Old 04-17-2009, 02:17 AM   #1 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 85
OS: WinXP


very slooooooooowwww

Hello and thank you for helping. My friend's computer is running excruciatingly slow, to the point where launching Outlook Express (or any program) takes longer than 5 minutes after a 3 minute startup. Spybot Search and Destroy detected Smitfraud and Myweb, and it appears as though they have been removed, but the sluggishness remains. Here are the logs requested.

I'm not sure that GMER ran correctly. It generated a report as soon as it opened. After unchecking items as per the instructions, the "scan" button didn't seem to work. I've attached what was generated anyway. Hope that's OK.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Mike at 3:30:22.85 on Fri 04/17/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.122 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090415-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [CTSysVol] "c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe" /r
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [WinVNC] "c:\program files\ultravnc\winvnc.exe" -servicehelper
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://mypoints.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179092775906
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220446952328
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://fn2win.fusonet2.com/dwa7W.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = :\windows\syste

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\afwuemba.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\mike\application data\mozilla\firefox\profiles\afwuemba.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-30 114768]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-30 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-10-30 138680]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-1-8 46112]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-10-2 3667304]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-11-5 1066360]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-10-30 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-10-30 352920]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-04-15 18:10 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 18:10 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 18:10 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-07 16:45 <DIR> --dsh--- c:\documents and settings\mike\IETldCache
2009-04-06 19:51 <DIR> -cd-h--- c:\windows\ie8
2009-04-06 19:47 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll

==================== Find3M ====================

2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 21:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-09-04 10:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 3:32:52.75 ===============
Attached Files
File Type: zip Attach.zip (4.6 KB, 3 views)
jagzee is offline  
Old 04-18-2009, 08:40 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,116
OS: WinXP and Vista


Re: very slooooooooowwww

Hello jagzee,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT- Save ComboFix.exe to your Desktop

--------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

FireFox::
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

=================================

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

=================================





Referring to the picture above, drag CFScript into ComboFix.exe


*Be sure to follow any prompts you may receive to allow ComboFix to download the Microsoft Windows Recovery Console. Once downloaded, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that here for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
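The CFScript above targets one line the analyst picked out of the DDS "Pseudo HJT Report" / FIREFOX sections by eye: the Zango plugin DLL. As an added example (not part of this thread, and not code from the DDS or ComboFix tools), the Python script below does the same first-pass triage mechanically: it parses lines in DDS's BHO/TB/EB/Run/FF-plugin format, marks registry entries whose target is "No File" as orphans, and flags plugin or program paths that match a small watchlist. The watchlist contents and the sample lines (copied from the DDS log posted earlier in this thread) are constructed for illustration; the verdict names are my own.

```python
import re

# Sample input: a few lines taken from the DDS log posted in this thread
# (constructed subset for the example; not a complete log).
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: 1 (0x1) - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [WinVNC] "c:\program files\ultravnc\winvnc.exe" -servicehelper
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
"""

# Constructed watchlist: lowercase substrings of adware/PUP family names that the
# thread itself mentions (Zango, MyWeb). A real triage list would be far longer.
WATCHLIST = ("zango", "myweb")

# Entry kinds DDS prints in the Pseudo HJT Report and FIREFOX sections.
HJT_LINE = re.compile(r"^(?P<kind>BHO|TB|EB|uRun|mRun|dRun|FF - plugin):\s*(?P<rest>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")


def triage_dds(text, watchlist=WATCHLIST):
    """Return one finding dict per recognised DDS line.

    verdict is one of:
      'orphan'    - a registered BHO/toolbar/band whose file is gone ("No File");
                    harmless by itself but worth cleaning up.
      'watchlist' - the on-disk target matches a watchlist substring.
      'clean'     - nothing matched; still needs a human look.
    """
    findings = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "FF - plugin":
            target = rest  # plugin lines are just a path
        else:
            # "<name>: <clsid> - <target>" or "[name] <cmdline>"; take the text after the last " - "
            target = rest.rsplit(" - ", 1)[1] if " - " in rest else rest
        clsid = CLSID.search(rest)
        low = target.strip().lower()
        if low == "no file":
            verdict = "orphan"
        elif any(w in low for w in watchlist):
            verdict = "watchlist"
        else:
            verdict = "clean"
        findings.append({
            "kind": kind,
            "clsid": clsid.group(0) if clsid else None,
            "target": target.strip(),
            "verdict": verdict,
        })
    return findings


def summarize(findings):
    """Count findings per verdict, e.g. {'orphan': 4, 'watchlist': 1, 'clean': 3}."""
    counts = {}
    for f in findings:
        counts[f["verdict"]] = counts.get(f["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS)
    for f in results:
        if f["verdict"] != "clean":
            print(f"{f['verdict']:9} {f['kind']:11} {f['clsid'] or '-':40} {f['target']}")
    print(summarize(results))
```

Run it against a saved DDS log by reading the file into `triage_dds`; the watchlist hit is exactly the line Ried put into the CFScript, and the four "No File" orphans are the leftover CLSID registrations that a later cleanup step would remove.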
Old 04-20-2009, 11:23 AM   #3 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 85
OS: WinXP


Re: very slooooooooowwww

Thank you Ried, here is the log:

ComboFix 09-04-19.01 - Mike 04/20/2009 12:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.198 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090419-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
c:\windows\jestertb.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-20 12:49 . 2009-04-20 12:49 -------- d-sh--w c:\documents and settings\Lyle\IECompatCache
2009-04-19 20:00 . 2009-04-19 20:02 26 ----a-w c:\windows\Zone.Identifier
2009-04-15 22:11 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 22:11 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 22:11 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 22:11 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 22:11 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 22:11 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 22:11 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 22:11 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 22:11 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 22:11 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 22:10 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 22:10 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 22:10 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-07 20:56 . 2009-04-07 20:56 -------- d-sh--w c:\documents and settings\Nadines Work\PrivacIE
2009-04-07 20:55 . 2009-04-07 20:55 -------- d-sh--w c:\documents and settings\Nadines Work\IETldCache
2009-04-07 20:45 . 2009-04-07 20:45 -------- d-sh--w c:\documents and settings\Mike\IETldCache
2009-04-07 00:10 . 2009-04-07 00:10 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-07 00:08 . 2009-04-07 00:08 -------- d-sh--w c:\documents and settings\Lyle\IETldCache
2009-04-06 23:51 . 2009-04-06 23:54 -------- dc-h--w c:\windows\ie8
2009-04-06 23:47 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 15:49 . 2007-05-20 15:58 268 ---ha-w C:\sqmdata18.sqm
2009-04-20 15:49 . 2007-05-20 15:58 244 ---ha-w C:\sqmnoopt18.sqm
2009-04-18 12:26 . 2007-05-18 12:06 268 ---ha-w C:\sqmdata17.sqm
2009-04-18 12:26 . 2007-05-18 12:06 244 ---ha-w C:\sqmnoopt17.sqm
2009-04-17 12:02 . 2007-05-18 01:05 268 ---ha-w C:\sqmdata16.sqm
2009-04-17 12:02 . 2007-05-18 01:05 244 ---ha-w C:\sqmnoopt16.sqm
2009-04-17 00:34 . 2007-05-17 01:41 268 ---ha-w C:\sqmdata15.sqm
2009-04-17 00:34 . 2007-05-17 01:41 244 ---ha-w C:\sqmnoopt15.sqm
2009-04-16 02:24 . 2007-05-17 00:49 268 ---ha-w C:\sqmdata14.sqm
2009-04-16 02:24 . 2007-05-17 00:49 244 ---ha-w C:\sqmnoopt14.sqm
2009-04-16 01:16 . 2007-05-13 23:35 -------- d-----w c:\documents and settings\Lyle\Application Data\Sonic
2009-04-16 01:10 . 2007-05-13 23:35 54248 ----a-w c:\documents and settings\Lyle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 23:13 . 2008-09-26 01:31 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-14 23:12 . 2007-05-16 04:05 268 ---ha-w C:\sqmdata13.sqm
2009-04-14 23:12 . 2007-05-16 04:05 244 ---ha-w C:\sqmnoopt13.sqm
2009-04-14 12:56 . 2008-09-26 01:31 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-14 01:59 . 2007-05-15 22:04 268 ---ha-w C:\sqmdata12.sqm
2009-04-14 01:59 . 2007-05-15 22:04 244 ---ha-w C:\sqmnoopt12.sqm
2009-04-13 13:29 . 2007-05-15 21:18 268 ---ha-w C:\sqmdata11.sqm
2009-04-13 13:29 . 2007-05-15 21:18 244 ---ha-w C:\sqmnoopt11.sqm
2009-04-12 11:36 . 2007-05-15 20:33 268 ---ha-w C:\sqmdata10.sqm
2009-04-12 11:36 . 2007-05-15 20:33 244 ---ha-w C:\sqmnoopt10.sqm
2009-04-10 00:38 . 2007-05-15 20:27 268 ---ha-w C:\sqmdata09.sqm
2009-04-10 00:38 . 2007-05-15 20:27 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-09 01:51 . 2007-05-15 20:19 268 ---ha-w C:\sqmdata08.sqm
2009-04-09 01:51 . 2007-05-15 20:19 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-09 01:50 . 2007-12-11 01:06 -------- d-----w c:\program files\Google
2009-04-08 20:33 . 2007-05-14 21:10 268 ---ha-w C:\sqmdata07.sqm
2009-04-08 20:33 . 2007-05-14 21:10 244 ---ha-w C:\sqmnoopt07.sqm
2009-04-08 02:41 . 2007-05-14 21:02 268 ---ha-w C:\sqmdata06.sqm
2009-04-08 02:41 . 2007-05-14 21:02 244 ---ha-w C:\sqmnoopt06.sqm
2009-04-07 23:52 . 2007-05-14 14:33 268 ---ha-w C:\sqmdata05.sqm
2009-04-07 23:52 . 2007-05-14 14:33 244 ---ha-w C:\sqmnoopt05.sqm
2009-04-07 21:28 . 2008-11-16 07:16 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-07 03:31 . 2007-05-13 23:45 268 ---ha-w C:\sqmdata04.sqm
2009-04-07 03:31 . 2007-05-13 23:45 244 ---ha-w C:\sqmnoopt04.sqm
2009-04-06 23:43 . 2007-05-13 23:41 268 ---ha-w C:\sqmdata03.sqm
2009-04-06 23:43 . 2007-05-13 23:41 244 ---ha-w C:\sqmnoopt03.sqm
2009-04-06 15:35 . 2007-05-13 23:13 268 ---ha-w C:\sqmdata02.sqm
2009-04-06 15:35 . 2007-05-13 23:13 244 ---ha-w C:\sqmnoopt02.sqm
2009-04-06 14:21 . 2007-05-13 22:46 268 ---ha-w C:\sqmdata01.sqm
2009-04-06 14:21 . 2007-05-13 22:46 244 ---ha-w C:\sqmnoopt01.sqm
2009-04-06 12:29 . 2007-05-13 22:39 268 ---ha-w C:\sqmdata00.sqm
2009-04-06 12:29 . 2007-05-13 22:39 244 ---ha-w C:\sqmnoopt00.sqm
2009-04-06 01:14 . 2007-05-20 17:23 268 ---ha-w C:\sqmdata19.sqm
2009-04-06 01:14 . 2007-05-20 17:23 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-29 19:26 . 2007-05-13 21:19 -------- d-----w c:\program files\Common Files\Adobe
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
2009-03-08 18:09 . 2006-10-17 17:04 638816 ----a-w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-03-08 18:09 . 2006-10-17 17:01 391536 ----a-w c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
2009-03-08 08:41 . 2006-10-17 17:33 5937152 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2009-03-08 08:39 . 2007-05-14 06:22 11063808 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2009-03-08 08:34 . 2006-10-17 17:33 914944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-08 08:34 . 2006-06-23 15:33 914944 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-08 08:34 . 2006-10-17 17:33 1206784 ----a-w c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
2009-03-08 08:34 . 2006-10-17 17:33 236544 ----a-w c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
2009-03-08 08:34 . 2006-10-17 17:05 43008 ----a-w c:\windows\SYSTEM32\DLLCACHE\licmgr10.dll
2009-03-08 08:34 . 2002-08-29 10:00 43008 ----a-w c:\windows\SYSTEM32\licmgr10.dll
2009-03-08 08:34 . 2006-10-17 17:05 105984 ----a-w c:\windows\SYSTEM32\DLLCACHE\url.dll
2009-03-08 08:34 . 2006-10-17 17:05 193536 ----a-w c:\windows\SYSTEM32\DLLCACHE\msrating.dll
2009-03-08 08:34 . 2006-10-17 17:04 109568 ----a-w c:\windows\SYSTEM32\DLLCACHE\occache.dll
2009-03-08 08:33 . 2006-10-17 17:33 759296 ----a-w c:\windows\SYSTEM32\DLLCACHE\VGX.dll
2009-03-08 08:33 . 2009-03-08 08:33 18944 ------w c:\windows\SYSTEM32\DLLCACHE\corpol.dll
2009-03-08 08:33 . 2002-08-29 10:00 18944 ----a-w c:\windows\SYSTEM32\corpol.dll
2009-03-08 08:33 . 2006-10-17 17:33 25600 ----a-w c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
2009-03-08 08:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\SYSTEM32\DLLCACHE\jscript.dll
2009-03-08 08:33 . 2006-10-17 17:01 229376 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
2009-03-08 08:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\SYSTEM32\DLLCACHE\vbscript.dll
2009-03-08 08:33 . 2002-08-29 10:00 420352 ----a-w c:\windows\SYSTEM32\vbscript.dll
2009-03-08 08:33 . 2006-10-17 17:01 125952 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
2009-03-08 08:32 . 2006-10-17 17:01 72704 ----a-w c:\windows\SYSTEM32\DLLCACHE\admparse.dll
2009-03-08 08:32 . 2002-08-29 10:00 72704 ----a-w c:\windows\SYSTEM32\admparse.dll
2009-03-08 08:32 . 2006-10-17 17:00 173056 ----a-w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-03-08 08:32 . 2006-10-17 16:23 163840 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-03-08 08:32 . 2006-10-17 17:01 71680 ----a-w c:\windows\SYSTEM32\DLLCACHE\iesetup.dll
2009-03-08 08:32 . 2006-10-17 17:00 55808 ----a-w c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
2009-03-08 08:32 . 2002-08-29 10:00 71680 ----a-w c:\windows\SYSTEM32\iesetup.dll
2009-03-08 08:32 . 2006-10-17 17:00 128512 ----a-w c:\windows\SYSTEM32\DLLCACHE\advpack.dll
2009-03-08 08:32 . 2006-10-17 17:00 94720 ----a-w c:\windows\SYSTEM32\DLLCACHE\inseng.dll
2009-03-08 08:32 . 2007-05-14 06:22 594432 ----a-w c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
2009-03-08 08:32 . 2007-05-14 06:22 1985024 ----a-w c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
2009-03-08 08:32 . 2006-10-17 17:33 611840 ----a-w c:\windows\SYSTEM32\DLLCACHE\mstime.dll
2009-03-08 08:24 . 2006-10-17 16:44 68608 ----a-w c:\windows\SYSTEM32\DLLCACHE\hmmapi.dll
2009-03-08 08:22 . 2006-10-17 17:33 156160 ----a-w c:\windows\SYSTEM32\DLLCACHE\msls31.dll
2009-03-08 08:22 . 2002-08-29 10:00 156160 ----a-w c:\windows\SYSTEM32\msls31.dll
2009-03-08 08:11 . 2007-05-14 06:22 445952 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
2009-03-06 14:22 . 2002-08-29 10:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-02-09 12:10 . 2004-03-30 01:48 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 10:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 10:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-15 07:03 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2002-08-29 10:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-07 23:02 . 2008-10-15 07:03 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-07 01:07 . 2007-05-14 06:22 3698584 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dat
2009-02-06 11:11 . 2002-08-29 10:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-15 07:03 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 07:03 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 11:06 . 1980-01-01 05:00 2145280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 10:39 . 2002-08-29 10:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2008-09-04 14:58 . 2008-09-04 14:59 32768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-10-12 18:11 238968 ----a-w c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_9.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-09 68592]
"WinVNC"="c:\program files\UltraVNC\winvnc.exe" [2005-08-06 974848]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-10-12 6272888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-15 23:46 87352 ----a-w c:\windows\SYSTEM32\LMIinit.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"wave4"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc
"1824:UDP"= 1824:UDP:Windows Media Format SDK (iexplore.exe)
"1842:UDP"= 1842:UDP:Windows Media Format SDK (iexplore.exe)
"1852:UDP"= 1852:UDP:Windows Media Format SDK (iexplore.exe)
"1868:UDP"= 1868:UDP:Windows Media Format SDK (iexplore.exe)

R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-10-02 29808]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-08-03 46112]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2008-10-12 1066360]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2009-04-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

2009-04-13 c:\windows\Tasks\wrSpySweeper_L110CB1336ED145E1A698CAAB7FA63DAA.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-13 c:\windows\Tasks\wrSpySweeper_L110CB1336ED145E1A698CAAB7FA63DAA.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-14 c:\windows\Tasks\wrSpySweeper_L2CA85AFD8D3A4484ABCA663BD87696A5.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-14 c:\windows\Tasks\wrSpySweeper_L2CA85AFD8D3A4484ABCA663BD87696A5.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-20 c:\windows\Tasks\wrSpySweeper_L9F8A70F3660449AEBD846B3D342958CE.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-20 c:\windows\Tasks\wrSpySweeper_L9F8A70F3660449AEBD846B3D342958CE.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-17 c:\windows\Tasks\wrSpySweeper_LC5C8FE1475994F1F99D5F70ECBE14D0B.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-17 c:\windows\Tasks\wrSpySweeper_LC5C8FE1475994F1F99D5F70ECBE14D0B.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]
.
.
------- Supplementary Scan -------
.
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: **{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\afwuemba.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\afwuemba.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 12:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-615407094-731155592-2917792241-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\LMIinit.dll
c:\program files\UltraVNC\vnchooks.dll

- - - - - - - > 'explorer.exe'(3472)
c:\program files\UltraVNC\vnchooks.dll
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_9.dll
c:\program files\Google\Quick Search Box\bin\1.1.1038.9122\qsb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\ZuneBusEnum.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2009-04-20 13:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 17:08

Pre-Run: 129,299,787,776 bytes free
Post-Run: 129,692,860,416 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

301 --- E O F --- 2009-04-16 08:04
Old 04-20-2009, 08:17 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,116
OS: WinXP and Vista


Re: very slooooooooowwww

Hi jagzee,

Is there any improvement at all? I'd like you to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

**Vista users - right click on the IE icon and run as administrator

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-21-2009, 07:22 PM   #5 (permalink)
Registered User
Join Date: Jan 2006
Posts: 85
OS: WinXP


Re: very slooooooooowwww

Thank you Ried. No there isn't any improvement. Here is the report you requested.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 21, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 21, 2009 13:57:35
Records in database: 2066193
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 126333
Threat name: 5
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 02:09:00


File name / Threat name / Threats count
C:\Program Files\UltraVNC\winvnc.exe/C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
C:\Documents and Settings\Lyle\My Documents\My Music\My Playlists\dave chapelle cute girl has orgasm on webcam.mpg Infected: Trojan-Downloader.WMA.GetCodec.e 1
C:\Documents and Settings\Lyle\My Documents\My Music\My Playlists\how come d 12.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Mike\Desktop\gmer\gmer.exe Infected: Trojan.Win32.Agent.ccfc 1
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0045988.exe Infected: Trojan.Win32.Buzus.aebw 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP212\A0110194.exe Infected: Trojan.Win32.Agent.ccfc 1

The selected area was scanned.
Old 04-21-2009, 09:31 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,116
OS: WinXP and Vista


Re: very slooooooooowwww

Hi jagzee,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT- Save ComboFix.exe to your Desktop

--------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
C:\Documents and Settings\Lyle\My Documents\My Music\My Playlists\dave chapelle cute girl has orgasm on webcam.mpg
C:\Documents and Settings\Lyle\My Documents\My Music\My Playlists\how come d 12.mp3

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

=================================

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

=================================

Referring to the picture above, drag CFScript into ComboFix.exe


*Be sure to follow any prompts you may receive to allow ComboFix to download the Microsoft Windows Recovery Console. Once downloaded, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


When finished, it shall produce a log for you at C:\ComboFix.txt.

Please post that here for further review as well as update on system behavior - any improvement?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-21-2009, 11:40 PM   #7 (permalink)
Registered User
Join Date: Jan 2006
Posts: 85
OS: WinXP


Re: very slooooooooowwww

Thanks Ried. The machine remains painfully slow. About 4 minutes to start up after logging in to user account. About 5 minutes to launch Outlook Express, same with Firefox. Other programs such as MS Office programs seem to start normally.

Here is the ComboFix report.

ComboFix 09-04-22.03 - Mike 04/22/2009 0:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.183 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090421-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Lyle\My Documents\My Music\My Playlists\dave chapelle cute girl has orgasm on webcam.mpg
c:\documents and settings\Lyle\My Documents\My Music\My Playlists\how come d 12.mp3
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lyle\My Documents\My Music\My Playlists\dave chapelle cute girl has orgasm on webcam.mpg
c:\documents and settings\Lyle\My Documents\My Music\My Playlists\how come d 12.mp3

.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-20 21:56 . 2009-04-20 21:59 -------- d-----w c:\documents and settings\Mike\Local Settings\Application Data\Powercinema
2009-04-20 21:56 . 2009-04-20 21:57 -------- d-----w c:\documents and settings\Mike\Application Data\CyberLink
2009-04-20 12:49 . 2009-04-20 12:49 -------- d-sh--w c:\documents and settings\Lyle\IECompatCache
2009-04-19 20:00 . 2009-04-19 20:02 26 ----a-w c:\windows\Zone.Identifier
2009-04-15 22:11 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 22:11 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 22:11 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 22:11 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 22:11 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 22:11 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 22:11 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 22:11 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 22:11 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 22:11 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 22:10 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 22:10 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 22:10 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-07 20:56 . 2009-04-07 20:56 -------- d-sh--w c:\documents and settings\Nadines Work\PrivacIE
2009-04-07 20:55 . 2009-04-07 20:55 -------- d-sh--w c:\documents and settings\Nadines Work\IETldCache
2009-04-07 20:45 . 2009-04-07 20:45 -------- d-sh--w c:\documents and settings\Mike\IETldCache
2009-04-07 00:10 . 2009-04-07 00:10 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-07 00:08 . 2009-04-07 00:08 -------- d-sh--w c:\documents and settings\Lyle\IETldCache
2009-04-06 23:51 . 2009-04-06 23:54 -------- dc-h--w c:\windows\ie8
2009-04-06 23:47 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 15:07 . 2007-05-20 17:23 268 ---ha-w C:\sqmdata19.sqm
2009-04-21 15:07 . 2007-05-20 17:23 244 ---ha-w C:\sqmnoopt19.sqm
2009-04-21 11:34 . 2008-09-26 01:31 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-20 15:49 . 2007-05-20 15:58 268 ---ha-w C:\sqmdata18.sqm
2009-04-20 15:49 . 2007-05-20 15:58 244 ---ha-w C:\sqmnoopt18.sqm
2009-04-18 12:26 . 2007-05-18 12:06 268 ---ha-w C:\sqmdata17.sqm
2009-04-18 12:26 . 2007-05-18 12:06 244 ---ha-w C:\sqmnoopt17.sqm
2009-04-17 12:02 . 2007-05-18 01:05 268 ---ha-w C:\sqmdata16.sqm
2009-04-17 12:02 . 2007-05-18 01:05 244 ---ha-w C:\sqmnoopt16.sqm
2009-04-17 00:34 . 2007-05-17 01:41 268 ---ha-w C:\sqmdata15.sqm
2009-04-17 00:34 . 2007-05-17 01:41 244 ---ha-w C:\sqmnoopt15.sqm
2009-04-16 02:24 . 2007-05-17 00:49 268 ---ha-w C:\sqmdata14.sqm
2009-04-16 02:24 . 2007-05-17 00:49 244 ---ha-w C:\sqmnoopt14.sqm
2009-04-16 01:16 . 2007-05-13 23:35 -------- d-----w c:\documents and settings\Lyle\Application Data\Sonic
2009-04-16 01:10 . 2007-05-13 23:35 54248 ----a-w c:\documents and settings\Lyle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 23:12 . 2007-05-16 04:05 268 ---ha-w C:\sqmdata13.sqm
2009-04-14 23:12 . 2007-05-16 04:05 244 ---ha-w C:\sqmnoopt13.sqm
2009-04-14 12:56 . 2008-09-26 01:31 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-14 01:59 . 2007-05-15 22:04 268 ---ha-w C:\sqmdata12.sqm
2009-04-14 01:59 . 2007-05-15 22:04 244 ---ha-w C:\sqmnoopt12.sqm
2009-04-13 13:29 . 2007-05-15 21:18 268 ---ha-w C:\sqmdata11.sqm
2009-04-13 13:29 . 2007-05-15 21:18 244 ---ha-w C:\sqmnoopt11.sqm
2009-04-12 11:36 . 2007-05-15 20:33 268 ---ha-w C:\sqmdata10.sqm
2009-04-12 11:36 . 2007-05-15 20:33 244 ---ha-w C:\sqmnoopt10.sqm
2009-04-10 00:38 . 2007-05-15 20:27 268 ---ha-w C:\sqmdata09.sqm
2009-04-10 00:38 . 2007-05-15 20:27 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-09 01:51 . 2007-05-15 20:19 268 ---ha-w C:\sqmdata08.sqm
2009-04-09 01:51 . 2007-05-15 20:19 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-09 01:50 . 2007-12-11 01:06 -------- d-----w c:\program files\Google
2009-04-08 20:33 . 2007-05-14 21:10 268 ---ha-w C:\sqmdata07.sqm
2009-04-08 20:33 . 2007-05-14 21:10 244 ---ha-w C:\sqmnoopt07.sqm
2009-04-08 02:41 . 2007-05-14 21:02 268 ---ha-w C:\sqmdata06.sqm
2009-04-08 02:41 . 2007-05-14 21:02 244 ---ha-w C:\sqmnoopt06.sqm
2009-04-07 23:52 . 2007-05-14 14:33 268 ---ha-w C:\sqmdata05.sqm
2009-04-07 23:52 . 2007-05-14 14:33 244 ---ha-w C:\sqmnoopt05.sqm
2009-04-07 21:28 . 2008-11-16 07:16 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-07 03:31 . 2007-05-13 23:45 268 ---ha-w C:\sqmdata04.sqm
2009-04-07 03:31 . 2007-05-13 23:45 244 ---ha-w C:\sqmnoopt04.sqm
2009-04-06 23:43 . 2007-05-13 23:41 268 ---ha-w C:\sqmdata03.sqm
2009-04-06 23:43 . 2007-05-13 23:41 244 ---ha-w C:\sqmnoopt03.sqm
2009-04-06 15:35 . 2007-05-13 23:13 268 ---ha-w C:\sqmdata02.sqm
2009-04-06 15:35 . 2007-05-13 23:13 244 ---ha-w C:\sqmnoopt02.sqm
2009-04-06 14:21 . 2007-05-13 22:46 268 ---ha-w C:\sqmdata01.sqm
2009-04-06 14:21 . 2007-05-13 22:46 244 ---ha-w C:\sqmnoopt01.sqm
2009-04-06 12:29 . 2007-05-13 22:39 268 ---ha-w C:\sqmdata00.sqm
2009-04-06 12:29 . 2007-05-13 22:39 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-29 19:26 . 2007-05-13 21:19 -------- d-----w c:\program files\Common Files\Adobe
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
2009-03-08 18:09 . 2006-10-17 17:04 638816 ----a-w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-03-08 18:09 . 2006-10-17 17:01 391536 ----a-w c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
2009-03-08 08:41 . 2006-10-17 17:33 5937152 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2009-03-08 08:39 . 2007-05-14 06:22 11063808 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2009-03-08 08:34 . 2006-10-17 17:33 914944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-08 08:34 . 2006-06-23 15:33 914944 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-08 08:34 . 2006-10-17 17:33 1206784 ----a-w c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
2009-03-08 08:34 . 2006-10-17 17:33 236544 ----a-w c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
2009-03-08 08:34 . 2006-10-17 17:05 43008 ----a-w c:\windows\SYSTEM32\DLLCACHE\licmgr10.dll
2009-03-08 08:34 . 2002-08-29 10:00 43008 ----a-w c:\windows\SYSTEM32\licmgr10.dll
2009-03-08 08:34 . 2006-10-17 17:05 105984 ----a-w c:\windows\SYSTEM32\DLLCACHE\url.dll
2009-03-08 08:34 . 2006-10-17 17:05 193536 ----a-w c:\windows\SYSTEM32\DLLCACHE\msrating.dll
2009-03-08 08:34 . 2006-10-17 17:04 109568 ----a-w c:\windows\SYSTEM32\DLLCACHE\occache.dll
2009-03-08 08:33 . 2006-10-17 17:33 759296 ----a-w c:\windows\SYSTEM32\DLLCACHE\VGX.dll
2009-03-08 08:33 . 2009-03-08 08:33 18944 ------w c:\windows\SYSTEM32\DLLCACHE\corpol.dll
2009-03-08 08:33 . 2002-08-29 10:00 18944 ----a-w c:\windows\SYSTEM32\corpol.dll
2009-03-08 08:33 . 2006-10-17 17:33 25600 ----a-w c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
2009-03-08 08:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\SYSTEM32\DLLCACHE\jscript.dll
2009-03-08 08:33 . 2006-10-17 17:01 229376 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
2009-03-08 08:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\SYSTEM32\DLLCACHE\vbscript.dll
2009-03-08 08:33 . 2002-08-29 10:00 420352 ----a-w c:\windows\SYSTEM32\vbscript.dll
2009-03-08 08:33 . 2006-10-17 17:01 125952 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
2009-03-08 08:32 . 2006-10-17 17:01 72704 ----a-w c:\windows\SYSTEM32\DLLCACHE\admparse.dll
2009-03-08 08:32 . 2002-08-29 10:00 72704 ----a-w c:\windows\SYSTEM32\admparse.dll
2009-03-08 08:32 . 2006-10-17 17:00 173056 ----a-w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-03-08 08:32 . 2006-10-17 16:23 163840 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-03-08 08:32 . 2006-10-17 17:01 71680 ----a-w c:\windows\SYSTEM32\DLLCACHE\iesetup.dll
2009-03-08 08:32 . 2006-10-17 17:00 55808 ----a-w c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
2009-03-08 08:32 . 2002-08-29 10:00 71680 ----a-w c:\windows\SYSTEM32\iesetup.dll
2009-03-08 08:32 . 2006-10-17 17:00 128512 ----a-w c:\windows\SYSTEM32\DLLCACHE\advpack.dll
2009-03-08 08:32 . 2006-10-17 17:00 94720 ----a-w c:\windows\SYSTEM32\DLLCACHE\inseng.dll
2009-03-08 08:32 . 2007-05-14 06:22 594432 ----a-w c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
2009-03-08 08:32 . 2007-05-14 06:22 1985024 ----a-w c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
2009-03-08 08:32 . 2006-10-17 17:33 611840 ----a-w c:\windows\SYSTEM32\DLLCACHE\mstime.dll
2009-03-08 08:24 . 2006-10-17 16:44 68608 ----a-w c:\windows\SYSTEM32\DLLCACHE\hmmapi.dll
2009-03-08 08:22 . 2006-10-17 17:33 156160 ----a-w c:\windows\SYSTEM32\DLLCACHE\msls31.dll
2009-03-08 08:22 . 2002-08-29 10:00 156160 ----a-w c:\windows\SYSTEM32\msls31.dll
2009-03-08 08:11 . 2007-05-14 06:22 445952 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
2009-03-06 14:22 . 2002-08-29 10:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-02-09 12:10 . 2004-03-30 01:48 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 10:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 10:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-15 07:03 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2002-08-29 10:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-07 23:02 . 2008-10-15 07:03 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-07 01:07 . 2007-05-14 06:22 3698584 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dat
2009-02-06 11:11 . 2002-08-29 10:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-15 07:03 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 07:03 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 11:06 . 1980-01-01 05:00 2145280 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 10:39 . 2002-08-29 10:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2008-09-04 14:58 . 2008-09-04 14:59 32768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-20_16.59.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-22 01:07 . 2009-04-22 01:07 16384 c:\windows\Temp\Perflib_Perfdata_66c.dat
- 2009-04-20 16:34 . 2009-04-20 16:34 16384 c:\windows\Temp\Perflib_Perfdata_66c.dat
+ 2009-04-22 01:08 . 2009-04-22 01:08 16384 c:\windows\Temp\Perflib_Perfdata_3c8.dat
+ 2002-09-03 07:08 . 2009-04-21 15:09 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 07:08 . 2009-04-20 15:51 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2002-09-03 07:08 . 2009-04-20 15:51 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 07:08 . 2009-04-21 15:09 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 07:08 . 2009-04-21 15:09 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2002-09-03 07:08 . 2009-04-20 15:51 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-10-12 18:11 238968 ----a-w c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_9.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-09 68592]
"WinVNC"="c:\program files\UltraVNC\winvnc.exe" [2005-08-06 974848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-15 23:46 87352 ----a-w c:\windows\SYSTEM32\LMIinit.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"wave4"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc
"1824:UDP"= 1824:UDP:Windows Media Format SDK (iexplore.exe)
"1842:UDP"= 1842:UDP:Windows Media Format SDK (iexplore.exe)
"1852:UDP"= 1852:UDP:Windows Media Format SDK (iexplore.exe)
"1868:UDP"= 1868:UDP:Windows Media Format SDK (iexplore.exe)

R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-10-02 29808]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-08-03 46112]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2008-10-12 1066360]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2009-04-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

2009-04-20 c:\windows\Tasks\wrSpySweeper_L110CB1336ED145E1A698CAAB7FA63DAA.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-20 c:\windows\Tasks\wrSpySweeper_L110CB1336ED145E1A698CAAB7FA63DAA.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-21 c:\windows\Tasks\wrSpySweeper_L2CA85AFD8D3A4484ABCA663BD87696A5.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-21 c:\windows\Tasks\wrSpySweeper_L2CA85AFD8D3A4484ABCA663BD87696A5.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-20 c:\windows\Tasks\wrSpySweeper_L9F8A70F3660449AEBD846B3D342958CE.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-20 c:\windows\Tasks\wrSpySweeper_L9F8A70F3660449AEBD846B3D342958CE.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-17 c:\windows\Tasks\wrSpySweeper_LC5C8FE1475994F1F99D5F70ECBE14D0B.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]

2009-04-17 c:\windows\Tasks\wrSpySweeper_LC5C8FE1475994F1F99D5F70ECBE14D0B.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-05-13 18:18]
.
.
------- Supplementary Scan -------
.
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: **{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\afwuemba.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\afwuemba.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 00:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000004B54AB024A5138FCCA 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-615407094-731155592-2917792241-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\UltraVNC\vnchooks.dll
.
Completion time: 2009-04-22 0:39
ComboFix-quarantined-files.txt 2009-04-22 04:39
ComboFix2.txt 2009-04-20 17:08

Pre-Run: 129,537,445,888 bytes free
Post-Run: 129,642,237,952 bytes free

284 --- E O F --- 2009-04-16 08:04
jagzee is offline  
Old 04-22-2009, 09:17 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Ried
Join Date: Jan 2005
Location: Ohio
Posts: 27,116
OS: WinXP and Vista


Re: very slooooooooowwww

I'm not seeing any more malware here. You do have too many protective programs running. Uninstall or disable all but one:

Spy Sweeper
Windows Defender
Ad-Aware

Reboot. Any improvement?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-23-2009, 08:47 AM   #9 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 85
OS: WinXP


Re: very slooooooooowwww

Thanks again Ried. Not really any improvement. The slowdown is so extreme on boot and not nearly as bad once it's up and running, unless the program being launched is internet related (email, browser). I wondered if there's some kind of problem in processes, services or who knows (obviously not an expert) what. That led me to try logging in to one of the other user accounts. The user account seemed to boot up fine and the programs seemed to launch fine as well. A return email from my friend confirms the problem is within the one user account.

I'm thinking of first trying to restore the system to an earlier date, or alternatively, backing up the account, deleting it and creating a new account. I'll first wait for any advice you might have.
jagzee is offline  
Old 04-23-2009, 01:15 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Ried
Join Date: Jan 2005
Location: Ohio
Posts: 27,116
OS: WinXP and Vista


Re: very slooooooooowwww

Your plan sounds solid, as we could keep going in circles here trying to find the cause. Give that a go and let me know how it worked out for you.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum