Firefox using 100% CPU after a few minutes of use

December 4, 2012 at 08:46:33
Specs: Windows XP Pro, 1272 MB RAM
Hey, this happened all of a sudden and I've been trying to fix it, but I'm stumped.

Tech specs: IBM Thinkpad R51 running Windows XP SP 3.

Sunday evening, my computer did not want to shut down properly. I tried restoring it to the day before, and my antivirus had an error and wouldn't start up. I tried restoring again, and in the end had to do 2 more restores to get to where I had started.

Monday morning, everything seemed back to normal and fine. Monday evening, when I woke it back up from hibernation, Firefox started using all my CPU randomly. As in, I would just be scrolling down a page, and it's using 100% CPU. It started using all of it as I'm typing this, actually. The only way to make it stop is to open it in Cacheman and kill the process.

I have restored it to Sunday evening, a restore that took a full hour, and it didn't help. I'm going to run a full Malwarebytes scan, as I already ran a full virus scan.

As I said, it was fine yesterday morning, didn't have a thing wrong, and now I can't surf the web at all. I really hope someone can help me.

Forgot to mention - I have not updated or added any add-ons since the last time it worked, nor have I downloaded anything new to the computer. I did install a new jump/flash drive, but that should not have caused this.

Edit - Before I restored, I had 3.95 free space - now it's down to 2.35. That...doesn't seem right. The same thing happened when I did it before, going from 4.95 to 3.11.

Edit 2: Malwarebytes found nothing, however, when I opened it, it said that the database was 'missing or corrupt' and it had to download it again. Also took an hour less than usual.



December 4, 2012 at 11:05:28
"Edit 2: Malwarebytes found nothing, however, when I opened it, it said that the database was 'missing or corrupt' and it had to download it again"

You have a major infection; the malware is doing its job.

1: Run ESET & post the log please. This scan may take a very long while, so please be patient. Start it before going to work or bed.
You may have to download ESET from a good computer, put it on a thumb drive & run it from there.
Create a ESET SysRescue CD or USB drive
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
Configure ESET this way & disable your AV.
How to Temporarily Disable your Anti-virus
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.


December 4, 2012 at 12:55:50
Here's the log - it said under 'threats detected' that is found Win32/OpenCandy

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=
# api_version=3.0.2
# EOSSerial=ec653f548132744f8c721b69ffdace52
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-12-04 08:51:23
# local_time=2012-12-04 03:51:23 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1799 16775165 100 100 0 124382388 0 0
# scanned=87908
# found=1
# cleaned=1
# scan_time=4037
C:\Documents and Settings\Thiel User\Local Settings\Application Data\Mozilla\Firefox\Profiles\62e1rsjk.default\Cache(12)(2)\B84BF740d01 Win32/OpenCandy application (cleaned by deleting - quarantined) 6B24D90FB942CF817E5008B74C067E74ADD69E4E C

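The helper's point is that a scanner log is evidence to be read, not just a pass/fail: the summary counters should agree with the detection lines, and where a hit lived tells you what it means. As an added example (not part of this thread and not ESET's tooling), here is a Python parser for the log format posted above. It reads the `# key=value` header, splits each detection line into its fields, cross-checks `found`/`cleaned` against the lines actually present, and labels where the object was found. The field layout (path, threat name, object type, action, SHA-1, status letter) is inferred from the single detection line in the post, and the location classes are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample. The header fields and the single detection line are copied from the
# ESET Online Scanner log posted in the thread; the other header lines are omitted.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# osver=5.1.2600 NT Service Pack 3
# unwanted_checked=true
# scanned=87908
# found=1
# cleaned=1
# scan_time=4037
C:\Documents and Settings\Thiel User\Local Settings\Application Data\Mozilla\Firefox\Profiles\62e1rsjk.default\Cache(12)(2)\B84BF740d01 Win32/OpenCandy application (cleaned by deleting - quarantined) 6B24D90FB942CF817E5008B74C067E74ADD69E4E C
"""

HEADER_RE = re.compile(r"^# (?P<key>[A-Za-z_]+)=(?P<value>.*)$")

# Field layout is inferred from the one detection line above: path, threat name,
# object type, action in parentheses, SHA-1, then a single status letter.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"        # Windows path; non-greedy so it stops before the threat name
    r"(?P<threat>[A-Za-z0-9_]+/\S+)"       # ESET names are Platform/Family, e.g. Win32/OpenCandy
    r"(?:\s+(?P<kind>[a-z][a-z ]*?))?"     # optional lowercase object type: 'application', 'trojan', ...
    r"\s+\((?P<action>[^)]*)\)"            # what the scanner did with the object
    r"\s+(?P<sha1>[0-9A-Fa-f]{40})"        # SHA-1 of the object, handy for a second-opinion lookup
    r"\s+(?P<flag>\S)$"                    # trailing status letter
)


@dataclass
class Detection:
    path: str
    threat: str
    kind: str
    action: str
    sha1: str
    flag: str


def parse_eset_log(text):
    """Return (header dict, list of Detection) for ESET Online Scanner log text."""
    header, detections = {}, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header[m["key"]] = m["value"]
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["threat"], m["kind"] or "",
                                        m["action"], m["sha1"].upper(), m["flag"]))
    return header, detections


def counts_consistent(header, detections):
    """Cross-check the summary counters against the detection lines actually present;
    a mismatch usually means the log was truncated or edited before it was posted."""
    found = int(header.get("found", "0"))
    cleaned = int(header.get("cleaned", "0"))
    return found == len(detections) and cleaned == sum("cleaned" in d.action for d in detections)


CACHE_DIR_RE = re.compile(r"\\(cache|temp|tmp|temporary internet files)\b", re.I)


def classify_location(path):
    """Where the object lived says a lot about what the hit means: a file in a browser
    cache or temp directory was downloaded, which is not evidence it was installed or run."""
    if CACHE_DIR_RE.search(path):
        return "download/cache artifact"
    low = path.lower()
    if "\\windows\\" in low or "\\program files" in low:
        return "installed component"
    return "user data"


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    print("scanned=%s found=%s cleaned=%s counters_consistent=%s"
          % (hdr["scanned"], hdr["found"], hdr["cleaned"], counts_consistent(hdr, dets)))
    for d in dets:
        print(d.threat, d.kind, "|", classify_location(d.path), "|", d.action, "|", d.sha1)
```

Run stand-alone it reports the OpenCandy hit as a cache artifact: the object sat in Firefox's disk cache, so it was downloaded, which on its own does not show that a bundled installer ever ran on the machine.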

December 4, 2012 at 13:12:21
2: Run AdwCleaner
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.



December 4, 2012 at 14:33:29
I will run AdwCleaner now - I was running a SuperAntiSpyware scan.

This is the logfile from SuperAntiSpyware:

Memory items scanned : 503
Memory threats detected : 0
Registry items scanned : 38437
Registry threats detected : 0
File items scanned : 58983
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\Thiel User\Cookies\RSJH474R.txt [ / ]
C:\Documents and Settings\Thiel User\Cookies\VR2X8Q6K.txt [ / ]
C:\Documents and Settings\Thiel User\Cookies\IOB6Y5H8.txt [ / ]
C:\Documents and Settings\Thiel User\Cookies\W6A53I75.txt [ / ]
C:\Documents and Settings\Thiel User\Cookies\SRIOSUVO.txt [ / ]
C:\Documents and Settings\Thiel User\Cookies\2XKNA0FZ.txt [ / ]
C:\Documents and Settings\Thiel User\Cookies\HHWGOQXW.txt [ / ]
C:\Documents and Settings\Thiel User\Cookies\CFYTS8BW.txt [ / ]
C:\Documents and Settings\Thiel User\Cookies\N91YUY3U.txt [ / ]
C:\Documents and Settings\Thiel User\Cookies\SGDN1JT2.txt [ / ]
C:\Documents and Settings\Thiel User\Cookies\T8X0H9WL.txt [ / ]


December 4, 2012 at 14:42:33
Here's the log from AdwCleaner. It seems to have uninstalled the toolbar for Avira as well as everything else it got, which interferes with my web protection.

It took it a while to start up - I had a PerfNet error, of Unable to Open Server Service, in the event viewer.

# AdwCleaner v2.007 - Logfile created 12/04/2012 at 17:34:52
# Updated 06/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Thiel User - TC-1A36733F16D7
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Thiel User\Desktop\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.xpt
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.xpt
File Deleted : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
Folder Deleted : C:\Documents and Settings\Thiel User\Application Data\AskToolbar
Folder Deleted : C:\Documents and Settings\Thiel User\Application Data\Mozilla\Firefox\Profiles\62e1rsjk.default\extensions\
Folder Deleted : C:\Documents and Settings\Thiel User\Local Settings\Application Data\AskToolbar
Folder Deleted : C:\Program Files\
Folder Deleted : C:\Program Files\Common Files\Software Update Utility
Folder Deleted : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\
Key Deleted : HKCU\Software\
Key Deleted : HKCU\Software\AskToolbar
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\TENCENT
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\Software\Viewpoint
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v12.0 (en-US)

Profile name : default
File : C:\Documents and Settings\Thiel User\Application Data\Mozilla\Firefox\Profiles\62e1rsjk.default\prefs.js

C:\Documents and Settings\Thiel User\Application Data\Mozilla\Firefox\Profiles\62e1rsjk.default\user.js ... Deleted !

Deleted : user_pref("de.soerenrinne.googlebuttons.userlist", "Mail,Docs,YouTube,Web Search,Calendar,Dashboard,[...]
Deleted : user_pref("extensions.asktb.AviraIDW-TS", "1354589245357");
Deleted : user_pref("extensions.asktb.AviraIDW-XML", "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<button xm[...]
Deleted : user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\\\");
Deleted : user_pref("extensions.asktb.cbid", "JM");
Deleted : user_pref("extensions.asktb.config-updated", true);
Deleted : user_pref("extensions.asktb.crumb", "2011.06.28+07.49.38-toolbar004iad-US-UGl0dHNidXJnaCxQQSxVbml0ZW[...]
Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://{query}&o={o}&l={l}[...]
Deleted : user_pref("extensions.asktb.dtid", "YYYYYYYYUS");
Deleted : user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", false);
Deleted : user_pref("extensions.asktb.dyn-weather-locid-weatherWidget", "USPA1290");
Deleted : user_pref("extensions.asktb.dyn-weather-tempunit-weatherWidget", "F");
Deleted : user_pref("extensions.asktb.fresh-install", false);
Deleted : user_pref("extensions.asktb.guid", "6cc8aa71-26f2-40b5-8e77-81de4b58070c");
Deleted : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"\", \"[...]
Deleted : user_pref("extensions.asktb.if", "first");
Deleted : user_pref("extensions.asktb.l", "dis");
Deleted : user_pref("extensions.asktb.last-config-req", "1354583102811");
Deleted : user_pref("extensions.asktb.last-v", "");
Deleted : user_pref("extensions.asktb.locale", "en_US");
Deleted : user_pref("extensions.asktb.location", "Pittsburgh,PA,United States");
Deleted : user_pref("extensions.asktb.notification-shown", true);
Deleted : user_pref("extensions.asktb.o", "100000080");
Deleted : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
Deleted : user_pref("extensions.asktb.qsrc", "2871");
Deleted : user_pref("extensions.asktb.r", "4");
Deleted : user_pref("", "NO");
Deleted : user_pref("", true);
Deleted : user_pref("extensions.asktb.silent-upgrade", true);
Deleted : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
Deleted : user_pref("extensions.asktb.themeid", "");
Deleted : user_pref("", "");
Deleted : user_pref("extensions.asktb.v", "");
Deleted : user_pref("extensions.enabledAddons", ",[...]
Deleted : user_pref("foxytunes.player_class", ";1");


AdwCleaner[R1].txt - [7850 octets] - [04/12/2012 17:34:19]
AdwCleaner[S1].txt - [8084 octets] - [04/12/2012 17:34:52]

########## EOF - C:\AdwCleaner[S1].txt - [8144 octets] ##########

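The log above reads as a long flat list, but most of it is one component registered in several places: the same CLSID appears as a Browser Helper Object, an IE toolbar, a COM class and an Add-on Manager record, and the MSI product code shows up both spelled out under Uninstall\ and in Windows Installer's "packed" spelling under Installer\Products. As an added example (not from the thread and not AdwCleaner's own code), here is a Python script that parses that log format, groups the deleted entries by GUID, unpacks the packed product code so both spellings land in one bucket, and counts the deleted Firefox prefs by namespace. The role labels attached to registry locations are this example's own interpretation.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the AdwCleaner log posted above. Paths, GUIDs and prefs are
# copied from that log; the real file has many more lines of exactly these shapes.
SAMPLE_LOG = r"""# AdwCleaner v2.007 - Logfile created 12/04/2012 at 17:34:52
# Option [Delete]

***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
File Deleted : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
Folder Deleted : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

Deleted : user_pref("de.soerenrinne.googlebuttons.userlist", "Mail,Docs,YouTube,Web Search,Calendar,Dashboard,[...]
Deleted : user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\\\");
Deleted : user_pref("extensions.asktb.config-updated", true);
Deleted : user_pref("extensions.asktb.guid", "6cc8aa71-26f2-40b5-8e77-81de4b58070c");
Deleted : user_pref("extensions.asktb.silent-upgrade", true);
Deleted : user_pref("extensions.enabledAddons", ",[...]
Deleted : user_pref("foxytunes.player_class", ";1");
"""

SECTION_RE = re.compile(r"^\*\*\*\*\* \[(?P<name>[^\]]+)\] \*\*\*\*\*$")
ITEM_RE = re.compile(r"^(?P<kind>Key|Value|File|Folder) Deleted : (?P<target>.+)$")
# AdwCleaner truncates long pref values with [...] and no closing ');', so both are optional.
PREF_RE = re.compile(r'^Deleted : user_pref\("(?P<name>[^"]*)",\s*(?P<value>.*?)\)?;?$')
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
PACKED_RE = re.compile(r"\\(?:Products|Features)\\([0-9A-F]{32})\b", re.I)


def parse_adwcleaner_log(text):
    """Return {'items': [(section, kind, target), ...], 'prefs': [(name, raw_value), ...]}."""
    section, items, prefs = None, [], []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append((section, m["kind"], m["target"]))
            continue
        m = PREF_RE.match(line)
        if m:
            prefs.append((m["name"], m["value"]))
    return {"items": items, "prefs": prefs}


def unpack_msi_guid(packed):
    """Windows Installer stores product codes 'packed': the first three GUID fields are
    reversed and the remaining bytes are swapped in pairs. Undo that so the
    Installer\\Products key lands in the same bucket as the {GUID} under Uninstall\\."""
    p = packed.upper()
    tail = p[16:]
    swapped = "".join(tail[i + 1] + tail[i] for i in range(0, 16, 2))
    return "{%s-%s-%s-%s-%s}" % (p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
                                  swapped[:4], swapped[4:])


# This mapping is the example's own reading of what each registry location means.
ROLE_HINTS = (
    ("browser helper objects", "IE BHO"),          # DLL loaded into every IE process
    ("\\toolbar", "IE toolbar"),
    ("elevationpolicy", "IE elevation policy"),    # Protected Mode (Vista+) launch rule for the add-on
    ("\\ext\\", "IE add-on record"),               # Add-on Manager settings/statistics
    ("\\clsid\\", "COM class"),                    # the component's COM registration
    ("\\installer\\", "MSI product code"),
    ("\\uninstall\\", "MSI product code"),
    ("arpcache", "MSI product code"),
)


def guid_roles(items):
    """Map every GUID named in the log to the roles its locations imply, so one CLSID
    that is at once a BHO, a toolbar and a COM class is recognised as one component."""
    roles = defaultdict(set)
    for _section, _kind, target in items:
        guids = [g.upper() for g in GUID_RE.findall(target)]
        guids += [unpack_msi_guid(p) for p in PACKED_RE.findall(target)]
        low = target.lower()
        for g in guids:
            roles[g].update(role for hint, role in ROLE_HINTS if hint in low)
    return {g: sorted(r) for g, r in roles.items()}


def pref_namespaces(prefs):
    """Count deleted Firefox prefs by their first two dotted components; an extension's
    settings cluster under extensions.<id>.* so the bulk of them shows up at once."""
    return Counter(".".join(name.split(".")[:2]) for name, _ in prefs)


if __name__ == "__main__":
    report = parse_adwcleaner_log(SAMPLE_LOG)
    for guid, found_roles in sorted(guid_roles(report["items"]).items()):
        print(guid, "->", ", ".join(found_roles))
    for ns, n in pref_namespaces(report["prefs"]).most_common():
        print("%-28s %d prefs" % (ns, n))
```

The same grouping is how you would decide what a second cleanup pass still owes you: every location listed for a GUID is one place to re-check after a reboot, and a GUID whose roles include "IE BHO" is code that ran inside the browser, which matters more than a leftover uninstall entry.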

December 4, 2012 at 14:59:53
3: Run ComboFix
A guide and tutorial on using ComboFix
Do not mouseclick combofix's window while it is running. That may cause it to stall.
If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.


December 4, 2012 at 15:06:03
"Here's the log from AdwCleaner. It seems to have uninstalled the toolbar for Avira as well as everything else it got, which interferes with my web protection"

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.
Removal of infected parts of the system may cause other parts to stop working, such as your Internet connection or Services. These we then have to repair later.


December 4, 2012 at 15:08:34
"Adware.Tracking Cookie"
These can be stopped; so we are not sidetracked now, we shall get back to that later.


December 4, 2012 at 15:31:52
Here's the ComboFix log. I'm missing my main internet icon and cacheman at this point. Had a popup to make Firefox my default browser when it was done as well.

ComboFix 12-12-04.01 - Thiel User 12/04/2012 18:15:03.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.844 [GMT -5:00]
Running from: c:\documents and settings\Thiel User\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\Java\jre7\bin\ssv.dll
((((((((((((((((((((((((( Files Created from 2012-11-04 to 2012-12-04 )))))))))))))))))))))))))))))))
2012-12-04 19:28 . 2012-12-04 19:28 -------- d-----w- c:\program files\ESET
2012-12-04 16:26 . 2012-12-04 16:26 -------- d-----w- c:\windows\system32\wbem\Repository
2012-12-04 02:35 . 2008-04-14 04:11 20736 -c--a-w- c:\windows\system32\dllcache\OLD9C5.tmp
2012-12-04 02:34 . 2001-08-18 03:36 116736 -c--a-w- c:\windows\system32\dllcache\OLD8E9.tmp
2012-12-04 02:33 . 2001-08-17 17:11 65278 -c--a-w- c:\windows\system32\dllcache\OLD8A3.tmp
2012-12-04 02:32 . 2001-08-17 19:02 35200 -c--a-w- c:\windows\system32\dllcache\OLD846.tmp
2012-12-04 02:31 . 2008-04-14 03:09 20864 -c--a-w- c:\windows\system32\dllcache\OLD7F8.tmp
2012-12-04 02:30 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\OLD72E.tmp
2012-12-04 02:29 . 2008-04-14 03:04 161020 -c--a-w- c:\windows\system32\dllcache\OLD65C.tmp
2012-12-04 02:28 . 2001-08-17 18:51 82304 -c--a-w- c:\windows\system32\dllcache\OLD5B0.tmp
2012-12-04 02:27 . 2001-08-18 03:36 34816 -c--a-w- c:\windows\system32\dllcache\OLD4EE.tmp
2012-12-04 02:26 . 2001-08-18 03:36 236060 -c--a-w- c:\windows\system32\dllcache\OLD42C.tmp
2012-12-04 02:25 . 2001-08-17 18:51 6656 -c--a-w- c:\windows\system32\dllcache\OLD35A.tmp
2012-12-04 02:24 . 2001-08-17 18:51 13824 -c--a-w- c:\windows\system32\dllcache\OLD238.tmp
2012-12-04 02:23 . 2001-08-17 18:57 77568 -c--a-w- c:\windows\system32\dllcache\OLD16D.tmp
2012-12-04 02:21 . 2008-04-14 09:41 829440 -c--a-w- c:\windows\system32\dllcache\OLDA0.tmp
2012-11-23 18:33 . 2012-11-23 18:33 -------- d-----w- c:\windows\InCD
2012-11-23 18:33 . 2012-11-23 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2012-11-23 18:32 . 2012-11-23 18:33 -------- d-----w- c:\program files\CyberLink
2012-11-13 23:37 . 2012-11-13 23:37 -------- d-----w- c:\program files\BurnAware Free
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2012-11-16 02:15 . 2012-04-03 02:45 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-16 02:15 . 2011-05-17 01:29 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-22 08:37 . 2004-08-04 04:17 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2004-08-04 05:56 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 00:54 . 2012-04-14 22:44 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-25 03:16 . 2012-10-17 16:50 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2004-10-01 20:00 . 2010-04-24 19:36 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2012-05-06 01:02 . 2012-01-01 01:27 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-03 94208]
"TpShocks"="TpShocks.exe" [2005-01-24 106496]
"TP4EX"="tp4ex.exe" [2004-11-12 40960]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]
"QCTray"="c:\progra~1\ThinkPad\CONNEC~1\QCTray.exe" [2005-03-18 745472]
"WService"="WService.EXE" [2002-09-07 28672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-16 348664]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-07 113024]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 07:07 262144 ----a-w- c:\windows\system32\QConGina.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 00:11 24576 ----a-w- c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2006-11-03 22:09 312200 ----a-w- c:\program files\Dell PC Fax\fm3032.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IBM RecordNow!]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 20:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 20:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 22:35 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2009-10-10 21:07 320832 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [4/28/2010 4:03 PM 40560]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/23/2011 10:16 AM 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 10:25 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 67664]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [5/26/2005 2:08 PM 16384]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/1/2010 4:33 PM 116608]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/23/2011 10:16 AM 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [10/23/2011 10:16 AM 465360]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [5/7/2010 6:11 PM 316416]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 12:56 AM 14336]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\DRIVERS\PTSimBus.sys --> c:\windows\system32\DRIVERS\PTSimBus.sys [?]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\DRIVERS\PTSimHid.sys --> c:\windows\system32\DRIVERS\PTSimHid.sys [?]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [5/26/2005 1:36 PM 12288]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S4 BackWeb Plug-in - 7681197;F-Secure Automatic Update;c:\progra~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE --> c:\progra~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-04-22 17:09 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
Contents of the 'Scheduled Tasks' folder
2012-12-04 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-05-26 05:38]
------- Supplementary Scan -------
uStart Page = hxxp://
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
Trusted Zone:\*.update
Trusted Zone:\download
TCP: DhcpNameServer =
FF - ProfilePath - c:\documents and settings\Thiel User\Application Data\Mozilla\Firefox\Profiles\62e1rsjk.default\
FF - prefs.js: browser.startup.homepage - about:home
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-Soft-Central SC-DiskInfo - c:\program files\SC-DiskInfo\Uninstall
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2012-12-04 18:24
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
scanning hidden files ...
scan completed successfully
hidden files: 0
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(772)
- - - - - - - > 'lsass.exe'(828)
c:\program files\Avira\AntiVir Desktop\avsda.dll
Completion time: 2012-12-04 18:28:37
ComboFix-quarantined-files.txt 2012-12-04 23:28
Pre-Run: 2,171,498,496 bytes free
Post-Run: 2,186,301,440 bytes free
[boot loader]
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - CFD8B5C4CFE316A24C7C619C4713842F

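The service and driver list in a ComboFix log is where a practitioner looks for three things: entries whose binary ComboFix could not find, auto-start services that are not running, and svchost-hosted services whose real code is a DLL the one-line summary never shows. As an added example (not from the thread and not ComboFix's own code), here is a Python triage of the service lines posted above. It assumes ComboFix's prefix convention (R running, S stopped; the digit is the start type: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled) and treats `[?]` as "file not found at the recorded path". The reasons it emits are prompts for a manual look, not verdicts: `[?]` is also what you get when the ImagePath carries arguments or an 8.3 short name the tool did not resolve, as with the printer service here.

```python
import re
from dataclasses import dataclass

# Constructed sample: service/driver lines copied from the ComboFix log posted above,
# plus the two trailer lines that follow them, to show the parser skipping them.
SAMPLE_SERVICES = r"""R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [4/28/2010 4:03 PM 40560]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/23/2011 10:16 AM 36000]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [10/23/2011 10:16 AM 465360]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [5/7/2010 6:11 PM 316416]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 12:56 AM 14336]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S4 BackWeb Plug-in - 7681197;F-Secure Automatic Update;c:\progra~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE --> c:\progra~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
"""

# Assumed ComboFix convention: R/S = running/stopped, digit = service start type.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "      # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"    # service name ; display name ;
    r"(?P<image>.+?) \[(?P<meta>[^\]]*)\]$"   # image path, then [date time size] or [?]
)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)


@dataclass
class Service:
    running: bool
    start_type: str
    name: str
    display: str
    image: str
    file_found: bool


def parse_services(text):
    """Parse the R?/S? service lines; every other line of the log is ignored."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        # When ComboFix prints 'raw --> resolved', keep the resolved path it tried to open.
        image = m["image"].split("-->")[-1].strip()
        services.append(Service(
            running=m["state"] == "R",
            start_type=START_TYPES[int(m["start"])],
            name=m["name"], display=m["display"], image=image,
            file_found=m["meta"] != "?"))
    return services


def triage(services):
    """Return {service name: [reasons]} for the entries worth a manual look."""
    findings = {}
    for s in services:
        reasons = []
        if not s.file_found:
            # Often just an ImagePath with arguments or a short name; verify by hand.
            reasons.append("image file not found")
        if not s.running and s.start_type in ("boot", "system", "auto"):
            # Should have started at boot: disabled by malware, broken, or pending removal.
            reasons.append("auto-start service not running")
        m = SVCHOST_RE.search(s.image)
        if m:
            # The code is the DLL named in the service's Parameters\ServiceDll value,
            # which this summary line does not show; resolve it before judging.
            reasons.append("hosted in svchost group '%s'" % m.group(1))
        if reasons:
            findings[s.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_services(SAMPLE_SERVICES)).items():
        print("%-26s %s" % (name, "; ".join(reasons)))
```

On the posted lines this flags the stopped auto-start CachemanXP service, which lines up with the poster's remark that Cacheman went missing, and the svchost-hosted getPlus helper, whose actual DLL you would look up under its Parameters key before deciding anything about it.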

December 4, 2012 at 15:36:10
4: Run TFC
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


December 4, 2012 at 15:45:37
5: Run TDSSKiller & post the log.
Anti-rootkit utility TDSSKiller
If TDSS doesn't run, use FixTDSS
Download FixTDSS and save it to your desktop.
Double click on the FixTDSS.exe icon to run it.
Click the "I Accept" button, then the "Proceed" button to begin
The tool will restart your computer automatically - click OK to allow it to do so
The tool will begin its scan on reboot > click "run" to begin
It will report if an infected MBR is found > click the "repair" button


December 4, 2012 at 15:53:39
When the TFC restarted the computer, it hung on the "Windows is shutting down". It hung for five minutes, and I had to hard shut it down. The restart took an extra full minute, and I have an event viewer error that the BITS service refused to start. Also, I always have to connect the internet myself, but it was already connected when I checked it. Looking at TDSSKiller now.

Edit: TDSSKiller says "No Threats Found".


December 4, 2012 at 16:02:11
6: Please download and run ListParts by Farbar (for 32-bit system):
Click on the Scan button.
The scan results will open in Notepad.
Post those results in your next reply.

7: Download Security Check by screen317 from one of the following links and save it to your desktop.
* Unzip and a folder named Security Check should appear.
* Save it to your Desktop.
* Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; please post the contents of that document.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.


December 4, 2012 at 16:06:30
The ListParts log:

ListParts by Farbar Version: 30-10-2012
Ran by Thiel User (administrator) on 04-12-2012 at 19:03:50
Windows XP (X86)
Running From: C:\Documents and Settings\Thiel User\Desktop
Language: 0409

========================= Memory info ======================

Percentage of memory in use: 33%
Total physical RAM: 1270.42 MB
Available physical RAM: 847.31 MB
Total Pagefile: 2396.2 MB
Available Pagefile: 2034.83 MB
Total Virtual: 2047.88 MB
Available Virtual: 1999 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:27.94 GB) (Free:2.98 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 28 GB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 28 GB 32 KB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 28 GB Healthy System (partition with boot components)

****** End Of Log ******

The SecurityCheck log:

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
Avira Desktop
Antivirus up to date!
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
WinPatrol 2009 [color=red][b](Outdated! Latest version is WinPatrol 2012)[/color][/b]
[color=red][b]Out of date HijackThis installed![/b][/color]
SpywareBlaster v3.4
SUPERAntiSpyware Free Edition
Malwarebytes Anti-Malware version
HijackThis 2.0.2
JavaFX 2.1.1
Java 7 Update 9
Adobe Flash Player 11.5.502.110
Mozilla Firefox 12.0 [color=red][b]Firefox out of Date![/b][/color]
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
WinPatrol winpatrol.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
BillP Studios WinPatrol winpatrol.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C:: 7%
[b][u]````````````````````End of Log``````````````````````[/b][/u]

December 4, 2012 at 16:10:46
8: Update & run Malwarebytes' Anti-Malware (MBAM). Use Quick scan. Post log.
Quick Scan versus Full Scan

December 4, 2012 at 16:24:32
Here's the Quick Scan Malwarebytes log:

Malwarebytes Anti-Malware

Database version: v2012.04.14.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Thiel User :: TC-1A36733F16D7 [administrator]

4/14/2012 6:47:09 PM
mbam-log-2012-04-14 (18-47-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198784
Time elapsed: 11 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

December 4, 2012 at 16:28:01
Looking good to me. To recap, lots of corrupted files right up to TDSSKiller.
How is it running?

December 4, 2012 at 16:31:42
Forgot: Firefox is your main browser; to get better security, it needs updating.

Mozilla Firefox 12.0 [color=red][b]Firefox out of Date![/b][/color]

December 4, 2012 at 16:35:32
So far, so good on the running. I haven't been messing with Firefox much - just opening this page, wanted to be sure we'd hit all the steps before I tried anything - but so far it seems alright. I am a bit worried about the missing gig of space and the fact that it refused to shut down and took so much longer to start up, though. Could the missing gig be because of all the restores I did lately? What about the shut down?
I'll play with FF for a bit to be sure it's not going to 100% on me again, and keep an eye on it.

December 4, 2012 at 16:37:42
I know you have CCleaner; use these as well, please.

9: Run Wise Disk Cleaner ( Run the 1st three tabs, left to right. I use default settings, leave boxes that are unchecked, unchecked ) Reboot when finished.

10: Run Wise Registry Cleaner ( Only use Registry Cleaner & with default settings ) Reboot when finished.

December 4, 2012 at 16:51:22
After you finish with the cleaners, how is the > DVD Burner?

Malware Prevention
"There is no magic involved. The majority of malware is installed by the user themselves"

December 4, 2012 at 17:10:12
11: Here is a repair tool that fixes problems after removing infections. - Windows Repair

December 4, 2012 at 17:10:57
12: If you want to block tracking cookies, use one or more of these, depending on how many browsers you use.
After installing, run SuperantiSpyware to remove the cookies that were already installed.
Internet Explorer
Privacy plug-in showdown: Do Not Track Plus vs. Ghostery
Protect your privacy. See who's tracking your web browsing and block them with Ghostery.
Ghostery sees the invisible web - tags, web bugs, pixels and beacons. Ghostery tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity.
After showing you who's tracking you, Ghostery also gives you a chance to learn more about each company it identifies. How they describe themselves, a link to their privacy policies, and a sampling of pages where we've found them are just a click away.
Ghostery allows you to block scripts from companies that you don't trust, delete local shared objects, and even block images and iframes. Ghostery puts your web privacy back in your hands.
Mozilla Labs: Prospector - about:trackers
Mozilla Labs: Prospector - about:trackers is a handy and reliable Firefox extension designed to block known trackers.
The add-on will prevent companies from tracking your browsing habits by blocking cookies or connections from suspicious websites. The Options window includes a predefined list of trackers that can be further populated with items that you suspect are dangerous.
Requirements: Firefox 14.0 and later.
Do Not Track Plus for Firefox
Do Not Track Plus for Chrome
Do Not Track Plus for Internet Explorer (32-bit)
Do Not Track Plus for Internet Explorer (64-bit)
Do Not Track Plus for Safari
Or, the built in one for Firefox, Internet Explorer, Safari.
Do Not Track
What ‘Do Not Track’ Doesn’t Do
Internet Explorer
Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms. At present few of these third parties offer a reliable tracking opt out, and tools for blocking them are neither user-friendly nor comprehensive. Much like the popular Do Not Call registry, Do Not Track provides users with a single, simple, persistent choice to opt out of third-party web tracking.
Do Not Track signals a user's opt-out preference with an HTTP header, a simple technology that is completely compatible with the existing web. Several large third parties have already committed to honor Do Not Track, but many more have been recalcitrant. We believe regulation is necessary to verify and enforce compliance with a user’s choice to opt out of tracking.
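The post above explains that Do Not Track works by one request header the browser adds. As an added example (not from this thread, and not code from Ghostery, Do Not Track Plus, Mozilla or any other tool named here), this Python sketch shows the receiving side: how a site can parse that header into the three states the W3C Tracking Preference Expression draft defines (opt-out, consent, no preference), decide whether an analytics cookie may be set, and report its decision back in the Tk response header. The handler, the site policy default, the cookie name and the analytics id are all constructed for illustration.

```python
"""Honouring the Do Not Track (DNT) request header on the server side.

Added example, not from the forum thread. Header semantics follow the W3C
Tracking Preference Expression draft: "DNT: 1" means the user opts out of
tracking, "DNT: 0" means the user consents, and an absent or malformed
header expresses no preference. The Tk response header values used below
("N" not tracking, "T" tracking, "C" tracking with consent) come from the
same draft. Function names, the cookie name and the analytics id are
hypothetical.
"""
from http.cookies import SimpleCookie
from typing import Dict, Mapping, Optional


def dnt_preference(headers: Mapping[str, str]) -> Optional[bool]:
    """Return True if the user opted out, False if they consented, None if
    no usable preference was sent. Header names are matched case-insensitively,
    as HTTP requires; any value other than "0" or "1" is treated as no preference
    rather than guessed at."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            v = value.strip()
            if v == "1":
                return True
            if v == "0":
                return False
            return None  # malformed: do not infer consent from garbage
    return None


def tracking_allowed(headers: Mapping[str, str],
                     default_when_unspecified: bool = False) -> bool:
    """Site policy: DNT:1 always wins; with no header, fall back to the
    configured default (constructed here as "do not track unless told to")."""
    pref = dnt_preference(headers)
    if pref is None:
        return default_when_unspecified
    return not pref


def build_response_headers(request_headers: Mapping[str, str],
                           analytics_id: str = "constructed-id-123") -> Dict[str, str]:
    """Assemble response headers for a page. The analytics cookie is only set
    when tracking is allowed, and a Tk header always tells the client what the
    server decided, so the user (or a privacy extension) can verify compliance."""
    resp: Dict[str, str] = {"Content-Type": "text/html; charset=utf-8"}
    pref = dnt_preference(request_headers)
    if tracking_allowed(request_headers):
        c = SimpleCookie()
        c["analytics_id"] = analytics_id          # constructed cookie name/value
        c["analytics_id"]["path"] = "/"
        c["analytics_id"]["httponly"] = True      # keep it away from page scripts
        resp["Set-Cookie"] = c.output(header="").strip()
        resp["Tk"] = "C" if pref is False else "T"
    else:
        resp["Tk"] = "N"
    return resp


if __name__ == "__main__":
    # Constructed sample requests: an opted-out browser, a consenting one,
    # and a browser that sends nothing at all.
    for hdrs in ({"DNT": "1"}, {"dnt": "0"}, {}):
        print(hdrs, "->", build_response_headers(hdrs))
```

The point worth noticing is the third case: a browser that sends no DNT header has expressed nothing, and the draft's reference to recalcitrant third parties is exactly about what sites do in that gap. Keeping the default at "do not track" and emitting Tk on every response makes the server's behaviour checkable from the client side instead of taken on trust.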

December 4, 2012 at 17:13:17
I've run the first cleaner, it freed up space - mostly from deleting old Windows uninstall patches. Not quite at what it was yesterday, but an improvement. Haven't run the registry cleaner yet.
The startup was still really slow (3 minutes, I timed it), but it started, which is what matters. No PerfNet error this time, just slow.
I have Ghostery and Do Not Track on, they're really good add-ons.
I think the DVD burner isn't going to be fixed. :( Nothing wants to see the blank DVD. Right now, the plan is that we're going to get mum a new comp first, then me, and I'll burn my backups then. Right now I have a new flash drive I'm backing things up on.
Thanks for the help - I'm not sure where I picked up the virus, but that was very frustrating.

December 4, 2012 at 17:16:46
"I think the DVD burner isn't going to be fixed. :( Nothing wants to see the blank DVD"
It wouldn't surprise me if, after running the registry cleaner, it comes good.

December 4, 2012 at 17:19:16
Okay - I have to take care of things I've been neglecting today, but I'll run the registry cleaner and check out the tweaker tomorrow, then come back with the results.

December 4, 2012 at 17:21:16
"The start up still was really slow (3 minutes"
Check your startups with CCleaner.

December 4, 2012 at 17:27:16
"I've run the first cleaner, it freed up space"
Reduce your Java Cache
Dumping Java cache improves browser performance

Turn off or reduce system restore to save hard drive space in XP
Start > My Computer > right click & select Properties.
Select System Restore & untick > Turn off System Restore on all drives.
Select the drive with the operating system on, click Settings & set it on Min or slightly higher.
Any other drive or partition, click Settings & tick > Turn off System Restore on this drive.

Managing your Internet Explorer Temporary Internet Files
Amount of Disk Space to Use.
This shows the amount of disk space that will be allocated for your Temporary Internet Files. By default Windows uses 10 percent of your Windows system partition. This amount can be significant if you use the 10 percent model. It is advised that you change this setting to a lower number such as 50 MB.

December 5, 2012 at 17:52:00
I haven't had the time today yet to run the registry cleaner or the tweaker, but I noticed something that has me a bit worried. Maybe I'm overreacting, but...I'd still like to know.
All right, I may be being alarmist, but considering how freaked this made me...
all day I've been worried that it wasn't getting back free space. It was at 4.31 earlier today, after a lot of work and deleting things. I went to check it after goofing off a bit - and it says 7.53 gigs free space! What? Is this something to do with all the system restores I did back on Sunday/Monday? Seems odd that it would free up so randomly - everything still seems to be there.