Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My Computer Slows Down Over Time


  • This topic is locked This topic is locked
15 replies to this topic

#1 Mattagin

Mattagin

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 14 August 2007 - 09:22 PM

I have been having slow sluggish performance for some time now and nothing seems to help for long. I run AVG, a-squared, Adaware and Spybot. I delete Temp files. I run DeFrag and it now it always says that some files could not be defragged..It's always the same file in pchealth. I restored my computer to a time last month and then cleared all the remaining Restore points. I have cleared the PageFile and reset it to a 2.5 GB size. If I dont need Napster for Windows Media Player to work, I dont mind losing that.

Here is my HijackThis log:
------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:45:13 PM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows

Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0

SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file

missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.8.0.32/bowl...wling-en_US.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.8.0.32/ches...hess2-en_US.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.8.0.25/keno/keno-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.8.0.32/mhpo...poker-en_US.cab
O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.8.0.25/puck/puck-en_US.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://clubgames.pogo.com/online2/pogop/ch...mjolauncher.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) -

http://clubgames.pogo.com/online2/pogop/ma...ameLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0F4ECB7-B766-428B-BE8A-AC482C7817F4}: NameServer = 142.177.1.2 142.177.129.11
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\av

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 15 August 2007 - 04:28 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Mattagin :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad',click on 'Format' at the top,then uncheck 'Word Wrap' if it's checked.

With you having Service Pack 2 installed i'm presuming you're using the Windows Firewall.
If you're not using Windows Firewall,or you require a more robust third party firewall then download\install one of the following freeware choices:

Outpost Firewall Free:
http://www.agnitum.com/products/outpostfree/index.php

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/

Zone Alarm Free:
http://download.zonelabs.com/bin/free/1001..._737_000_en.exe

Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/

You may want to read the following.
Understanding and Using Firewalls:
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 Mattagin

Mattagin
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 15 August 2007 - 06:29 AM

Thank you RichieUK for the help in advance. Here is a new HijackThis log (with word wrap off ):

Logfile of HijackThis v1.99.1
Scan saved at 8:25:33 AM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.8.0.32/bowl...wling-en_US.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.8.0.32/ches...hess2-en_US.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.8.0.25/keno/keno-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.8.0.32/mhpo...poker-en_US.cab
O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.8.0.25/puck/puck-en_US.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://clubgames.pogo.com/online2/pogop/ch...mjolauncher.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://clubgames.pogo.com/online2/pogop/ma...ameLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0F4ECB7-B766-428B-BE8A-AC482C7817F4}: NameServer = 142.177.1.2 142.177.129.11
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

#4 Mattagin

Mattagin
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 15 August 2007 - 06:42 AM

Here is the Combofix Log:
-----------------------------
ComboFix 07-08-15.3 - "Matt" 2007-08-15 8:34:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.205 [GMT -3:00]
* Created a new restore point

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS removed - system32: deleted 55004 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_MSUPDATE
-------\ntldr.sys


((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))


2007-08-15 08:31 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 10:27 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-08-13 10:27 208,248 --a------ C:\WINDOWS\system32\muweb.dll
2007-08-13 10:19 <DIR> d-------- C:\Program Files\bfgclient
2007-08-13 10:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Legacy Interactive
2007-08-13 10:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2007-08-13 10:16 <DIR> d-------- C:\Program Files\Ares
2007-08-13 09:41 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-10 17:50 4,980,736 --a------ C:\DOCUME~1\Matt\ntuser.dat
2007-08-06 17:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Legacy Interactive(2)
2007-08-04 18:18 <DIR> d-------- C:\Program Files\Games of the Month(2)
2007-08-04 18:15 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\SecuROM
2007-08-03 16:35 1,310,720 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-07-31 06:04 <DIR> d-------- C:\Program Files\Shockwave.com
2007-07-29 13:55 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\My Games
2007-07-24 13:23 <DIR> d-------- C:\Program Files\Real
2007-07-24 06:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Friday's games
2007-07-20 13:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Oberon Games
2007-07-17 18:07 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\GetRightToGo
2007-07-17 08:52 <DIR> d-------- C:\Program Files\bfgclient(2)
2007-07-17 08:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BigFishGamesCache(2)
2007-07-16 12:09 <DIR> d-------- C:\Program Files\Comport Interactive


