Hi all,


I hope someone can help. I've been all over the net trying to find a fix for this. At random times (usually in the evening to early morning) both my processors (Dell Inspiron E1505 core 2 duo) will max out at 100% usage (noticed with a sidebar gadget). When checking with the task manager there can be a few different culprits.

It varies between these three:

- Taskmgr
- Audiodg
- Svchost

I found a thread somewhere showing how to fix the Audiodg issue by disabling advanced sound options. Since I did that, Audiodg has been cool.

I found another thread somewhere that listed the following fix for a problem:
"Run all these commands in a command prompt one after the other
regsvr32 MSXML3.dll
regsvr32 WUAUENG1.dll
regsvr32 WUAPI.DLL
regsvr32 WUAUENG.DLL
regsvr32 WUAUENG1.DLL
regsvr32 ATL.DLL
regsvr32 WUCLTUI.DLL
regsvr32 WUPS.DLL
regsvr32 WUPS2.DLL
regsvr32 WUWEB.DLL
net stop WuAuServ
rename %windir%\SoftwareDistribution SoftwareDistribution_buggy
net start WuAuServ "
So I did that, but a few of those commands couldn't find the dll (the above seems to be for XP, so maybe that is why). And since doing that, now at start up my computer will go to 100% cpus for 3 minutes. So I would like to undo the above somehow.

That's as far as I have gotten with solving this issue. Please anyone help if you can. Thanks!! Here is the Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:57 AM, on 8/23/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\taskeng.exe
C:\Windows\sttray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{6342C9DD-4FC1-4AC6-9352-4B82D9A0FA19}: NameServer = 217.199.126.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 4259 bytes


I find nothing wrong with your HijackThis log.

Please re-open HijackThis and click on Do a system scan only. Locate the following entries and place a check against them.


O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Please post this log in your reply.

Thanks for the reply! Doing the above now. Quick question: After putting the check next to the entries in hijackthis, should I also "Fix Checked"?

Ok. I just went ahead and did "fix checked" for hijackthis. And here is the log file for malwarebytes:

Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 6.0.6000

2:07:29 PM 8/23/2008
mbam-log-08-23-2008 (14-07-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 89651
Time elapsed: 38 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Ah, sorry. Yes you must click Fix Checked.
I was in a hurry but I picked up your log on the way.

How is your computer now?

Thanks for the reply. Well, no problems yet, but it's a random and periodic problem. Hopefully it helps though. One thing is that now my sidebar is gone. Do you think the sidebar itself was causing this problem?

A friend of mine said that the laptop may be overheating, and somehow that causes the CPUs to max out. That seems unlikely to me.

No, it's because it's been fixed in HijackThis.

Just copy paste this into notepad and then select File > Save as... and save it as Sidebar.reg

Under Save as type, select All Files (*.*).

REGEDIT4

; Backslashes inside a quoted string value must be doubled in a .reg file
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"

Save it in your desktop and double click on it and merge it with the registry.
I added this in the fix by mistake, forgive me.

Hi! Thanks. I got the sidebar back running with your .reg merge.

Bad news is that the problem is still there. It happened before I put the sidebar back. Any other ideas? :-(

Could this actually be from the laptop overheating?

Could this actually be from the laptop overheating?

I'll give it one more try before I answer that question.

Please download Combofix by sUbs and save it to your Desktop.

  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click Start and choose Run. Then copy the entire content of the following quotebox and paste it into the run box.
    "%userprofile%\desktop\ComboFix.exe" /KillAll
  • Click OK and this will start ComboFix.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

  • After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.
  • Reconnect to the internet
  • Post the following logs/Reports:

  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

Also, please include an MBAM scan result in a separate post.

Ok. Here is Combo log:

ComboFix 08-08-25.01 - Jake 2008-08-26 10:43:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1386 [GMT -7:00]
Running from: C:\Users\Jake\Desktop\ComboFix.exe
Command switches used :: /KillAll
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Jake\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Users\Jake\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Cookies\jacob@ad.yieldmanager[1].txt
C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Cookies\jacob@insightexpressai[2].txt
C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Cookies\jacob@revsci[2].txt
C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Cookies\jake@live[1].txt

