# My laptop running XP SP3 is super slow.



## skos

My laptop running XP SP3 is super slow. (XP sr3, Office 2010)

It takes forever to load any programs.  It takes forever to do anything.  Loading the internet is the longest

I ran run TDSSkiller, Malwarebytes' Anti-Malware, Microsoft Fix It, Avast Anti-virus, Obit Malware Fighter and SUPERAntiSpyware.  No problems were found.

Ran ComboFix and here is the file.

ComboFix 12-08-04.02 - SJK05CC 08/04/2012  11:12:45.3.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.372 [GMT -5:00]
Running from: c:\documents and settings\sjk05cc\My Documents\Koscielak\Computer\ComboFix\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\isRS-000.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-04 to 2012-08-04  )))))))))))))))))))))))))))))))
.
.
2012-07-08 17:16 . 2012-07-08 17:16	--------	d-----w-	c:\documents and settings\sjk05cc\Local Settings\Application Data\WinZip
2012-07-08 16:58 . 2012-07-08 17:25	--------	d-----w-	c:\documents and settings\All Users\Application Data\WinZip
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 18:46 . 2010-07-17 14:01	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-23 02:02 . 2011-04-21 15:26	529562	----a-w-	c:\windows\system32\PerfStringBackup.TMP
2012-06-04 22:35 . 2007-07-31 00:18	222448	----a-w-	c:\windows\system32\muweb.dll
.
.
(((((((((((((((((((((((((((((   SnapShot_2012-07-25_02.57.16   )))))))))))))))))))))))))))))))))))))))))
.
- 2012-03-04 01:08 . 2012-07-25 00:44	49152              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2012-03-04 01:08 . 2012-08-04 14:22	49152              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-05 14:41 . 2012-08-04 14:22	65536              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-05 14:41 . 2012-07-22 20:54	65536              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-09-02 02:44 . 2012-08-01 00:46	16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2011-09-02 02:44 . 2012-07-25 00:44	16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2012-06-24 13:13 . 2012-08-04 14:22	16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2012-06-24 13:13 . 2012-07-22 20:54	16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23	123536	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Anti-phishing Domain Advisor"="c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-05-03 217256]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2012-05-09 4464472]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-05 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-04-01 22:48	24668	---ha-w-	c:\windows\system32\ckpNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1715567821-839522115-2218\Scripts\Logon\0\0]
"Script"=\\northamerica.gbcglobal.local\SysVol\northamerica.gbcglobal.local\scripts\SMSINST.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1715567821-839522115-2218\Scripts\Logon\1\0]
"Script"=\\northamerica.gbcglobal.local\SysVol\northamerica.gbcglobal.local\scripts\DST_Patch.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^sjk05cc^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\sjk05cc\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04	39792	----a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 02:28	59240	----a-w-	c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2010-07-29 07:47	95576	----a-w-	c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2011-03-15 02:09	2565520	----a-w-	c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2011-03-28 17:40	1611160	----a-w-	c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
2010-07-02 18:24	95744	----a-w-	c:\program files\eFax Messenger 4.4\J2GDllCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
2011-01-15 22:48	452016	----a-w-	c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Malware Fighter]
2012-05-09 21:28	4464472	----a-w-	c:\program files\IObit\IObit Malware Fighter\IMF.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 10:09	421736	----a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 20:02	254696	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-10-30 13:47	39408	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2011-03-09 12:30	247728	----a-w-	c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SR_WatchDog"=2 (0x2)
"SR_Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"SeaPort"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"MatSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"FsUsbExService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WudfSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"TrkWks"=2 (0x2)
"Fax"=2 (0x2)
"avast! Antivirus"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/3/2012 9:33 AM 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/3/2012 9:33 AM 337112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/3/2012 9:33 AM 20696]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/24/2012 12:05 AM 821592]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/26/2012 10:59 AM 654408]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [5/30/2008 6:03 PM 17424]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [5/30/2008 6:03 PM 670128]
R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [6/24/2012 12:05 AM 246816]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [5/30/2008 6:03 PM 2041744]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/17/2010 9:01 AM 22344]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [4/21/2005 10:58 PM 92550]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [6/24/2012 12:05 AM 30368]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [7/11/2010 4:06 PM 49208]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S0 vqgs;vqgs;c:\windows\system32\drivers\olwil.sys --> c:\windows\system32\drivers\olwil.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/30/2010 8:47 AM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2/27/2012 9:07 PM 253600]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [9/6/2011 4:34 PM 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/30/2010 8:47 AM 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [12/27/2010 11:50 PM 30969208]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [5/30/2008 6:03 PM 14924]
S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [6/24/2012 12:05 AM 16208]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [9/6/2011 4:34 PM 238952]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/9/2011 7:30 AM 92592]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - MBAMSwissArmy
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-02-28 02:07]
.
2012-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2010-08-26 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-08-26 01:09]
.
2010-08-26 c:\windows\Tasks\expressripDowngrade.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-07-11 21:08]
.
2010-09-01 c:\windows\Tasks\expressripShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-07-11 21:08]
.
2012-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 13:47]
.
2012-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 13:47]
.
2010-07-21 c:\windows\Tasks\soundtapShakeIcon.job
- c:\program files\NCH Swift Sound\SoundTap\soundtap.exe [2010-07-11 21:07]
.
2011-09-18 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-07-11 21:05]
.
2010-07-21 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-11 21:06]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.google.com/mail/?shva=1#inbox
uInternet Connection Wizard,ShellNext = hxxp://myacco/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: adobe.com
Trusted Zone: computerforum.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\v4.update
Trusted Zone: microsoft.com\www
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-04 11:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
.
C:\avast! sandbox
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(588)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-08-04  11:33:42
ComboFix-quarantined-files.txt  2012-08-04 16:33
ComboFix2.txt  2012-07-25 03:01
ComboFix3.txt  2012-06-24 03:59
ComboFix4.txt  2012-06-09 05:11
ComboFix5.txt  2012-08-04 16:08
.
Pre-Run: 1,536,196,608 bytes free
Post-Run: 1,571,598,336 bytes free
.
- - End Of File - - A1A615B125A38C606B2BC4D970901AF4


----------



## johnb35

How much system memory is installed?  Have you ran a diagnostic on the hard drive?


