
Help with undetected problem, please


RJC


I can usually remove problems with a combination of tools, but this one has me stumped. I think I should ask for some assistance.

On Jan 2, I got the message "DCOM Server Process Launcher Service terminated unexpectedly" and the PC rebooted. Since then I have set the action to restart the service instead of rebooting so I could complete scans, etc. PC performance is very slow now. It takes forever to reboot.

I have done full scans with McAfee, Microsoft Security Essentials, ESET Online Scanner and Spybot S&D: all came up clean.

I did a full scan with Malwarebytes: it deleted some registry entries that I believe were old. Since then the scans are clean.

I keep getting a blocked website message, outgoing, 66.45.56.109, even when no programs are running.

DDS logs. The Attach.txt was kind of big so I attached it.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Run by Wraithchilde at 11:14:49 on 2014-01-05
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3583.2671 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
E:\Program Files\MalwarebytesAnti-Malware\mbamscheduler.exe
E:\Program Files\MalwarebytesAnti-Malware\mbamservice.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
E:\Program Files\MalwarebytesAnti-Malware\mbamgui.exe
C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\Program Files\McAfee\MSC\McAPExe.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uProxyOverride = <local>;*.local
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Cobian Backup 10] "c:\program files\cobian backup 10\Cobian.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [mcpltui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [updReg] c:\windows\UpdReg.EXE
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: NameServer = 24.196.64.53 68.113.206.10 24.178.162.3
TCP: Interfaces\{57B888B6-65B4-428C-A4E9-B64B0F66E308} : DHCPNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest wsauth
.
============= SERVICES / DRIVERS ===============
.
R?2 mcbootdelaystartsvc;McAfee Boot Delay Start Service;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-1-21 239168]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2013-4-3 91736]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-1-28 67584]
R2 HomeNetSvc;McAfee Home Network;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560]
R2 MBAMScheduler;MBAMScheduler;e:\program files\malwarebytesanti-malware\mbamscheduler.exe [2014-1-3 418376]
R2 MBAMService;MBAMService;e:\program files\malwarebytesanti-malware\mbamservice.exe [2014-1-3 701512]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2013-8-26 103112]
R2 McAPExe;McAfee AP Service;c:\program files\mcafee\msc\McAPExe.exe [2013-8-26 145088]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560]
R2 mcpltsvc;McAfee Platform Services;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2013-4-3 236000]
R2 mfecore;McAfee Anti-Malware Core;c:\program files\common files\mcafee\amcore\mcshield.exe [2013-8-26 643608]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2013-8-26 169320]
R2 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-12-26 572528]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-8-26 172416]
R2 mi-raysat_3dsmax2011_32;mental ray 3.8 Satellite for Autodesk 3ds Max Design 2011 32-bit 32-bit;c:\program files\autodesk\3ds max design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe [2010-3-10 86016]
R2 wsnm;VMware View Client;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2011-9-7 494192]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-4-3 60920]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-1-3 22856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-4-3 365416]
R3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\drivers\mfencbdc.sys [2013-2-18 319808]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2013-8-26 85064]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-11-22 23064]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-1-27 1374464]
R3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\drivers\vmwvusb.sys [2012-6-25 40048]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DAZContentManagementService;DAZ Content Management Service;e:\program files\daz 3d\content management service\ContentManagementServer.exe [2012-3-10 18432]
S2 vmhnavixan;vmhnavixan;\??\c:\windows\system32\drivers\mmdzrgupcuxacl.sys --> c:\windows\system32\drivers\mmdzrgupcuxacl.sys [?]
S2 wsnm_usbctrl;VMware View USB Control;c:\program files\vmware\vmware view\client\bin\wsnm_usbctrl.exe [2011-9-7 797296]
S3 apf003;apf003;c:\windows\system32\apf003.sys [2013-4-9 13232]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-11-19 147912]
S3 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-8-23 13672]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2013-4-3 65928]
S3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\drivers\mfencrk.sys [2013-2-18 80752]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2013-8-26 85064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva398;XDva398;\??\c:\windows\system32\xdva398.sys --> c:\windows\system32\XDva398.sys [?]
.
=============== File Associations ===============
.
ShellExec: DAZStudio.exe: open="e:\program files\daz 3d\DAZStudio4/DAZStudio.exe" "%1"
.
=============== Created Last 30 ================
.
2014-01-05 14:20:54 -------- d-----w- c:\documents and settings\wraithchilde\local settings\application data\Sun
2014-01-05 14:10:06 145408 ----a-w- c:\windows\system32\javacpl.cpl
2014-01-05 14:09:48 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-01-05 12:10:21 7760024 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{65de4406-9ff0-4c7b-8dac-eabd97619033}\mpengine.dll
2014-01-03 12:08:41 -------- d-----w- c:\documents and settings\wraithchilde\application data\Malwarebytes
2014-01-03 12:08:27 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2014-01-03 12:08:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-01-03 02:15:41 -------- d-----w- c:\program files\ESET
2014-01-03 00:11:18 98816 ----a-w- c:\windows\sed.exe
2014-01-03 00:11:18 256000 ----a-w- c:\windows\PEV.exe
2014-01-03 00:11:18 208896 ----a-w- c:\windows\MBR.exe
.
==================== Find3M  ====================
.
2014-01-05 16:26:12 1098252 ----a-w- c:\windows\system32\nvdrsdb1.bin
2014-01-05 16:26:12 1 ----a-w- c:\windows\system32\nvdrssel.bin
2014-01-05 14:35:25 1098252 ----a-w- c:\windows\system32\nvdrsdb0.bin
2013-11-27 04:06:42 10152 ----a-w- c:\windows\system32\drivers\mfeclnrk.sys
2013-11-27 04:06:22 80752 ----a-w- c:\windows\system32\drivers\mfencrk.sys
2013-11-27 04:06:00 319808 ----a-w- c:\windows\system32\drivers\mfencbdc.sys
2013-11-19 10:21:30 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-11-04 23:22:36 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys
2013-11-04 23:16:54 172416 ----a-w- c:\windows\system32\mfevtps.exe
2013-11-04 23:16:14 91736 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2013-11-04 23:12:26 572528 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-11-04 23:11:04 85064 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2013-11-04 23:10:42 365416 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2013-11-04 23:10:02 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2013-11-04 23:09:20 236000 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-11-04 23:08:22 133992 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-10-13 07:25:38 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 07:25:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-13 07:25:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-10-13 07:24:17 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 06:57:59 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 11:17:23.07 ===============

attach.txt

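As an added illustration (not part of RJC's post, and not code from the DDS or FRST tools): the two logs in this thread list services and drivers in slightly different line formats, and the entries that deserve a second look are the ones whose image file cannot be found on disk (DDS marks these `[?]`, FRST `[x]`), whose FRST signer column is empty `()`, whose driver loads from a temp directory, or whose file name looks machine-generated. The Python below parses both formats and produces a review list. The sample input is constructed from lines that appear in this thread; the thresholds in `looks_random` are my own rough heuristic, and a flagged entry is a lead to check, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: service/driver lines in the two formats posted in the
# thread (DDS "SERVICES / DRIVERS" and FRST "Services/Drivers (Whitelisted)").
SAMPLE_LOG = r"""
R?2 mcbootdelaystartsvc;McAfee Boot Delay Start Service;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-1-28 67584]
S2 vmhnavixan;vmhnavixan;\??\c:\windows\system32\drivers\mmdzrgupcuxacl.sys --> c:\windows\system32\drivers\mmdzrgupcuxacl.sys [?]
S3 XDva398;XDva398;\??\c:\windows\system32\xdva398.sys --> c:\windows\system32\XDva398.sys [?]
R2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [572528 2013-11-04] (McAfee, Inc.)
S3 apf003; C:\WINDOWS\system32\apf003.sys [13232 2013-04-09] ()
S2 vmhnavixan; \??\C:\WINDOWS\system32\drivers\mmdzrgupcuxacl.sys [x]
U3 mbr; \??\C:\DOCUME~1\WRAITH~1\LOCALS~1\Temp\mbr.sys [x]
U2 mfewfpk;
"""

ENTRY_RE = re.compile(r"^(?P<state>[RSU]\??\d)\s+(?P<name>[^;]+);(?P<rest>.*)$")
PUBLISHER_RE = re.compile(r"\((?P<pub>[^()]*)\)\s*$")   # FRST trailing "(Vendor)" or "()"
MISSING_RE = re.compile(r"\[(\?|x)\]\s*$")               # DDS "[?]" / FRST "[x]": file not found
BRACKET_RE = re.compile(r"\s*\[[^\]]*\]\s*$")             # "[date size]", "[size date]", "[?]", "[x]"


@dataclass
class Entry:
    state: str
    name: str
    path: str
    publisher: Optional[str]       # None for DDS lines, which carry no signer column
    missing: bool
    reasons: list[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one DDS or FRST service/driver line; return None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    publisher = None
    pm = PUBLISHER_RE.search(rest)
    if pm:
        publisher = pm.group("pub").strip()
        rest = rest[: pm.start()].rstrip()
    missing = bool(MISSING_RE.search(rest))
    rest = BRACKET_RE.sub("", rest)
    # DDS lines read "display name;path --> resolved path"; keep only the final path.
    path = rest.split(";")[-1].split("-->")[-1].strip()
    return Entry(m.group("state"), m.group("name").strip(), path, publisher, missing)


def looks_random(stem: str) -> bool:
    """Coarse heuristic (my own): long, vowel-poor names with a long consonant run."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 10:
        return False
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    return vowel_ratio < 0.25 and longest_run >= 5


def assess(entry: Entry) -> Entry:
    """Attach a human-readable reason for every check the entry trips."""
    stem = re.sub(r"\.[^.]*$", "", entry.path.rsplit("\\", 1)[-1])
    if not entry.path:
        entry.reasons.append("no image path recorded")
    if entry.missing:
        entry.reasons.append("image file not found on disk (orphan or hidden)")
    if entry.publisher == "":
        entry.reasons.append("no publisher/signature information")
    if "\\temp\\" in entry.path.lower():
        entry.reasons.append("loads from a temp directory")
    if looks_random(stem) or looks_random(entry.name):
        entry.reasons.append("random-looking name")
    return entry


def triage(log_text: str) -> list[Entry]:
    """Return only entries that earned at least one reason, most reasons first."""
    entries = [assess(e) for e in map(parse_entry, log_text.splitlines()) if e]
    return sorted((e for e in entries if e.reasons), key=lambda e: -len(e.reasons))


def flagged_names(log_text: str) -> set[str]:
    return {e.name for e in triage(log_text)}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.state:<3} {e.name:<22} {e.path or '<no path>'}")
        for r in e.reasons:
            print(f"      - {r}")
```

Run it as a script to print the review list for the sample, or pass the text of a saved FRST.txt or dds.txt to `triage()`. An orphaned entry can be a leftover from uninstalled software just as easily as a file hidden from the scanner; the log alone cannot tell which, so the output is a list of things to verify on disk, not a list of infections.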

Hello! Welcome to Malwarebytes Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Also

  • Please re-run FRST and type the following in the edit box after Search: rpcss.dll
  • Click the Search button
  • It will make a log (Search.txt). Please post the log in your reply to me (you can use pastebin as well).

Regards,

Georgi

Thank you, Georgi.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-01-2014
Ran by Wraithchilde (administrator) on BOB on 05-01-2014 13:11:54
Running from C:\Documents and Settings\Wraithchilde\Desktop
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

ATTENTION: If processes are not listed WMI should be repaired.

==================== Processes (Whitelisted) ===================

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ehTray] - C:\WINDOWS\ehome\ehtray.exe [59392 2004-08-10] (Microsoft Corporation)
HKLM\...\Run: [AudioDrvEmulator] - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe [49152 2005-11-04] (Creative Technology Ltd.)
HKLM\...\Run: [Cobian Backup 10] - C:\Program Files\Cobian Backup 10\Cobian.exe [421376 2010-04-21] (Luis Cobian, CobianSoft)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [997408 2010-11-30] (Microsoft Corporation)
HKLM\...\Run: [HDAudDeck] - C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe [33628160 2009-06-05] (VIA Technologies, Inc.)
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [nwiz] - C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2586912 2013-06-21] ()
HKLM\...\Run: [mcpltui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [516912 2013-09-24] (McAfee, Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - E:\Program Files\iTunes\iTunesHelper.exe [152392 2013-10-01] (Apple Inc.)
HKLM\...\Run: [VolPanel] - C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe [122880 2005-10-14] (Creative Technology Ltd)
HKLM\...\Run: [updReg] - C:\WINDOWS\Updreg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM\...\Run: [DMXLauncher] - C:\Program Files\Dell\Media Experience\DMXLauncher.exe [94208 2005-10-05] ()
HKLM\...\Run: [DLA] - C:\WINDOWS\system32\DLA\DLACTRLW.EXE [122940 2005-09-08] (Sonic Solutions)
HKLM\...\Run: [CTDVDDET] - C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe [45056 2003-06-18] (Creative Technology Ltd)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Run: [NVIDIA nTune] - C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [81920 2007-04-04] (NVIDIA)
HKCU\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-13] (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
ShortcutTarget: Adobe Gamma Loader.exe.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xC6E91084900DCB01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5854/mcfscan.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 24.196.64.53 68.113.206.10 24.178.162.3

========================== Services (Whitelisted) =================

R2 cbVSCService; C:\Program Files\Cobian Backup 10\cbVSCService.exe [67584 2010-04-21] (CobianSoft, Luis Cobian)
R2 Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [44032 1999-12-13] (Creative Technology Ltd)
S2 DAZContentManagementService; E:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe [18432 2011-05-05] ()
R2 HomeNetSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 MBAMScheduler; E:\Program Files\MalwarebytesAnti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; E:\Program Files\MalwarebytesAnti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [103112 2013-11-07] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [145088 2013-11-28] (McAfee, Inc.)
R2 mcbootdelaystartsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [471592 2013-08-02] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [643608 2013-11-26] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-11-04] (McAfee, Inc.)
R2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [172416 2013-11-04] (McAfee, Inc.)
R2 mi-raysat_3dsmax2011_32; C:\Program Files\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe [86016 2010-03-10] ()
R2 MSK80Service; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [11736 2010-11-11] (Microsoft Corporation)
R2 nTuneService; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [126976 2007-04-04] (NVIDIA)
S3 usprserv; C:\Windows\System32\svchost.exe [14336 2008-04-13] (Microsoft Corporation)
R2 wsnm; C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe [494192 2011-09-07] (VMware, Inc.)
S2 wsnm_usbctrl; C:\Program Files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [797296 2011-09-07] (VMware, Inc.)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"

==================== Drivers (Whitelisted) ====================

S4 abp480n5; C:\Windows\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S3 apf003; C:\WINDOWS\system32\apf003.sys [13232 2013-04-09] ()
R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [271360 2007-07-28] ()
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-11-04] (McAfee, Inc.)
S3 ctdvda2k; C:\Windows\System32\drivers\ctdvda2k.sys [340704 2005-07-13] (Creative Technology Ltd)
R2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [25628 2005-09-08] (Sonic Solutions)
R1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions)
R2 DLADResN; C:\Windows\System32\DLA\DLADResN.SYS [2496 2005-09-08] (Sonic Solutions)
R2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [86524 2005-09-08] (Sonic Solutions)
R2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [14684 2005-09-08] (Sonic Solutions)
R2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [6364 2005-09-08] (Sonic Solutions)
R1 DLARTL_N; C:\Windows\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions)
R2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [94332 2005-09-08] (Sonic Solutions)
R2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [87036 2005-09-08] (Sonic Solutions)
R2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [239168 2012-01-21] (DT Soft Ltd)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [147912 2013-09-23] (McAfee, Inc.)
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [18048 2007-07-28] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R2 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133992 2013-11-04] (McAfee, Inc.)
R2 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [236000 2013-11-04] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-11-04] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [365416 2013-11-04] (McAfee, Inc.)
R2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [572528 2013-11-04] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [319808 2013-11-26] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [80752 2013-11-26] (McAfee, Inc.)
S3 mfendisk; C:\Windows\System32\DRIVERS\mfendisk.sys [85064 2013-11-04] (McAfee, Inc.)
R3 mfendiskmp; C:\Windows\System32\DRIVERS\mfendisk.sys [85064 2013-11-04] (McAfee, Inc.)
R1 mfetdi2k; C:\Windows\System32\drivers\mfetdi2k.sys [91736 2013-11-04] (McAfee, Inc.)
R3 monfilt; C:\Windows\System32\drivers\monfilt.sys [1389056 2008-02-14] (Creative Technology Ltd.)
R1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165264 2010-10-24] (Microsoft Corporation)
R0 nvatabus; C:\Windows\System32\DRIVERS\NVATABUS.SYS [105472 2010-04-18] (NVIDIA Corporation)
S3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [124264 2013-02-18] (NVIDIA Corporation)
R3 NVR0Dev; C:\WINDOWS\nvoclock.sys [6912 2007-04-04] (NVidia Corp.)
R3 SCREAMINGBDRIVER; C:\Windows\System32\drivers\ScreamingBAudio.sys [23064 2008-11-22] (Screaming Bee LLC)
R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1374464 2009-06-02] (VIA Technologies, Inc.)
R3 vmwvusb; C:\Windows\System32\Drivers\vmwvusb.sys [40048 2011-09-07] (VMware, Inc.)
R3 WmBEnum; C:\Windows\System32\drivers\WmBEnum.sys [10144 2005-04-12] (Logitech Inc.)
S3 WmFilter; C:\Windows\System32\drivers\WmFilter.sys [22240 2005-04-12] (Logitech Inc.)
S3 WmVirHid; C:\Windows\System32\drivers\WmVirHid.sys [5600 2005-04-12] (Logitech Inc.)
R3 WmXlCore; C:\Windows\System32\drivers\WmXlCore.sys [45504 2005-04-12] (Logitech Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
U2 mfewfpk;
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S2 vmhnavixan; \??\C:\WINDOWS\system32\drivers\mmdzrgupcuxacl.sys [x]
S3 XDva398; \??\C:\WINDOWS\system32\XDva398.sys [x]
U3 mbr; \??\C:\DOCUME~1\WRAITH~1\LOCALS~1\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2014-01-05 13:05 - 2014-01-05 13:07 - 00023462 _____ C:\Documents and Settings\Wraithchilde\Desktop\Addition.txt
2014-01-05 13:01 - 2014-01-05 13:12 - 00013595 _____ C:\Documents and Settings\Wraithchilde\Desktop\FRST.txt
2014-01-05 12:59 - 2014-01-05 12:59 - 00000000 ____D C:\FRST
2014-01-05 12:58 - 2014-01-05 12:58 - 01064761 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FRST.exe
2014-01-05 10:55 - 2014-01-05 10:58 - 00012270 _____ C:\WINDOWS\KB2888505-IE8.log
2014-01-05 08:20 - 2014-01-05 08:20 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Sun
2014-01-05 08:10 - 2014-01-05 08:10 - 00000000 ____D C:\Program Files\Common Files\Java
2014-01-05 08:10 - 2014-01-05 08:09 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-01-05 08:10 - 2014-01-05 08:09 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-01-05 08:09 - 2014-01-05 08:09 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00174504 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-01-05 08:09 - 2014-01-05 08:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-01-04 06:10 - 2014-01-05 11:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
2014-01-03 06:08 - 2014-01-03 06:08 - 00000650 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Malwarebytes
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-01-03 06:08 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-01-02 20:15 - 2014-01-02 20:15 - 00000000 ____D C:\Program Files\ESET
2014-01-02 19:57 - 2014-01-05 11:17 - 00021817 _____ C:\Documents and Settings\Wraithchilde\Desktop\attach.txt
2014-01-02 19:57 - 2014-01-05 11:17 - 00016066 _____ C:\Documents and Settings\Wraithchilde\Desktop\dds.txt
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SYSTEM.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2014-01-02 18:11 - 2011-06-26 00:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2014-01-02 18:11 - 2010-11-07 11:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2014-01-02 18:11 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00098816 _____ C:\WINDOWS\sed.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00080412 _____ C:\WINDOWS\grep.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00068096 _____ C:\WINDOWS\zip.exe
2014-01-02 18:09 - 2014-01-02 18:33 - 00000000 ____D C:\Qoobox
2014-01-02 18:08 - 2014-01-02 18:30 - 00000000 ____D C:\WINDOWS\erdnt
2014-01-02 12:44 - 2014-01-02 12:44 - 00028672 _____ C:\WINDOWS\system32\gwbxgwx.ner
2014-01-02 12:34 - 2014-01-05 12:10 - 00000081 _____ C:\WINDOWS\system32\wbwd.vmy
2014-01-02 12:31 - 2014-01-02 12:44 - 00000102 _____ C:\WINDOWS\system32\ryer.xah
2014-01-02 12:31 - 2014-01-02 12:31 - 00000064 _____ C:\WINDOWS\system32\pecdt.jfe
2014-01-01 15:22 - 2014-01-02 06:45 - 00065536 _____ C:\WINDOWS\system32\config\Cobian B.evt
2013-12-28 15:11 - 2013-12-28 15:11 - 00101213 ____S C:\WINDOWS\system32\pydray.bma
2013-12-28 07:36 - 2013-12-28 07:36 - 00000853 ____N C:\Documents and Settings\All Users\Desktop\Firestorm-Beta.lnk

==================== One Month Modified Files and Folders =======

2014-01-05 13:12 - 2014-01-05 13:01 - 00013595 _____ C:\Documents and Settings\Wraithchilde\Desktop\FRST.txt
2014-01-05 13:12 - 2013-05-10 14:01 - 00007252 _____ C:\WINDOWS\system32\nvAppTimestamps
2014-01-05 13:12 - 2010-03-01 08:19 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2014-01-05 13:07 - 2014-01-05 13:05 - 00023462 _____ C:\Documents and Settings\Wraithchilde\Desktop\Addition.txt
2014-01-05 12:59 - 2014-01-05 12:59 - 00000000 ____D C:\FRST
2014-01-05 12:58 - 2014-01-05 12:58 - 01064761 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FRST.exe
2014-01-05 12:57 - 2012-01-30 12:56 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Firestorm
2014-01-05 12:50 - 2012-03-29 04:20 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-01-05 12:42 - 2013-07-11 09:46 - 01098252 _____ C:\WINDOWS\system32\nvdrsdb0.bin
2014-01-05 12:42 - 2013-07-11 09:46 - 00000001 _____ C:\WINDOWS\system32\nvdrssel.bin
2014-01-05 12:10 - 2014-01-02 12:34 - 00000081 _____ C:\WINDOWS\system32\wbwd.vmy
2014-01-05 11:17 - 2014-01-02 19:57 - 00021817 _____ C:\Documents and Settings\Wraithchilde\Desktop\attach.txt
2014-01-05 11:17 - 2014-01-02 19:57 - 00016066 _____ C:\Documents and Settings\Wraithchilde\Desktop\dds.txt
2014-01-05 11:09 - 2014-01-04 06:10 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
2014-01-05 11:09 - 2013-08-26 17:29 - 00001611 _____ C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
2014-01-05 11:07 - 2011-01-29 12:24 - 00000424 ____H C:\WINDOWS\Tasks\MP Scheduled Scan.job
2014-01-05 11:07 - 2011-01-12 14:39 - 00000506 _____ C:\Documents and Settings\Wraithchilde\Desktop\Misc Notes.txt
2014-01-05 11:05 - 2005-08-16 03:38 - 00000000 ____D C:\WINDOWS\Registration
2014-01-05 11:03 - 2005-08-16 03:40 - 01259446 _____ C:\WINDOWS\WindowsUpdate.log
2014-01-05 11:01 - 2005-08-16 03:35 - 00000159 _____ C:\WINDOWS\wiadebug.log
2014-01-05 11:01 - 2005-08-16 03:35 - 00000048 _____ C:\WINDOWS\wiaservc.log
2014-01-05 11:00 - 2005-08-16 03:49 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2014-01-05 10:58 - 2014-01-05 10:55 - 00012270 _____ C:\WINDOWS\KB2888505-IE8.log
2014-01-05 10:58 - 2007-06-02 11:31 - 00000178 ___SH C:\Documents and Settings\Wraithchilde\ntuser.ini
2014-01-05 10:58 - 2005-08-16 03:49 - 00032422 _____ C:\WINDOWS\SchedLgU.Txt
2014-01-05 10:58 - 2005-08-16 03:33 - 01408683 _____ C:\WINDOWS\iis6.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00563217 _____ C:\WINDOWS\tsoc.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00410176 _____ C:\WINDOWS\comsetup.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00249840 _____ C:\WINDOWS\ntdtcsetup.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00179312 _____ C:\WINDOWS\MedCtrOC.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00070146 _____ C:\WINDOWS\ehOCGen.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00067313 _____ C:\WINDOWS\ocmsn.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00060540 _____ C:\WINDOWS\tabletoc.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00001355 _____ C:\WINDOWS\imsins.log
2014-01-05 10:57 - 2005-08-16 20:04 - 00244755 _____ C:\WINDOWS\updspapi.log
2014-01-05 10:57 - 2005-08-16 03:33 - 01220207 _____ C:\WINDOWS\FaxSetup.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00606827 _____ C:\WINDOWS\ocgen.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00385812 _____ C:\WINDOWS\msmqinst.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00225716 _____ C:\WINDOWS\netfxocm.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00144724 _____ C:\WINDOWS\plusoc.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00061129 _____ C:\WINDOWS\msgsocm.log
2014-01-05 10:56 - 2010-04-15 15:16 - 00000000 ____D C:\WINDOWS\ie8updates
2014-01-05 10:49 - 2014-01-05 10:49 - 00003038 _____ C:\Documents and Settings\Wraithchilde\Desktop\fix_svchost.bat
2014-01-05 10:26 - 2013-07-11 09:46 - 01098252 _____ C:\WINDOWS\system32\nvdrsdb1.bin
2014-01-05 08:20 - 2014-01-05 08:20 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Sun
2014-01-05 08:10 - 2014-01-05 08:10 - 00000000 ____D C:\Program Files\Common Files\Java
2014-01-05 08:09 - 2014-01-05 08:10 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-01-05 08:09 - 2014-01-05 08:10 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-01-05 08:09 - 2014-01-05 08:09 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00174504 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-01-05 08:09 - 2014-01-05 08:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-01-05 08:08 - 2007-05-16 07:33 - 00000000 ____D C:\Program Files\Java
2014-01-05 08:00 - 2013-08-26 17:27 - 00000000 ____D C:\Program Files\McAfee
2014-01-05 08:00 - 2013-08-26 17:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\McAfee
2014-01-05 06:36 - 2010-05-01 13:57 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Adobe
2014-01-05 06:36 - 2007-05-16 07:45 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-01-05 06:36 - 2007-05-16 07:45 - 00000000 ____D C:\Program Files\Adobe
2014-01-04 06:47 - 2009-04-11 06:23 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Second Life
2014-01-04 06:19 - 2007-05-16 07:21 - 00000209 ___SH C:\boot.ini
2014-01-04 06:19 - 2005-08-16 03:18 - 00000602 _____ C:\WINDOWS\win.ini
2014-01-04 06:19 - 2005-08-16 03:18 - 00000227 _____ C:\WINDOWS\system.ini
2014-01-04 05:53 - 2009-08-20 12:16 - 00000000 ____D C:\WINDOWS\pss
2014-01-03 16:14 - 2007-06-07 19:43 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Misc
2014-01-03 11:55 - 2012-01-22 04:18 - 00284373 _____ C:\WINDOWS\setupapi.log
2014-01-03 07:45 - 2005-08-16 03:22 - 00000000 ____D C:\WINDOWS\Resources
2014-01-03 06:08 - 2014-01-03 06:08 - 00000650 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Malwarebytes
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-01-03 01:07 - 2005-08-16 03:49 - 00000000 __SHD C:\Documents and Settings\NetworkService
2014-01-02 20:15 - 2014-01-02 20:15 - 00000000 ____D C:\Program Files\ESET
2014-01-02 19:03 - 2014-01-02 18:33 - 00020425 _____ C:\ComboFix1.txt
2014-01-02 18:33 - 2014-01-02 18:09 - 00000000 ____D C:\Qoobox
2014-01-02 18:30 - 2014-01-02 18:08 - 00000000 ____D C:\WINDOWS\erdnt
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SYSTEM.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2014-01-02 18:21 - 2013-06-07 09:08 - 41943040 _____ C:\WINDOWS\system32\config\SOFTWARE.bak
2014-01-02 18:21 - 2007-05-16 14:19 - 14417920 _____ C:\WINDOWS\system32\config\SYSTEM.bak
2014-01-02 18:21 - 2005-08-15 22:27 - 01048576 _____ C:\WINDOWS\system32\config\DEFAULT.bak
2014-01-02 18:21 - 2005-08-15 22:27 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY.bak
2014-01-02 18:21 - 2005-08-15 22:27 - 00262144 _____ C:\WINDOWS\system32\config\SAM.bak
2014-01-02 18:19 - 2007-06-02 11:31 - 00000000 ____D C:\Documents and Settings\Wraithchilde
2014-01-02 18:01 - 2010-08-07 22:06 - 00011958 _____ C:\Documents and Settings\Wraithchilde\My Documents\hijackthis.log
2014-01-02 17:12 - 2005-08-16 03:18 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2014-01-02 15:00 - 2009-11-19 21:37 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\vlc
2014-01-02 12:44 - 2014-01-02 12:44 - 00028672 _____ C:\WINDOWS\system32\gwbxgwx.ner
2014-01-02 12:44 - 2014-01-02 12:31 - 00000102 _____ C:\WINDOWS\system32\ryer.xah
2014-01-02 12:31 - 2014-01-02 12:31 - 00000064 _____ C:\WINDOWS\system32\pecdt.jfe
2014-01-02 06:45 - 2014-01-01 15:22 - 00065536 _____ C:\WINDOWS\system32\config\Cobian B.evt
2014-01-01 07:12 - 2005-08-16 03:22 - 00000000 ____D C:\WINDOWS\repair
2013-12-30 11:26 - 2007-06-03 04:00 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Adobe
2013-12-28 15:11 - 2013-12-28 15:11 - 00101213 ____S C:\WINDOWS\system32\pydray.bma
2013-12-28 07:36 - 2013-12-28 07:36 - 00000853 ____N C:\Documents and Settings\All Users\Desktop\Firestorm-Beta.lnk
2013-12-27 15:48 - 2013-08-26 17:20 - 00000000 ____D C:\Program Files\Common Files\McAfee
2013-12-23 12:26 - 2008-03-16 17:34 - 00000000 __SHD C:\WINDOWS\CSC
2013-12-20 06:42 - 2007-07-17 14:38 - 00000230 _____ C:\WINDOWS\CTWave32.ini
2013-12-20 06:37 - 2007-07-17 14:20 - 00000072 _____ C:\WINDOWS\sbwin.ini
2013-12-18 18:22 - 2005-08-16 03:33 - 00574102 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-12-13 13:30 - 2007-06-03 07:21 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Projects

Files to move or delete:
====================
C:\Documents and Settings\Wraithchilde\random.dat

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2005-08-16 03:18] - [2009-02-09 06:10] - 0401408 ____A (Microsoft Corporation) 53685605a29b5ad32463b903ed7bb136

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Addition.txt

Farbar Recovery Scan Tool (x86) Version: 04-01-2014
Ran by Wraithchilde at 2014-01-05 13:14:25
Running from C:\Documents and Settings\Wraithchilde\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll
[2005-08-16 03:18] - [2009-02-09 06:10] - 0401408 ____A (Microsoft Corporation) 53685605a29b5ad32463b903ed7bb136

C:\WINDOWS\system32\dllcache\rpcss.dll
[2005-08-16 03:18] - [2009-02-09 06:10] - 0401408 ____A (Microsoft Corporation) a58eae6c65b8a66e6cd49ed1308050bf

C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2009-05-01 21:55] - [2008-04-13 18:12] - 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2009-05-02 02:01] - [2008-04-13 18:12] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$NtUninstallKB902400$\rpcss.dll
[2007-06-04 02:01] - [2005-04-28 13:31] - 0395776 ____C (Microsoft Corporation) c8061f289e000703e7672916b7fe1571

C:\WINDOWS\$NtUninstallKB894391$\rpcss.dll
[2007-06-04 02:00] - [2004-08-10 04:00] - 0395776 ____C (Microsoft Corporation) 5c83a4408604f737717ab96371201680

C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll
[2009-05-01 21:59] - [2005-07-25 22:39] - 0397824 ____C (Microsoft Corporation) ce94a2bd25e3e9f4d46a7373ff455c6d

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2009-05-02 00:31] - [2009-02-09 04:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2

C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[2005-07-25 22:20] - [2005-07-25 22:20] - 0398336 ____A (Microsoft Corporation) c369df215d352b6f3a0b8c3469aa34f8

C:\WINDOWS\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[2005-04-28 13:35] - [2005-04-28 13:35] - 0396288 ____A (Microsoft Corporation) da383fb39a6f1c445f3afc94b3eb1248

C:\i386\rpcss.dll
[2007-06-04 14:51] - [2005-07-25 22:39] - 0397824 ____A (Microsoft Corporation) ce94a2bd25e3e9f4d46a7373ff455c6d

=== End Of Search ===

 

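The `Search: "rpcss.dll"` block above is the evidence the whole fix rests on. Windows XP keeps several copies of a core DLL (the live one in system32, the Windows File Protection cache in dllcache, and offline copies under ServicePackFiles, $hf_mig$ and $NtUninstallKB...$), and a file infector that patches the live copy normally preserves its size and timestamp, so the tell is two copies with identical size and modification time but different MD5s. That is exactly what the search shows for system32 and dllcache (the cache copy is commonly patched too, so WFP does not restore the file); FRST's own MD5 database, in the "Bamital & volsnap Check" above, singles out the system32 copy, and the fix later in the thread replaces both from the $hf_mig$ copy. The script below is an added example written for this thread, not FRST's code and not from the original post: it parses such a search block, groups copies by size and modification time, and flags groups whose members disagree on MD5. Copies with different modification times can legitimately differ (GDR versus QFE builds of the same update), so it only compares within a group unless you hand it a set of known-good hashes, which you would have to collect from a clean machine at the same patch level (an assumption, not something on this page).

```python
"""Cross-check the copies of one system DLL listed by an FRST 'Search:' block.

Added example for this thread; not part of FRST and not from the original post.
Heuristic: copies that share size and modification time should share an MD5.
A group where they do not contains at least one altered file. Which member is
the bad one cannot be decided from the hashes alone; use a known-good list
(assumed to come from a clean machine at the same patch level) or, as FRST
does, a database of legitimate hashes.
"""
import re
from collections import defaultdict

# Constructed sample: five of the entries from the search block posted above.
FRST_SEARCH = r"""
C:\WINDOWS\system32\rpcss.dll
[2005-08-16 03:18] - [2009-02-09 06:10] - 0401408 ____A (Microsoft Corporation) 53685605a29b5ad32463b903ed7bb136

C:\WINDOWS\system32\dllcache\rpcss.dll
[2005-08-16 03:18] - [2009-02-09 06:10] - 0401408 ____A (Microsoft Corporation) a58eae6c65b8a66e6cd49ed1308050bf

C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2009-05-01 21:55] - [2008-04-13 18:12] - 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2009-05-02 02:01] - [2008-04-13 18:12] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2009-05-02 00:31] - [2009-02-09 04:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2
"""

# "[created] - [modified] - size attrs (company) md5"; the md5 is optional
# because FRST omits it for files it cannot read.
SEARCH_LINE = re.compile(
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\)(?: (?P<md5>[0-9a-fA-F]{32}))?"
)
PATH_LINE = re.compile(r"^[A-Za-z]:\\")


def parse_frst_search(text):
    """Return one dict per file: path, created, modified, size, attrs, company, md5."""
    entries = []
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_LINE.match(line):  # a path line precedes its detail line
            path = line
            continue
        m = SEARCH_LINE.match(line)
        if m and path:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = (e["md5"] or "").lower()
            e["path"] = path
            entries.append(e)
            path = None
    return entries


def find_inconsistent(entries):
    """Map (size, modified) -> {md5: [paths]} for groups with more than one MD5."""
    groups = defaultdict(dict)
    for e in entries:
        groups[(e["size"], e["modified"])].setdefault(e["md5"], []).append(e["path"])
    return {key: hashes for key, hashes in groups.items() if len(hashes) > 1}


def suspicious_copies(entries, known_good=None):
    """Paths to treat as altered: not in known_good if given, else in a split group."""
    if known_good:
        good = {h.lower() for h in known_good}
        return [e["path"] for e in entries if e["md5"] not in good]
    bad = find_inconsistent(entries)
    return [e["path"] for e in entries if (e["size"], e["modified"]) in bad]


if __name__ == "__main__":
    found = parse_frst_search(FRST_SEARCH)
    for (size, mtime), hashes in find_inconsistent(found).items():
        print("size %d modified %s: %d different MD5s" % (size, mtime, len(hashes)))
        for md5, paths in hashes.items():
            print("  %s  %s" % (md5, ", ".join(paths)))
    print("suspicious:", suspicious_copies(found))
```

Run it against the pasted search block; the two system32 copies come out in one split group while the two SP3-build copies agree with each other, which is the same conclusion the fixlist acts on.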

Hello,

 

First please create a new System Restore Point

http://support.microsoft.com/kb/948247

 

If you have an installation CD with XP go ahead and install the Recovery Console for XP (just in case before you proceed):

http://support.microsoft.com/kb/307654

 

 

Next please download the following file => fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Also please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press the "Scan" button.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

 

 

Regards,

Georgi


A strange file with unicode characters for a name was created on the desktop.  Not sure where that came from.

 

CPU usage from System and svchost seems to have calmed down a bit.  Still took a very long time to reboot.

 

No blocked website message so far.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 04-01-2014
Ran by Wraithchilde at 2014-01-05 14:24:38 Run:1
Running from C:\Documents and Settings\Wraithchilde\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S2 vmhnavixan; \??\C:\WINDOWS\system32\drivers\mmdzrgupcuxacl.sys [x]
C:\WINDOWS\system32\drivers\mmdzrgupcuxacl.sys
U3 mbr; \??\C:\DOCUME~1\WRAITH~1\LOCALS~1\Temp\mbr.sys [x]
2014-01-02 12:44 - 2014-01-02 12:44 - 00028672 _____ C:\WINDOWS\system32\gwbxgwx.ner
2014-01-02 12:34 - 2014-01-05 12:10 - 00000081 _____ C:\WINDOWS\system32\wbwd.vmy
2014-01-02 12:31 - 2014-01-02 12:44 - 00000102 _____ C:\WINDOWS\system32\ryer.xah
2014-01-02 12:31 - 2014-01-02 12:31 - 00000064 _____ C:\WINDOWS\system32\pecdt.jfe
2013-12-28 15:11 - 2013-12-28 15:11 - 00101213 ____S C:\WINDOWS\system32\pydray.bma
Replace: C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll C:\WINDOWS\system32\rpcss.dll
Replace: C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll C:\WINDOWS\system32\dllcache\rpcss.dll
end
*****************

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
catchme => Service deleted successfully.
vmhnavixan => Service deleted successfully.
"C:\WINDOWS\system32\drivers\mmdzrgupcuxacl.sys" => File/Directory not found.
mbr => Service deleted successfully.
C:\WINDOWS\system32\gwbxgwx.ner => Moved successfully.
C:\WINDOWS\system32\wbwd.vmy => Moved successfully.
C:\WINDOWS\system32\ryer.xah => Moved successfully.
C:\WINDOWS\system32\pecdt.jfe => Moved successfully.
Could not move "C:\WINDOWS\system32\pydray.bma" => Scheduled to move on reboot.
C:\WINDOWS\system32\rpcss.dll => Moved successfully.
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll copied successfully to C:\WINDOWS\system32\rpcss.dll
"C:\WINDOWS\system32\dllcache\rpcss.dll" => Could not move.
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll copied successfully to C:\WINDOWS\system32\dllcache\rpcss.dll

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-05 14:28:29)<=

C:\WINDOWS\system32\pydray.bma => Is moved successfully.

==== End of Fixlog ====

 

 

 

Farbar Service Scanner Version: 05-12-2013
Ran by Wraithchilde (administrator) on 05-01-2014 at 14:47:12
Running from "C:\Documents and Settings\Wraithchilde\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) mfetdi2k(8) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

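The "Extra List" at the end of the Farbar Service Scanner log is the one part of that output that is not self-explanatory. The names with numbers are the Tag values of the network drivers, and the hex blob is the load-order list those tags must appear in; FSS reports "IpSec Tag value is correct" when the IPSec tag is present, because a missing tag there leaves TCP/IP unable to start. The decoder below is an added example written for this thread, not FSS code and not from the original post. It assumes (FSS does not say so) that the blob is the REG_BINARY value `HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\PNP_TDI`: a little-endian DWORD count followed by that many DWORD tags.

```python
"""Decode and check the 'Extra List' printed by Farbar Service Scanner.

Added example for this thread; not FSS code and not from the original post.
Assumed layout (the standard GroupOrderList format; FSS does not name the
key): DWORD count, then `count` little-endian DWORD Tag values. The first
line lists each network driver's Tag as Name(tag).
"""
import re
import struct

# Constructed sample: the two lines from the FSS log posted above.
FSS_EXTRA_LIST = """\
Gpc(6) IPSec(4) mfetdi2k(8) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
"""


def parse_tags(line):
    """'Gpc(6) IPSec(4) ...' -> {'Gpc': 6, 'IPSec': 4, ...}"""
    return {name: int(tag) for name, tag in re.findall(r"(\w+)\((\d+)\)", line)}


def decode_group_order(hexblob):
    """Return the ordered list of tags in a GroupOrderList-style blob."""
    hexdigits = hexblob[2:] if hexblob.lower().startswith("0x") else hexblob
    data = bytes.fromhex(hexdigits)
    if len(data) < 4 or len(data) % 4:
        raise ValueError("blob is not a whole number of DWORDs")
    count = struct.unpack_from("<I", data, 0)[0]
    if 4 + 4 * count != len(data):  # count must account for every remaining DWORD
        raise ValueError("count %d does not match blob length %d" % (count, len(data)))
    return list(struct.unpack_from("<%dI" % count, data, 4))


def check_extra_list(text):
    """Decode both lines and report tags that are missing from, or repeated in, the order."""
    lines = [l for l in text.splitlines() if l.strip()]
    tags = parse_tags(lines[0])
    order = decode_group_order(lines[1])
    missing = sorted(name for name, tag in tags.items() if tag not in order)
    duplicates = sorted({tag for tag in order if order.count(tag) > 1})
    return {"order": order, "tags": tags, "missing": missing, "duplicates": duplicates}


if __name__ == "__main__":
    result = check_extra_list(FSS_EXTRA_LIST)
    print("load order:", result["order"])
    print("missing tags:", result["missing"] or "none")
    print("duplicate tags:", result["duplicates"] or "none")
```

On the posted log every listed driver's tag is present exactly once, which is what FSS summarises as the IPSec tag being correct; the same check on a blob with the IPSec entry stripped names the missing driver.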

Hi,

 

You can delete the unicode file from the desktop manually. It was created when we replaced the patched rpcss.dll with a clean copy.

As for the slow boot you can try the following:

 

 

Use Disk Cleanup to delete files you no longer need and reclaim storage space on your computer.


Open Disk Cleanup by clicking the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Cleanup.

If the Disk Cleanup: Drive Selection dialog box appears, select the hard disk drive that you want to clean up, and then click OK.

Click the Disk Cleanup tab, and then select the check boxes for the files you want to delete.

When you finish selecting the files you want to delete, click OK, and then click Delete files to confirm the operation. Disk Cleanup proceeds to remove all unnecessary files from your computer.



You can do a defragmentation to rearrange files and unused space on your hard disk so that programs run faster


Please download MyDefrag.

Double-click the file to install the program, then double-click the "MyDefrag.exe" to run the program.

Click on "System Disk Monthly" and check the box for your C: drive. Next, click the Run button at the bottom.

This process can take up to an hour or even more!

When it is done, it will display finished on the screen.

Close the program by clicking on the red cross.

Please remember to reboot when the scan completes.




Use MSConfig to disable any processes that you do not want running in the background of the computer.



Please type msconfig in the start => Run box, then hit enter.

Go to the startup tab and then uncheck any programs that you don't need to load with Windows.

Click the "Apply" button and click "OK" to close the MSCONFIG window.

Restart your computer to save the changes you made to the Startup.

You might have a popup window when you log on. This is typical. Just click ok. You can also make the popup window not come up anymore by checking the box there.

The programs you removed will no longer automatically launch once Windows starts up.
 

 

 

When done please reboot the computer and see if there any differences.

 

 

Next let's try to fix the WMI service:

 

Backup Your Registry
 

 

Now download the following files and save them to your desktop:

Wmi.reg

 

Now double click on it. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

 

Reboot the computer and run a new scan with FRST then post the logs in your next reply.

 

 

 

Also please download the Process Explorer from the following link
Extract the zip file and double click the procexp.exe file.
From the View menu, please point to "Lower Pane view" and select DLLs.

From the View menu, please point to "Select Columns" and put a checkbox beside the following:

Description, Company Name, Image Path, Command Line, Autostart Location and click OK

Now select the process which uses high cpu and double click it.

Click on the Threads tab and make a screenshot of the window.

Now click on the Stack button and make a screenshot of the window.

Click on the Services tab (if such is available for the selected process) and make a screenshot of the window.

Click OK and from the File menu, please select Save as to save the log file from process explorer.
Next please post that log along with the screenshots in your next reply for my review.

 

 

Regards,

Georgi


Disk cleanup: After about 4 hours the PC crashed with "Unknown hard error".  It rebooted ok.  This is an old PC and the HD is a bit slow.  I will get a Windows 8 PC in a few months (since XP will no longer be supported) so I'm not concerned much about the HD performance.

 

msconfig: There is nothing I want to remove.  Some things I do after reboot, like sync my tablet and backup, then I kill the processes manually.

 

Process explorer:  System idle process is at 99% now so there is nothing to show.  The svchost problem seems to be gone.

 

FRST: Merged the Wmi.reg and scanned.  Here is the log.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-01-2014
Ran by Wraithchilde (administrator) on BOB on 06-01-2014 09:23:57
Running from C:\Documents and Settings\Wraithchilde\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
(Creative Technology Ltd.) C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(VIA Technologies, Inc.) C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(CobianSoft, Luis Cobian) C:\Program Files\Cobian Backup 10\cbVSCService.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CTSVCCDA.EXE
(Microsoft Corporation) C:\WINDOWS\ehome\ehrecvr.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehSched.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Apple Inc.) E:\Program Files\iTunes\iTunesHelper.exe
() C:\Program Files\Dell\Media Experience\DMXLauncher.exe
(Sonic Solutions) C:\WINDOWS\system32\DLA\DLACTRLW.EXE
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(Creative Technology Ltd) C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Malwarebytes Corporation) E:\Program Files\MalwarebytesAnti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) E:\Program Files\MalwarebytesAnti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(Malwarebytes Corporation) E:\Program Files\MalwarebytesAnti-Malware\mbamgui.exe
(McAfee, Inc.) C:\WINDOWS\system32\mfevtps.exe
() C:\Program Files\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe
(NVIDIA) C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(VMware, Inc.) C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(Microsoft Corporation) C:\WINDOWS\ehome\mcrdsvc.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(VMware, Inc.) C:\Program Files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehmsas.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ehTray] - C:\WINDOWS\ehome\ehtray.exe [59392 2004-08-10] (Microsoft Corporation)
HKLM\...\Run: [AudioDrvEmulator] - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe [49152 2005-11-04] (Creative Technology Ltd.)
HKLM\...\Run: [Cobian Backup 10] - C:\Program Files\Cobian Backup 10\Cobian.exe [421376 2010-04-21] (Luis Cobian, CobianSoft)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [997408 2010-11-30] (Microsoft Corporation)
HKLM\...\Run: [HDAudDeck] - C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe [33628160 2009-06-05] (VIA Technologies, Inc.)
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [nwiz] - C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2586912 2013-06-21] ()
HKLM\...\Run: [mcpltui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [516912 2013-09-24] (McAfee, Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - E:\Program Files\iTunes\iTunesHelper.exe [152392 2013-10-01] (Apple Inc.)
HKLM\...\Run: [VolPanel] - C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe [122880 2005-10-14] (Creative Technology Ltd)
HKLM\...\Run: [updReg] - C:\WINDOWS\Updreg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM\...\Run: [DMXLauncher] - C:\Program Files\Dell\Media Experience\DMXLauncher.exe [94208 2005-10-05] ()
HKLM\...\Run: [DLA] - C:\WINDOWS\system32\DLA\DLACTRLW.EXE [122940 2005-09-08] (Sonic Solutions)
HKLM\...\Run: [CTDVDDET] - C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe [45056 2003-06-18] (Creative Technology Ltd)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Run: [NVIDIA nTune] - C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [81920 2007-04-04] (NVIDIA)
HKCU\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-13] (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
ShortcutTarget: Adobe Gamma Loader.exe.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xC6E91084900DCB01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5854/mcfscan.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 24.196.64.53 68.113.206.10 24.178.162.3

========================== Services (Whitelisted) =================

R2 cbVSCService; C:\Program Files\Cobian Backup 10\cbVSCService.exe [67584 2010-04-21] (CobianSoft, Luis Cobian)
R2 Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [44032 1999-12-13] (Creative Technology Ltd)
S2 DAZContentManagementService; E:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe [18432 2011-05-05] ()
R2 HomeNetSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 MBAMScheduler; E:\Program Files\MalwarebytesAnti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; E:\Program Files\MalwarebytesAnti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [103112 2013-11-07] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [145088 2013-11-28] (McAfee, Inc.)
R2 mcbootdelaystartsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [471592 2013-08-02] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [643608 2013-11-26] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-11-04] (McAfee, Inc.)
R2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [172416 2013-11-04] (McAfee, Inc.)
R2 mi-raysat_3dsmax2011_32; C:\Program Files\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe [86016 2010-03-10] ()
R2 MSK80Service; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [11736 2010-11-11] (Microsoft Corporation)
R2 nTuneService; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [126976 2007-04-04] (NVIDIA)
S3 usprserv; C:\Windows\System32\svchost.exe [14336 2008-04-13] (Microsoft Corporation)
R2 wsnm; C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe [494192 2011-09-07] (VMware, Inc.)
R2 wsnm_usbctrl; C:\Program Files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [797296 2011-09-07] (VMware, Inc.)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"

==================== Drivers (Whitelisted) ====================

S4 abp480n5; C:\Windows\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S3 apf003; C:\WINDOWS\system32\apf003.sys [13232 2013-04-09] ()
R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [271360 2007-07-28] ()
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-11-04] (McAfee, Inc.)
S3 ctdvda2k; C:\Windows\System32\drivers\ctdvda2k.sys [340704 2005-07-13] (Creative Technology Ltd)
R2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [25628 2005-09-08] (Sonic Solutions)
R1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions)
R2 DLADResN; C:\Windows\System32\DLA\DLADResN.SYS [2496 2005-09-08] (Sonic Solutions)
R2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [86524 2005-09-08] (Sonic Solutions)
R2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [14684 2005-09-08] (Sonic Solutions)
R2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [6364 2005-09-08] (Sonic Solutions)
R1 DLARTL_N; C:\Windows\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions)
R2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [94332 2005-09-08] (Sonic Solutions)
R2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [87036 2005-09-08] (Sonic Solutions)
R2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [239168 2012-01-21] (DT Soft Ltd)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [147912 2013-09-23] (McAfee, Inc.)
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [18048 2007-07-28] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R2 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133992 2013-11-04] (McAfee, Inc.)
R2 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [236000 2013-11-04] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-11-04] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [365416 2013-11-04] (McAfee, Inc.)
R2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [572528 2013-11-04] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [319808 2013-11-26] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [80752 2013-11-26] (McAfee, Inc.)
S3 mfendisk; C:\Windows\System32\DRIVERS\mfendisk.sys [85064 2013-11-04] (McAfee, Inc.)
R3 mfendiskmp; C:\Windows\System32\DRIVERS\mfendisk.sys [85064 2013-11-04] (McAfee, Inc.)
R1 mfetdi2k; C:\Windows\System32\drivers\mfetdi2k.sys [91736 2013-11-04] (McAfee, Inc.)
R3 monfilt; C:\Windows\System32\drivers\monfilt.sys [1389056 2008-02-14] (Creative Technology Ltd.)
R1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165264 2010-10-24] (Microsoft Corporation)
R0 nvatabus; C:\Windows\System32\DRIVERS\NVATABUS.SYS [105472 2010-04-18] (NVIDIA Corporation)
S3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [124264 2013-02-18] (NVIDIA Corporation)
R3 NVR0Dev; C:\WINDOWS\nvoclock.sys [6912 2007-04-04] (NVidia Corp.)
R3 SCREAMINGBDRIVER; C:\Windows\System32\drivers\ScreamingBAudio.sys [23064 2008-11-22] (Screaming Bee LLC)
R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1374464 2009-06-02] (VIA Technologies, Inc.)
R3 vmwvusb; C:\Windows\System32\Drivers\vmwvusb.sys [40048 2011-09-07] (VMware, Inc.)
R3 WmBEnum; C:\Windows\System32\drivers\WmBEnum.sys [10144 2005-04-12] (Logitech Inc.)
S3 WmFilter; C:\Windows\System32\drivers\WmFilter.sys [22240 2005-04-12] (Logitech Inc.)
S3 WmVirHid; C:\Windows\System32\drivers\WmVirHid.sys [5600 2005-04-12] (Logitech Inc.)
R3 WmXlCore; C:\Windows\System32\drivers\WmXlCore.sys [45504 2005-04-12] (Logitech Inc.)
U2 mfewfpk;
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 XDva398; \??\C:\WINDOWS\system32\XDva398.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2014-01-06 09:23 - 2014-01-06 09:23 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Desktop\FRST-OlderVersion
2014-01-06 09:02 - 2014-01-06 09:03 - 140022632 _____ C:\Documents and Settings\Wraithchilde\My Documents\1-1-14-reg backup.reg
2014-01-05 16:53 - 2014-01-05 16:53 - 00003274 _____ C:\Documents and Settings\Wraithchilde\Desktop\Wmi.reg
2014-01-05 16:28 - 2014-01-05 16:28 - 00000623 _____ C:\Documents and Settings\All Users\Desktop\MyDefrag.lnk
2014-01-05 14:47 - 2014-01-05 14:47 - 00002247 _____ C:\Documents and Settings\Wraithchilde\Desktop\FSS.txt
2014-01-05 14:11 - 2014-01-05 14:11 - 00708597 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FSS.exe
2014-01-05 13:14 - 2014-01-05 13:17 - 00002003 _____ C:\Documents and Settings\Wraithchilde\Desktop\Search.txt
2014-01-05 13:05 - 2014-01-05 13:13 - 00023462 _____ C:\Documents and Settings\Wraithchilde\Desktop\Addition.txt
2014-01-05 13:01 - 2014-01-06 09:24 - 00015758 _____ C:\Documents and Settings\Wraithchilde\Desktop\FRST.txt
2014-01-05 12:59 - 2014-01-06 09:23 - 00000000 ____D C:\FRST
2014-01-05 12:58 - 2014-01-06 09:23 - 01064805 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FRST.exe
2014-01-05 10:55 - 2014-01-05 10:58 - 00012270 _____ C:\WINDOWS\KB2888505-IE8.log
2014-01-05 08:20 - 2014-01-05 08:20 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Sun
2014-01-05 08:10 - 2014-01-05 08:10 - 00000000 ____D C:\Program Files\Common Files\Java
2014-01-05 08:10 - 2014-01-05 08:09 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-01-05 08:10 - 2014-01-05 08:09 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-01-05 08:09 - 2014-01-05 08:09 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00174504 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-01-05 08:09 - 2014-01-05 08:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-01-04 06:10 - 2014-01-06 09:19 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
2014-01-03 06:08 - 2014-01-03 06:08 - 00000650 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Malwarebytes
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-01-03 06:08 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-01-02 20:15 - 2014-01-02 20:15 - 00000000 ____D C:\Program Files\ESET
2014-01-02 19:57 - 2014-01-05 11:17 - 00021817 _____ C:\Documents and Settings\Wraithchilde\Desktop\attach.txt
2014-01-02 19:57 - 2014-01-05 11:17 - 00016066 _____ C:\Documents and Settings\Wraithchilde\Desktop\dds.txt
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SYSTEM.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2014-01-02 18:11 - 2011-06-26 00:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2014-01-02 18:11 - 2010-11-07 11:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2014-01-02 18:11 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00098816 _____ C:\WINDOWS\sed.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00080412 _____ C:\WINDOWS\grep.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00068096 _____ C:\WINDOWS\zip.exe
2014-01-02 18:09 - 2014-01-02 18:33 - 00000000 ____D C:\Qoobox
2014-01-02 18:08 - 2014-01-02 18:30 - 00000000 ____D C:\WINDOWS\erdnt
2014-01-01 15:22 - 2014-01-02 06:45 - 00065536 _____ C:\WINDOWS\system32\config\Cobian B.evt
2013-12-28 07:36 - 2013-12-28 07:36 - 00000853 ____N C:\Documents and Settings\All Users\Desktop\Firestorm-Beta.lnk

==================== One Month Modified Files and Folders =======

2014-01-06 09:24 - 2014-01-05 13:01 - 00015758 _____ C:\Documents and Settings\Wraithchilde\Desktop\FRST.txt
2014-01-06 09:24 - 2005-08-16 03:40 - 01279946 _____ C:\WINDOWS\WindowsUpdate.log
2014-01-06 09:23 - 2014-01-06 09:23 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Desktop\FRST-OlderVersion
2014-01-06 09:23 - 2014-01-05 12:59 - 00000000 ____D C:\FRST
2014-01-06 09:23 - 2014-01-05 12:58 - 01064805 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FRST.exe
2014-01-06 09:19 - 2014-01-04 06:10 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
2014-01-06 09:19 - 2013-08-26 17:29 - 00001611 _____ C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
2014-01-06 09:19 - 2011-01-29 12:24 - 00000424 ____H C:\WINDOWS\Tasks\MP Scheduled Scan.job
2014-01-06 09:18 - 2013-05-10 14:01 - 00007518 _____ C:\WINDOWS\system32\nvAppTimestamps
2014-01-06 09:16 - 2005-08-16 03:38 - 00000000 ____D C:\WINDOWS\Registration
2014-01-06 09:13 - 2005-08-16 03:35 - 00000159 _____ C:\WINDOWS\wiadebug.log
2014-01-06 09:13 - 2005-08-16 03:35 - 00000048 _____ C:\WINDOWS\wiaservc.log
2014-01-06 09:12 - 2005-08-16 03:49 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2014-01-06 09:11 - 2007-06-02 11:31 - 00000178 ___SH C:\Documents and Settings\Wraithchilde\ntuser.ini
2014-01-06 09:11 - 2005-08-16 03:49 - 00032500 _____ C:\WINDOWS\SchedLgU.Txt
2014-01-06 09:03 - 2014-01-06 09:02 - 140022632 _____ C:\Documents and Settings\Wraithchilde\My Documents\1-1-14-reg backup.reg
2014-01-06 08:58 - 2007-06-07 19:43 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Misc
2014-01-06 08:50 - 2012-03-29 04:20 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-01-06 08:11 - 2009-03-25 10:49 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\TurboTax
2014-01-06 08:07 - 2007-06-03 04:00 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Adobe
2014-01-06 07:17 - 2005-08-16 03:18 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2014-01-06 03:16 - 2008-03-16 17:34 - 00000000 __SHD C:\WINDOWS\CSC
2014-01-05 16:53 - 2014-01-05 16:53 - 00003274 _____ C:\Documents and Settings\Wraithchilde\Desktop\Wmi.reg
2014-01-05 16:28 - 2014-01-05 16:28 - 00000623 _____ C:\Documents and Settings\All Users\Desktop\MyDefrag.lnk
2014-01-05 15:27 - 2012-01-30 12:56 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Firestorm
2014-01-05 15:20 - 2013-07-11 09:46 - 01098252 _____ C:\WINDOWS\system32\nvdrsdb0.bin
2014-01-05 15:20 - 2013-07-11 09:46 - 00000001 _____ C:\WINDOWS\system32\nvdrssel.bin
2014-01-05 14:47 - 2014-01-05 14:47 - 00002247 _____ C:\Documents and Settings\Wraithchilde\Desktop\FSS.txt
2014-01-05 14:41 - 2013-07-11 09:46 - 01098252 _____ C:\WINDOWS\system32\nvdrsdb1.bin
2014-01-05 14:11 - 2014-01-05 14:11 - 00708597 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FSS.exe
2014-01-05 13:29 - 2010-03-01 08:19 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2014-01-05 13:17 - 2014-01-05 13:14 - 00002003 _____ C:\Documents and Settings\Wraithchilde\Desktop\Search.txt
2014-01-05 13:13 - 2014-01-05 13:05 - 00023462 _____ C:\Documents and Settings\Wraithchilde\Desktop\Addition.txt
2014-01-05 11:17 - 2014-01-02 19:57 - 00021817 _____ C:\Documents and Settings\Wraithchilde\Desktop\attach.txt
2014-01-05 11:17 - 2014-01-02 19:57 - 00016066 _____ C:\Documents and Settings\Wraithchilde\Desktop\dds.txt
2014-01-05 11:07 - 2011-01-12 14:39 - 00000506 _____ C:\Documents and Settings\Wraithchilde\Desktop\Misc Notes.txt
2014-01-05 10:58 - 2014-01-05 10:55 - 00012270 _____ C:\WINDOWS\KB2888505-IE8.log
2014-01-05 10:58 - 2005-08-16 03:33 - 01408683 _____ C:\WINDOWS\iis6.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00563217 _____ C:\WINDOWS\tsoc.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00410176 _____ C:\WINDOWS\comsetup.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00249840 _____ C:\WINDOWS\ntdtcsetup.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00179312 _____ C:\WINDOWS\MedCtrOC.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00070146 _____ C:\WINDOWS\ehOCGen.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00067313 _____ C:\WINDOWS\ocmsn.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00060540 _____ C:\WINDOWS\tabletoc.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00001355 _____ C:\WINDOWS\imsins.log
2014-01-05 10:57 - 2005-08-16 20:04 - 00244755 _____ C:\WINDOWS\updspapi.log
2014-01-05 10:57 - 2005-08-16 03:33 - 01220207 _____ C:\WINDOWS\FaxSetup.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00606827 _____ C:\WINDOWS\ocgen.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00385812 _____ C:\WINDOWS\msmqinst.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00225716 _____ C:\WINDOWS\netfxocm.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00144724 _____ C:\WINDOWS\plusoc.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00061129 _____ C:\WINDOWS\msgsocm.log
2014-01-05 10:56 - 2010-04-15 15:16 - 00000000 ____D C:\WINDOWS\ie8updates
2014-01-05 08:20 - 2014-01-05 08:20 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Sun
2014-01-05 08:10 - 2014-01-05 08:10 - 00000000 ____D C:\Program Files\Common Files\Java
2014-01-05 08:09 - 2014-01-05 08:10 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-01-05 08:09 - 2014-01-05 08:10 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-01-05 08:09 - 2014-01-05 08:09 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00174504 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-01-05 08:09 - 2014-01-05 08:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-01-05 08:08 - 2007-05-16 07:33 - 00000000 ____D C:\Program Files\Java
2014-01-05 08:00 - 2013-08-26 17:27 - 00000000 ____D C:\Program Files\McAfee
2014-01-05 08:00 - 2013-08-26 17:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\McAfee
2014-01-05 06:36 - 2010-05-01 13:57 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Adobe
2014-01-05 06:36 - 2007-05-16 07:45 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-01-05 06:36 - 2007-05-16 07:45 - 00000000 ____D C:\Program Files\Adobe
2014-01-04 06:47 - 2009-04-11 06:23 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Second Life
2014-01-04 06:19 - 2007-05-16 07:21 - 00000209 ___SH C:\boot.ini
2014-01-04 06:19 - 2005-08-16 03:18 - 00000602 _____ C:\WINDOWS\win.ini
2014-01-04 06:19 - 2005-08-16 03:18 - 00000227 _____ C:\WINDOWS\system.ini
2014-01-04 05:53 - 2009-08-20 12:16 - 00000000 ____D C:\WINDOWS\pss
2014-01-03 11:55 - 2012-01-22 04:18 - 00284373 _____ C:\WINDOWS\setupapi.log
2014-01-03 07:45 - 2005-08-16 03:22 - 00000000 ____D C:\WINDOWS\Resources
2014-01-03 06:08 - 2014-01-03 06:08 - 00000650 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Malwarebytes
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-01-03 01:07 - 2005-08-16 03:49 - 00000000 __SHD C:\Documents and Settings\NetworkService
2014-01-02 20:15 - 2014-01-02 20:15 - 00000000 ____D C:\Program Files\ESET
2014-01-02 18:33 - 2014-01-02 18:09 - 00000000 ____D C:\Qoobox
2014-01-02 18:30 - 2014-01-02 18:08 - 00000000 ____D C:\WINDOWS\erdnt
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SYSTEM.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2014-01-02 18:21 - 2013-06-07 09:08 - 41943040 _____ C:\WINDOWS\system32\config\SOFTWARE.bak
2014-01-02 18:21 - 2007-05-16 14:19 - 14417920 _____ C:\WINDOWS\system32\config\SYSTEM.bak
2014-01-02 18:21 - 2005-08-15 22:27 - 01048576 _____ C:\WINDOWS\system32\config\DEFAULT.bak
2014-01-02 18:21 - 2005-08-15 22:27 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY.bak
2014-01-02 18:21 - 2005-08-15 22:27 - 00262144 _____ C:\WINDOWS\system32\config\SAM.bak
2014-01-02 18:19 - 2007-06-02 11:31 - 00000000 ____D C:\Documents and Settings\Wraithchilde
2014-01-02 18:01 - 2010-08-07 22:06 - 00011958 _____ C:\Documents and Settings\Wraithchilde\My Documents\hijackthis.log
2014-01-02 15:00 - 2009-11-19 21:37 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\vlc
2014-01-02 06:45 - 2014-01-01 15:22 - 00065536 _____ C:\WINDOWS\system32\config\Cobian B.evt
2014-01-01 07:12 - 2005-08-16 03:22 - 00000000 ____D C:\WINDOWS\repair
2013-12-28 07:36 - 2013-12-28 07:36 - 00000853 ____N C:\Documents and Settings\All Users\Desktop\Firestorm-Beta.lnk
2013-12-27 15:48 - 2013-08-26 17:20 - 00000000 ____D C:\Program Files\Common Files\McAfee
2013-12-20 06:42 - 2007-07-17 14:38 - 00000230 _____ C:\WINDOWS\CTWave32.ini
2013-12-20 06:37 - 2007-07-17 14:20 - 00000072 _____ C:\WINDOWS\sbwin.ini
2013-12-18 18:22 - 2005-08-16 03:33 - 00574102 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-12-13 13:30 - 2007-06-03 07:21 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Projects

Files to move or delete:
====================
C:\Documents and Settings\Wraithchilde\random.dat

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2005-08-16 03:18] - [2009-02-09 04:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

This is odd.  I have no idea what this is or where it comes from.  The file doesn't exist.

S3 XDva398; \??\C:\WINDOWS\system32\XDva398.sys [x]

Hello,

I am sorry about the delay but I had a busy day at the office.

Disk cleanup: After about 4 hours the PC crashed with "Unknown hard error".  It rebooted ok.

Did you mean MyDefrag instead of Disk Cleanup? Disk Cleanup usually completes very fast (unless you have "compress old files" checked); this is the only feature that can slow down the Disk Cleanup process.

msconfig: There is nothing I want to remove.  Some things I do after reboot, like sync my tablet and backup, then I kill the processes manually.

I understand... however, you can still keep your programs and save loading time by installing Startup Delayer, WinPatrol or Soluto.

Process explorer:  System idle process is at 99% now so there is nothing to show.  The svchost problem seems to be gone.

I am glad to hear that! Usually on Windows XP the Automatic Updates service can cause high CPU usage, and I wanted to verify that's not the reason for the issue you described below:

CPU usage from System and svchost seems to have calmed down a bit.  Still took a very long time to reboot.

FRST: Merged the Wmi.reg and scanned.  Here is the log.

Good... we repaired the WMI service and now FRST was able to list the running processes. :)

This is odd.  I have no idea what this is or where it comes from.  The file doesn't exist.

S3 XDva398; \??\C:\WINDOWS\system32\XDva398.sys [x]

The entry is harmless and part of a game crack protection.

XDva3 is xtrap's driver; it's used to perform SSDT hooks to prevent hack tools from working.

The FRST log is clean as well.

If you want to make sure that there is nothing lurking on the system you can go through these steps:
STEP 1

  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 2

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 3

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow these instructions for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation on this tool can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit (mbar) folder.

STEP 4

1. Please download HitmanPro.

  • For 32-bit Operating System (download link).
  • This is the mirror (download link).
  • For 64-bit Operating System (download link).
  • This is the mirror (download link).

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users: right-click on the HitmanPro icon and select "Run as administrator".)

Note: If the program won't run, open it while holding down the left CTRL key until the program is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it to your next reply.

STEP 5

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

and then, if there aren't any issues left, I'll give you my final recommendations. :)

If you think that the HDD is too old and shouldn't be stressed like this, let me know and I'll give you my recommendations directly. :)

Regards,

Georgi


STEP 1 RogueKiller
RogueKiller V8.8.0 [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Wraithchilde [Admin rights]
Mode : Scan -- Date : 01/06/2014 19:43:26
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SECU][PUM] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0xc0000033] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST3320620AS +++++
--- User ---
[MBR] d3ad061161be7bb8170b6b511eda71ee
[bSP] 0865dbc3033a5b0d1557ae0b87d99f0b : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 300442 Mo
2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 615401955 | Size: 4753 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST31500341AS +++++
--- User ---
[MBR] 164bf18ef624175da2f198bf9765a4e2
[bSP] 84bed909411e513407b4f1e9ef90eb3b : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1430796 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_01062014_194326.txt >>
 

STEP 2 TDSSKiller
I ran this prior to asking for help here, so I know this is clean.
 

STEP 3 Malwarebytes Anti-Rootkit
I currently have no way to back up my HDD including the boot sector, so I don't feel comfortable using this tool.
 

STEP 4 HitmanPro

HitmanPro 3.7.8.208
www.hitmanpro.com

   Computer name . . . . : BOB
   Windows . . . . . . . : 5.1.3.2600.X86/2
   User name . . . . . . : BOB\Wraithchilde
   License . . . . . . . : Free

   Scan date . . . . . . : 2014-01-07 07:47:58
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 12m 43s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 33

   Objects scanned . . . : 1,259,710
   Files scanned . . . . : 50,806
   Remnants scanned  . . : 510,334 files / 698,570 keys

Cookies _____________________________________________________________________

   C:\Documents and Settings\Wraithchilde\Cookies\03K2Q6DT.txt
   C:\Documents and Settings\Wraithchilde\Cookies\05250RMU.txt
   C:\Documents and Settings\Wraithchilde\Cookies\1KHLJUQ3.txt
   C:\Documents and Settings\Wraithchilde\Cookies\2WN3I5I8.txt
   C:\Documents and Settings\Wraithchilde\Cookies\44TYXD3I.txt
   C:\Documents and Settings\Wraithchilde\Cookies\4CZD9391.txt
   C:\Documents and Settings\Wraithchilde\Cookies\4ZTFYDHG.txt
   C:\Documents and Settings\Wraithchilde\Cookies\5KRSXK9A.txt
   C:\Documents and Settings\Wraithchilde\Cookies\5Q0WTL4X.txt
   C:\Documents and Settings\Wraithchilde\Cookies\5X526CV1.txt
   C:\Documents and Settings\Wraithchilde\Cookies\5Z7DUT4H.txt
   C:\Documents and Settings\Wraithchilde\Cookies\AZAF1891.txt
   C:\Documents and Settings\Wraithchilde\Cookies\BDRD7M8F.txt
   C:\Documents and Settings\Wraithchilde\Cookies\BJ3TSBG6.txt
   C:\Documents and Settings\Wraithchilde\Cookies\CDYQT0HI.txt
   C:\Documents and Settings\Wraithchilde\Cookies\DUEJSGCS.txt
   C:\Documents and Settings\Wraithchilde\Cookies\EAP0FR92.txt
   C:\Documents and Settings\Wraithchilde\Cookies\HHPTZ1K4.txt
   C:\Documents and Settings\Wraithchilde\Cookies\IYNMNSRP.txt
   C:\Documents and Settings\Wraithchilde\Cookies\KGLISOEU.txt
   C:\Documents and Settings\Wraithchilde\Cookies\LH2HHDUV.txt
   C:\Documents and Settings\Wraithchilde\Cookies\OYNEDPJK.txt
   C:\Documents and Settings\Wraithchilde\Cookies\QTNCNGOF.txt
   C:\Documents and Settings\Wraithchilde\Cookies\R2MKT8ID.txt
   C:\Documents and Settings\Wraithchilde\Cookies\S4VDJJAV.txt
   C:\Documents and Settings\Wraithchilde\Cookies\SQSDL46L.txt
   C:\Documents and Settings\Wraithchilde\Cookies\SWVUG0TP.txt
   C:\Documents and Settings\Wraithchilde\Cookies\TGDC4RBX.txt
   C:\Documents and Settings\Wraithchilde\Cookies\U2LOSX7Y.txt
   C:\Documents and Settings\Wraithchilde\Cookies\UJ3VYR93.txt
   C:\Documents and Settings\Wraithchilde\Cookies\XCQ2GSPC.txt
   C:\Documents and Settings\Wraithchilde\Cookies\XXD3UVK8.txt
   C:\Documents and Settings\Wraithchilde\Cookies\YPAEXAK3.txt
 

STEP 5 Security Check by screen317
 Results of screen317's Security Check version 0.99.78 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
Microsoft Security Essentials       
McAfee Anti-Virus and Anti-Spyware  
Microsoft Security Essentials       
 Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Out of date HijackThis  installed!
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300 
 HijackThis 2.0.2   
 Java 7 Update 45 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials msseces.exe
 Windows Defender MSMpEng.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Microsoft Security Client Antimalware MsMpEng.exe 
 MalwarebytesAnti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````

 

I'm pretty confident the PC is clean now, thanks to you.


Hi,

 

 

McAfee Anti-Virus and Anti-Spyware  
Microsoft Security Essentials     

 

 

I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either McAfee Anti-Virus and Anti-Spyware or Microsoft Security Essentials.

 

 

 

Nicely done! This is the end of our journey if you don't have any more questions.
I have some final words for you.
All Clean!
Your machine appears to be clean; please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

 

 

 

STEP 1 - CLEANUP


To remove all of the tools we used and the files and folders they created, please do the following:

 

 

Download the following file => fixlist.txt and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
There is no need to post the log this time.

 

 

Please download OTC.exe by OldTimer and save it to your desktop.
 

  • Right-click the OTC.exe and choose Run as Administrator.
  • Click on CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

 

  • Next please download Delfix.exe by Xplode and save it to your desktop.
  • Please start it and check the box next to "Remove disinfection tools" and click on the run button.
  • The tool will delete itself once it finishes.

 

Note: If any tool, file, log file or folder (belonging to the programs we have used) hasn't been deleted, please delete it manually.



STEP 2 SECURITY ADVICE



Change all your passwords!


Since your computer was infected, for peace of mind I would advise that all your passwords be changed immediately (just in case).
Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets, because this will allow people to guess your password.
You can use PC Tools Password Generator to create random passwords and then install an application like KeePass Password Safe to store them for easy access. If you do Online Banking please read this article: Online Banking Protection Against Identity Theft



Keep your antivirus software turned on and up-to-date

 

  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note:
  • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • You should scan your computer with an AntiSpyware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
  • Be sure to check for and download any definition updates prior to performing a scan.

 

 

 

Install HIPS based software if needed (or use Limited Account for everyday use)


HIPS based software controls what an application is allowed to do and not allowed to do.
It monitors what each application tries to do and how it uses the internet, and gives you the ability to block any suspicious activity occurring on your computer.
In my opinion the best way to prevent an unknown malware from gaining access is to use some HIPS programs (like COMODO, PrivateFirewall, Online Armor etc.) to control the access rights of legitimate applications, although this would only be advisable for experienced users. (so if you don't feel comfortable using such software then you can skip this advice)
However, you should be aware that (if you install Comodo Firewall and not the whole package Comodo Internet Security) this is not a replacement for a standard antivirus application. It's a great tool to add another layer of protection to your existing antivirus application. It takes some time and knowledge to configure it for individual purposes but once done, you should not have any problems with it.
There are many reviews on YouTube and blogs about all these programs.
Keep in mind to choose carefully in order to avoid conflicts or instability caused by incompatible security programs.
Also having more than one "real-time" program can be a drain on your PC's efficiency, so please refrain from doing so.

More information about HIPS can be found here: What is Host Intrusion Prevention System (HIPS) and how does it work?

 
If you like Comodo you should choose for yourself which version of Comodo you will use 5 or 6. Personally I stick to version 5 at least for now.
COMODO V5 & V6 Users Count Poll

 

 

 

Be prepared for CryptoLocker:

 

 

CryptoLocker Ransomware Information Guide and FAQ

Cryptolocker Ransomware: What You Need To Know

 

Since prevention is better than cure, you can use gpedit built into Windows or CryptoPrevent (described in the first link) to secure the PC against this locker.

Another way is to use Comodo Firewall and to add all local disks to Protected Files and Folders.

Panda Antivirus Cloud added a new feature called data shield which should work as well (don't install it if you already have another antivirus solution on board).

You may want to check HitmanPro.Alert.CryptoGuard and install it to be safe when surfing the net.

 

 

 

Practice Safe Internet


One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:
 

  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If the attachment ends in .exe, .com, .bat, .pif, .scr or .cmd, do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead, when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code to them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee SiteAdvisor to look up info on the site. Note: skip this advice if your antivirus has a Web Guard.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

 

 

Tweak your browsers
 
 
MOZILLA FIREFOX


To prevent further infections be sure to install the following add-ons NoScript and AdBlock Plus

 

Adblock Plus hides all those annoying (and potentially dangerous) advertisements on websites that try and tempt you to buy or download something. AdBlock not only speeds up your browsing and makes it easier on your eyes, but also makes it safer.

 

Adblock Plus can be found here.

 

NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.

 

NoScript can be found here
 

 

Google Chrome

 
If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out for yourself.

However, Google Chrome can block a lot of unknown malware because of its sandbox. Beware of the fact that Google Chrome doesn't provide master password protection for the passwords saved in the browser. Check this out: Google Chrome security flaw offers unrestricted password access

 

 

For Internet Explorer 8 read the articles below:
 

Securing Your Web Browser
Security and privacy features in Internet Explorer 8

 

 

Immunize your browsers with SpywareBlaster 5.

Also, MBAM acquired the following software, Malwarebytes Anti-Exploit, and it should work with the most popular browsers. Beware that the product is in beta stage.

Changelog can be seen here and known issues here.

 

 

It's a good idea to disable the autorun functionality using the following tool to prevent the spreading of infections from USB flash drives.


 
Make the extensions for known file types visible:
 
 
Be wary of files with a double extension such as jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one. Check this out - Show or hide file name extensions.

 

 

 

Create an image of your system (you can use the built-in Windows software as well if you prefer)

 

  • Now that your PC is malware free, it is a good idea to back up all important files just in case something happens to it.
  • Macrium Reflect is a very good choice that enables you to create an image of your system drive which can be restored in case of problems.
  • The download link is here.
  • The tutorial on how to create a system image can be found here.
  • The tutorial on how to restore a system image can be found here.
  • Be sure to read the tutorial first.

 

 

Follow this list and your potential for being infected again will reduce dramatically.

Safe Surfing!

 

 

Regards,

Georgi
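The double-extension trick described in Georgi's advice (a name like image.jpg.exe shown as image.jpg because Windows hides known extensions, together with the attachment types he says a casual user should never open) as an added example that is not part of the thread or any tool used in it; the list of "benign-looking" extensions and the sample file names are my own assumptions:

```python
"""Added example, not from the thread: model how Explorer's "Hide extensions for
known file types" setting disguises image.jpg.exe as image.jpg, and flag such
names. Sample file names used below are constructed for this example."""
import os

# Attachment types Georgi's post says a casual user should never open.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".pif", ".scr", ".cmd"}

# Extensions a user would read as a harmless image/document (assumed list).
BENIGN_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it with extension hiding on: the final extension
    is stripped, everything before it (including a fake extension) is kept.
    Treating only the two lists above as "known" types is an assumption."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTENSIONS | BENIGN_EXTENSIONS:
        return stem
    return filename


def is_deceptive_double_extension(filename: str) -> bool:
    """True when the real extension is executable but the name Explorer would
    display ends in a benign-looking extension, e.g. holiday.jpg.exe."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTENSIONS:
        return False
    _, shown_ext = os.path.splitext(displayed_name(filename))
    return shown_ext.lower() in BENIGN_EXTENSIONS


def flag_attachments(filenames):
    """Return the names that would look safe on screen but are executable."""
    return [f for f in filenames if is_deceptive_double_extension(f)]


def scan_directory(path: str):
    """Walk a folder (e.g. a downloads or mail attachments folder) and return
    full paths of files with a deceptive double extension."""
    hits = []
    for root, _dirs, files in os.walk(path):
        hits.extend(os.path.join(root, f) for f in flag_attachments(files))
    return hits


if __name__ == "__main__":
    # Constructed sample names, not real files from the thread.
    samples = ["holiday.jpg.exe", "report.pdf", "setup.exe",
               "invoice.PDF.scr", "notes.txt", "archive.tar.gz"]
    for name in samples:
        print(f"{name:18} shown as {displayed_name(name):14} "
              f"deceptive={is_deceptive_double_extension(name)}")
```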


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.