.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-25 19:47 . 2007-02-15 19:46 311,296 --a------ C:\Windows\System32\mswmdm.dll
2008-08-25 19:47 . 2007-02-15 19:48 36,864 --a------ C:\Windows\System32\wmdmps.dll
2008-08-25 19:47 . 2007-02-15 19:48 31,744 --a------ C:\Windows\System32\wmdmlog.dll
2008-08-23 13:20 . 2008-08-23 13:20 <DIR> d-------- C:\Users\Jake\AppData\Roaming\Malwarebytes
2008-08-23 13:20 . 2008-08-23 13:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-08-23 13:20 . 2008-08-23 13:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-23 13:20 . 2008-08-23 13:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 13:20 . 2008-08-17 15:01 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-23 13:20 . 2008-08-17 15:01 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-23 09:50 . 2008-08-23 09:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-19 04:42 . 2008-07-18 22:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-19 04:42 . 2008-07-18 20:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-19 04:42 . 2008-07-18 22:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-19 04:42 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-19 04:42 . 2008-07-18 20:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-19 04:42 . 2008-07-18 22:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-19 04:42 . 2008-07-18 22:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-19 04:42 . 2008-07-18 22:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-19 04:42 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-16 10:07 . 2008-08-25 14:17 <DIR> d-------- C:\Users\Jake\AppData\Roaming\skypePM
2008-08-16 10:07 . 2008-08-16 10:07 56 --ah----- C:\Windows\System32\ezsidmv.dat
2008-08-15 17:49 . 2008-08-25 14:20 <DIR> d-------- C:\Users\Jake\AppData\Roaming\Skype
2008-08-15 11:58 . 2008-08-15 11:58 <DIR> d-------- C:\Users\All Users\Skype
2008-08-15 11:58 . 2008-08-15 11:58 <DIR> d-------- C:\ProgramData\Skype
2008-08-15 11:58 . 2008-08-15 11:58 <DIR> d-------- C:\Program Files\Skype
2008-08-15 11:58 . 2008-08-15 11:58 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-14 01:01 . 2008-07-15 16:48 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 11:22 . 2008-06-18 20:25 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 11:22 . 2008-06-18 20:25 272,896 --a------ C:\Windows\System32\polstore.dll
2008-08-13 11:22 . 2008-04-19 01:13 268,800 --a------ C:\Windows\System32\es.dll
2008-08-13 11:22 . 2008-06-18 20:25 61,440 --a------ C:\Windows\System32\winipsec.dll
2008-08-13 11:22 . 2008-06-18 20:25 28,672 --a------ C:\Windows\System32\FwRemoteSvr.dll
2008-08-13 11:20 . 2008-04-09 22:01 737,792 --a------ C:\Windows\System32\inetcomm.dll
2008-08-13 11:20 . 2008-04-09 19:43 84,480 --a------ C:\Windows\System32\INETRES.dll
2008-08-01 10:40 . 2008-08-01 10:40 <DIR> d-------- C:\Users\Jake\AppData\Roaming\Prish
2008-08-01 10:40 . 2008-08-01 10:40 <DIR> d-------- C:\Program Files\Prish Image Resizer
2008-07-31 19:40 . 2008-08-04 21:21 237,568 --a------ C:\Windows\System32\rmc_rtspdl.dll
2008-07-31 19:40 . 2008-08-04 21:21 156,672 --a------ C:\Windows\System32\rmc_fixasf.exe
2008-07-31 19:38 . 2008-07-31 19:40 323,584 --a------ C:\Windows\System32\AUDIOGENIE2.DLL
2008-07-31 19:37 . 2008-07-31 19:37 <DIR> d-------- C:\Windows\Replay Media Catcher
2008-07-31 19:12 . 2008-07-31 19:41 <DIR> d-------- C:\Program Files\Replay Media Catcher
2008-07-31 10:22 . 2008-07-31 10:22 <DIR> d--h----- C:\Users\All Users\CanonBJ
2008-07-31 10:22 . 2008-07-31 10:22 <DIR> d--h----- C:\ProgramData\CanonBJ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 01:56 --------- d-----w C:\Users\Jake\AppData\Roaming\OpenOffice.org2
2008-08-22 18:13 --------- d-----w C:\Program Files\DivX
2008-08-14 08:01 --------- d-----w C:\Program Files\Windows Mail
2008-08-04 14:34 --------- d-----w C:\Users\Jake\AppData\Roaming\VoipCheapCom
2008-07-19 14:36 51,280 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-07-18 16:03 71,680 ----a-w C:\Windows\mmfs.dll
2008-07-18 07:30 --------- d-----w C:\Program Files\Paint.NET
2008-07-15 18:54 --------- d-----w C:\Program Files\DOSBox-0.72
2008-07-14 09:09 --------- d-----w C:\Program Files\flv to avi
2008-07-13 17:17 --------- d-----w C:\Program Files\Common Files\wsm
2008-07-13 17:16 --------- d-----w C:\Program Files\Quick AVI Joiner
2008-07-13 17:16 --------- d-----w C:\Program Files\Kate's Video Joiner
2008-07-13 17:11 --------- d-----w C:\Users\Jake\AppData\Roaming\Download Manager
2008-07-13 17:04 --------- d-----w C:\Program Files\Ordix
2008-07-13 05:57 --------- d-----w C:\Program Files\ATI Technologies
2008-07-12 08:47 --------- d-----w C:\Users\Jake\AppData\Roaming\vlc
2008-07-12 08:36 --------- d-----w C:\Program Files\VideoLAN
2008-07-12 08:11 --------- d-----w C:\Program Files\Dell
2008-07-12 07:32 --------- d-----w C:\Program Files\Intel
2008-07-12 07:29 --------- d--h--w C:\Users\Jake\AppData\Roaming\GTek
2008-07-12 07:28 --------- d-----w C:\ProgramData\Gtek
2008-07-12 07:28 --------- d-----w C:\Program Files\DellAutomatedPCTuneUp
2008-07-12 07:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-12 07:22 --------- d-----w C:\Program Files\SigmaTel