----------



## skos

1g and yes.  also ran defrag


----------



## AntimatterAsh

I'd just back everything up and recover it


----------



## skos

thanks, but I have backed it up and I am sure there is a better fix then recovery


----------



## johnb35

Ok, there is an entry I think that may be causing this issue. There is a driver starting up that shouldn't be.  

I need you to do a couple things.  

1.

I need you to produce a log that combofix created but didn't show you.  Please navigate to C:\Qoobox and in that folder will be a file named add-remove programs.txt.  Please open that file and copy and paste the contents back here.

2.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats 
Accept any security warnings from your browser. 
Check Scan archives 
Click Start 
ESET will then download updates, install and then start scanning your system. 
When the scan is done, push list of found threats 
Click on Export to text file , and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply. 
If no threats are found then it won't produce a log.

After I see the results of these 2 logs I will work on that entry.


----------



## skos

*johnb35 I truly appreciate all your help.*

johnb35 I truly appreciate all your help.  

I know PSSWCORE & BufferChm are part of the HP printer software.

There were no threats found when I ran ESET Online Scanner.  Here is the add-remove programs.txt


1-2-3PDFConverter
32 Bit HP CIO Components Installer
Adobe Flash Player 11 ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player
Advanced Excel Repair v1.4
AIO_Scan
Anti-phishing Domain Advisor
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
avast! Free Antivirus
Bonjour
Broadcom NetXtreme Ethernet Controller
BufferChm
Canon Easy-PhotoPrint EX
Canon Easy-WebPrint EX
Canon IJ Network Scanner Selector EX
Canon IJ Network Tool
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MG5300 series MP Drivers
Canon MG5300 series On-screen Manual
Canon MG5300 series User Registration
Canon MP Navigator EX 5.0
Canon My Printer
Canon Solution Menu EX
CCleaner
Compatibility Pack for the 2007 Office system
Conexant D480 MDC V.92 Modem
Copy
CoverPro
Critical Update for Windows Media Player 11 (KB959772)
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
doPDF 7.2 printer
Easy File Undelete
eFax Messenger
Express Burn Disc Burning Software
Express Rip
F4100
F4100_doccd
F4100_Help
Free Audio Converter version 2.0
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 4.8.0.723
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Photosmart Essential2.01
HPDiagnosticAlert
Internet Explorer (Enable DEP)
IObit Malware Fighter
iolo technologies' System Mechanic 4
IsoBuster 2.8.5
iTunes
Java 2 Runtime Environment, SE v1.4.2_12
Java Auto Updater
Java(TM) 6 Update 31
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Office XP Web Components
Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders  (English) 14
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
MSVC80_x86
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
OpenOffice.org Installer 1.0
Oracle JInitiator 1.3.1.26
Power MP3 WMA Converter 2010, (ver 5.0)
PSSWCORE
QT Lite 4.1.0
Quicken 2010
Revo Uninstaller 1.89
Samsung New PC Studio
Samsung PC Studio 3 USB Driver Installer
SAMSUNG SYMBIAN USB Download Driver
SAMSUNG USB Driver for Mobile Phones
SamsungConnectivityCableDriver
Scan
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SoundTap Streaming Audio Recorder
Status
SUPERAntiSpyware
Switch Sound File Converter
TomTom HOME 2.8.1.2218
TomTom HOME Visual Studio Merge Modules
Toolbox
TrayApp
Uninstall 1.0.0.1
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Service
VideoToolkit01
WavePad Sound Editor
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
WinZip 16.5
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar


----------



## johnb35

I need you to go into add/remove programs and uninstall the following.

Java 2 Runtime Environment, SE v1.4.2_12
Java Auto Updater
Java(TM) 6 Update 31
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Uninstall 1.0.0.1

I also advise to uninstall anything you don't need anymore.

Have you ran ccleaner recently?  If not, please do so now.


Then install the latest version of java from here.

www.java.com

Next do this.

Move the combofix file to your desktop screen so you can perform the following procedure. 

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



		Code:
	

File::

c:\windows\system32\drivers\olwil.sys 

Driver::

vqgs


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


----------



## skos

johnb35,

ok, all Java are uninstalled.  I then installed Java from your link.  I also run ccleaner about once a week

I also got rid of all Microsoft updates and security update as they were taking up so much room!  (Just kidding)

I also noticed I have a ton of subdir that start with "$NtUninstal".  They are subdir of "Windows".

