System Hangs While Browsing Web... Help, Thank You Please.

ArnPrdu · #1 15th Oct 2009, 15:13

I am running XP sp3 and have developed an annoying little issue over the last week. My system hangs while I'm web browsing, but only on very specific web pages. For instance, I cannot visit ebay.com at all, or I'm stuck...

A second condition is that the web sites that seem to trigger the issue change by web browser. I have tried IE, FireFox, and Chrome, all with the latest updates. In IE, XP hangs on facebook and myspace. In Firefox, on Wikipedia and youtube. Chrome hangs on myspace as well, and a few other sites.

Point of interest:
These are all sites I visit often and/or have bookmarked.

Next:
I've tried cleaning my cache, deleting bookmarks, and starting new user profiles on these browsers. No effect whatsoever.

Also:
I installed the Lunescape browser and tried flipping through the engines, and found that each engine retained their "own" sites that trigger the hang up. E.G., Gecko hangs on Wikipedia, Trident hangs on facebook, etc.

I'm lost. Google searches have turned up nothing. Any help?

**evilfantasy** · #2 15th Oct 2009, 15:16

Have you tried any virus and malware scans?

Download TrendMicro HijackThis.exe (HJT) to the Desktop.

Double-click on HJTInstall.
Click on the Install button.
It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
Upon install, HijackThis should open for you.
Click on the Do a system scan and save a log file button
HijackThis will scan and then a log will open in notepad.
Copy and then paste the entire contents of the log in your post.
Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

ArnPrdu · #3 15th Oct 2009, 15:24

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:18 PM, on 10/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lunascape\Lunascape5\Luna.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [symPCCheckup] "C:\WINDOWS\system32\Adobe\Shockwave 11\symcheckupstub.exe" /task /reboot
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Lunascape5.lnk = C:\Program Files\Lunascape\Lunascape5\Luna.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.hornsrev.dk/live/AxisCamControl.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9d28e785a0808) (gupdate1c9d28e785a0808) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/T...p_image002.jpg
--
End of file - 10111 bytes

**evilfantasy** · #4 15th Oct 2009, 15:35

Did you set this as your desktop?

Quote:

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/T...p_image002.jpg

----------

Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident
uncheck Resident TeaTimer and OK any prompt and Restart your computer.

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

----------

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have Malwarebytes be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM)

Alternate MBAM download link

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:

* Update Malwarebytes' Anti-Malware
* Launch Malwarebytes' Anti-Malware

* Then click Finish
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

ArnPrdu · #5 15th Oct 2009, 17:18

Malwarebytes' Anti-Malware 1.41
Database version: 2969
Windows 5.1.2600 Service Pack 3
10/15/2009 8:16:06 PM
mbam-log-2009-10-15 (20-16-06).txt
Scan type: Quick Scan
Objects scanned: 108761
Time elapsed: 8 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(defa ult) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Owner\results.txt (Malware.Trace) -> Quarantined and deleted successfully.

Just to interject on this process, I really appriciate your time and expertice. A+ High Five.

**evilfantasy** · #6 15th Oct 2009, 17:23

Your welcome.

