My Netbook's CPU usage is 100% when idle and too slow!



#31
polepole

polepole

    Member

  • Topic Starter
  • Member
  • 102 posts
Hi, it has finished the full scan and it found no threat. I also ran msconfig and followed the instructions you gave, but the CPU usage was unchanged, i.e. it didn't go down.
Please, what next?
Regards
  • 0

#32
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Does aswmbr find anything?

Start, Run, msconfig, OK.
Go to the Services tab and click on the box to hide Microsoft services, then uncheck everything that remains. Go to the Startup tab and uncheck everything. OK and reboot. Now run Process Explorer and look at the CPU for System Idle. Is it over 95%? If it helps, then go back and turn on a few items each time until you find the culprit that makes System Idle drop down low.
  • 0

#33
polepole

polepole

    Member

  • Topic Starter
  • Member
  • 102 posts
Hi,
Can I run it in safe mode?
  • 0

#34
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I think aswmbr will run in safe mode. msconfig will certainly work in safe mode but after you uncheck everything you need to go into regular mode to see if that makes things better.
  • 0

#35
polepole

polepole

    Member

  • Topic Starter
  • Member
  • 102 posts
Hi,
I have run aswMBR and this is its log:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-08 20:36:17
-----------------------------
20:36:17.468 OS Version: Windows 5.1.2600 Service Pack 3
20:36:17.484 Number of processors: 2 586 0x1C02
20:36:17.484 ComputerName: COMPUTER_1 UserName:
20:36:39.734 Initialize success
21:06:01.890 AVAST engine defs: 11110801
21:09:51.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:09:51.515 Disk 0 Vendor: ST9160827AS 3.AHC Size: 152627MB BusType: 3
21:09:53.625 Disk 0 MBR read successfully
21:09:53.656 Disk 0 MBR scan
21:09:53.781 Disk 0 Windows XP default MBR code
21:09:53.859 Disk 0 scanning sectors +312576705
21:09:53.984 Disk 0 scanning C:\WINDOWS\system32\drivers
21:11:09.484 Service scanning
21:11:25.953 Modules scanning
21:12:00.828 AVAST engine scan C:\
03:12:14.093 File: C:\_OTL\MovedFiles\11062011_073354\C_Program Files\IDT\WDM\AESTFl64.exe **INFECTED** Win64:Vitro
03:12:18.687 File: C:\_OTL\MovedFiles\11062011_073354\C_Program Files\IDT\WDM\AESTFltr.exe **INFECTED** Win32:Vitro
03:12:30.171 File: C:\_OTL\MovedFiles\11062011_073354\C_Program Files\IDT\WDM\stacsv.exe **INFECTED** Win32:Vitro
03:12:31.312 File: C:\_OTL\MovedFiles\11062011_073354\C_Program Files\IDT\WDM\stacsv64.exe **INFECTED** Win64:Vitro
03:13:55.609 File: C:\_OTL\MovedFiles\11062011_073354\C_Program Files\IDT\WDM\sttray.exe **INFECTED** Win32:Vitro
03:13:59.218 File: C:\_OTL\MovedFiles\11062011_073354\C_Program Files\IDT\WDM\sttray64.exe **INFECTED** Win64:Vitro
03:14:06.843 File: C:\_OTL\MovedFiles\11062011_073354\C_WINDOWS\sttray.exe **INFECTED** Win32:Vitro
03:14:11.187 File: C:\_OTL\MovedFiles\11062011_073354\C_WINDOWS\system32\AESTFltr.exe **INFECTED** Win32:Vitro
03:14:14.171 File: C:\_OTL\MovedFiles\11062011_073354\C_WINDOWS\system32\Atheros_L1e\DriUpdate32.exe **INFECTED** Win32:Vitro
03:14:18.078 File: C:\_OTL\MovedFiles\11062011_073354\C_WINDOWS\system32\DRVSTORE\kit13056_65C27B76837EEBC0B54E44D12ECE965DC870DE93\igfxext.exe **INFECTED** Win32:Vitro
03:14:20.046 File: C:\_OTL\MovedFiles\11062011_073354\C_WINDOWS\system32\DRVSTORE\kit13056_65C27B76837EEBC0B54E44D12ECE965DC870DE93\igfxsrvc.exe **INFECTED** Win32:Vitro
03:14:22.328 File: C:\_OTL\MovedFiles\11062011_073354\C_WINDOWS\system32\igfxext.exe **INFECTED** Win32:Vitro
03:14:23.375 File: C:\_OTL\MovedFiles\11062011_073354\C_WINDOWS\system32\stacsv.exe **INFECTED** Win32:Vitro
03:14:25.000 File: C:\_OTL\MovedFiles\11062011_100657\C_WINDOWS\system32\igfxsrvc.exe **INFECTED** Win32:Vitro
03:14:25.703 Scan finished successfully
05:57:13.750 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
05:57:14.250 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR7.txt"
  • 0
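Every detection in the aswMBR log above sits under C:\_OTL\MovedFiles, the folder OTL moves files into when it removes them, so these are quarantined copies rather than files still in place. As an added example (not part of the thread, and not code from aswMBR or OTL), the Python script below parses the **INFECTED** lines out of a log in this format, separates detections already in quarantine from any at live paths, and recovers each quarantined file's pre-quarantine location from the `C_Program Files\...` encoding visible in the paths. The sample log is constructed from a few of the lines above plus one constructed detection at a live path (`constructed_live_sample.exe` is not a real file); the quarantine-folder layout is inferred from the paths in the log, not taken from OTL documentation.

```python
import re
from collections import Counter

# Constructed sample in the format of the aswMBR log above: a subset of its lines plus one
# constructed detection outside the quarantine folder, to exercise the live/quarantined split.
SAMPLE_LOG = r"""
aswMBR version 0.9.8.986
Run date: 2011-11-08 20:36:17
-----------------------------
21:11:25.953 Modules scanning
03:12:14.093 File: C:\_OTL\MovedFiles\11062011_073354\C_Program Files\IDT\WDM\AESTFl64.exe **INFECTED** Win64:Vitro
03:12:18.687 File: C:\_OTL\MovedFiles\11062011_073354\C_Program Files\IDT\WDM\AESTFltr.exe **INFECTED** Win32:Vitro
03:13:00.000 File: C:\WINDOWS\system32\constructed_live_sample.exe **INFECTED** Win32:Vitro
03:14:25.000 File: C:\_OTL\MovedFiles\11062011_100657\C_WINDOWS\system32\igfxsrvc.exe **INFECTED** Win32:Vitro
03:14:25.703 Scan finished successfully
"""

# One detection per line: "<hh:mm:ss.mmm> File: <path> **INFECTED** <threat name>"
DETECTION_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) File: (?P<path>.+?) \*\*INFECTED\*\* (?P<threat>\S+)$"
)

# OTL's quarantine root, as seen in the posted log (assumption: same root on the machine being triaged).
QUARANTINE_PREFIX = "C:\\_OTL\\MovedFiles\\"


def parse_detections(log_text):
    """Return one dict per **INFECTED** line: scan time, path as reported, threat name."""
    detections = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            detections.append(m.groupdict())
    return detections


def original_location(path):
    """Map an OTL quarantine path back to where the file lived before OTL moved it.

    The log shows the layout <quarantine>\<timestamp>\<drive letter>_<original path>, e.g.
    ...\11062011_100657\C_WINDOWS\system32\igfxsrvc.exe came from C:\WINDOWS\system32\igfxsrvc.exe.
    Paths not under the quarantine root, or not matching that layout, are returned unchanged.
    """
    if not path.lower().startswith(QUARANTINE_PREFIX.lower()):
        return path
    rest = path[len(QUARANTINE_PREFIX):]
    parts = rest.split("\\", 1)  # ['11062011_100657', 'C_WINDOWS\\system32\\igfxsrvc.exe']
    if len(parts) != 2 or len(parts[1]) < 2 or parts[1][1] != "_":
        return path
    drive, remainder = parts[1][0], parts[1][2:]
    return f"{drive}:\\{remainder}"


def summarize(detections):
    """Split detections into already-quarantined vs live, and count them by threat name."""
    quarantined, live = [], []
    for d in detections:
        if d["path"].lower().startswith(QUARANTINE_PREFIX.lower()):
            quarantined.append(original_location(d["path"]))
        else:
            live.append(d["path"])
    return {
        "quarantined": quarantined,
        "live": live,
        "by_threat": Counter(d["threat"] for d in detections),
    }


if __name__ == "__main__":
    summary = summarize(parse_detections(SAMPLE_LOG))
    print(f"{len(summary['quarantined'])} detection(s) already in OTL quarantine, originally at:")
    for original in summary["quarantined"]:
        print("   ", original)
    print(f"{len(summary['live'])} detection(s) still at live paths:", summary["live"])
    print("by threat name:", dict(summary["by_threat"]))
```

The useful output of this triage is the "live" list: detections there are files still in place and need action, while entries under the quarantine root only tell you what OTL already removed (here the IDT audio, Atheros and Intel graphics components it moved on 11/06). The recovered original locations also show which system directories the infected copies had lived in.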

#36
polepole

polepole

    Member

  • Topic Starter
  • Member
  • 102 posts
I have also run msconfig in normal mode, but the CPU usage is still between 96 and 100%. I disabled everything and rebooted. This is the log of Process Explorer:

Process              PID   CPU    Private Bytes  Working Set  Description                                Company Name
alg.exe              976          1,124 K        3,472 K      Application Layer Gateway Service          Microsoft Corporation
lsass.exe            1728         3,680 K        1,512 K      LSA Shell (Export Version)                 Microsoft Corporation
msfeedssync.exe      2084         2,520 K        7,020 K      Microsoft Feeds Synchronization            Microsoft Corporation
smss.exe             1600         168 K          388 K        Windows NT Session Manager                 Microsoft Corporation
spoolsv.exe          984          3,228 K        4,860 K      Spooler SubSystem App                      Microsoft Corporation
svchost.exe          416          1,300 K        3,468 K      Generic Host Process for Win32 Services    Microsoft Corporation
svchost.exe          512          1,748 K        4,664 K      Generic Host Process for Win32 Services    Microsoft Corporation
svchost.exe          1996         1,704 K        4,128 K      Generic Host Process for Win32 Services    Microsoft Corporation
svchost.exe          1912         2,972 K        4,712 K      Generic Host Process for Win32 Services    Microsoft Corporation
svchost.exe          712          1,232 K        3,472 K      Generic Host Process for Win32 Services    Microsoft Corporation
System Idle Process  0            0 K            28 K
winlogon.exe         1672         6,948 K        4,904 K      Windows NT Logon Application               Microsoft Corporation
wmiprvse.exe         1088         2,388 K        4,744 K      WMI                                        Microsoft Corporation
wscntfy.exe          300          524 K          2,148 K      Windows Security Center Notification App   Microsoft Corporation
wuauclt.exe          936          6,468 K        6,620 K      Automatic Updates                          Microsoft Corporation
Interrupts           n/a   0.77   0 K            0 K          Hardware Interrupts and DPCs
svchost.exe          244   0.77   18,092 K       22,912 K     Generic Host Process for Win32 Services    Microsoft Corporation
csrss.exe            1648  1.54   1,396 K        3,248 K      Client Server Runtime Process              Microsoft Corporation
procexp.exe          1512  1.54   9,288 K        11,432 K     Sysinternals Process Explorer              Sysinternals - www.sysinternals.com
System               4     2.31   0 K            264 K
firefox.exe          472   3.08   79,232 K       84,960 K     Firefox                                    Mozilla Corporation
explorer.exe         1628  4.62   17,108 K       21,808 K     Windows Explorer                           Microsoft Corporation
services.exe         1716  85.38  2,076 K        3,676 K      Services and Controller app                Microsoft Corporation

What next, please? Do I reformat?
Regards
  • 0
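RKinner's test is whether System Idle Process is above 95% once startup items and non-Microsoft services are off. In the listing polepole posted it has no CPU figure at all (Process Explorer leaves the column blank for processes below its display threshold, which for the idle process means effectively 0%), while services.exe, the Service Control Manager, is at 85.38%. As an added example (not from the thread, from Sysinternals, or from any tool discussed here), the Python script below parses a Process Explorer listing pasted as text, treats a blank CPU cell as 0, reports whether the idle figure clears the threshold, and ranks the top consumers. The sample listing is a constructed subset of the rows posted above; the parser accepts either the single-space form a forum paste produces or aligned columns.

```python
import re

# Constructed sample: a subset of the Process Explorer listing posted above, as plain text with
# Process Explorer's column headers. The CPU cell is blank for processes below the display threshold.
SAMPLE_LISTING = """\
Process PID CPU Private Bytes Working Set Description Company Name
alg.exe 976 1,124 K 3,472 K Application Layer Gateway Service Microsoft Corporation
System Idle Process 0 0 K 28 K
Interrupts n/a 0.77 0 K 0 K Hardware Interrupts and DPCs
svchost.exe 244 0.77 18,092 K 22,912 K Generic Host Process for Win32 Services Microsoft Corporation
csrss.exe 1648 1.54 1,396 K 3,248 K Client Server Runtime Process Microsoft Corporation
System 4 2.31 0 K 264 K
firefox.exe 472 3.08 79,232 K 84,960 K Firefox Mozilla Corporation
explorer.exe 1628 4.62 17,108 K 21,808 K Windows Explorer Microsoft Corporation
services.exe 1716 85.38 2,076 K 3,676 K Services and Controller app Microsoft Corporation
"""

# Anchor on the numeric columns: the process name may contain spaces ("System Idle Process"),
# the PID may be "n/a" (Interrupts), the CPU column may be absent, and the two memory columns
# always end in " K". Whatever follows is description plus company name, which cannot be split
# reliably once the tabs are gone, so it is kept as one field.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+|n/a)\s+(?:(?P<cpu>\d+\.\d+)\s+)?"
    r"(?P<private>[\d,]+) K\s+(?P<ws>[\d,]+) K\s*(?P<rest>.*)$"
)


def parse_listing(text):
    """Parse a pasted Process Explorer listing into one dict per process row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or something that is not a process row
        g = m.groupdict()
        rows.append({
            "name": g["name"],
            "pid": None if g["pid"] == "n/a" else int(g["pid"]),
            "cpu": float(g["cpu"]) if g["cpu"] else 0.0,  # blank cell: below display threshold
            "private_kb": int(g["private"].replace(",", "")),
            "ws_kb": int(g["ws"].replace(",", "")),
            "description": g["rest"].strip(),
        })
    return rows


def idle_percent(rows):
    """CPU figure for System Idle Process, or None if the row is missing from the paste."""
    for r in rows:
        if r["name"] == "System Idle Process":
            return r["cpu"]
    return None


def idle_is_healthy(rows, threshold=95.0):
    """The check from the thread: with everything non-essential off, is the machine mostly idle?"""
    idle = idle_percent(rows)
    return idle is not None and idle > threshold


def top_consumers(rows, n=3):
    """Processes ranked by CPU, idle process excluded, as (name, pid, cpu) tuples."""
    busy = [r for r in rows if r["name"] != "System Idle Process"]
    busy.sort(key=lambda r: r["cpu"], reverse=True)
    return [(r["name"], r["pid"], r["cpu"]) for r in busy[:n]]


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    print(f"parsed {len(rows)} process rows")
    print(f"System Idle Process: {idle_percent(rows)}%  healthy (>95%): {idle_is_healthy(rows)}")
    for name, pid, cpu in top_consumers(rows):
        print(f"  {cpu:6.2f}%  {name} (pid {pid})")
```

On Windows XP, services.exe is the Service Control Manager and also hosts the Plug and Play and Event Log services in-process (the OTL log later in the thread lists both PlugPlay and Eventlog against C:\WINDOWS\system32\services.exe), so an 85% reading there points at something the service controller is doing or hosting rather than at a process of its own. That is why the natural next step, and the one the thread takes, is a full listing of services.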

#37
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Can you run OTL in this mode? Click the ALL button in the Services category then hit Run Scan.
  • 0

#38
polepole

polepole

    Member

  • Topic Starter
  • Member
  • 102 posts
Hi,
It can't run in normal mode. I waited for almost 30 min and it hung. But I have run it in safe mode and this is the log:

OTL logfile created on: 11/9/2011 8:49:26 AM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.23 Mb Total Physical Memory | 795.91 Mb Available Physical Memory | 78.40% Memory free
2.38 Gb Paging File | 2.30 Gb Available in Paging File | 96.73% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.13 Gb Total Space | 24.36 Gb Free Space | 34.74% Space Free | Partition Type: NTFS
Drive D: | 78.91 Gb Total Space | 21.16 Gb Free Space | 26.81% Space Free | Partition Type: NTFS
Drive E: | 1.88 Gb Total Space | 0.33 Gb Free Space | 17.39% Space Free | Partition Type: FAT32

Computer Name: COMPUTER_1 | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/30 21:01:17 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr
PRC - [2008/04/14 01:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (All) ==========

SRV - File not found [Disabled | Stopped] -- -- (STacSV)
SRV - File not found [Disabled | Stopped] -- -- (HWDeviceService.exe)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Disabled | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/11 10:53:34 | 000,218,624 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Internet Everywhere 3G+\UpdateDog\ouc.exe -- (Internet Everywhere 3G+. RunOuc)
SRV - [2011/02/02 21:40:41 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Disabled | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2010/09/24 20:12:15 | 000,352,976 | ---- | M] (Kaspersky Lab ZAO) [Disabled | Stopped] -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe -- (AVP)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/12/21 09:53:26 | 000,512,000 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\ZTEMT UI\bin\MonServiceUDisk.exe -- (UDisk Monitor)
SRV - [2008/05/19 01:57:42 | 000,095,744 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/14 01:51:44 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2008/04/14 01:42:42 | 000,126,464 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\wbem\wmiapsrv.exe -- (WmiApSrv)
SRV - [2008/04/14 01:42:40 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/14 01:42:40 | 000,073,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\tlntsvr.exe -- (TlntSvr)
SRV - [2008/04/14 01:42:40 | 000,018,432 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ups.exe -- (UPS)
SRV - [2008/04/14 01:42:38 | 000,057,856 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/14 01:42:36 | 000,141,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sessmgr.exe -- (RDSessMgr)
SRV - [2008/04/14 01:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2008/04/14 01:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2008/04/14 01:42:36 | 000,089,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\smlogsvc.exe -- (SysmonLog)
SRV - [2008/04/14 01:42:34 | 000,095,744 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\scardsvr.exe -- (SCardSvr)
SRV - [2008/04/14 01:42:30 | 000,111,104 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\netdde.exe -- (NetDDEdsdm)
SRV - [2008/04/14 01:42:30 | 000,111,104 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\netdde.exe -- (NetDDE)
SRV - [2008/04/14 01:42:28 | 000,006,144 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\msdtc.exe -- (MSDTC)
SRV - [2008/04/14 01:42:26 | 000,075,264 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\locator.exe -- (RpcLocator) Remote Procedure Call (RPC)
SRV - [2008/04/14 01:42:26 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\mnmsrvc.exe -- (mnmsrvc)
SRV - [2008/04/14 01:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
SRV - [2008/04/14 01:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/14 01:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/14 01:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (NtLmSsp)
SRV - [2008/04/14 01:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/14 01:42:24 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/14 01:42:18 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/14 01:42:18 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/14 01:42:18 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (COMSysApp)
SRV - [2008/04/14 01:42:16 | 000,033,280 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv)
SRV - [2008/04/14 01:42:16 | 000,005,632 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\cisvc.exe -- (CiSvc)
SRV - [2008/04/14 01:42:14 | 000,044,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\alg.exe -- (ALG)
SRV - [2008/04/14 01:42:12 | 000,129,024 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\xmlprov.dll -- (xmlprov)
SRV - [2008/04/14 01:42:12 | 000,080,896 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc)
SRV - [2008/04/14 01:42:12 | 000,006,656 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/14 01:42:10 | 000,333,824 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc) Windows Image Acquisition (WIA)
SRV - [2008/04/14 01:42:10 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\upnphost.dll -- (upnphost)
SRV - [2008/04/14 01:42:10 | 000,175,104 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\w32time.dll -- (W32Time)
SRV - [2008/04/14 01:42:10 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2008/04/14 01:42:10 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)
SRV - [2008/04/14 01:42:10 | 000,068,096 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\webclnt.dll -- (WebClient)
SRV - [2008/04/14 01:42:10 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2008/04/14 01:42:08 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2008/04/14 01:42:08 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/14 01:42:08 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/14 01:42:08 | 000,096,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srvsvc.dll -- (LanmanServer)
SRV - [2008/04/14 01:42:08 | 000,090,112 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\trkwks.dll -- (TrkWks)
SRV - [2008/04/14 01:42:08 | 000,071,680 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ssdpsrv.dll -- (SSDPSRV)
SRV - [2008/04/14 01:42:06 | 000,399,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs) Remote Procedure Call (RPC)
SRV - [2008/04/14 01:42:06 | 000,399,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (DcomLaunch)
SRV - [2008/04/14 01:42:06 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/14 01:42:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/14 01:42:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/14 01:42:06 | 000,135,168 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/14 01:42:06 | 000,059,904 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\regsvc.dll -- (RemoteRegistry)
SRV - [2008/04/14 01:42:06 | 000,039,424 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\sens.dll -- (SENS)
SRV - [2008/04/14 01:42:06 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/14 01:42:04 | 000,435,200 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/14 01:42:04 | 000,409,088 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2008/04/14 01:42:04 | 000,291,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\qagentrt.dll -- (napagent)
SRV - [2008/04/14 01:42:04 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2008/04/14 01:42:04 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/14 01:42:04 | 000,038,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2008/04/14 01:42:02 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\mswsock.dll -- (Nla) Network Location Awareness (NLA)
SRV - [2008/04/14 01:42:02 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/04/14 01:42:02 | 000,052,224 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\mspmsnsv.dll -- (WmdmPmSN)
SRV - [2008/04/14 01:42:00 | 000,033,792 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\msgsvc.dll -- (Messenger)
SRV - [2008/04/14 01:41:58 | 000,061,440 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\kmsvc.dll -- (hkmsvc)
SRV - [2008/04/14 01:41:58 | 000,053,248 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\mprdim.dll -- (RemoteAccess)
SRV - [2008/04/14 01:41:58 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/14 01:41:56 | 000,331,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess) Windows Firewall/Internet Connection Sharing (ICS)
SRV - [2008/04/14 01:41:54 | 000,246,272 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\es.dll -- (EventSystem)
SRV - [2008/04/14 01:41:54 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)
SRV - [2008/04/14 01:41:54 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2008/04/14 01:41:54 | 000,033,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)
SRV - [2008/04/14 01:41:54 | 000,023,552 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/14 01:41:54 | 000,023,040 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\ersvc.dll -- (ERSvc)
SRV - [2008/04/14 01:41:52 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2008/04/14 01:41:52 | 000,077,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/14 01:41:52 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/14 01:41:52 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
SRV - [2008/04/14 01:41:50 | 000,617,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi)
SRV - [2008/04/14 01:41:50 | 000,167,936 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\appmgmts.dll -- (AppMgmt)
SRV - [2008/04/14 01:41:50 | 000,017,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\alrsvc.dll -- (Alerter)
SRV - [2007/11/06 23:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [Disabled | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/10/24 01:47:40 | 000,070,144 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007/10/24 01:47:22 | 000,033,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2006/10/27 05:49:34 | 000,441,136 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/27 00:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2001/08/23 08:00:00 | 000,132,608 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsvp.exe -- (RSVP)


========== Driver Services (SafeList) ==========

DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/08/11 10:53:37 | 000,102,784 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ew_hwusbdev.sys -- (ew_hwusbdev)
DRV - [2011/08/11 10:53:37 | 000,073,216 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ew_jubusenum.sys -- (huawei_enumerator)
DRV - [2011/08/11 10:53:36 | 000,235,392 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2011/08/11 10:53:36 | 000,193,792 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2010/11/09 14:56:12 | 000,098,392 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2010/09/24 20:12:15 | 000,475,736 | ---- | M] (Kaspersky Lab) [File_System | System | Stopped] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2010/09/08 08:56:50 | 000,107,776 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2010/09/08 08:56:50 | 000,107,776 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2010/09/08 08:56:48 | 000,107,776 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2010/09/04 01:24:40 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
DRV - [2010/07/17 22:22:49 | 001,746,432 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2010/07/15 18:44:20 | 000,013,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\epmntdrv.sys -- (epmntdrv)
DRV - [2010/07/15 18:44:20 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2010/06/09 17:43:52 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl2.sys -- (kl2)
DRV - [2010/06/09 17:43:50 | 000,132,184 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\kl1.sys -- (KL1)
DRV - [2010/05/07 12:06:26 | 000,032,856 | ---- | M] (Kaspersky Lab ZAO) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2009/11/25 14:51:28 | 000,104,704 | ---- | M] (ZTEMT Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CT_ZTEMT_U_USBSER.sys -- (ztemtusbser)
DRV - [2009/11/02 20:27:24 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/06/29 23:44:38 | 001,642,931 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2009/04/21 20:13:34 | 000,113,664 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2009/03/31 23:11:44 | 000,039,424 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c)
DRV - [2008/04/13 20:23:10 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/11/06 23:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT2790392
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "TVfree Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "TVfree Customized Web Search"
FF - prefs.js..keyword.URL: "chrome://browser-region/locale/region.properties"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\Program Files\TVUPlayer\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@palmsource.com/installer,version=1.0: C:\PROGRA~1\Palm\PACKAG~1\NPInstal.dll ()
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Documents and Settings\Administrator\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.22\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/28 21:06:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.22\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/28 21:06:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla Firefox\components [2011/10/01 21:54:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\THBExt [2010/09/21 06:37:27 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\SeaMonkey\Extensions\\[email protected]: C:\Documents and Settings\Administrator\Application Data\IDM\idmmzcc3

[2011/07/11 18:47:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/10/26 23:43:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xnismpp1.default\extensions
[2011/10/26 23:43:04 | 000,000,000 | ---D | M] (TVfree Community Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xnismpp1.default\extensions\{c66f6b8c-7cdb-437c-b9db-9a7a7d9cdd1b}
[2011/06/19 12:16:08 | 000,000,915 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xnismpp1.default\searchplugins\conduit.xml
[2011/11/04 20:41:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/18 19:48:51 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/09/21 06:38:47 | 000,000,000 | ---D | M] (Anti-Banner) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2010/07/27 11:09:47 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2010/10/01 00:05:15 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/11/05 00:49:46 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll (Kaspersky Lab ZAO)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll (TechSmith Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6B77C15E-2662-49C1-BA87-4398E0F21B5C}: NameServer = 41.220.238.4,196.201.231.167
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8541A0A8-C403-47D8-AC89-C34BB98AEEB7}: NameServer = 41.220.238.4,196.201.231.167
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - (C:\WINDOWS\system32\klogon.dll) - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab ZAO)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/17 22:06:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/11/04 07:51:40 | 000,000,000 | ---D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/11/04 07:51:40 | 000,000,000 | R--D | M] - D:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/11/04 07:51:42 | 000,000,000 | RHSD | M] - E:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/06 00:45:39 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/11/05 07:03:01 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/11/05 00:47:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/11/05 00:38:26 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/11/05 00:33:31 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/11/05 00:33:31 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/11/05 00:33:31 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/11/05 00:33:31 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/11/05 00:33:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/11/05 00:33:15 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/11/05 00:33:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/11/05 00:32:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2011/11/05 00:32:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Administrative Tools
[2011/11/05 00:16:36 | 004,284,246 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/11/04 21:41:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/04 21:40:45 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/11/04 21:40:44 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/11/04 20:41:14 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/11/04 20:35:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Autorun Eater
[2011/11/04 20:35:35 | 000,000,000 | ---D | C] -- C:\Program Files\Autorun Eater
[2011/11/04 20:35:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Autorun Eater
[2011/11/04 07:51:40 | 000,000,000 | ---D | C] -- C:\autorun.inf
[2011/10/31 20:44:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/10/31 20:35:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/10/30 21:00:15 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr
[2011/10/29 18:44:00 | 000,027,984 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\sbbd.exe
[2011/10/29 18:43:59 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/10/29 18:40:30 | 000,000,000 | ---D | C] -- C:\VIPRERESCUE
[2011/10/29 10:47:38 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/10/28 10:10:49 | 000,000,000 | ---D | C] -- C:\ubuntu
[2011/10/27 19:50:57 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/10/25 22:13:20 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/10/23 10:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Facebook
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/11/09 08:47:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/09 08:46:22 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B104C796-8274-4204-92E1-E8EF1497D78A}.job
[2011/11/09 07:49:15 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-2077806209-515967899-500UA.job
[2011/11/09 06:58:37 | 000,000,354 | RHS- | M] () -- C:\boot.ini
[2011/11/09 05:57:14 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2011/11/08 16:38:44 | 000,767,302 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/08 16:38:44 | 000,262,118 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/08 08:47:43 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/07 23:50:49 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-2077806209-515967899-500Core.job
[2011/11/06 10:10:26 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/05 00:49:46 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/11/05 00:18:32 | 004,284,246 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/11/04 21:41:20 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/11/04 21:41:20 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/04 20:35:35 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2011/10/30 21:01:17 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr
[2011/10/29 18:48:23 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\SBRC.dat
[2011/10/28 16:14:39 | 000,134,978 | ---- | M] () -- C:\wubildr
[2011/10/28 16:14:14 | 000,000,238 | ---- | M] () -- C:\Boot.bak
[2011/10/28 16:12:48 | 000,008,192 | ---- | M] () -- C:\wubildr.mbr
[2011/10/27 19:51:25 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/10/22 00:11:04 | 000,001,882 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\fxTrade Practice.lnk
[2011/10/20 14:03:17 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/10/20 08:27:35 | 000,160,768 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/05 08:36:39 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2011/11/05 00:38:31 | 000,000,238 | ---- | C] () -- C:\Boot.bak
[2011/11/05 00:38:28 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/11/05 00:33:31 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/11/05 00:33:31 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/11/05 00:33:31 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/11/05 00:33:31 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/11/05 00:33:31 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/11/04 21:41:20 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/11/04 21:41:20 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/04 20:35:35 | 000,000,670 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2011/10/29 18:48:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\SBRC.dat
[2011/10/28 16:12:48 | 000,008,192 | ---- | C] () -- C:\wubildr.mbr
[2011/10/28 16:12:47 | 000,134,978 | ---- | C] () -- C:\wubildr
[2011/10/25 23:22:32 | 000,000,861 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Express Burn Disc Burning Software.lnk
[2011/09/21 15:19:13 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/08 23:10:00 | 000,000,088 | ---- | C] () -- C:\WINDOWS\Launcher.ini
[2011/07/23 09:28:39 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\$_hpcst$.hpc
[2010/12/23 22:48:16 | 000,153,600 | ---- | C] () -- C:\WINDOWS\System32\AI_ContextMenu.dll
[2010/12/23 17:36:09 | 000,000,034 | -H-- | C] () -- C:\WINDOWS\System32\Converter_sysquict.dat
[2010/09/21 06:38:29 | 000,115,369 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/09/21 06:38:29 | 000,097,961 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2010/09/07 21:46:16 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/08/06 08:58:11 | 001,774,720 | ---- | C] () -- C:\WINDOWS\System32\BootMan.exe
[2010/08/06 08:58:11 | 000,086,408 | ---- | C] () -- C:\WINDOWS\System32\setupempdrv03.exe
[2010/08/06 08:58:11 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
[2010/08/06 08:58:11 | 000,013,192 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
[2010/08/06 08:58:11 | 000,008,456 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
[2010/07/29 21:13:40 | 000,160,768 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/27 08:36:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/07/17 22:20:30 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2010/07/17 22:10:01 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/07/17 22:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/07/17 14:55:30 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/07/17 14:53:49 | 000,263,824 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/09 19:01:40 | 000,027,675 | ---- | C] () -- C:\WINDOWS\System32\drivers\klopp.dat
[2008/04/14 01:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2007/11/06 23:19:28 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2006/12/31 03:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,767,302 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,262,118 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >
  • 0

#39
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I had you hide Microsoft services, but it appears that one of them is at fault, so go back into MSCONFIG, unhide the Microsoft services and uncheck them all. Then Apply and Reboot, run Process Explorer, and let's see if it is one of them.
  • 0

#40
polepole

polepole

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
I had clicked hide Microsoft services, so I will redo after work.
  • 0



#41
polepole

polepole

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
Hi
I have done that; the CPU usage has been reduced to below 10%. This is the log:

Process              PID   CPU    Private Bytes  Working Set  Description                              Company Name
explorer.exe         416          16,912 K       21,340 K     Windows Explorer                         Microsoft Corporation
lsass.exe            1824         2,100 K        1,128 K      LSA Shell (Export Version)               Microsoft Corporation
services.exe         1812         1,336 K        2,700 K      Services and Controller app              Microsoft Corporation
smss.exe             1696         168 K          388 K        Windows NT Session Manager               Microsoft Corporation
svchost.exe          1980         1,256 K        3,200 K      Generic Host Process for Win32 Services  Microsoft Corporation
svchost.exe          184          1,612 K        3,988 K      Generic Host Process for Win32 Services  Microsoft Corporation
System               4            0 K            260 K
userinit.exe         396          968 K          2,924 K      Userinit Logon Application               Microsoft Corporation
winlogon.exe         1768         6,384 K        2,760 K      Windows NT Logon Application             Microsoft Corporation
csrss.exe            1744  0.78   1,364 K        2,992 K      Client Server Runtime Process            Microsoft Corporation
Interrupts           n/a   0.78   0 K            0 K          Hardware Interrupts and DPCs
procexp.exe          1412  0.78   8,424 K        9,480 K      Sysinternals Process Explorer            Sysinternals - www.sysinternals.com
firefox.exe          560   2.34   94,520 K       100,380 K    Firefox                                  Mozilla Corporation
System Idle Process  0     95.31  0 K            28 K



Then from here, what do I do?
Has the virus been cleared also?

Regards
  • 0

#42
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
What we do now is go back into msconfig, turn on half of the Microsoft services you just unchecked, Apply and reboot, then look at the CPU usage. If it shoots back up, one of the services you just turned on is bad. Uncheck half of the ones you just checked, Apply and reboot. If the CPU stays low, then those were good and the bad service is in the ones we haven't checked, so check about half of the Microsoft services that remain, Apply and reboot and check the CPU usage.

The idea is to keep this up until you identify exactly which service is causing the problem. Then we can look into its files and see what is going on.
  • 0
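The half-at-a-time procedure described in the post above is a binary search over the set of services, and it generalizes to any number of candidates. The following is an added example, not code from this thread or from its participants: it implements that search in Python with the "enable these, Apply, reboot, look at System Idle in Process Explorer" step replaced by a callback. The list of XP service display names, the constructed culprit, and the `check_cpu_high` callback are assumptions made for the illustration so the script runs offline; `interactive_check` is what you would plug in to drive the real msconfig experiment.

```python
"""Binary search over a list of services to find the one that drives CPU up.

Added example (not from the forum thread). The enable-half / reboot /
look-at-Process-Explorer step is abstracted into a callback so the same
logic can drive a manual checklist; here it is simulated on constructed data.
"""
from typing import Callable, List, Optional, Sequence, Tuple

# Constructed sample list of Windows XP service display names (assumption).
SAMPLE_SERVICES: List[str] = [
    "Automatic Updates", "Computer Browser", "DHCP Client", "DNS Client",
    "Event Log", "Plug and Play", "Print Spooler",
    "Remote Procedure Call (RPC)", "Server", "Task Scheduler", "Themes",
    "Windows Audio", "Workstation",
]

CheckFn = Callable[[Sequence[str]], bool]


def make_simulated_check(culprit: str) -> CheckFn:
    """Stand-in for the reboot-and-look step: CPU is 'high' iff the
    constructed culprit is among the enabled services. Demo only."""
    def check_cpu_high(enabled: Sequence[str]) -> bool:
        return culprit in enabled
    return check_cpu_high


def interactive_check(enabled: Sequence[str]) -> bool:
    """Manual version: print what to enable in msconfig and ask the outcome."""
    print("Enable ONLY these services, Apply, reboot, then look at System Idle:")
    for name in enabled:
        print("  -", name)
    answer = input("Did CPU usage shoot back up? [y/N] ").strip().lower()
    return answer.startswith("y")


def bisect_services(services: Sequence[str],
                    check_cpu_high: CheckFn) -> Tuple[Optional[str], int]:
    """Return (culprit, number_of_checks), or (None, checks) when the
    problem does not behave like a single service.

    Two baseline checks come first: the problem must reproduce with every
    candidate enabled and must disappear with all of them disabled;
    otherwise halving would chase a ghost.
    """
    candidates = list(services)
    checks = 1
    if not check_cpu_high(candidates):
        return None, checks          # not caused by any of these services
    checks += 1
    if check_cpu_high([]):
        return None, checks          # still high with everything off
    while len(candidates) > 1:
        first_half = candidates[: len(candidates) // 2]
        checks += 1
        if check_cpu_high(first_half):
            candidates = first_half  # culprit is in the half we enabled
        else:
            candidates = candidates[len(first_half):]
    return candidates[0], checks


if __name__ == "__main__":
    found, n = bisect_services(SAMPLE_SERVICES,
                               make_simulated_check("Plug and Play"))
    print(f"culprit: {found} after {n} reboot/check cycles")
```

With thirteen candidates the search needs six reboot cycles (two baselines plus four halvings) instead of thirteen. One caveat the algorithm does not capture: Windows services depend on each other, so a half that leaves a dependency disabled may not boot cleanly or may mask the culprit; if a cycle gives a result that contradicts the previous one, re-run that cycle before trusting it.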

#43
polepole

polepole

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
I have just found out what was causing the CPU usage to go up.
It is Plug and Play of Microsoft Corporation.

You can guide me on what I need to do.
I appreciate your help so much; I wish I could also have such knowledge to help others.
Regards.
  • 0

#44
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Do you have any USB devices plugged in to your netbook? If so, unplug and reboot.

Copy the next line:

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay > \junk.txt

Start, Programs, Accessories, then right click on Command Prompt and Run As Admin.

notepad \junk.txt

Copy and paste the text from notepad into a reply.

Submit the file: C:\windows\system32\drivers\umpnpmgr.dll

to http://virustotal.com and see what they have to say about it.

If it doesn't say 0/43 (or so) then copy and paste the report into a reply.


I found where one guy with this problem suggested the following:


If I just disable Kaspersky Internet Security 2010's Self-Defense and the CPU usage drops, and enable it again, it runs for weeks without a problem ^^

Open Kaspersky Internet Security-->Settings-->Options-->unclick Self-Defense and apply, then click it again and apply ^


Ron
  • 0

#45
polepole

polepole

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts
This is the reply

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay
Description REG_SZ Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
DisplayName REG_SZ Plug and Play
ErrorControl REG_DWORD 0x1
Group REG_SZ PlugPlay
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\services.exe
ObjectName REG_SZ LocalSystem
PlugPlayServiceType REG_DWORD 0x3
Start REG_DWORD 0x4
Type REG_DWORD 0x20

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay\Security
  • 0
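The reg query dump posted above is what the expert asked for in #44, and the first thing a responder checks in it is whether the values that control how the service loads (ImagePath, ObjectName, Type, Start) still match the stock ones, because a service key pointing at a non-stock binary is a common way a machine gets hijacked. The following is an added example, not code from the thread or from any of the tools mentioned in it: a small Python parser for the REG.EXE 3.0 layout shown above, plus a comparison against the values a stock Windows XP PlugPlay key carries. Those expected values (ImagePath `%SystemRoot%\system32\services.exe`, ObjectName `LocalSystem`, Type `0x20`, Start `2`/Automatic) are an assumption stated here, and the embedded sample is the dump from the post re-typed as a constant so the script runs offline.

```python
"""Parse `reg query` output (REG.EXE 3.0 layout) for a service key and
compare the load-relevant values with expected stock values.

Added example, not from the thread. The expected values are an assumption
about a stock Windows XP PlugPlay key; the sample text reproduces the dump
posted in the thread (indentation collapsed, exactly as it was pasted).
"""
import re
from typing import Dict, List, Tuple, Union

RegValue = Tuple[str, Union[str, int]]          # (registry type, data)

# Sample input: the reg query dump from the thread, re-typed here.
SAMPLE_OUTPUT = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay
Description REG_SZ Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
DisplayName REG_SZ Plug and Play
ErrorControl REG_DWORD 0x1
Group REG_SZ PlugPlay
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\services.exe
ObjectName REG_SZ LocalSystem
PlugPlayServiceType REG_DWORD 0x3
Start REG_DWORD 0x4
Type REG_DWORD 0x20

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay\Security
"""

PLUGPLAY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay"

# Assumed stock values for the PlugPlay service on Windows XP.
EXPECTED_PLUGPLAY_XP: Dict[str, Union[str, int]] = {
    "ImagePath": r"%SystemRoot%\system32\services.exe",
    "ObjectName": "LocalSystem",
    "Type": 0x20,     # SERVICE_WIN32_SHARE_PROCESS
    "Start": 2,       # SERVICE_AUTO_START
}

START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# "<name> <REG_type> <data>"; once the tabs have been collapsed a value name
# containing spaces is ambiguous, so the name is matched non-greedily.
VALUE_RE = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key_path: {value_name: (type, data)}}; DWORD/QWORD become ints."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):       # banner / blank line
            continue
        if line.upper().startswith("HKEY_"):        # key header
            current = line
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        data: Union[str, int] = m.group("data").strip()
        if m.group("type") in ("REG_DWORD", "REG_QWORD"):
            data = int(data, 0)                    # accepts "0x4" as printed by reg.exe
        keys[current][m.group("name")] = (m.group("type"), data)
    return keys


def audit_service(values: Dict[str, RegValue],
                  expected: Dict[str, Union[str, int]]) -> List[str]:
    """List every expected value that is missing or differs from stock."""
    findings: List[str] = []
    for name, want in expected.items():
        if name not in values:
            findings.append(f"{name}: missing")
            continue
        _vtype, got = values[name]
        if isinstance(want, str):
            same = isinstance(got, str) and got.lower() == want.lower()
        else:
            same = got == want
        if same:
            continue
        shown = hex(got) if isinstance(got, int) else got
        wanted = hex(want) if isinstance(want, int) else want
        note = ""
        if name == "Start" and isinstance(got, int) and isinstance(want, int):
            note = f" ({START_NAMES.get(got, '?')}, stock is {START_NAMES.get(want, '?')})"
        findings.append(f"{name}: {shown} != expected {wanted}{note}")
    return findings


if __name__ == "__main__":
    svc = parse_reg_query(SAMPLE_OUTPUT)[PLUGPLAY_KEY]
    for line in audit_service(svc, EXPECTED_PLUGPLAY_XP) or ["all expected values match"]:
        print(line)
```

Run against the posted dump, the only finding is `Start: 0x4 != expected 0x2 (Disabled, stock is Automatic)`, which is exactly the msconfig unchecking from the earlier posts rather than tampering; ImagePath and ObjectName are stock, so the key itself gives no sign of a hijacked service, and the next step the expert asked for, checking the service's DLL (umpnpmgr.dll) against VirusTotal, is the right one. The Description line in the dump is also a reminder that PlugPlay cannot stay disabled once the diagnosis is done.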