Here is the log:

ComboFix 12-08-04.02 - SJK05CC 08/04/2012  22:40:32.4.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.493 [GMT -5:00]
Running from: c:\documents and settings\sjk05cc\My Documents\Koscielak\Computer\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\sjk05cc\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\drivers\olwil.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_vqgs
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-05 to 2012-08-05  )))))))))))))))))))))))))))))))
.
.
2012-08-05 03:23 . 2012-08-05 03:23	--------	d-----w-	c:\documents and settings\sjk05cc\Application Data\Oracle
2012-08-05 03:23 . 2012-07-06 03:07	143872	----a-w-	c:\windows\system32\javacpl.cpl
2012-08-05 03:23 . 2012-07-06 03:06	772544	----a-w-	c:\windows\system32\npDeployJava1.dll
2012-08-05 03:22 . 2012-08-05 03:22	--------	d-----w-	c:\program files\Java
2012-08-05 02:57 . 2012-08-05 02:57	0	----a-w-	c:\windows\system32\RENFB4.tmp
2012-08-05 02:57 . 2012-08-05 02:57	0	----a-w-	c:\windows\system32\RENFB3.tmp
2012-08-05 02:54 . 2012-08-05 02:54	0	----a-w-	c:\windows\system32\RENFA0.tmp
2012-08-05 02:54 . 2012-08-05 02:54	0	----a-w-	c:\windows\system32\RENF9F.tmp
2012-08-05 02:54 . 2012-08-05 02:54	0	----a-w-	c:\windows\system32\RENF9E.tmp
2012-07-08 17:16 . 2012-07-08 17:16	--------	d-----w-	c:\documents and settings\sjk05cc\Local Settings\Application Data\WinZip
2012-07-08 16:58 . 2012-07-08 17:25	--------	d-----w-	c:\documents and settings\All Users\Application Data\WinZip
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 18:46 . 2010-07-17 14:01	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-23 02:02 . 2011-04-21 15:26	529562	----a-w-	c:\windows\system32\PerfStringBackup.TMP
2012-06-04 22:35 . 2007-07-31 00:18	222448	----a-w-	c:\windows\system32\muweb.dll
.
.
(((((((((((((((((((((((((((((   SnapShot_2012-07-25_02.57.16   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-05 04:02 . 2012-08-05 04:02	16384              c:\windows\temp\Perflib_Perfdata_238.dat
- 2012-03-04 01:08 . 2012-07-25 00:44	49152              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2012-03-04 01:08 . 2012-08-04 16:38	49152              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-02-05 14:41 . 2012-07-22 20:54	65536              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-02-05 14:41 . 2012-08-04 16:38	65536              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-09-02 02:44 . 2012-07-25 00:44	16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2011-09-02 02:44 . 2012-08-01 00:46	16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2012-06-24 13:13 . 2012-07-22 20:54	16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-06-24 13:13 . 2012-08-04 16:38	16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-08-05 03:23 . 2012-07-06 03:06	227760              c:\windows\system32\javaws.exe
+ 2012-08-05 03:23 . 2012-08-05 03:22	174064              c:\windows\system32\javaw.exe
+ 2012-08-05 03:23 . 2012-08-05 03:22	174064              c:\windows\system32\java.exe
+ 2012-08-05 03:25 . 2012-08-05 03:25	176128              c:\windows\Installer\24d4c40.msi
+ 2012-08-05 03:24 . 2012-08-05 03:25	457216              c:\windows\Installer\24d4c3b.msi
+ 2012-08-05 03:22 . 2012-08-05 03:22	863744              c:\windows\Installer\24d4c37.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23	123536	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Anti-phishing Domain Advisor"="c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-05-03 217256]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2012-05-09 4464472]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-05 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-04-01 22:48	24668	---ha-w-	c:\windows\system32\ckpNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1715567821-839522115-2218\Scripts\Logon\0\0]
"Script"=\\northamerica.gbcglobal.local\SysVol\northamerica.gbcglobal.local\scripts\SMSINST.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1715567821-839522115-2218\Scripts\Logon\1\0]
"Script"=\\northamerica.gbcglobal.local\SysVol\northamerica.gbcglobal.local\scripts\DST_Patch.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^sjk05cc^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\sjk05cc\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04	39792	----a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 02:28	59240	----a-w-	c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2010-07-29 07:47	95576	----a-w-	c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2011-03-15 02:09	2565520	----a-w-	c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2011-03-28 17:40	1611160	----a-w-	c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
2010-07-02 18:24	95744	----a-w-	c:\program files\eFax Messenger 4.4\J2GDllCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
2011-01-15 22:48	452016	----a-w-	c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Malware Fighter]
2012-05-09 21:28	4464472	----a-w-	c:\program files\IObit\IObit Malware Fighter\IMF.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 10:09	421736	----a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07	252296	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-10-30 13:47	39408	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2011-03-09 12:30	247728	----a-w-	c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SR_WatchDog"=2 (0x2)
"SR_Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"SeaPort"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"MatSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"FsUsbExService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WudfSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"TrkWks"=2 (0x2)
"Fax"=2 (0x2)
"avast! Antivirus"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/3/2012 9:33 AM 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/3/2012 9:33 AM 337112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/3/2012 9:33 AM 20696]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/24/2012 12:05 AM 821592]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/26/2012 10:59 AM 655944]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [5/30/2008 6:03 PM 17424]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [5/30/2008 6:03 PM 670128]
R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [6/24/2012 12:05 AM 246816]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [5/30/2008 6:03 PM 2041744]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/17/2010 9:01 AM 22344]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [4/21/2005 10:58 PM 92550]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [6/24/2012 12:05 AM 30368]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [7/11/2010 4:06 PM 49208]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/30/2010 8:47 AM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2/27/2012 9:07 PM 253600]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [9/6/2011 4:34 PM 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/30/2010 8:47 AM 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [12/27/2010 11:50 PM 30969208]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [5/30/2008 6:03 PM 14924]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [6/24/2012 12:05 AM 16208]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [9/6/2011 4:34 PM 238952]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/9/2011 7:30 AM 92592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-02-28 02:07]
.
2012-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2010-08-26 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-08-26 01:09]
.
2010-08-26 c:\windows\Tasks\expressripDowngrade.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-07-11 21:08]
.
2010-09-01 c:\windows\Tasks\expressripShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-07-11 21:08]
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 13:47]
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 13:47]
.
2010-07-21 c:\windows\Tasks\soundtapShakeIcon.job
- c:\program files\NCH Swift Sound\SoundTap\soundtap.exe [2010-07-11 21:07]
.
2011-09-18 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-07-11 21:05]
.
2010-07-21 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-11 21:06]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.google.com/mail/?shva=1#inbox
uInternet Connection Wizard,ShellNext = hxxp://myacco/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: adobe.com
Trusted Zone: computerforum.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\v4.update
Trusted Zone: microsoft.com\www
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-04 23:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(592)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1168)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\crypserv.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
.
**************************************************************************
.
Completion time: 2012-08-04  23:16:49 - machine was rebooted
ComboFix-quarantined-files.txt  2012-08-05 04:16
ComboFix2.txt  2012-08-04 16:33
ComboFix3.txt  2012-07-25 03:01
ComboFix4.txt  2012-06-24 03:59
ComboFix5.txt  2012-08-05 03:37
.
Pre-Run: 875,638,784 bytes free
Post-Run: 771,104,768 bytes free
.
- - End Of File - - AE611301745FA20F3A6B9EAA70923CFB