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

ArnPrdu · #7 15th Oct 2009, 19:16

ComboFix 09-10-15.02 - Owner 10/15/2009 22:03.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.583 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 091015-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\LOG1AF.tmp
c:\windows\Installer\9b4e2.msi
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000013_.tmp.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.
2009-10-16 00:05 . 2009-10-16 00:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-16 00:05 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-16 00:05 . 2009-10-16 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-16 00:05 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-16 00:05 . 2009-10-16 00:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-15 22:22 . 2009-10-15 22:22 -------- d-----w- c:\program files\Trend Micro
2009-10-14 00:40 . 2007-07-19 22:14 444776 ----a-w- c:\windows\system32\d3dx10_35.dll
2009-10-14 00:40 . 2007-07-19 22:14 1358192 ----a-w- c:\windows\system32\D3DCompiler_35.dll
2009-10-14 00:40 . 2007-07-19 22:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-10-14 00:08 . 2009-10-14 00:08 -------- d-----w- c:\documents and settings\Owner\Application Data\MozillaControl
2009-10-14 00:05 . 2009-10-14 00:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Lunascape
2009-10-14 00:03 . 2009-10-14 00:04 -------- d-----w- c:\program files\Lunascape
2009-09-29 00:57 . 2009-10-13 22:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-09-28 23:51 . 2009-09-28 23:51 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!
2009-09-28 02:07 . 2009-09-28 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-10-16 00:21 . 2008-09-25 03:04 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-10-15 00:13 . 2009-04-27 14:06 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-09-12 02:58 . 2006-08-11 15:37 -------- d-----w- c:\program files\Java
2009-09-02 21:04 . 2006-08-19 20:34 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-09-01 12:06 . 2007-12-31 19:25 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-08-17 16:10 . 2007-08-26 19:31 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2007-08-26 19:31 93392 -c--a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2007-08-26 19:31 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2008-04-03 20:57 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-04-03 20:57 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2007-08-26 19:31 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2007-08-26 19:31 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2007-08-26 19:31 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2007-08-26 19:31 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-11 15:20 . 2006-08-11 15:19 75528 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2006-08-11 00:36 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2006-08-11 00:36 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-08-11 00:36 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-08-11 00:36 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-08-11 00:36 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-08-11 00:36 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 19:23 . 2009-07-26 13:43 411368 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-03-29 258048]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Steam"="c:\program files\Valve\Steam\\Steam.exe" [2009-06-11 1217784]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2007-07-02 219008]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2006-08-04 25600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2004-10-11 589824]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.e xe" [2001-07-09 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-28 7573504]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2006-04-28 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp. exe" [2009-08-17 81000]
"JeticoPFStartup"="c:\program files\Jetico\Jetico Personal Firewall\fwsrv.exe" [2005-07-19 118784]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-11-11 90112]
"PD0630 STISvc"="P0630Pin.dll" - c:\windows\system32\P0630Pin.dll [2005-06-05 36864]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-04-28 1519616]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-04 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-04 18944]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-4-18 546816]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Lunascape5.lnk - c:\program files\Lunascape\Lunascape5\Luna.exe [2009-9-10 95576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\aaron725\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Defcon\\defcon.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
[HKLM\~\Services\\_common\\RWVoice.exe"=]
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\aaron725\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.ex e"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\ Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\last remnant - demo sei\\Binaries\\TLRDemo.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/3/2008 4:57 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswF sBlk.sys [4/3/2008 4:57 PM 20560]
R3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [8/11/2006 5:56 PM 91841]
S2 gupdate1c9d28e785a0808;Google Update Service (gupdate1c9d28e785a0808);c:\program files\Google\Update\GoogleUpdate.exe [5/11/2009 7:16 PM 133104]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/19/2006 4:00 PM 17149]
.
Contents of the 'Scheduled Tasks' folder
2009-10-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-11 23:15]
2009-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-11 23:15]
2009-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-796845957-839522115-1001Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-29 22:54]
2009-10-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-796845957-839522115-1001UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-29 22:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.micros oft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\hilpe3l0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserp lus_2.4.17.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dl l
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe

************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 22:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WINSPOOL.DRV
.
Completion time: 2009-10-16 22:12
ComboFix-quarantined-files.txt 2009-10-16 02:12
Pre-Run: 60,419,317,760 bytes free
Post-Run: 60,561,874,944 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Home Edition" /noexecute=optin /fastdetect
193 --- E O F --- 2009-09-10 04:01

**evilfantasy** · #8 15th Oct 2009, 20:20

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

----------

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

ArnPrdu · #9 17th Oct 2009, 12:25

C:\Program Files\Image-Line\Toxic Biohazard\Toxic Biohazard.dll
C:\Program Files\Image-Line\FL Studio 8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll

**evilfantasy** · #10 17th Oct 2009, 12:26

How is the computer running now?