CPU Running at 80 to 100%

AGJr · May 1, 2009

Hello. My cpu has begun running at 75% to 100% with the “ieexplore.exe” and “system” processes eating up most of it. This has been happening for the last few weeks, but I can’t think of anything I did that may have brought it on. The computer is a Dell Latitude 620 with the XP operating system. I disabled Spybot, and have Symantic Antivirus Corporate Edition running right now. As per your instructions I am posting DDS.txt. I’m not a techie, so I may need to extra patience. Thanks for anything you can do to assist me.

DDS (Ver_09-03-16.01) - NTFSx86
Run by XXX at 20:49:22.23 on Thu 04/30/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.318 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\XXX\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/news?ned=us
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DropBoxUtility] "c:\program files\dropbox\dropbox\DropBox.exe" /s
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Delete_c:\windows\downloaded program files\connectorscriptengine.exe] command /c del c:\windows\downlo~1\CONNEC~1.EXE
mRunOnce: [Delete_c:\windows\downloaded program files\connectorbroker.exe] command /c del c:\windows\downlo~1\CONNEC~3.EXE
mRunOnce: [Delete_c:\windows\downloaded program files\connector.dll] command /c del c:\windows\downlo~1\CONNEC~2.DLL
mRunOnce: [Delete_c:\windows\downloaded program files\connector.exe] command /c del c:\windows\downlo~1\CONNEC~2.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217816081640
DPF: {BA2D9665-D672-446F-98F4-E3E41FA12A01} - hxxp://www.mypccenter.com/CAB/PCA.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll schannel.dll digest.dll msnsspc.dll

============= SERVICES / DRIVERS ===============

R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-20 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-20 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090424.003\NAVENG.sys [2009-4-24 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090424.003\NAVEX15.sys [2009-4-24 876144]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-04-24 11:33 10,520 -------- c:\windows\system32\avgrsstx.dll.install_backup
2009-04-24 11:33 <DIR> --d----- c:\program files\AVG
2009-04-21 11:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-20 21:04 <DIR> --d----- c:\windows\sytem32
2009-04-14 19:41 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 19:41 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 19:41 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 19:41 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 19:41 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 19:38 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 19:38 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 19:38 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-09 06:41 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-08 21:57 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-08 21:56 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-08 21:56 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-08 21:56 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-08 21:56 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-08 21:56 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-08 21:56 <DIR> --d----- C:\fa141494af48b1f216921b
2009-04-08 21:56 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-08 21:56 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-08 21:55 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-31 23:48 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-31 23:48 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-31 23:48 <DIR> --d----- c:\program files\iPod
2009-03-31 23:48 <DIR> --d----- c:\program files\iTunes
2009-03-31 23:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-31 23:43 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-31 23:43 36,864 a------- c:\windows\system32\drivers\usbaapl.sys

==================== Find3M ====================

2009-03-28 14:39 1,754 a------- c:\windows\EReg196.dat
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2008-08-19 11:20 3,585,312 a------- c:\program files\InstallGarminCommunicatorPlugin_261.exe
2008-07-06 21:32 1,939,160 a------- c:\program files\SetupImgBurn_2.4.1.0.exe
2008-07-03 09:45 2,788,800 a------- c:\program files\FLV PlayerFCSetup.exe
2008-07-03 09:36 411,248 a------- c:\program files\FLV PlayerRCSetup.exe
2008-10-17 21:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101720081018\index.dat

============= FINISH: 20:49:54.51 ===============

chemist · May 3, 2009

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

We need to see all 3 logs in order to help you.

------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50...-posting-for-malware-removal-help-305963.html

After running through all the steps, you shall have a proper set of logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

------------------------------------------------------

AGJr · May 3, 2009

Hello. My cpu has begun running at 75% to 100% with the “ieexplore.exe” and “system” processes eating up most of it. This has been happening for the last few weeks, but I can’t think of anything I did that may have brought it on. The computer is a Dell Latitude 620 with the XP operating system. I disabled Spybot, and have Symantic Antivirus Corporate Edition running right now. As per your instructions I am posting DDS.txt. I’m not a techie, so I may need to extra patience. Thanks for anything you can do to assist me.