----------



## johnb35

Did you use to have Threatfire installed from PC tools?  These 2 entries relate to that.

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMo n.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSy sMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]


If so, lets remove them along with some others.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



		Code:
	

File::

c:\windows\system32\RENFB4.tmp
c:\windows\system32\RENFB3.tmp
c:\windows\system32\RENFA0.tmp
c:\windows\system32\RENF9F.tmp
c:\windows\system32\RENF9E.tmp
c:\windows\system32\drivers\TfFsMon.sys 
c:\windows\system32\drivers\TfSysMon.sys 

Driver::

TfFsMon
TfSysMon



3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Afterwards post a fresh hijackthis log.

Download the *HijackThis* installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

*Vista and Windows 7 users must right click on the hijackthis icon and click on run as.  If the run as option doesn't appear then press and hold the shift key while right clicking on the icon to get it to appear.* 


Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

When the hijackthis log appears in a notepad file, click on the edit menu, click select all, then click on the edit menu again and click on copy.  Come back to your reply and right click on your mouse and click on paste.

Post the logfile that HijackThis produces


----------



## skos

here is the Hijack file

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:03:01 PM, on 8/5/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail.google.com/mail/?shva=1#inbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://myacco/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Anti-phishing Domain Advisor] "C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [IObit Malware Fighter] "C:\Program Files\IObit\IObit Malware Fighter\IMF.exe" /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http:\\myacco
O15 - Trusted Zone: http://*.computerforum.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1340505368450
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} (JInitiator 1.3.1.26) - 
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.gbcglobal.local
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.gbcglobal.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.gbcglobal.local
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: IMF Service (IMFservice) - IObit - C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 9001 bytes


----------



## johnb35

Did you perform that new combofix script yet?  I need you to post the log for it.


