-
September 8th, 2010, 08:38 PM
#1
Computer is slow, CPU usage is high
My friend's shop has a computer for recording surveillance video. It has been running slowly recently. I took it home and found that both C: (system, 78GB, 65GB free) and D: (video, 219GB, 4GB free) required defrag. I ran Windows defragmenter. Defrag for C: is done. Before defragging D:, I moved 40GB of video clips to C: to give it sufficient space, but it has still taken a day and is still in progress.
When I opened the task manager, I noticed that the system idle process was 95%+ and defrag was about 2% to 3%, but the CPU usage shown below the task list is always 45% to 50%. I then closed the defragmenter and ran JkDefrag about 3 hrs ago. Now it's working on D: and shows about 30%, and CPU usage is still around 50%.
Is it possible that some viruses or spyware are working in the background? Thanks for your advice.
CPU - P4 dualCore 2.5G, RAM - 2GB DDR2, Hard drive - WD 300GB, SATA
Windows SP3
hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:19 PM, on 9/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\APACHE\Apache.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\APACHE\Apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\taskmgr.exe
E:\HiJackThis\HijackThis_Runtime.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Gamevance Text - {BEAC7DC8-E106-4C6A-931E-5A42E7362883} - C:\Program Files\Gamevance\gvtl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1235707567043
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apache - Unknown owner - C:\APACHE\Apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 6336 bytes
-
September 8th, 2010, 11:32 PM
#2
-
September 11th, 2010, 06:55 PM
#3
mbam and gmer logs
I ran MBAM successfully with 1 threat, webview.exe, detected. I think that it's the program for viewing the surveillance over the Internet. I did not remove it.
However, I encountered 2 failures on GMER scans. I don't know whether some malware blocked the scanning because I renamed the exe file as GMER.exe (because I overlooked the recommendation). I re-downloaded gmer.exe with its random name kept. The scan was then done successfully.
The mbam log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4595
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
9/11/2010 3:19:15 PM
mbam-log-2010-09-11 (15-19-15).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 276116
Time elapsed: 1 hour(s), 22 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\DVR\webview.exe (Trojan.Dropper) -> No action taken.
The gmer log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-11 00:06:24
Windows 5.1.2600 Service Pack 3
Running: ejleig6y.exe; Driver: C:\DOCUME~1\Ashiq\LOCALS~1\Temp\ugdirpob.sys
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB18EE280]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[584] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1016] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1016] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1016] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1016] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1016] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1016] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1016] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1016] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1016] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Internet Explorer\iexplore.exe[584] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Your advice is much appreciated.
-
September 11th, 2010, 07:22 PM
#4
-
September 11th, 2010, 11:10 PM
#5
Sorry, Broni, what do you mean by the DDS?
-
September 12th, 2010, 12:54 AM
#6
-
September 12th, 2010, 03:26 PM
#7
dds logs
I apologize for overlooking step 3. The dds logs are below.
attach.txt
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2/26/2009 5:54:45 PM
System Uptime: 9/12/2010 11:10:10 AM (0 hours ago)
Motherboard: ASUSTeK Computer INC. | | P5QL
Processor: Intel Pentium III Xeon processor | LGA775 | 2520/200mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 78 GiB total, 25.853 GiB free.
D: is FIXED (NTFS) - 220 GiB total, 44.222 GiB free.
E: is Removable
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP447: 6/15/2010 6:02:14 AM - System Checkpoint
RP448: 6/16/2010 7:45:30 AM - System Checkpoint
RP449: 6/17/2010 9:09:36 AM - System Checkpoint
RP450: 6/18/2010 10:02:12 AM - System Checkpoint
RP451: 6/19/2010 11:02:11 AM - System Checkpoint
RP452: 6/20/2010 12:02:10 PM - System Checkpoint
RP453: 6/21/2010 12:39:14 PM - System Checkpoint
RP454: 6/22/2010 1:03:24 PM - System Checkpoint
RP455: 6/23/2010 3:00:25 AM - Software Distribution Service 3.0
RP456: 6/24/2010 3:02:13 AM - System Checkpoint
RP457: 6/24/2010 9:32:19 AM - Avg Update
RP458: 6/25/2010 9:35:36 AM - System Checkpoint
RP459: 6/26/2010 10:05:52 AM - System Checkpoint
RP460: 6/27/2010 10:06:42 AM - System Checkpoint
RP461: 6/28/2010 10:19:46 AM - System Checkpoint
RP462: 7/15/2010 3:00:27 AM - Software Distribution Service 3.0
RP463: 7/15/2010 9:00:42 AM - Avg Update
RP464: 7/15/2010 9:04:19 AM - Avg Update
RP465: 7/20/2010 8:31:52 AM - Avg Update
RP466: 8/4/2010 3:00:26 AM - Software Distribution Service 3.0
RP467: 8/13/2010 3:00:26 AM - Software Distribution Service 3.0
RP468: 8/16/2010 7:41:39 AM - Avg Update
RP469: 9/7/2010 12:45:28 AM - System Checkpoint
RP470: 9/8/2010 1:26:33 AM - System Checkpoint
RP471: 9/9/2010 3:00:30 AM - Software Distribution Service 3.0
RP472: 9/10/2010 4:06:30 PM - System Checkpoint
RP473: 9/11/2010 4:18:21 PM - System Checkpoint
==== Installed Programs ======================
Adobe Flash Player 10 ActiveX
Adobe Reader 8.2.4
Apache HTTP Server
Apple Software Update
Ask Toolbar
ASUSUpdate
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Display Driver
ATI HYDRAVISION
AVG Free 9.0
BlackBerry Desktop Software 4.2
Brother MFL-Pro Suite MFC-5490CN
Canon MP240 series MP Drivers
Critical Update for Windows Media Player 11 (KB959772)
Deer Drive 1.51T
DvrNet 880
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Java Auto Updater
Java(TM) 6 Update 20
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.0
PaperPort Image Printer
PC Probe II
Platform
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
ScanSoft PaperPort 11
SeaTools for Windows
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Ulead Burn.Now 4.5
Ulead Burn.Now 4.5 SE
Ulead PhotoImpact 12
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Platform Device Manager
VLC media player 0.9.8a
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
WinZip 11.2
Yahoo! Toolbar
==== Event Viewer Messages From Past Week ========
9/8/2010 11:10:31 PM, error: System Error [1003] - Error code 10000050, parameter1 aedeab30, parameter2 00000001, parameter3 adf5ffa6, parameter4 00000000.
9/7/2010 9:15:33 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume D:.
9/7/2010 6:38:56 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
9/7/2010 6:38:53 PM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
9/7/2010 6:38:50 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
9/7/2010 6:38:11 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
9/7/2010 6:37:59 PM, error: Service Control Manager [7034] - The AVG Free E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
9/7/2010 1:00:58 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 89ba19e0, parameter3 89ba1b54, parameter4 805d2954.
9/6/2010 9:08:27 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 89beb9e0, parameter3 89bebb54, parameter4 805d2954.
9/10/2010 3:47:13 PM, error: System Error [1003] - Error code 10000050, parameter1 e418f000, parameter2 00000000, parameter3 ae464c3e, parameter4 00000001.
==== End Of File ===========================
dds.txt -----------------------------------------------------------------
DDS (Ver_10-03-17.01) - NTFSx86
Run by Ashiq at 11:17:44.04 on Sun 09/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1584 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\APACHE\Apache.exe
C:\APACHE\Apache.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Pitt Meadows\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.ca/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://ca.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235707567043
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-3 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-3 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-3 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-2-25 845184]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 SAAVideo;% SAADriver%;c:\windows\system32\drivers\SAAVideo.sys [2009-2-26 26624]
S3 SDDrv;SDDrv;c:\windows\system32\drivers\SDDrv.sys [2009-7-13 39424]
=============== Created Last 30 ================
2010-09-08 05:26:56 0 d-----w- C:\10-07-25
2010-09-08 04:26:59 0 d-----w- C:\10-07-26
2010-09-08 03:33:16 0 d-----w- C:\10-07-22
2010-09-08 02:36:16 0 d-----w- C:\10-07-23
2010-09-08 01:49:48 0 d-----w- C:\10-07-24
2010-09-07 08:03:19 0 d-----w- C:\Video Jul 3-17
2010-09-07 07:15:08 0 d-----w- c:\docume~1\ashiq\applic~1\Malwarebytes
2010-09-07 07:15:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-07 07:15:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-07 07:15:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-07 07:15:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
==================== Find3M ====================
2010-07-15 16:03:48 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 16:03:41 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 16:01:44 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2006-06-24 22:48:54 32768 ----a-w- c:\windows\inf\UpdateUSB.exe
============= FINISH: 11:18:11.68 ===============
-
September 12th, 2010, 03:29 PM
#8
Download Process Explorer: http://technet.microsoft.com/en-us/s.../bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Columns.
In addition to the already pre-selected options, make sure the Command Line column is selected, and press OK.
Go to File > Save As, and save the report as Procexp.txt.
Attach the file to your next reply.
===============================================================
Download MBRCheck to your desktop
Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
==============================================================
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
September 12th, 2010, 09:43 PM
#9
Logs
procexp.txt:
Process PID CPU Private Bytes Working Set Description Company Name Command Line
System Idle Process 0 100.00 0 K 28 K
Interrupts n/a 0 K 0 K Hardware Interrupts
DPCs n/a 0 K 0 K Deferred Procedure Calls
System 4 0 K 104,952 K
smss.exe 568 172 K 416 K Windows NT Session Manager Microsoft Corporation \SystemRoot\System32\smss.exe
csrss.exe 636 1,608 K 3,508 K Client Server Runtime Process Microsoft Corporation C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
winlogon.exe 664 7,060 K 4,264 K Windows NT Logon Application Microsoft Corporation winlogon.exe
services.exe 708 1,704 K 3,448 K Services and Controller app Microsoft Corporation C:\WINDOWS\system32\services.exe
ati2evxx.exe 876 580 K 2,320 K ATI External Event Utility EXE Module ATI Technologies Inc. C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe 908 3,116 K 5,072 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe 1000 1,780 K 4,232 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost -k rpcss
svchost.exe 1100 16,620 K 24,016 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe 1188 1,252 K 3,508 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k NetworkService
svchost.exe 1372 4,712 K 6,500 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService
spoolsv.exe 1864 3,424 K 5,108 K Spooler SubSystem App Microsoft Corporation C:\WINDOWS\system32\spoolsv.exe
svchost.exe 1312 1,324 K 3,732 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService
Apache.exe 1532 692 K 2,288 K "C:\APACHE\Apache.exe" --ntservice
Apache.exe 1856 2,120 K 3,140 K "C:\APACHE\Apache.exe" -z ap1532_C1 -f "c:/apache/conf/httpd.conf" "-d" "c:/apache" "-f" "c:/apache/conf/httpd.conf"
avgwdsvc.exe 1904 5,344 K 2,388 K AVG Watchdog Service AVG Technologies CZ, s.r.o. "C:\Program Files\AVG\AVG9\avgwdsvc.exe"
avgnsx.exe 2312 7,984 K 1,756 K AVG Network scanner Service AVG Technologies CZ, s.r.o. "C:\Program Files\AVG\AVG9\avgnsx.exe"
jqs.exe 424 2,040 K 1,392 K Java(TM) Quick Starter Service Sun Microsystems, Inc. "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
svchost.exe 1212 2,492 K 4,304 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k imgsvc
avgemc.exe 2260 4,588 K 836 K AVG E-Mail Scanner AVG Technologies CZ, s.r.o. "C:\Program Files\AVG\AVG9\avgemc.exe"
avgcsrvx.exe 2696 3,004 K 4,312 K AVG Scanning Core Module - Server Part AVG Technologies CZ, s.r.o. /pipeName=347b4d16-6efb-4873-b3dd-5014e2d5d47d /coreSdkOptions=0 /binaryPath="C:\Program Files\AVG\AVG9\"
alg.exe 3284 1,188 K 3,572 K Application Layer Gateway Service Microsoft Corporation C:\WINDOWS\System32\alg.exe
svchost.exe 3528 1,592 K 3,476 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k HTTPFilter
lsass.exe 720 4,072 K 1,284 K LSA Shell (Export Version) Microsoft Corporation C:\WINDOWS\system32\lsass.exe
avgchsvx.exe 1316 9,804 K 320 K AVG Cache Server AVG Technologies CZ, s.r.o. "C:\Program Files\AVG\AVG9\avgchsvx.exe"
avgrsx.exe 1340 1,496 K 532 K AVG Resident Shield Service AVG Technologies CZ, s.r.o. "C:\Program Files\AVG\AVG9\avgrsx.exe"
avgcsrvx.exe 1468 7,080 K 360 K AVG Scanning Core Module - Server Part AVG Technologies CZ, s.r.o. /pipeName=7675084d-7446-4dd7-a8f7-7a9060e4ecce /coreSdkOptions=30 /logConfFile="C:\Documents and Settings\All Users\Application Data\avg9\temp\19773ff2-a93f-4948-94f5-75bf6eea4b5d-53c-oopp.tmp" /loggerName=AVG.RS.Core /binaryPath="C:\Program Files\AVG\AVG9\" /tempPath="C:\Documents and Settings\All Users\Application Data\avg9\temp\"
ati2evxx.exe 1908 684 K 2,852 K ATI External Event Utility EXE Module ATI Technologies Inc. Ati2evxx.exe -Client
explorer.exe 2004 20,216 K 27,672 K Windows Explorer Microsoft Corporation C:\WINDOWS\Explorer.EXE
BrMfcWnd.exe 120 2,292 K 4,224 K Brother Status Monitor Application Brother Industries, Ltd. "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" Brother MFC-5490CN /STARTUP
BrMfcMon.exe 2268 2,032 K 3,504 K Brother Status Monitor (Local) Brother Industries, Ltd. "C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe"
procexp.exe 2108 8,584 K 13,656 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "E:\Pitt Meadows\Process Explorer\procexp.exe"
MBRcheck.txt:
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d
Kernel Drivers (total 112):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F31000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9F11000 fltMgr.sys
0xB9EFF000 sr.sys
0xB9EE8000 KSecDD.sys
0xB9E5B000 Ntfs.sys
0xB9E2E000 NDIS.sys
0xB9E14000 Mup.sys
0xBA218000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9C87000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB9C73000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3F8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9C4F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA428000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9C27000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9C0C000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xBA488000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA5BE000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xBA228000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA4A8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA340000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA238000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA584000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA796000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA5C2000 \SystemRoot\System32\Drivers\RootMdm.sys
0xBA390000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA248000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA58C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9BF5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA258000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA268000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9BE4000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA278000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA408000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA418000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA430000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xBA288000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5C8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9BC1000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9B63000 \SystemRoot\system32\DRIVERS\update.sys
0xB9DF0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA298000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA2C8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5CE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB19AA000 \SystemRoot\system32\drivers\viahduaa.sys
0xB1986000 \SystemRoot\system32\drivers\portcls.sys
0xBA2E8000 \SystemRoot\system32\drivers\drmk.sys
0xB1832000 \SystemRoot\system32\drivers\monfilt.sys
0xBA450000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xBA5D6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA7DD000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5DA000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA480000 \SystemRoot\System32\drivers\vga.sys
0xBA5DE000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5E2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA498000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA4B0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA558000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB17D7000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB177E000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB1758000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB171E000 \SystemRoot\System32\Drivers\avgtdix.sys
0xBA318000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB16CE000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB16AC000 \SystemRoot\System32\drivers\afd.sys
0xBA138000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB1681000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB1611000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA168000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA400000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB15DD000 \SystemRoot\System32\Drivers\avgldx86.sys
0xBA600000 \SystemRoot\system32\drivers\AsIO.sys
0xB15C5000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA610000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB1712000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA438000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA79C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF049000 \SystemRoot\System32\ati2cqag.dll
0xBF07D000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2F4000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA5A0000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAF088000 \SystemRoot\system32\drivers\wdmaud.sys
0xB1B09000 \SystemRoot\system32\drivers\sysaudio.sys
0xAECCB000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAEA44000 \SystemRoot\system32\DRIVERS\srv.sys
0xAE908000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xAE5F7000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA4A0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAEABB000 \??\C:\WINDOWS\system32\Drivers\PROCEXP141.SYS
0xAE4DC000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
Processes (total 33):
0 System Idle Process
4 System
568 C:\WINDOWS\system32\smss.exe
636 csrss.exe
664 C:\WINDOWS\system32\winlogon.exe
708 C:\WINDOWS\system32\services.exe
720 C:\WINDOWS\system32\lsass.exe
876 C:\WINDOWS\system32\ati2evxx.exe
908 C:\WINDOWS\system32\svchost.exe
1000 svchost.exe
1100 C:\WINDOWS\system32\svchost.exe
1188 svchost.exe
1316 C:\Program Files\AVG\AVG9\avgchsvx.exe
1340 C:\Program Files\AVG\AVG9\avgrsx.exe
1372 svchost.exe
1468 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1864 C:\WINDOWS\system32\spoolsv.exe
1908 C:\WINDOWS\system32\ati2evxx.exe
2004 C:\WINDOWS\explorer.exe
1312 svchost.exe
1532 C:\Apache\Apache.exe
1856 C:\Apache\Apache.exe
1904 C:\Program Files\AVG\AVG9\avgwdsvc.exe
120 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
424 C:\Program Files\Java\jre6\bin\jqs.exe
1212 C:\WINDOWS\system32\svchost.exe
2260 C:\Program Files\AVG\AVG9\avgemc.exe
2268 C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
2312 C:\Program Files\AVG\AVG9\avgnsx.exe
2696 C:\Program Files\AVG\AVG9\avgcsrvx.exe
3284 alg.exe
3528 C:\WINDOWS\system32\svchost.exe
2064 E:\Pitt Meadows\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`8836ac00 (NTFS)
PhysicalDrive0 Model Number: WDCWD3200AAKS-75L9A0, Rev: 01.03E01
Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
Thanks, Broni.
-
September 12th, 2010, 09:44 PM
#10
combofix.log
ComboFix 10-09-11.04 - Ashiq 09/12/2010 14:12:22.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1571 [GMT -7:00]
Running from: e:\pitt meadows\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\data
.
((((((((((((((((((((((((( Files Created from 2010-08-12 to 2010-09-12 )))))))))))))))))))))))))))))))
.
2010-09-08 05:26 . 2010-09-08 05:45 -------- d-----w- C:\10-07-25
2010-09-08 04:26 . 2010-09-08 04:54 -------- d-----w- C:\10-07-26
2010-09-08 03:33 . 2010-09-08 03:56 -------- d-----w- C:\10-07-22
2010-09-08 02:36 . 2010-09-08 03:00 -------- d-----w- C:\10-07-23
2010-09-08 01:49 . 2010-09-08 02:05 -------- d-----w- C:\10-07-24
2010-09-07 08:03 . 2010-09-07 10:34 -------- d-----w- C:\Video Jul 3-17
2010-09-07 07:15 . 2010-09-07 07:15 -------- d-----w- c:\documents and settings\Ashiq\Application Data\Malwarebytes
2010-09-07 07:15 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-07 07:15 . 2010-09-07 07:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-07 07:15 . 2010-09-07 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-07 07:15 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-12 20:50 . 2009-11-05 23:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-09 10:01 . 2010-02-26 20:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-27 19:51 . 2009-03-10 21:43 1 ----a-w- c:\documents and settings\Ashiq\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-07 17:11 . 2010-08-07 17:11 503808 ----a-w- c:\documents and settings\Ashiq\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6393c7ac-n\msvcp71.dll
2010-08-07 17:11 . 2010-08-07 17:11 499712 ----a-w- c:\documents and settings\Ashiq\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6393c7ac-n\jmc.dll
2010-08-07 17:11 . 2010-08-07 17:11 348160 ----a-w- c:\documents and settings\Ashiq\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6393c7ac-n\msvcr71.dll
2010-08-07 17:11 . 2010-08-07 17:11 61440 ----a-w- c:\documents and settings\Ashiq\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-387e9e61-n\decora-sse.dll
2010-08-07 17:11 . 2010-08-07 17:11 12800 ----a-w- c:\documents and settings\Ashiq\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-387e9e61-n\decora-d3d.dll
2010-07-15 16:03 . 2009-05-03 07:12 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 16:03 . 2010-07-15 16:03 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 16:01 . 2009-05-03 07:12 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 14:58 . 2009-02-27 08:19 29904 ----a-w- c:\documents and settings\Ashiq\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 14:33 . 2010-06-23 14:33 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1C3.tmp.exe
2010-06-23 13:44 . 2008-04-14 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-14 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-18 00:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-18 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-21 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2006-11-29 90112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-08-15 30003200]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-22 86016]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-04-11 1085440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVR.lnk - c:\dvr\DVR.exe [2009-7-13 28672]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-23 415072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 16:03 12536 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-07-15 16:03 2065760 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg9wd"=2 (0x2)
"avg9emc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\DVR\\Encode.exe"=
"c:\\DvrNet\\P2P.exe"=
"c:\\IntelliUpSite\\IntelliUpSite.exe"=
"c:\\DvrNet\\DvrNet.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/3/2009 12:12 AM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/3/2009 12:12 AM 243024]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2/25/2009 2:05 AM 845184]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 11:37 AM 135664]
S3 SAAVideo;% SAADriver%;c:\windows\system32\drivers\SAAVideo.sys [2/26/2009 7:36 PM 26624]
S3 SDDrv;SDDrv;c:\windows\system32\drivers\SDDrv.sys [7/13/2009 11:13 AM 39424]
S4 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 9:01 AM 921952]
S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:03 AM 308136]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
2010-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 18:37]
2010-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 18:37]
2010-09-12 c:\windows\Tasks\User_Feed_Synchronization-{690B4CCB-394C-4EEA-89FE-3C1A44ACF66C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.ca/
uInternet Connection Wizard,ShellNext = iexplore
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Gamevance - c:\program files\Gamevance\gamevance32.exe
AddRemove-HijackThis - e:\hijackthis\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-12 14:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(124)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-12 14:20:06
ComboFix-quarantined-files.txt 2010-09-12 21:20
Pre-Run: 27,678,007,296 bytes free
Post-Run: 30,799,355,904 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 2893A9D354DC7A1880645599535A66C1
Thanks again.
-
September 12th, 2010, 09:51 PM
#11
System Idle Process 100.00%
CPU NOT used at 100%? It's better than perfect
I don't think I've ever seen a result that good....
MBRCheck log looks good 
Nothing in Combofix 
Uninstall AskBarDis, known adware.
Download OTL to your Desktop.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Under the Custom Scan box paste this in:
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
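Reading the ComboFix autostart sections by script, as an added example that is not part of this thread or of ComboFix: it parses the Run keys, BHO file lines, Startup shortcuts, service/driver lines and removed orphans from a constructed excerpt of the log posted above and flags what a helper would look at twice (the AskBarDis BHO, the Gamevance orphan, a binary outside the usual roots, an unresolved driver display name). The watchlist and the "standard" path roots are assumptions made for this example.

```python
"""Triage the autostart sections of a ComboFix log.

Constructed example for this thread; it is not a ComboFix or forum tool.
It extracts Run-key values, BHO file lines, Startup-folder shortcuts,
service/driver lines and removed orphans, then flags the entries a helper
would look at twice. WATCHLIST and STANDARD_ROOTS are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Names called out in this thread: AskBarDis (flagged as adware in the reply)
# and Gamevance (the Run entry ComboFix listed under ORPHANS REMOVED).
WATCHLIST = ("askbardis", "gamevance")

# Where autostart binaries on an XP box normally live (assumption). A path
# elsewhere is not proof of malware (the DVR software here lives in c:\dvr);
# it is simply queued for a manual look.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                  "c:\\progra~1\\", "c:\\documents and settings\\")

HEADER_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>\S.*)$")
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$")
ORPHAN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)-Run-(?P<name>\S+) - (?P<path>.+)$")


@dataclass
class Entry:
    kind: str      # run, bho, toolbar, regkey, startup, service, driver, orphan
    name: str
    path: str
    display: str = ""
    flags: List[str] = field(default_factory=list)


def kind_for(key: str) -> str:
    """Map the registry key a line sits under to an entry kind."""
    k = key.lower()
    if "browser helper objects" in k:
        return "bho"
    if k.endswith("\\run"):
        return "run"
    if "toolbar" in k:
        return "toolbar"
    return "regkey"


def parse_entries(log_text: str) -> List[Entry]:
    entries, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            key = m["key"]          # the following lines belong to this key
            continue
        if m := VALUE_RE.match(line):
            entries.append(Entry(kind_for(key), m["name"], m["path"]))
        elif (m := FILE_RE.match(line)) and key:
            # "date time size attrs path" line listing the file behind a key
            entries.append(Entry(kind_for(key), key.rsplit("\\", 1)[-1], m["path"]))
        elif m := LNK_RE.match(line):
            entries.append(Entry("startup", m["name"], m["path"]))
        elif m := SVC_RE.match(line):
            kind = "driver" if m["path"].lower().endswith(".sys") else "service"
            entries.append(Entry(kind, m["name"], m["path"], m["display"]))
        elif m := ORPHAN_RE.match(line):
            entries.append(Entry("orphan", m["name"], m["path"]))
    return entries


def triage(log_text: str) -> List[Entry]:
    """Attach review flags; an empty flag list means nothing stood out."""
    entries = parse_entries(log_text)
    for e in entries:
        hay = f"{e.name} {e.display} {e.path}".lower()
        if any(w in hay for w in WATCHLIST):
            e.flags.append("watchlist")
        if e.kind == "orphan":
            e.flags.append("orphan-removed")
        elif e.path.lower() != "(no file)" and not e.path.lower().startswith(STANDARD_ROOTS):
            e.flags.append("nonstandard-path")
        if e.display.strip().startswith("%"):
            e.flags.append("unresolved-display-name")   # e.g. "% SAADriver%"
    return entries


def suspicious(log_text: str) -> List[Entry]:
    return [e for e in triage(log_text) if e.flags]


# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-18 00:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-04-11 1085440]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVR.lnk - c:\dvr\DVR.exe [2009-7-13 28672]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/3/2009 12:12 AM 216400]
S3 SAAVideo;% SAADriver%;c:\windows\system32\drivers\SAAVideo.sys [2/26/2009 7:36 PM 26624]
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Gamevance - c:\program files\Gamevance\gamevance32.exe
"""

if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.kind:8} {e.name:45} {e.path}  <- {', '.join(e.flags)}")
```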
-
September 13th, 2010, 03:00 AM
#12
OTL logs problem
Broni, I encounter some problems.
1. After running OTL.exe, I pasted your custom scan settings in the box concerned. But I clicked the [Run Scan] button instead of [Quick Scan]. After the scan, 2 txt files were created. I deleted both to the Recycle Bin. I then re-ran with [Quick Scan]. However, this time only the OTL.txt was created.
2. I restored Extras.txt from the Recycle Bin and tried to paste it back into the forum. The forum blocked it, saying that I included 6 images. But it is a text file and I did not make any changes. Did I make any mistake during the process?
Thanks.
-
September 13th, 2010, 02:43 PM
#13
I would like to add some more information about the computer.
As the computer is used to record surveillance video, it's used 24/7. The video clips are stored in the D partition. The surveillance program deletes the oldest clips when the drive (220G) is full.
When I picked the computer up, it didn't boot. I connected the hard drive to my notebook via a SATA/USB adapter and ran Windows Explorer. I could see the folders in it. I ran Norton Disk Doctor on C: and then put it back in the desktop. It boots up but runs veryyyyyy slowly. I opened the Task Manager and found that even with nothing open, the CPU usage is always 40%+.
I went to the Windows defragmenter for the D: partition - all red. I moved some video clips (about 40GB) to the C partition, which has about 80GB capacity and 60GB free, and then tried to defrag with the Windows defragmenter. The process is so slow that it took a whole day to complete only 25%. I stopped the process and ran jkdefrag, similar situation. I took the hard drive out of the computer and connected it to my notebook via a SATA/USB adapter. I ran Norton Disk Doctor and the last 2 items (can't remember what they are) were not performed. I then ran Speed Disk; the task completed in half a day. I put it back in the desktop but it still has 15% CPU usage even though nothing is open.
With your advice, I ran MBAM, etc. It now comes down to below 10% and sometimes 5%. I cloned the whole system to another hard drive - I just had a spare of similar size at hand. CPU usage now stays down at 1% or even 0 under similar conditions.
I don't know whether the problem is a combination of viruses, a defective hard drive and too fragmented files. But now the system looks much better.
-
September 13th, 2010, 07:27 PM
#14
Post OTL.txt and attach Extras.txt.
-
September 13th, 2010, 09:04 PM
#15
Extras.txt - part 1
OTL Extras logfile created on: 9/12/2010 11:27:52 PM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Ashiq\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 78.90 Gb Total Space | 29.14 Gb Free Space | 36.93% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 219.19 Gb Total Space | 219.12 Gb Free Space | 99.97% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 2.01 Gb Free Space | 26.98% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: SURVEILLANCE
Current User Name: Ashiq
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
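The "Shell Spawning" section of the Extras.txt above is the part of an OTL log a responder reads first, because a malware-hijacked `exefile\shell\open\command` would launch the malware every time any .exe is run. The script below is an added example, not OTL's code nor anything posted by Broni or the original poster: it parses that section out of an Extras.txt log and compares the executable-file handlers (batfile, cmdfile, comfile, exefile, piffile, scrfile) against the stock Windows XP values. The baseline table and the sample log lines are constructed for the example (the sample reuses the handler lines from this thread's log, plus one made-up hijacked exefile line to show what a hit looks like); the "Reg Error: Key error." lines for htmlfile/txtfile/regfile in the posted log are verbs outside the baseline, so they are not flagged.

```python
"""Audit the "Shell Spawning" section of an OTL Extras.txt log.

Added example for this thread; not part of OTL.  The BASELINE values and the
SAMPLE_* log texts are assumptions constructed for the example.
"""
import re

# Assumed stock XP SP3 handler commands for the file classes that malware
# most often hijacks.  Verify against a known-clean machine before relying on it.
BASELINE = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
    ("scrfile", "config"): '"%1"',
}

# OTL line shape:  <class> [<verb>] -- <command> [(<publisher>)]
LINE_RE = re.compile(r'^(\S+) \[(\w+)\] -- (.*?)(?: \([^()]*\))?$')


def parse_shell_spawning(log_text):
    """Return {(class, verb): command} for every line in the Shell Spawning
    section.  The trailing "(Publisher)" tag OTL appends is stripped."""
    entries = {}
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("========== Shell Spawning"):
            in_section = True
            continue
        if in_section and line.startswith("=========="):
            break  # next section reached
        if not in_section or line.startswith("["):
            continue  # skip the registry-path header line
        m = LINE_RE.match(line)
        if m:
            entries[(m.group(1), m.group(2))] = m.group(3)
    return entries


def audit(entries, baseline=BASELINE):
    """Return [(class, verb, found, expected)] for every baseline handler whose
    logged command differs from the expected value.  A "Reg Error: Key error."
    on a baseline key is a mismatch too, since a missing exefile handler is
    just as abnormal as a replaced one."""
    findings = []
    for (cls, verb), expected in baseline.items():
        found = entries.get((cls, verb))
        if found is not None and found != expected:
            findings.append((cls, verb, found, expected))
    return findings


# Constructed sample: the handler lines from the Extras.txt in this thread.
SAMPLE_CLEAN = r"""========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
"""

# Constructed sample of a hijacked exefile handler (made-up path, not from the
# thread): every .exe launch would first run x.exe, which then runs the target.
SAMPLE_HIJACKED = SAMPLE_CLEAN.replace(
    r'exefile [open] -- "%1" %*',
    r'exefile [open] -- "C:\Documents and Settings\user\x.exe" "%1" %*')


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HIJACKED
    hits = audit(parse_shell_spawning(text))
    for cls, verb, found, expected in hits:
        print(f"{cls} [{verb}]: found {found!r}, expected {expected!r}")
    if not hits:
        print("shell spawning handlers match baseline")
```

Run it as `python otl_shell_audit.py Extras.txt` against a saved log; with no argument it audits the constructed hijacked sample and reports the exefile line. Note that OTL only lists the handlers it knows about, so an empty result means "nothing listed differs", not that HKCR is clean; the `Directory`/`Folder`/`Drive` verbs and the VLC entries in the posted log are deliberately outside the baseline because their values legitimately vary between machines.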