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-14 01:23 --------- d-------- C:\Program Files\a-squared Free
2007-08-13 10:19 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-13 10:18 --------- d-------- C:\Program Files\PlayFirst
2007-08-13 10:18 --------- d-------- C:\DOCUME~1\Matt\APPLIC~1\PlayFirst
2007-08-13 10:17 --------- d-------- C:\Program Files\Common Files\Real
2007-08-13 10:15 --------- d-------- C:\Program Files\Oberon Media
2007-07-03 16:03 774144 --a------ C:\Program Files\RngInterstitial.dll
2007-07-03 09:42 --------- d-------- C:\DOCUME~1\Matt\APPLIC~1\Big Fish Games
2007-07-01 10:49 --------- d-------- C:\DOCUME~1\Matt\APPLIC~1\Sandlot Games
2007-06-26 17:12 --------- d-------- C:\DOCUME~1\Matt\APPLIC~1\Pogo Games
2007-06-23 19:00 --------- d-------- C:\DOCUME~1\Matt\APPLIC~1\EA
2007-06-23 17:48 --------- d-------- C:\DOCUME~1\Matt\APPLIC~1\Magic Academy
2007-06-23 11:59 --------- d-------- C:\DOCUME~1\Matt\APPLIC~1\SecondLife
2007-05-16 12:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 12:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 12:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 12:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 12:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 12:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-10-17 04:21:36 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-03 00:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 23:59]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 08:01]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"Workflow"="D:\Workflow.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [2005-10-12 02:25]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-25 06:53]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-16 11:48:09]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 13:05:26]
Ulead Photo Express 4.0 SE Calendar Checker .lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe [2007-06-14 15:45:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mszsrn32]
C:\WINDOWS\system32\mszsrn32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAFInstaller_mskins.ui]
C:\WINDOWS\TEMP\mcu27.tmp\MCAPPINS.exe /v=3 /start=mskins.ui::default.htm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE



**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 08:37:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-15 8:38:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-15 08:38

--- E O F ---

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 15 August 2007 - 07:35 AM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll (file missing)
Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

-----------------------------------------------------------

Please run this online virus scan:Activescan using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes,click the See Report button, then Save Report, and save it to your desktop.

Post the Activescan report in your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.
Posted Image
Posted Image

#6 Mattagin

Mattagin
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 15 August 2007 - 09:07 AM

Here is the SUPERAnti Spyware log. I'm on my way to ActiveScan now at Panda.
-----------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/15/2007 at 10:58 AM

Application Version : 3.9.1008

Core Rules Database Version : 3286
Trace Rules Database Version: 1297

Scan type : Complete Scan
Total Scan Time : 00:20:22

Memory items scanned : 338
Memory threats detected : 0
Registry items scanned : 5311
Registry threats detected : 5
File items scanned : 25872
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Matt\Cookies\matt@serving-sys[1].txt
C:\Documents and Settings\Matt\Cookies\matt@electronicarts.112.2o7[1].txt
C:\Documents and Settings\Matt\Cookies\matt@azjmp[1].txt
C:\Documents and Settings\Matt\Cookies\matt@bs.serving-sys[2].txt

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 15 August 2007 - 09:21 AM

Carry on with the rest of the instructions please.
Posted Image
Posted Image

#8 Mattagin

Mattagin
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 15 August 2007 - 09:42 AM

I have been booted from the Net twice now trying to complete the ActiveScan at Panda. It comes up with two threats, one Spyware threat and a Hacking and RootKit threat..but then it freezes and boots me from the Net...Here is a new HijackThis Log though if it will help:
----------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:39:15 AM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.8.0.32/bowl...wling-en_US.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.8.0.32/ches...hess2-en_US.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.8.0.25/keno/keno-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.8.0.32/mhpo...poker-en_US.cab
O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.8.0.25/puck/puck-en_US.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://clubgames.pogo.com/online2/pogop/ch...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://clubgames.pogo.com/online2/pogop/ma...ameLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0F4ECB7-B766-428B-BE8A-AC482C7817F4}: NameServer = 142.177.1.2 142.177.129.11
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 15 August 2007 - 11:24 AM

Download rustbfix.exe and save it to your desktop:
http://www.uploads.ejvindh.net/rustbfix.exe
Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will be asked to reboot the computer.
The reboot will probably take quite a while,possibly two reboots will be needed,this should happen automatically..
After the reboot two logfiles will/should open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).
Post the contents of those logfiles in your next reply.