----------



## skos

Sorry, here you go

ComboFix 12-08-04.02 - SJK05CC 08/05/2012  12:14:32.5.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.568 [GMT -5:00]
Running from: c:\documents and settings\sjk05cc\My Documents\Koscielak\Computer\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\sjk05cc\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\drivers\TfFsMon.sys"
"c:\windows\system32\drivers\TfSysMon.sys"
"c:\windows\system32\RENF9E.tmp"
"c:\windows\system32\RENF9F.tmp"
"c:\windows\system32\RENFA0.tmp"
"c:\windows\system32\RENFB3.tmp"
"c:\windows\system32\RENFB4.tmp"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_TFFSMON
-------\Legacy_TFSYSMON
-------\Service_TfFsMon
-------\Service_TfSysMon
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-05 to 2012-08-05  )))))))))))))))))))))))))))))))
.
.
2012-08-05 03:23 . 2012-08-05 03:23	--------	d-----w-	c:\documents and settings\sjk05cc\Application Data\Oracle
2012-08-05 03:23 . 2012-07-06 03:07	143872	----a-w-	c:\windows\system32\javacpl.cpl
2012-08-05 03:23 . 2012-07-06 03:06	772544	----a-w-	c:\windows\system32\npDeployJava1.dll
2012-08-05 03:22 . 2012-08-05 03:22	--------	d-----w-	c:\program files\Java
2012-08-05 02:57 . 2012-08-05 02:57	0	----a-w-	c:\windows\system32\RENFB4.tmp
2012-08-05 02:57 . 2012-08-05 02:57	0	----a-w-	c:\windows\system32\RENFB3.tmp
2012-08-05 02:54 . 2012-08-05 02:54	0	----a-w-	c:\windows\system32\RENFA0.tmp
2012-08-05 02:54 . 2012-08-05 02:54	0	----a-w-	c:\windows\system32\RENF9F.tmp
2012-08-05 02:54 . 2012-08-05 02:54	0	----a-w-	c:\windows\system32\RENF9E.tmp
2012-07-08 17:16 . 2012-07-08 17:16	--------	d-----w-	c:\documents and settings\sjk05cc\Local Settings\Application Data\WinZip
2012-07-08 16:58 . 2012-07-08 17:25	--------	d-----w-	c:\documents and settings\All Users\Application Data\WinZip
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 18:46 . 2010-07-17 14:01	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-23 02:02 . 2011-04-21 15:26	529562	----a-w-	c:\windows\system32\PerfStringBackup.TMP
2012-06-04 22:35 . 2007-07-31 00:18	222448	----a-w-	c:\windows\system32\muweb.dll
.
.
(((((((((((((((((((((((((((((   SnapShot_2012-07-25_02.57.16   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-05 17:38 . 2012-08-05 17:38	16384              c:\windows\temp\Perflib_Perfdata_7d4.dat
+ 2012-08-05 14:31 . 2012-08-05 04:01	32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-02-05 14:41 . 2012-07-22 20:54	65536              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-02-05 14:41 . 2012-08-05 04:01	65536              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-09-02 02:44 . 2012-07-25 00:44	16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2011-09-02 02:44 . 2012-08-01 00:46	16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2012-06-24 13:13 . 2012-07-22 20:54	16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-08-05 14:31 . 2012-08-05 04:01	16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-08-05 03:23 . 2012-07-06 03:06	227760              c:\windows\system32\javaws.exe
+ 2012-08-05 03:23 . 2012-08-05 03:22	174064              c:\windows\system32\javaw.exe
+ 2012-08-05 03:23 . 2012-08-05 03:22	174064              c:\windows\system32\java.exe
+ 2012-08-05 03:25 . 2012-08-05 03:25	176128              c:\windows\Installer\24d4c40.msi
+ 2012-08-05 03:24 . 2012-08-05 03:25	457216              c:\windows\Installer\24d4c3b.msi
+ 2012-08-05 03:22 . 2012-08-05 03:22	863744              c:\windows\Installer\24d4c37.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23	123536	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Anti-phishing Domain Advisor"="c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-05-03 217256]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2012-05-09 4464472]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-05 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-04-01 22:48	24668	---ha-w-	c:\windows\system32\ckpNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1715567821-839522115-2218\Scripts\Logon\0\0]
"Script"=\\northamerica.gbcglobal.local\SysVol\northamerica.gbcglobal.local\scripts\SMSINST.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1715567821-839522115-2218\Scripts\Logon\1\0]
"Script"=\\northamerica.gbcglobal.local\SysVol\northamerica.gbcglobal.local\scripts\DST_Patch.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^sjk05cc^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\sjk05cc\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04	39792	----a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 02:28	59240	----a-w-	c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2010-07-29 07:47	95576	----a-w-	c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2011-03-15 02:09	2565520	----a-w-	c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2011-03-28 17:40	1611160	----a-w-	c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
2010-07-02 18:24	95744	----a-w-	c:\program files\eFax Messenger 4.4\J2GDllCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
2011-01-15 22:48	452016	----a-w-	c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Malware Fighter]
2012-05-09 21:28	4464472	----a-w-	c:\program files\IObit\IObit Malware Fighter\IMF.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 10:09	421736	----a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07	252296	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-10-30 13:47	39408	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2011-03-09 12:30	247728	----a-w-	c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SR_WatchDog"=2 (0x2)
"SR_Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"SeaPort"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"MatSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"FsUsbExService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WudfSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"TrkWks"=2 (0x2)
"Fax"=2 (0x2)
"avast! Antivirus"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/3/2012 9:33 AM 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/3/2012 9:33 AM 337112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/3/2012 9:33 AM 20696]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/24/2012 12:05 AM 821592]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/26/2012 10:59 AM 655944]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [5/30/2008 6:03 PM 17424]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [5/30/2008 6:03 PM 670128]
R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [6/24/2012 12:05 AM 246816]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [5/30/2008 6:03 PM 2041744]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/17/2010 9:01 AM 22344]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [4/21/2005 10:58 PM 92550]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [6/24/2012 12:05 AM 30368]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [7/11/2010 4:06 PM 49208]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/30/2010 8:47 AM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2/27/2012 9:07 PM 253600]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [9/6/2011 4:34 PM 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/30/2010 8:47 AM 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [12/27/2010 11:50 PM 30969208]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [5/30/2008 6:03 PM 14924]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [6/24/2012 12:05 AM 16208]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [9/6/2011 4:34 PM 238952]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/9/2011 7:30 AM 92592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-02-28 02:07]
.
2012-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2010-08-26 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-08-26 01:09]
.
2010-08-26 c:\windows\Tasks\expressripDowngrade.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-07-11 21:08]
.
2010-09-01 c:\windows\Tasks\expressripShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-07-11 21:08]
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 13:47]
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 13:47]
.
2010-07-21 c:\windows\Tasks\soundtapShakeIcon.job
- c:\program files\NCH Swift Sound\SoundTap\soundtap.exe [2010-07-11 21:07]
.
2011-09-18 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-07-11 21:05]
.
2010-07-21 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-11 21:06]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.google.com/mail/?shva=1#inbox
uInternet Connection Wizard,ShellNext = hxxp://myacco/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: adobe.com
Trusted Zone: computerforum.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\v4.update
Trusted Zone: microsoft.com\www
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-05 12:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(596)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3964)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\crypserv.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
.
**************************************************************************
.
Completion time: 2012-08-05  12:52:20 - machine was rebooted
ComboFix-quarantined-files.txt  2012-08-05 17:52
ComboFix2.txt  2012-08-04 16:33
ComboFix3.txt  2012-07-25 03:01
ComboFix4.txt  2012-06-24 03:59
ComboFix5.txt  2012-08-05 03:37
.
Pre-Run: 256,888,832 bytes free
Post-Run: 693,186,560 bytes free
.
- - End Of File - - C006E72EC988FA20C49BF0E9707E5407


----------



## skos

also there must be a script running some where as some times the laptop run fine by then it drags.  Even when I only have one internet session with only one page open and outlook open.  Its very random where it will speed up for maybe 4 mins then go back to dragging.


----------



## johnb35

Sorry for the late reply.  These files didn't get deleted.  See if you can manually delete them.

c:\windows\system32\RENFB4.tmp
c:\windows\system32\RENFB3.tmp
c:\windows\system32\RENFA0.tmp
c:\windows\system32\RENF9F.tmp
c:\windows\system32\RENF9E.tmp

Also uninstall superantispyware, iobit malwarefighter and Anti-phishing Domain Advisor

Lets see if we can't pinpoint if this is software related or not.


