuesday's MS patches.

    This machine has limited use, & to be honest I don't pay as much attention to detail on it as I do on the other.

    Logs to follow, & THANKS AGAIN!
     
    Last edited: 2009/06/13
    geff,
    #1
  2. 2009/06/13
    geff, Inactive Thread Starter
    DDS (Ver_09-05-14.01) - NTFSx86
    Run by Geff at 10:57:50.37 on Sat 06/13/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.248 [GMT -7:00]

    AV: avast! antivirus 4.8.1335 [VPS 090613-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\dmadmin.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    C:\Program Files\PhraseExpress\phrase.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Documents and Settings\Geff\Desktop\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uInternet Connection Wizard,ShellNext = hxxp://www.avast.com/eng/faq-red-circle.html
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVD.exe
    uRun: [Regrun2] c:\progra~1\greatis\regrun~1\WatchDog.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [RegRun WinBait] c:\windows\winbait.exe
    mRun: [@RegRunOnSecure] c:\progra~1\greatis\regrun~1\OnSecure.exe
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRunOnce: [KB923561] rundll32.exe apphelp.dll,ShimFlushCache
    StartupFolder: c:\docume~1\geff\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ipoint~1.lnk - c:\program files\microsoft intellipoint\ipoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\phrase~1.lnk - c:\program files\phraseexpress\phrase.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    Trusted Zone: aol.com\free
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207441726093
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    SEH: ShellObj Class: {f552dde6-2090-4bf4-b924-6141e87789a5} - c:\program files\greatis\regrunsuite\RRShell.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\geff\applic~1\mozilla\firefox\profiles\elbl3scp.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.dandylionrecords.com/
    FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npdrmv2.dll
    FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npdsplay.dll
    FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npnul32.dll
    FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin.dll
    FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin2.dll
    FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin3.dll
    FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin4.dll
    FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin5.dll
    FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npqtplugin6.dll
    FF - plugin: c:\progra~1\netscape\commun~1\program\plugins\npwmsdrm.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
    FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll
    FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
    FF - plugin: c:\program files\opera\program\plugins\npFoxitReaderPlugin.dll

    ============= SERVICES / DRIVERS ===============

    R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-4-9 30946]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-2 114768]
    R1 GhPciScan;GhostPciScanner;c:\program files\norton systemworks\norton ghost\GhPciScan.sys [2002-8-14 5632]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-2 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-2 155160]
    R3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2008-4-9 25773]
    S3 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-18 607576]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-2 254040]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-2 352920]
    S3 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2008-12-5 135168]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
    S3 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

    ============== File Associations ===============

    txtfile= "c:\program files\jgsoft\editpadlite\EditPadLite.exe" "%1 "

    =============== Created Last 30 ================

    2009-06-12 06:51 <DIR> --d----- c:\program files\Safer Networking
    2009-06-12 04:22 <DIR> --dsh--- c:\documents and settings\geff\PrivacIE
    2009-06-12 04:22 <DIR> --dsh--- c:\documents and settings\geff\IECompatCache
    2009-06-12 04:19 <DIR> --d----- C:\Bookmarks
    2009-06-12 03:28 <DIR> --dsh--- c:\documents and settings\geff\IETldCache
    2009-06-12 03:07 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
    2009-06-12 03:07 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
    2009-06-12 03:07 <DIR> --d----- c:\windows\ie8updates
    2009-06-12 03:06 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
    2009-06-12 03:01 <DIR> -cd-h--- c:\windows\ie8
    2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
    2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
    2009-05-26 14:56 104,384 a------- c:\windows\system32\drivers\AnyDVD.sys
    2009-05-25 05:01 89,256 a------- c:\windows\system32\ElbyCDIO.dll
    2009-05-20 23:04 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
    2009-05-20 23:04 626,688 a------- c:\windows\system32\vp7vfw.dll
    2009-05-20 23:04 217,127 a------- c:\windows\system32\drv43260.dll
    2009-05-20 23:04 208,935 a------- c:\windows\system32\drv33260.dll
    2009-05-20 23:04 176,165 a------- c:\windows\system32\drv23260.dll
    2009-05-20 23:04 102,439 a------- c:\windows\system32\sipr3260.dll
    2009-05-20 23:04 65,602 a------- c:\windows\system32\cook3260.dll

    ==================== Find3M ====================

    2009-06-13 10:34 25,773 a------- c:\windows\system32\drivers\regguard.sys
    2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
    2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
    2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
    2009-04-15 13:24 90,112 a------- c:\windows\system32\dpl100.dll
    2009-04-15 13:24 823,296 a------- c:\windows\system32\divx_xx0c.dll
    2009-04-15 13:24 823,296 a------- c:\windows\system32\divx_xx07.dll
    2009-04-15 13:24 815,104 a------- c:\windows\system32\divx_xx0a.dll
    2009-04-15 13:24 802,816 a------- c:\windows\system32\divx_xx11.dll
    2009-04-15 13:24 684,032 a------- c:\windows\system32\DivX.dll
    2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
    2007-07-05 19:18 87,608 a------- c:\docume~1\geff\applic~1\inst.exe
    2007-07-05 19:18 47,360 a------- c:\docume~1\geff\applic~1\pcouffin.sys
    2009-02-11 07:11 2 a--shrot c:\windows\winstart.bat
    2008-12-05 19:50 32 a--sh--- c:\windows\{6BD07999-72C9-4686-8BA8-98B21BF2F81E}.dat
    2008-12-05 19:52 32 a--sh--- c:\windows\{C2B5C6FD-3AE9-425D-9128-6922E1CCC4BB}.dat
    2008-12-05 19:51 32 a--sh--- c:\windows\{D03415C0-5E5B-45EB-BCEE-251B910EAE75}.dat
    2008-12-05 19:52 32 a--sh--- c:\windows\system32\{C229D828-755E-4428-9FB6-CF22892BFEBE}.dat
    2008-12-05 19:50 32 a--sh--- c:\windows\system32\{CED793A7-4A13-43BE-B65F-A642DC1E851C}.dat
    2008-12-05 19:51 32 a--sh--- c:\windows\system32\{F054AE12-4D42-49EF-AA98-A90AEFD60C89}.dat
    2008-05-16 02:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051620080517\index.dat
    2009-01-27 19:31 11,964,448 a--sh--- c:\windows\system32\drivers\fidbox.dat

    ============= FINISH: 10:58:38.59 ===============
     
    geff,
    #2


  4. 2009/06/13
    geff, Inactive Thread Starter
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-05-14.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/26/2007 11:33:49 AM
    System Uptime: 6/13/2009 10:31:41 AM (0 hours ago)

    Motherboard: Dell Computer Corporation | | Dimension 8200
    Processor: Intel(R) Pentium(R) 4 CPU 1.90GHz | Microprocessor | 1894/100mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 24.121 GiB free.
    D: is Removable
    E: is CDROM ()
    F: is CDROM ()
    G: is Removable
    H: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP369: 3/14/2009 12:45:07 PM - Software Distribution Service 3.0
    RP370: 3/17/2009 11:31:22 AM - Software Distribution Service 3.0
    RP371: 3/18/2009 8:35:47 PM - System Checkpoint
    RP372: 3/19/2009 9:04:29 PM - Software Distribution Service 3.0
    RP373: 3/23/2009 5:54:57 PM - Software Distribution Service 3.0
    RP374: 3/25/2009 10:41:12 PM - System Checkpoint
    RP375: 3/27/2009 3:33:51 PM - Software Distribution Service 3.0
    RP376: 3/29/2009 2:06:44 AM - Installed Java(TM) 6 Update 13
    RP377: 3/31/2009 1:37:10 AM - Software Distribution Service 3.0
    RP378: 4/1/2009 11:58:32 AM - System Checkpoint
    RP379: 4/2/2009 11:45:44 PM - Software Distribution Service 3.0
    RP380: 4/7/2009 9:49:01 AM - Software Distribution Service 3.0
    RP381: 4/9/2009 2:37:29 PM - System Checkpoint
    RP382: 4/10/2009 8:19:29 PM - System Checkpoint
    RP383: 4/13/2009 5:46:40 PM - Software Distribution Service 3.0
    RP384: 4/14/2009 9:03:18 PM - Software Distribution Service 3.0
    RP385: 4/21/2009 2:11:22 PM - Software Distribution Service 3.0
    RP386: 4/23/2009 8:42:42 PM - Software Distribution Service 3.0
    RP387: 4/25/2009 6:58:03 PM - System Checkpoint
    RP388: 4/27/2009 11:55:50 PM - Software Distribution Service 3.0
    RP389: 4/28/2009 12:01:00 AM - Software Distribution Service 3.0
    RP390: 4/30/2009 1:44:17 AM - System Checkpoint
    RP391: 5/1/2009 5:47:44 AM - System Checkpoint
    RP392: 5/3/2009 4:13:28 AM - Software Distribution Service 3.0
    RP393: 5/5/2009 12:08:00 PM - System Checkpoint
    RP394: 5/6/2009 4:26:10 PM - Software Distribution Service 3.0
    RP395: 5/6/2009 4:28:23 PM - Software Distribution Service 3.0
    RP396: 5/8/2009 7:29:06 AM - Software Distribution Service 3.0
    RP397: 5/9/2009 12:05:35 PM - System Checkpoint
    RP398: 5/11/2009 8:28:35 PM - Software Distribution Service 3.0
    RP399: 5/12/2009 8:35:13 PM - System Checkpoint
    RP400: 5/13/2009 3:00:17 AM - Software Distribution Service 3.0
    RP401: 5/14/2009 8:09:23 PM - System Checkpoint
    RP402: 5/15/2009 5:54:13 PM - Software Distribution Service 3.0
    RP403: 5/15/2009 5:56:23 PM - Software Distribution Service 3.0
    RP404: 5/18/2009 4:47:01 PM - Software Distribution Service 3.0
    RP405: 5/21/2009 4:59:02 AM - System Checkpoint
    RP406: 5/22/2009 12:05:55 AM - Software Distribution Service 3.0
    RP407: 5/26/2009 6:59:57 AM - Software Distribution Service 3.0
    RP408: 5/29/2009 9:58:05 AM - Software Distribution Service 3.0
    RP409: 6/1/2009 9:30:32 PM - Software Distribution Service 3.0
    RP410: 6/4/2009 10:01:40 PM - Software Distribution Service 3.0
    RP411: 6/4/2009 10:23:34 PM - Installed QuickTime
    RP412: 6/7/2009 5:16:18 PM - System Checkpoint
    RP413: 6/9/2009 7:33:35 PM - Installed Enable advisory 971778
    RP414: 6/9/2009 7:44:34 PM - Software Distribution Service 3.0
    RP415: 6/9/2009 7:46:58 PM - Software Distribution Service 3.0
    RP416: 6/12/2009 2:49:08 AM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    AAC Decoder
    Ad-Aware 2007
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Alt-Tab Task Switcher Powertoy for Windows XP
    AnyDVD
    Apple Software Update
    AutoUpdate
    avast! Antivirus
    Avery® Wizard 2.1 forMicrosoft® Word 2000
    AviSynth 2.5
    BufferChm
    C4400
    C4400_Help
    Calculator Powertoy for Windows XP
    CDEdit version 1.145
    ClearType Tuning Control Panel Applet
    CmdHere Powertoy For Windows XP
    ConvertXtoDVD 3.5.3.139
    Copy
    Critical Update for Windows Media Player 11 (KB959772)
    DAZzle
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    Digital Camera Enhancer 1.3
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    DVD and CD Cover Print
    DVD Decrypter (Remove Only)
    DVD Identifier
    DVD Shrink 3.2
    DVD slideshow GUI 0.9.0.7
    DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.3.2
    DVDFab 6.0.0.2 Beta
    DVDFab Gold 2.9.8.3
    DVDFab Platinum 4.0.1.0
    DVDFab Platinum 4.1.0.2
    eSupportQFolder
    Exact Audio Copy 0.99pb4
    FileAlyzer
    Foxit Reader
    H.264 Decoder
    HijackThis 2.0.2
    Hot CPU Tester Pro 4.4.1
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    HP Imaging Device Functions 11.0
    HP Photosmart C4400 All-In-One Driver Software 11.0 Rel .3
    HP Update
    HPProductAssistant
    ImTOO DVD Audio Ripper 5
    IrfanView (remove only)
    IsoBuster 2.0
    Java(TM) 6 Update 13
    JGsoft EditPad Pro 4.5.5
    Just Great Software EditPad Lite 6.4.5
    jv16 PowerTools 2008
    K-Lite Codec Pack 3.4.0 Standard
    Kremlin 2.21
    LiveReg (Symantec Corporation)
    LiveUpdate 1.80 (Symantec Corporation)
    Magnifier Powertoy for Windows XP
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliPoint 6.2
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 SR-1 Premium
    Microsoft Tool Web Package:WntIpcfg.exe
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    MKV Splitter
    Mozilla Firefox (2.0.0.18)
    Mozilla Firefox (3.0.10)
    MSXML 4.0 SP2 (KB954430)
    Multi Virus Cleaner 2008
    Nero 6 Ultra Edition
    Nero Digital
    Nero Media Player
    NeroMIX
    NeroVision Express Content
    Netscape Communicator 4.79
    Norton Speed Disk 7.0 for Windows NT
    Norton SystemWorks 2003
    Norton Utilities 2003 for Windows
    NVIDIA Drivers
    Opera 9.64
    Panda ActiveScan 2.0
    PanoStandAlone
    PhraseExpress
    PS_AIO_03_C4400_ProductContext
    PS_AIO_03_C4400_Software
    PS_AIO_03_C4400_Software_Min
    QuickTime
    RegRun Security Suite Gold
    SanDisk USB SSFDC Ver 1.01
    Scan
    Secunia PSI
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Spybot - Search & Destroy
    Status
    System Requirements Lab
    Toolbox
    TrayApp
    Tweak UI
    UltimateZip 3.0 Beta 2
    UnloadSupport
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VC80CRTRedist - 8.0.50727.762
    Virtual Desktop Manager Powertoy for Windows XP
    WebFldrs XP
    WebReg
    Winamp
    WinAVI Video Converter
    Windows Defender
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows XP Service Pack 3
    WINner Tweak Registry Cleaner XP 1.0.2
    WinRAR archiver
    Xvid 1.1.3 final uninstall

    ==== Event Viewer Messages From Past Week ========

    6/9/2009 8:27:17 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer GEFF that believes that it is the master browser for the domain on transport NetBT_Tcpip_{5A4CEC20-D299-46F7-B489. The master browser is stopping or an election is being forced.
    6/9/2009 4:34:29 PM, error: Service Control Manager [7023] - The Windows Driver Foundation - User-mode Driver Framework service terminated with the following error: A device attached to the system is not functioning.
    6/9/2009 4:34:29 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

    ==== End Of File ===========================
     
    geff,
    #3
  5. 2009/06/13
    broni, Moderator, Malware Analyst
    Hello again :)
    I also use ConvertXtoDVD, and I can also see the inst.exe file in C:\Users\Broni\AppData\Roaming (Vista).

    Navigate to c:\docume~1\geff\applic~1\, right-click on inst.exe, click Properties, and see if the file belongs to VSO Software.
     
  6. 2009/06/13
    geff, Inactive Thread Starter
    Yes, it does. Sorry I didn't specify that earlier.
     
    geff,
    #5
  7. 2009/06/14
    broni, Moderator, Malware Analyst
    Alrighty then. Let's run regular scans...

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe.

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2009/06/15
    geff, Inactive Thread Starter
    Hi Broni - Thanks again for all your help. Just 1 FYI: this machine is VERY SLOW, & while I don't remember for 100% certain, I'm pretty sure I intentionally turned off the no-AV notification. I have to turn off AV if I want the machine to run with any speed at all. I've assumed the problem is trying to run XP on a P4 with 512 MB RAM (Rambus).

    Logs to follow:
     
    geff,
    #7
  9. 2009/06/15
    geff, Inactive Thread Starter
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/14/2009 at 12:34 PM

    Application Version : 4.26.1004

    Core Rules Database Version : 3910
    Trace Rules Database Version: 1854

    Scan type : Complete Scan
    Total Scan Time : 01:45:25

    Memory items scanned : 234
    Memory threats detected : 0
    Registry items scanned : 4836
    Registry threats detected : 0
    File items scanned : 61426
    File threats detected : 0
     
    geff,
    #8
  10. 2009/06/15
    geff, Inactive Thread Starter
    Malwarebytes' Anti-Malware 1.37
    Database version: 2182
    Windows 5.1.2600 Service Pack 3

    6/14/2009 1:50:03 PM
    mbam-log-2009-06-14 (13-50-03).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 154505
    Time elapsed: 32 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
    geff,
    #9
  11. 2009/06/15
    geff

    geff Inactive Thread Starter

    Joined:
    2008/05/19
    Messages:
    40
    Likes Received:
    0
    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-06-15 02:44:50
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF597D6B8]
    SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwCreateKey [0xF8927800]
    SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwDeleteKey [0xF8927A00]
    SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwDeleteValueKey [0xF8927BE0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF597D14C]
    SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwOpenKey [0xF8927900]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF597D08C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF597D0F0]
    SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwQueryValueKey [0xF8927CC0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF597D72E]
    SSDT \??\C:\WINDOWS\system32\Drivers\regguard.sys (Registry Guard - registry keys protection driver for Windows NT/2000/XP/2003/Vista/Greatis Software) ZwSetValueKey [0xF8927AF0]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[588] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
    IAT C:\WINDOWS\system32\services.exe[588] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Photosmart C4400 series@ChangeID 239343

    ---- EOF - GMER 1.0.15 ----
     
  12. 2009/06/15
    geff

    geff Inactive Thread Starter

    Joined:
    2008/05/19
    Messages:
    40
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:56:33 AM, on 6/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dmadmin.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\PhraseExpress\phrase.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Documents and Settings\Geff\Desktop\security\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avast.com/eng/faq-red-circle.html
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
    O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
    O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: ipoint.exe.lnk = C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    O4 - Global Startup: PhraseExpress.lnk = C:\Program Files\PhraseExpress\phrase.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1207441726093
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

    --
    End of file - 5591 bytes
     
  13. 2009/06/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    To start with, I don't see any nasties there.

    Well, XP with 512MB of RAM won't be breaking any speed records, but it can't be painfully slow.
    You need to have some AV program running, so...
    My recommendations here would be:
    1. Uninstall Spybot.
    2. Uninstall Ad-Aware.
    3. Get rid of RegRun.
    4. Get rid of both Norton utilities, Unerase and SpeedDisk.
    The above is obviously up to you, but it'll cut down the number of startups and services running.

    Now, let's disable some unnecessary startups.
    Open HJT, and checkmark:
    - O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    - O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    - O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    - O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    - O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
    - O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

    Click "Fix checked" button.

    Restart computer.

    Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    Run defrag.

    When done with everything, let me know what your decisions were, and if you see any improvement.
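The triage above is done by eye on the O4 and O23 lines of the HijackThis log. As an added illustration (not code from this thread or from Trend Micro), here is a small parser for that log format that pulls out the autostart and service entries and lists the autostarts that are not on a caller-supplied known-good set; the sample lines are copied from the log posted above, and the KNOWN_GOOD set is an assumption for illustration only.

```python
"""Structured view of a HijackThis v2.0.2 log (added example, see lead-in)."""
import re
from dataclasses import dataclass
from typing import List, Set

# O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] ?(?P<cmd>.*)$")
# O4 - Global Startup: PhraseExpress.lnk = C:\Program Files\PhraseExpress\phrase.exe
O4_LNK = re.compile(r"^O4 - (?P<scope>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\...\NPROTECT.EXE
O23 = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
SHORT_NAME = re.compile(r"\((?P<short>[^()]+)\)$")  # "(NProtectService)" at end of display name


@dataclass(frozen=True)
class Entry:
    kind: str     # "run" (registry Run key), "startup" (Startup folder) or "service"
    source: str   # hive\key, startup-folder scope, or the service's short name
    name: str     # autostart value name / .lnk name / service display name
    command: str  # command line or service binary path


def parse_hjt(text: str) -> List[Entry]:
    """Return the O4 and O23 entries in log order; other sections are ignored."""
    out: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RUN.match(line):
            out.append(Entry("run", f"{m['hive']}\\{m['key']}", m["name"], m["cmd"]))
        elif m := O4_LNK.match(line):
            out.append(Entry("startup", m["scope"], m["name"], m["cmd"]))
        elif m := O23.match(line):
            s = SHORT_NAME.search(m["display"])
            out.append(Entry("service", s["short"] if s else m["display"], m["display"], m["path"]))
    return out


def unknown_autostarts(entries: List[Entry], known_good: Set[str]) -> List[Entry]:
    """O4 entries whose name is not on the known-good list: the ones to look at first."""
    return [e for e in entries if e.kind != "service" and e.name not in known_good]


# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: PhraseExpress.lnk = C:\Program Files\PhraseExpress\phrase.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    # KNOWN_GOOD is an assumed allowlist for illustration, not a vendor list.
    KNOWN_GOOD = {"avast!", "Regrun2"}
    for e in unknown_autostarts(parse_hjt(SAMPLE_LOG), KNOWN_GOOD):
        print(f"{e.kind:8} {e.source:16} {e.name!r:22} -> {e.command}")
```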
     
  14. 2009/06/16
    geff

    geff Inactive Thread Starter

    Joined:
    2008/05/19
    Messages:
    40
    Likes Received:
    0
    Broni, a question: I know that Reg Run does slow things down. Still, I consider it indispensable. Greatis support has told me they feel it's ok to run reg run with no av, as long as I have an av installed for on demand scanning (which I use). Do you disagree?
     
  15. 2009/06/16
    geff

    geff Inactive Thread Starter

    Joined:
    2008/05/19
    Messages:
    40
    Likes Received:
    0
    Hi Broni - Thanks again for your help!!!! I've done everything you suggested OTHER than removing RegRun that I was able to.

    Re Norton: LONG story, but have previously had problems with Norton hosing on uninstall & can't even remove it with Symantec's uninstall program at this point. I was able to stop the services from running EXCEPT Unerase.

    Also, I ran into an issue when I removed the Nvidia O4 run keys: Avast's icon disappeared, & I could only get it back with System Restore. I've dealt with similar problems with the Avast icon before; to the best of my knowledge, it's impossible to pause Avast without that icon.

    Being temporarily unable to disable Avast, I was reminded that while Reg Run does significantly slow the system down, Avast is a much worse offender. Fortunately, I don't have that issue on the other (Quad core) machine.

    Is there a different av that uses very low resources you'd recommend? Preferably free, but free is not required.

    Here's the current log; it's somewhat faster with Avast disabled, but still intensely slow with Avast running. The main thing that's slow is opening programs; they run pretty well once they've opened.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:14:57 AM, on 6/16/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dmadmin.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    C:\Program Files\PhraseExpress\phrase.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Geff\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avast.com/eng/faq-red-circle.html
    N1 - Netscape 4: user_pref( "browser.startup.homepage ", "http://www.dandylionrecords.com/ "); (J:\prefs.js)
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
    O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
    O4 - Global Startup: ipoint.exe.lnk = C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    O4 - Global Startup: PhraseExpress.lnk = C:\Program Files\PhraseExpress\phrase.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1207441726093
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4966 bytes
     
    Last edited: 2009/06/16
  16. 2009/06/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Let's put it this way.
    You have a choice of trusting Greatis, which actually sold you RegRun, or trusting me, who has no business whatsoever regarding your computer.
    In my opinion, RegRun goes, Avast stays.
    Avast is NOT known as a resource hog.

    As for Norton...

    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, hold CTRL, and SHIFT, hit Enter).

    At Command Prompt, type in:
    sc stop NProtectService
    Hit Enter.
    Wait for the service to be stopped.

    Type in:
    sc delete NProtectService
    Hit Enter.
    Wait for confirmation.

    Restart computer, and the service shouldn't be listed anymore.
     
    Last edited: 2009/06/17
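The sc stop / sc delete steps above have two "wait for" pauses that are easy to get wrong by hand. As an added example (not code from this thread), this script does the same sequence and polls `sc query` for the STATE line instead of guessing; only the output parsing runs off a Windows box, and the sample sc output is constructed in the standard `sc query` layout.

```python
"""Automate the sc stop / sc delete steps from the post above (added example)."""
import re
import subprocess
import sys
import time
from typing import Optional

# "        STATE              : 4  RUNNING" -> RUNNING (also STOP_PENDING, STOPPED, ...)
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(?P<state>[A-Z_]+)", re.MULTILINE)
MISSING_RE = re.compile(r"FAILED 1060")  # ERROR_SERVICE_DOES_NOT_EXIST from sc query

def query_state(sc_output: str) -> Optional[str]:
    """Map `sc query <name>` output to its STATE word, "MISSING" when sc
    reports error 1060, or None when the text has no STATE line at all."""
    if MISSING_RE.search(sc_output):
        return "MISSING"
    m = STATE_RE.search(sc_output)
    return m["state"] if m else None

def _sc(*args: str) -> str:
    """Run sc.exe and return its combined output; sc prints its own [SC] error
    lines, so the text is parsed rather than trusting the exit code."""
    proc = subprocess.run(["sc", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr

def remove_service(name: str, timeout_s: float = 60.0) -> bool:
    """sc stop, wait until STOPPED, sc delete, wait until sc no longer lists it.
    Returns True once the service is gone; needs an elevated command prompt."""
    deadline = time.monotonic() + timeout_s
    state = query_state(_sc("query", name))
    if state == "MISSING":
        return True
    if state != "STOPPED":
        _sc("stop", name)
    while query_state(_sc("query", name)) not in ("STOPPED", "MISSING"):
        if time.monotonic() > deadline:
            return False  # e.g. stuck in STOP_PENDING
        time.sleep(1.0)
    _sc("delete", name)
    # With no open handles the entry vanishes at once; otherwise it is only
    # marked for deletion and stays listed until the reboot the post asks for.
    while query_state(_sc("query", name)) != "MISSING":
        if time.monotonic() > deadline:
            return False
        time.sleep(1.0)
    return True

# Constructed sc.exe output in the standard `sc query` layout, for offline checks.
SAMPLE_RUNNING = """SERVICE_NAME: NProtectService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_MISSING = ("[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
                  "The specified service does not exist as an installed service.\n")

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("sc.exe is a Windows tool; run this on the affected machine")
    target = sys.argv[1] if len(sys.argv) > 1 else "NProtectService"
    print("removed" if remove_service(target) else "still listed; reboot and re-check")
```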
  17. 2009/06/17
    geff

    geff Inactive Thread Starter

    Joined:
    2008/05/19
    Messages:
    40
    Likes Received:
    0
    That killed Norton, thanks again!!!!
     
  18. 2009/06/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're welcome :)

    That's about all we can do here, so I'll mark this thread as resolved.
     