--------------------------------------------------

First make sure you're logged on to your pc as Administrator,or at least logged on using an account with administrators privileges.

Go here,download the Sysclean Package (3.1MB):
http://www.trendmicro.com/download/pattern-dcs.asp

Go here,download the latest Virus Pattern File for Windows (lpt653.zip) (24.5MB):
http://www.trendmicro.com/download/viruspattern.asp

Now create a new folder on your desktop,rename it Sysclean.
Now place the Sysclean Package inside that new folder.
Unzip/extract the Virus Pattern File to that new folder.

Close all open applications,and DISABLE your current antivirus software.
Open the Sysclean folder and double-click on sysclean.com to start the scan.
It will take some time to complete.
Be patient and let it clean whatever it finds.
Exit when done.

Open your Sysclean folder then copy and paste the contents of sysclean.log in your next reply.
Also post a new HijackThis log.
Posted Image
Posted Image

#10 Mattagin

Mattagin
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 15 August 2007 - 01:45 PM

No Rustock.b-infection was found: I'm doing the Sysclean scan now.
----------------------------------------

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Wed 08/15/2007 15:22:32.07

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

#11 Mattagin

Mattagin
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 15 August 2007 - 02:19 PM

Here is the Sysclean Log..and a new HijackThis Log:
-----------------------------------------------------------


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2007-08-15, 15:52:06, Auto-clean mode specified.
2007-08-15, 15:52:06, Running scanner "C:\Documents and Settings\Matt\Desktop\Sysclean\TSC.BIN"...
2007-08-15, 15:52:18, Scanner "C:\Documents and Settings\Matt\Desktop\Sysclean\TSC.BIN" has finished running.
2007-08-15, 15:52:18, TSC Log:

2007-08-15, 15:52:34, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-08-15, 16:09:25, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 8/15/2007 15:52:41
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 653 (215552 Patterns) (2007/08/14) (465300)
Command Line: C:\Documents and Settings\Matt\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Matt\Desktop\Sysclean

51394 files have been read.
51394 files have been checked.
45931 files have been scanned.
149150 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/15/2007 16:09:24
---------*---------*---------*---------*---------*---------*---------*---------*
2007-08-15, 16:09:25, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 8/15/2007 15:52:41
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 653 (215552 Patterns) (2007/08/14) (465300)
Command Line: C:\Documents and Settings\Matt\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Matt\Desktop\Sysclean

51394 files have been read.
51394 files have been checked.
45931 files have been scanned.
149150 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/15/2007 16:09:24 16 minutes 42 seconds (1001.58 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-08-15, 16:09:25, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 8/15/2007 15:52:41
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 653 (215552 Patterns) (2007/08/14) (465300)
Command Line: C:\Documents and Settings\Matt\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Matt\Desktop\Sysclean

51394 files have been read.
51394 files have been checked.
45931 files have been scanned.
149150 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/15/2007 16:09:24 16 minutes 42 seconds (1001.58 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-08-15, 16:09:25, Scanner "C:\Documents and Settings\Matt\Desktop\Sysclean\VSCANTM.BIN" has finished running.


----------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:18:20 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.8.0.32/bowl...wling-en_US.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.8.0.32/ches...hess2-en_US.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.8.0.25/keno/keno-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.8.0.32/mhpo...poker-en_US.cab
O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.8.0.25/puck/puck-en_US.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://clubgames.pogo.com/online2/pogop/ch...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://clubgames.pogo.com/online2/pogop/ma...ameLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0F4ECB7-B766-428B-BE8A-AC482C7817F4}: NameServer = 142.177.1.2 142.177.129.11
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 15 August 2007 - 02:39 PM

Your log is clean,hows your pc running now.
Posted Image
Posted Image

#13 Mattagin

Mattagin
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 15 August 2007 - 03:42 PM

My computer is running at optimum speed again..Thanks very much for your help.

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 15 August 2007 - 04:07 PM

Please do the following.

Find and delete:
Combofix
rustbfix.exe

C:\Qoobox

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

-------------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
Posted Image
Posted Image

#15 Mattagin

Mattagin
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 PM

Posted 16 August 2007 - 08:57 AM

ATF Cleaner - New System Restore Point....done and done..Thanks again for your help and I have bookmarked the 'How to prevent Malware' page.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users