2008-07-12 07:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-12 07:12 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-07-12 07:11 --------- d-----w C:\Program Files\Synaptics
2008-07-12 07:07 50,792 ----a-w C:\Windows\system32\drivers\termdd.sys
2008-07-12 07:07 50,280 ----a-w C:\Windows\system32\drivers\volmgr.sys
2008-07-12 07:07 28,776 ----a-w C:\Windows\system32\drivers\mssmbios.sys
2008-07-12 07:07 140,392 ----a-w C:\Windows\system32\drivers\pci.sys
2008-07-12 07:07 13,928 ----a-w C:\Windows\system32\drivers\msisadrv.sys
2008-07-12 07:07 12,776 ----a-w C:\Windows\system32\drivers\swenum.sys
2008-07-12 07:01 --------- d-----w C:\ProgramData\Dell
2008-07-12 06:59 --------- d-----w C:\ProgramData\SupportSoft
2008-07-12 06:59 --------- d-----w C:\Program Files\Dell Support Center
2008-07-12 06:58 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-07-12 06:53 --------- d-----w C:\Program Files\Roxio
2008-07-12 06:50 --------- d-----w C:\Users\Jake\AppData\Roaming\ATI
2008-07-12 06:45 --------- d-----w C:\Program Files\ATI
2008-07-12 06:32 --------- d-----w C:\Users\Jake\AppData\Roaming\DivX
2008-07-12 04:46 174 --sha-w C:\Program Files\desktop.ini
2008-07-12 04:42 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-12 04:42 --------- d-----w C:\Program Files\Windows Defender
2008-07-12 04:42 --------- d-----w C:\Program Files\Windows Calendar
2008-07-11 22:45 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2008-07-11 22:45 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2008-07-11 22:45 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2008-07-11 22:45 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2008-07-11 22:45 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2008-07-11 22:43 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-07-11 22:43 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-07-11 22:43 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-07-11 22:43 2,923,520 ----a-w C:\Windows\explorer.exe
2008-07-11 22:43 14,208 ----a-w C:\Windows\system32\drivers\CmBatt.sys
2008-07-11 22:43 11,264 ----a-w C:\Windows\system32\drivers\wmiacpi.sys
2008-07-11 22:40 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-07-11 22:33 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-07-11 22:33 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-07-11 22:27 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-07-11 22:27 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-07-11 22:27 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-07-11 22:25 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-07-11 22:25 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-07-11 22:25 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-07-11 22:25 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-07-11 22:25 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-07-11 22:25 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-07-11 22:23 5,888 ----a-w C:\Windows\system32\drivers\usbd.sys
2008-07-11 22:23 38,400 ----a-w C:\Windows\system32\drivers\usbehci.sys
2008-07-11 22:23 23,040 ----a-w C:\Windows\system32\drivers\usbuhci.sys
2008-07-11 22:23 224,768 ----a-w C:\Windows\system32\drivers\usbport.sys
2008-07-11 22:23 193,536 ----a-w C:\Windows\system32\drivers\usbhub.sys
2008-07-11 22:22 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-07-11 22:22 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-07-11 22:16 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-07-11 22:16 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-07-11 22:16 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-07-11 22:16 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-07-11 22:16 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-07-11 22:16 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-07-11 22:14 82,432 ----a-w C:\Windows\system32\drivers\sdbus.sys
2008-07-11 22:14 13,312 ----a-w C:\Windows\system32\drivers\sffdisk.sys
2008-07-11 22:14 12,800 ----a-w C:\Windows\system32\drivers\sffp_sd.sys
2008-07-11 22:10 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-07-11 22:08 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-11 22:08 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-11 22:06 53,760 ----a-w C:\Windows\system32\drivers\hdaudbus.sys
2008-07-11 22:05 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-07-11 22:05 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-07-11 22:05 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-07-11 22:05 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-07-11 22:04 12,800 ----a-w C:\Windows\system32\drivers\fs_rec.sys
2008-07-11 21:27 --------- d-----w C:\Program Files\Java
2008-07-11 21:14 --------- d-----w C:\ProgramData\NOS
2008-07-11 21:14 --------- d-----w C:\Program Files\NOS
2008-07-11 21:14 --------- d-----w C:\Program Files\Alwil Software
2008-07-11 21:09 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-07-11 21:08 --------- d-----w C:\Program Files\Common Files\Java
2008-07-11 21:06 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 18:27 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 09:06 815104]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 00:51 303104 C:\Windows\sttray.exe]