DDS (Ver_09-03-16.01) - NTFSx86
Run by XXX at 10:01:57.48 on Sun 05/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.281 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\XXX\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/news?ned=us
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DropBoxUtility] "c:\program files\dropbox\dropbox\DropBox.exe" /s
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Delete_c:\windows\downloaded program files\connectorscriptengine.exe] command /c del c:\windows\downlo~1\CONNEC~1.EXE
mRunOnce: [Delete_c:\windows\downloaded program files\connectorbroker.exe] command /c del c:\windows\downlo~1\CONNEC~3.EXE
mRunOnce: [Delete_c:\windows\downloaded program files\connector.dll] command /c del c:\windows\downlo~1\CONNEC~2.DLL
mRunOnce: [Delete_c:\windows\downloaded program files\connector.exe] command /c del c:\windows\downlo~1\CONNEC~2.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217816081640
DPF: {BA2D9665-D672-446F-98F4-E3E41FA12A01} - hxxp://www.mypccenter.com/CAB/PCA.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll schannel.dll digest.dll msnsspc.dll

============= SERVICES / DRIVERS ===============

R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-20 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-20 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090501.017\NAVENG.sys [2009-5-1 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090501.017\NAVEX15.sys [2009-5-1 876144]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-04-24 11:33 10,520 -------- c:\windows\system32\avgrsstx.dll.install_backup
2009-04-24 11:33 <DIR> --d----- c:\program files\AVG
2009-04-21 11:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-20 21:04 <DIR> --d----- c:\windows\sytem32
2009-04-14 19:41 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 19:41 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 19:41 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 19:41 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 19:41 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 19:38 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 19:38 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 19:38 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-09 06:41 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-08 21:57 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-08 21:56 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-08 21:56 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-08 21:56 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-08 21:56 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-08 21:56 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-08 21:56 <DIR> --d----- C:\fa141494af48b1f216921b
2009-04-08 21:56 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-08 21:56 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-08 21:55 <DIR> --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2009-03-28 14:39 1,754 a------- c:\windows\EReg196.dat
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2008-08-19 11:20 3,585,312 a------- c:\program files\InstallGarminCommunicatorPlugin_261.exe
2008-07-06 21:32 1,939,160 a------- c:\program files\SetupImgBurn_2.4.1.0.exe
2008-07-03 09:45 2,788,800 a------- c:\program files\FLV PlayerFCSetup.exe
2008-07-03 09:36 411,248 a------- c:\program files\FLV PlayerRCSetup.exe
2008-10-17 21:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101720081018\index.dat

============= FINISH: 10:02:46.75 ===============

chemist · May 3, 2009

Hello AGJr.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please download the AVG Remover and Save it to your Desktop.

Close all programs and double-click avgremover.exe then click Run
Follow the on-screen instructions.
Restart the computer if asked.
Then delete avgremover.exe from your desktop.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------

AGJr · May 4, 2009

OK Thanks. Here is the log

ComboFix 09-05-03.1 - XXX 05/03/2009 22:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.532 [GMT -4:00]
Running from: c:\documents and settings\XXX\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-04-24 15:33 . 2009-04-24 15:33 -------- d-----w c:\program files\AVG
2009-04-21 15:38 . 2009-05-03 13:59 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 01:04 . 2009-04-21 01:04 -------- d-----w c:\windows\sytem32
2009-04-14 23:41 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 23:41 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 23:41 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 23:41 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 23:41 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 23:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 23:38 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-09 01:57 . 2009-04-09 01:57 -------- d-----w c:\windows\system32\XPSViewer
2009-04-09 01:57 . 2009-04-09 01:57 -------- d-----w c:\program files\Reference Assemblies
2009-04-09 01:56 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-09 01:56 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-09 01:56 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-09 01:56 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-09 01:56 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-09 01:56 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-09 01:56 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-09 01:56 . 2009-04-09 01:56 -------- d-----w C:\fa141494af48b1f216921b
2009-04-09 01:55 . 2009-04-10 04:21 -------- d-----w c:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 02:20 . 2008-03-26 02:35 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 13:59 . 2008-07-05 01:56 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-21 20:37 . 2008-08-10 02:28 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-11 00:14 . 2008-11-04 15:08 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-10 21:33 . 2008-03-26 02:49 71776 ----a-w c:\documents and settings\XXX\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-09 01:57 . 2008-03-27 17:39 -------- d-----w c:\program files\MSBuild
2009-04-01 03:48 . 2009-04-01 03:48 -------- d-----w c:\program files\iTunes
2009-04-01 03:48 . 2009-04-01 03:48 -------- d-----w c:\program files\iPod
2009-04-01 03:48 . 2008-05-05 01:23 -------- d-----w c:\program files\Common Files\Apple
2009-04-01 03:47 . 2008-10-17 14:21 -------- d-----w c:\program files\QuickTime
2009-03-29 23:10 . 2008-12-18 03:17 -------- d-----w c:\program files\Google
2009-03-28 18:39 . 2009-03-28 18:39 1754 ----a-w c:\windows\EReg196.dat
2009-03-28 18:38 . 2009-03-28 18:38 -------- d-----w c:\program files\TLI
2009-03-11 02:29 . 2009-03-11 02:29 -------- d-----w c:\program files\Trend Micro
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-04-01 03:43 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-06 03:59 . 2009-04-01 03:43 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 10:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 10:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 10:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 10:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-03-30 01:21 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2005-03-30 01:01 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-08-19 15:20 . 2008-08-19 15:19 3585312 ----a-w c:\program files\InstallGarminCommunicatorPlugin_261.exe
2008-07-07 01:32 . 2008-07-07 01:30 1939160 ----a-w c:\program files\SetupImgBurn_2.4.1.0.exe
2008-07-03 13:45 . 2008-07-03 13:45 2788800 ----a-w c:\program files\FLV PlayerFCSetup.exe
2008-07-03 13:36 . 2008-07-03 13:36 411248 ----a-w c:\program files\FLV PlayerRCSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-15 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-19 696320]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"DropBoxUtility"="c:\program files\DropBox\DropBox\DropBox.exe" [2008-02-10 405504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Filters\\ac3config.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c998a51-0700-11dd-a25d-001641b3d146}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/news?ned=us
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {BA2D9665-D672-446F-98F4-E3E41FA12A01} - hxxp://www.mypccenter.com/CAB/PCA.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 22:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2092)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-04 22:29
ComboFix-quarantined-files.txt 2009-05-04 02:29