----------



## skos

ok, deleted all those .tmp files and uninstalled iobit malwarefighter and Anti-phishing Domain Advisor.

I will reboot and see if that makes a difference.  I had no issues when I had superantispyware installed before.  Laptop ran fine with that installed so I will try it with out uninstalling it first. If it is still slow I will uninstalling superantispyware.


----------



## johnb35

The only reason I said to uninstall Superantispyware is because Malwarebytes alone should be good enough to remove any malware you have.  I very seldom have to run Superantispyware anymore to finish removing infections.  Usually the only thing it finds after running Malwarebytes is tracking cookies.

If its still slow the only other things I can think of is to check the hard drive for errors and also check the event viewer for any signs of errors.  To get to event viewer, right click on my computer and click on manage, then on the left hand side click on event viewer.  Look under system and application for errors.


----------



## skos

so it increased maybe 10%.  I just uninstalled Superantispyware.  I will let you know the out come.  Thanks for all your help do far.


----------



## skos

still very slow.  It take 10 sec or more to do anything.  I ran comgo fix after uninstalling Superantispyware.

Here is the log:
ComboFix 12-08-10.02 - SJK05CC 08/12/2012  20:57:51.6.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.605 [GMT -5:00]
Running from: c:\documents and settings\sjk05cc\My Documents\Koscielak\Computer\ComboFix\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\sjk05cc\LOCALS~1\Temp\SAS8C.tmp
c:\documents and settings\sjk05cc\Local Settings\temp\SAS8C.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-13 to 2012-08-13  )))))))))))))))))))))))))))))))
.
.
2012-08-05 17:48 . 2012-08-05 17:48	--------	d-----w-	c:\documents and settings\sjk05cc\Local Settings\Application Data\Sun
2012-08-05 03:23 . 2012-08-05 03:23	--------	d-----w-	c:\documents and settings\sjk05cc\Application Data\Oracle
2012-08-05 03:23 . 2012-07-06 03:07	143872	----a-w-	c:\windows\system32\javacpl.cpl
2012-08-05 03:23 . 2012-07-06 03:06	772544	----a-w-	c:\windows\system32\npDeployJava1.dll
2012-08-05 03:22 . 2012-08-05 03:22	--------	d-----w-	c:\program files\Java
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 18:46 . 2010-07-17 14:01	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-23 02:02 . 2011-04-21 15:26	529562	----a-w-	c:\windows\system32\PerfStringBackup.TMP
2012-06-04 22:35 . 2007-07-31 00:18	222448	----a-w-	c:\windows\system32\muweb.dll
.
.
(((((((((((((((((((((((((((((   SnapShot_2012-07-25_02.57.16   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-05 19:32 . 2012-08-11 16:38	32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-05 14:41 . 2012-08-11 16:38	65536              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-05 14:41 . 2012-07-22 20:54	65536              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-09-02 02:44 . 2012-08-08 00:43	16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2011-09-02 02:44 . 2012-07-25 00:44	16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2012-06-24 13:13 . 2012-07-22 20:54	16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-08-05 19:32 . 2012-08-11 16:38	16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-08-05 03:23 . 2012-07-06 03:06	227760              c:\windows\system32\javaws.exe
+ 2012-08-05 03:23 . 2012-08-05 03:22	174064              c:\windows\system32\javaw.exe
+ 2012-08-05 03:23 . 2012-08-05 03:22	174064              c:\windows\system32\java.exe
+ 2012-08-05 03:25 . 2012-08-05 03:25	176128              c:\windows\Installer\24d4c40.msi
+ 2012-08-05 03:24 . 2012-08-05 03:25	457216              c:\windows\Installer\24d4c3b.msi
+ 2012-08-05 03:22 . 2012-08-05 03:22	863744              c:\windows\Installer\24d4c37.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23	123536	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-04-01 22:48	24668	---ha-w-	c:\windows\system32\ckpNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1715567821-839522115-2218\Scripts\Logon\0\0]
"Script"=\\northamerica.gbcglobal.local\SysVol\northamerica.gbcglobal.local\scripts\SMSINST.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1715567821-839522115-2218\Scripts\Logon\1\0]
"Script"=\\northamerica.gbcglobal.local\SysVol\northamerica.gbcglobal.local\scripts\DST_Patch.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^sjk05cc^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\sjk05cc\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04	39792	----a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 02:28	59240	----a-w-	c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2010-07-29 07:47	95576	----a-w-	c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2011-03-15 02:09	2565520	----a-w-	c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2011-03-28 17:40	1611160	----a-w-	c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
2010-07-02 18:24	95744	----a-w-	c:\program files\eFax Messenger 4.4\J2GDllCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
2011-01-15 22:48	452016	----a-w-	c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 10:09	421736	----a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07	252296	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-10-30 13:47	39408	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2011-03-09 12:30	247728	----a-w-	c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SR_WatchDog"=2 (0x2)
"SR_Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"SeaPort"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"MatSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"FsUsbExService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WudfSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"TrkWks"=2 (0x2)
"Fax"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"IMFservice"=2 (0x2)
"helpsvc"=2 (0x2)
"!SASCORE"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/3/2012 9:33 AM 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/3/2012 9:33 AM 337112]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/3/2012 9:33 AM 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/26/2012 10:59 AM 655944]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [5/30/2008 6:03 PM 17424]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [5/30/2008 6:03 PM 670128]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [5/30/2008 6:03 PM 2041744]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/17/2010 9:01 AM 22344]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [4/21/2005 10:58 PM 92550]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [7/11/2010 4:06 PM 49208]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2/27/2012 9:07 PM 253600]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [9/6/2011 4:34 PM 36608]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [12/27/2010 11:50 PM 30969208]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [5/30/2008 6:03 PM 14924]
S4 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [9/6/2011 4:34 PM 238952]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/30/2010 8:47 AM 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/30/2010 8:47 AM 135664]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/9/2011 7:30 AM 92592]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - SASDIFSV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-02-28 02:07]
.
2012-08-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2010-08-26 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-08-26 01:09]
.
2010-08-26 c:\windows\Tasks\expressripDowngrade.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-07-11 21:08]
.
2010-09-01 c:\windows\Tasks\expressripShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressRip\expressrip.exe [2010-07-11 21:08]
.
2012-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 13:47]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-30 13:47]
.
2010-07-21 c:\windows\Tasks\soundtapShakeIcon.job
- c:\program files\NCH Swift Sound\SoundTap\soundtap.exe [2010-07-11 21:07]
.
2011-09-18 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-07-11 21:05]
.
2010-07-21 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-07-11 21:06]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.google.com/mail/?shva=1#inbox
uInternet Connection Wizard,ShellNext = hxxp://myacco/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: adobe.com
Trusted Zone: computerforum.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\v4.update
Trusted Zone: microsoft.com\www
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-IObit Malware Fighter - c:\program files\IObit\IObit Malware Fighter\IMF.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-12 21:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
.
C:\avast! sandbox
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(592)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-08-12  21:13:56
ComboFix-quarantined-files.txt  2012-08-13 02:13
ComboFix2.txt  2012-08-04 16:33
ComboFix3.txt  2012-07-25 03:01
ComboFix4.txt  2012-06-24 03:59
ComboFix5.txt  2012-08-05 03:37
.
Pre-Run: 799,535,104 bytes free
Post-Run: 786,243,584 bytes free
.
- - End Of File - - 3493237FC68DCC39756AE5C394AC5FBC