C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-28 23:57:36 49152]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AutoHotkey.lnk - C:\Program Files\AutoHotkey\AutoHotkey.exe [2008-03-09 08:12:24 240640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKLM\~\startupfolder\C:^Users^Jake^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CCC.lnk]
path=C:\Users\Jake\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk
backup=C:\Windows\pss\CCC.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-11 16:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellAutomatedPCTuneUp]
--a------ 2007-10-10 23:49 465136 C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2008-03-11 02:44 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2008-03-11 02:44 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 02:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2183261671-2244579172-1524993158-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{56A4CF55-5EAB-47EB-A5DF-06121F2068F0}"= UDP:C:\Program Files\VoipCheapCom\VoipCheapCom.exe:VoipCheapCom
"{306B3D93-6B38-4596-9729-86D723966CED}"= TCP:C:\Program Files\VoipCheapCom\VoipCheapCom.exe:VoipCheapCom
"{43619AD0-929A-4F3A-9600-EB512620DF82}"= UDP:C:\Program Files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{A1032EDC-8961-4CB2-ADB8-59FC6DADDDAD}"= TCP:C:\Program Files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{48D46A52-526F-4A2C-B6CC-F260B11B9A1E}"= C:\Program Files\Skype\Phone\Skype.exe:Skype
"{AFCEE012-FBA7-48C2-B14F-9CFD83E3C31C}"= UDP:990:LocalSubnet:LocalSubnet|IF={4F1DAECF-10FD-4158-B44F-2FB9059D6D7D}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-07-19 07:35]
R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 10:05]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 07:37]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-07-19 07:36]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;C:\Windows\system32\DRIVERS\datunidr.sys [2007-08-23 08:29]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-03-14 12:04]
S2 LicCtrlService;LicCtrl Service;rundll32.exe C:\Windows\mmfs.dll,Service []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Jake\AppData\Roaming\Mozilla\Firefox\Profiles\8ypnaspl.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 10:46:34
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\DLAAPI_W.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-08-26 10:49:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 17:48:55

Pre-Run: 45,139,574,784 bytes free
Post-Run: 45,307,473,920 bytes free

261 --- E O F --- 2008-08-26 03:40:13

And here is HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51, on 2008-08-26
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\sttray.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{6342C9DD-4FC1-4AC6-9352-4B82D9A0FA19}: NameServer = 217.199.126.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 3559 bytes

and here is MBAM:
Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 6.0.6000

15:04:38 2008-08-26
mbam-log-08-26-2008 (15-04-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 87416
Time elapsed: 38 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks for looking into this!

Actually, the sidebar still isn't opening. And now my optical drive is gone.

Update: Optical drive is back, but sidebar still missing.

And my clock is on 24hr time? I think that last program made a few changes to my computer.

Are you still there?