Pre-Run: 9,107,927,040 bytes free
Post-Run: 9,314,701,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

138 --- E O F --- 2009-04-29 15:17

chemist · May 4, 2009

Hello again, AGJr. Nothing is showing in your logs.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000

Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

We need to install Java on your machine in order to run an online scan with Kaspersky.

Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
Scroll down to where it says Java Runtime Environment (JRE) 6 Update 13 The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the Download button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
Click Continue
Click on the link to download Windows Offline Installation and Save the file to your Desktop.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button.
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
  - Trace and Log Files
- Click OK on Delete Temporary Files Window.
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
- Click OK to leave the Temporary Files Window.
- Click OK to leave the Java Control Panel.
- Delete jre-6u13-windows-i586-p.exe from your desktop.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at any Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected.
It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior

AGJr · May 5, 2009

Kaspersky report
report on system behavior

Hi Again, Chemist. The Kaspersky scan is below:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, May 5, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, May 05, 2009 03:57:46
Records in database: 2132665
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 69014
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:17:44

No malware has been detected. The scan area is clean.

The selected area was scanned.

chemist · May 5, 2009

How is your machine behaving? Let me know and I will give you some final instructions.

AGJr · May 6, 2009

Hi Again. It's still pretty much the same. It just hit 95%when I was googling something. My novice impression is that the Kaspersky scan didn't find anything either. What do you suggest next, Chemist?

chemist · May 6, 2009

What process is taking 95% when googling? And for how long?

AGJr · May 6, 2009

"System", "iexplore.exe" and "lsass.exe" seem to jump up pretty consistently. My homepage (Google News) starts up quickly, but I just clicked to read an article about Dick Cheney and it took 19 seconds for the article to open. That's a relatively short wait. Sometimes it could take a minute for a page to open

chemist · May 6, 2009

Hello again, AGJr. Your problem doesn't seem to be malware related. You may need to seek help in our Internet Explorer Forum

Have you tried an alternate browser?

http://www.mozilla.com/en-US/firefox/upgrade.html

Do you get the same behavior in Firefox?

------------------------------------------------------

AGJr · May 6, 2009

I haven't tried Firefox, Chemist, although I've read that a lot of people use it instead of IE. Up until now, I never had any issue with IE. But I'm going to give it a try as well as post my cpu problem to the IE Forum. Thank you so much for your help.

chemist · May 6, 2009

You're welcome, AGJr, but we're not done yet. We still haven't cleaned up and uninstalled ComboFix.

Let me know if FF behaves the same as IE. It might help pinpoint the problem.

AGJr · May 7, 2009

HI Again, Chemist. Well, your suggestion paid off. 've just spent the last 30 minutes on Firefox and it's much, much better. So is the problem with Internet Explorer or with the way my computer manages Internet Explorer? Why would there suddenly be a problem with it??

You also mentioned some cleaning up we have to do. (If you saw my house you'd know how much I hate cleaning up)

Muchos, muchos gracias

AGJr

chemist · May 7, 2009

Hello again, AGJr. Not sure what the problem is.

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc stop AvgTdiX

A DOS window will open and close again, this is normal.

Repeat for this command:

sc delete AvgTdiX

------------------------------------------------------

Reboot your computer, then open Internet Explorer.

Please run dds.scr again and post the first log, DDS.txt in your next reply.

------------------------------------------------------

chemist · May 15, 2009

Still with us, AGJr?

chemist · May 18, 2009

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------

CPU Running at 80 to 100%

AGJr

chemist

AGJr

Attachments

chemist

AGJr

chemist

AGJr

Attachments

chemist

AGJr

chemist

AGJr

chemist

AGJr

chemist

AGJr

chemist

chemist

chemist

Top Contributors this Month