----------



## johnb35

According to the log, remnants of superantispyware remain.  I'm gonna have you run one more combofix script and see what happens.  I'm also curious if possibly all the windows tasks are maybe causing the issue.  You have a lot of them and not sure what they are for.  Navigate to C:\windows\tasks folder and delete all tasks.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



		Code:
	

Driver::

SASKUTIL
SABKUTIL
!SASCORE


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.



If your system is still slow then your gonna be stuck with reinstalling windows.


----------



## skos

johhny said:


> Just re install the OS and before installing format the drive containing previous version of Windows. After re installation of OS install an antivirus program for data and for internet as well, i mean internet security.



Johhny I appreciate the advice but that's my last resort.  As anyone has ever done this it is time consuming.  I have a ton of software and files and that will take me days.

I would rather use "johnb35" advice and try to fix the problem 1st.


----------



## skos

johnb35,

thanks for all your help.  so far so good.  Here is the log


ComboFix 12-08-17.03 - SJK05CC 08/18/2012   8:03.7.1 - x86
Running from: c:\documents and settings\sjk05cc\My Documents\Koscielak\Computer\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\sjk05cc\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_!SASCORE
-------\Legacy_SASKUTIL
-------\Service_!SASCORE
-------\Service_SABKUTIL
-------\Service_SASKUTIL
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-18 to 2012-08-18  )))))))))))))))))))))))))))))))
.
.
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 18:46 . 2010-07-17 14:01	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-23 02:02 . 2011-04-21 15:26	529562	----a-w-	c:\windows\system32\PerfStringBackup.TMP
2012-06-04 22:35 . 2007-07-31 00:18	222448	----a-w-	c:\windows\system32\muweb.dll
.
.
(((((((((((((((((((((((((((((   SnapShot_2012-07-25_02.57.16   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-05 19:32 . 2012-08-17 01:17	32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-05 14:41 . 2012-08-17 01:17	65536              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-05 14:41 . 2012-07-22 20:54	65536              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-09-02 02:44 . 2012-08-15 00:43	16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2011-09-02 02:44 . 2012-07-25 00:44	16384              c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2012-06-24 13:13 . 2012-07-22 20:54	16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-08-05 19:32 . 2012-08-17 01:17	16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-08-05 03:23 . 2012-07-06 03:06	772544              c:\windows\system32\npDeployJava1.dll
+ 2012-08-05 03:23 . 2012-07-06 03:06	227760              c:\windows\system32\javaws.exe
+ 2012-08-05 03:23 . 2012-08-05 03:22	174064              c:\windows\system32\javaw.exe
+ 2012-08-05 03:23 . 2012-08-05 03:22	174064              c:\windows\system32\java.exe
+ 2012-08-05 03:25 . 2012-08-05 03:25	176128              c:\windows\Installer\24d4c40.msi
+ 2012-08-05 03:24 . 2012-08-05 03:25	457216              c:\windows\Installer\24d4c3b.msi
+ 2012-08-05 03:22 . 2012-08-05 03:22	863744              c:\windows\Installer\24d4c37.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23	123536	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-04-01 22:48	24668	---ha-w-	c:\windows\system32\ckpNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1715567821-839522115-2218\Scripts\Logon\0\0]
"Script"=\\northamerica.gbcglobal.local\SysVol\northamerica.gbcglobal.local\scripts\SMSINST.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-1715567821-839522115-2218\Scripts\Logon\1\0]
"Script"=\\northamerica.gbcglobal.local\SysVol\northamerica.gbcglobal.local\scripts\DST_Patch.bat
.
[HKLM\~\startupfolder\C:^Documents and Settings^sjk05cc^Start Menu^Programs^Startup^eFax 4.4.lnk]
path=c:\documents and settings\sjk05cc\Start Menu\Programs\Startup\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04	39792	----a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 02:28	59240	----a-w-	c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2010-07-29 07:47	95576	----a-w-	c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2011-03-15 02:09	2565520	----a-w-	c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2011-03-28 17:40	1611160	----a-w-	c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
2010-07-02 18:24	95744	----a-w-	c:\program files\eFax Messenger 4.4\J2GDllCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
2011-01-15 22:48	452016	----a-w-	c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 10:09	421736	----a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07	252296	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-10-30 13:47	39408	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2011-03-09 12:30	247728	----a-w-	c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SR_WatchDog"=2 (0x2)
"SR_Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"SeaPort"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"MatSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"FsUsbExService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WudfSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"UPS"=3 (0x3)
"TrkWks"=2 (0x2)
"Fax"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"IMFservice"=2 (0x2)
"helpsvc"=2 (0x2)
"!SASCORE"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/3/2012 9:33 AM 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/3/2012 9:33 AM 337112]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/3/2012 9:33 AM 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/26/2012 10:59 AM 655944]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [5/30/2008 6:03 PM 17424]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [5/30/2008 6:03 PM 670128]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [5/30/2008 6:03 PM 2041744]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/17/2010 9:01 AM 22344]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [4/21/2005 10:58 PM 92550]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [7/11/2010 4:06 PM 49208]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2/27/2012 9:07 PM 253600]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [9/6/2011 4:34 PM 36608]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [12/27/2010 11:50 PM 30969208]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [5/30/2008 6:03 PM 14924]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [9/6/2011 4:34 PM 238952]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/30/2010 8:47 AM 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/30/2010 8:47 AM 135664]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/9/2011 7:30 AM 92592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.google.com/mail/?shva=1#inbox
uInternet Connection Wizard,ShellNext = hxxp://myacco/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: adobe.com
Trusted Zone: computerforum.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\v4.update
Trusted Zone: microsoft.com\www
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-18 08:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
.
C:\avast! sandbox
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1848)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\crypserv.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
.
**************************************************************************
.
Completion time: 2012-08-18  08:40:16 - machine was rebooted
ComboFix-quarantined-files.txt  2012-08-18 13:40
ComboFix2.txt  2012-08-13 02:13
ComboFix3.txt  2012-08-04 16:33
ComboFix4.txt  2012-07-25 03:01
ComboFix5.txt  2012-08-18 12:59
.
Pre-Run: 1,797,857,280 bytes free
Post-Run: 1,989,730,304 bytes free
.
- - End Of File - - A636902512392C77A9E1711A1BDA5EBC


----------



## AntimatterAsh

skos said:


> thanks, but I have backed it up and I am sure there is a better fix then recovery



Sometimes it is just easier to format. If it has not been done for a while lol.


----------



## johnb35

So are you saying its running better now?


----------



## S.T.A.R.S.

Please answer these questions:

When your computer runs slow while you are doing something,is HDD led lighting all the time even though it's not supposed to light (read/write operations) so much for a small task that you are trying to perform such as loading a single WEB page?

How big is your PF usage while your computer runs slow?

Do you hear any loud / strange noises from your computer (reffering to the hard disk drive hardware) while your computer runs slow?


----------



## skos

johnb35 said:


> So are you saying its running better now?



it is running much faster, thanks.  However I don't feel I am back to 100%.  Anything MS Office 2010 takes forever to open and do.


----------



## skos

S.T.A.R.S. said:


> Please answer these questions:
> 
> When your computer runs slow while you are doing something,is HDD led lighting all the time even though it's not supposed to light (read/write operations) so much for a small task that you are trying to perform such as loading a single WEB page?
> 
> How big is your PF usage while your computer runs slow?
> 
> Do you hear any loud / strange noises from your computer (reffering to the hard disk drive hardware) while your computer runs slow?



Ok, the HDD led is NOT on all the time.

My Page File is 736MB when just Outlook and 1 session & 5 tabs are open in IE8

No strange noises of any kind.


----------



## claptonman

What is your CPU's temperature? Coretemp is a good program to see this.

Test your HDD and RAM?


----------



## Okedokey

Reformat IMO.


----------



## S.T.A.R.S.

Please check the SYSTEM temperature,CPU temperature,graphic card temperature and HDD temperature and report them back here.


----------



## johnb35

Try reinstalling office.


----------



## skos

Update, it just started going slow after opening my 9th tab in IE8

My Page File is at 1.68GB and system use is at 7%

I also only have Outlook, Word with 1 doc open and and Win Explorer open


----------



## skos

johnb35 said:


> Try reinstalling office.



I just reinstalled office


----------



## johnb35

You need more memory.  I doubt 1gb is enough for what you are doing.


----------



## S.T.A.R.S.

skos said:


> Update, it just started going slow after opening my 9th tab in IE8
> 
> My Page File is at 1.68GB and system use is at 7%
> 
> I also only have Outlook, Word with 1 doc open and and Win Explorer open



Your PF usage is WAAAAY high.Please go to the PROCESSES tab and look under MEM USAGE which process is using so much RAM memory and give us the name of the process.

By the way try closing all background (if any) and all foreground programs.Because some of them might be using your RAM memory a LOT and that causes PF to go hugh and high PF causes the system to work like crap lol.
By the way some programs (which we all call viruses mostly lol) are hidden and use RAM memory a LOT on purpose for no reason and that causes high PF so be sure to go to the PROCESSES tab and look under MEM USAGE which process is using so much RAM memory and give us the name of the process like I already said above.

And like I said in my previous port,give us the temperatures.


----------

