
IE freezes then a bunch of IE loads up, virtual low memory pop up


3 replies to this topic

#1 PaGrrl

Posted 17 November 2008 - 09:27 AM

When I am using IE, sometimes it will freeze up when I go to close it out; then it will open more IEs and it won't stop until I shut down the computer. I also get a pop-up saying that my memory is low. And the only thing I have running most of the time when I get it is one IE. I've done a few things to try and fix it. So here is all the information that I have. Oh, and I have Win XP.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:05 AM, on 11/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC5E870F-3A11-476E-85A4-497291F1798D}: NameServer = 68.87.68.162,68.87.74.162
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9379 bytes






Avast 4. This is what was in the Log viewer/ Warning


2/2/2008 9:34:58 AM SYSTEM 1628 Sign of "Java:OpenStream-H [Trj]" has been found in "http://xbpfkkesju.cn/dl/loaderadv464.jar\Matrix.class" file.
2/2/2008 9:34:58 AM SYSTEM 1628 Sign of "JS:OpenConnection-I" has been found in "http://xbpfkkesju.cn/dl/java.jar\GetAccess.class" file.
2/3/2008 3:32:12 PM SYSTEM 1616 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142.
2/3/2008 3:32:15 PM SYSTEM 1616 An error has occured while attempting to update. Please check the logs.
9/21/2008 9:09:48 PM SYSTEM 952 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
10/11/2008 2:58:36 AM SYSTEM 1100 Sign of "Win32:PureMorph [Cryp]" has been found in "C:\DOCUME~1\Owner\LOCALS~1\Temp\lkdkkkej.exe" file.
10/12/2008 5:17:30 PM Owner 1040 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
10/14/2008 7:38:40 AM SYSTEM 1100 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\drivers\svchost.exe" file.
10/14/2008 10:17:47 PM Owner 1244 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\xrt_repr.exe" file.
10/14/2008 11:51:53 PM Owner 1084 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\xrt_repr.exe" file.
10/15/2008 2:39:29 PM Owner 1100 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\xrt_repr.exe" file.
10/15/2008 2:42:06 PM Owner 1096 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\xrt_repr.exe" file.
10/16/2008 12:33:13 AM Owner 1092 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\xrt_repr.exe" file.
10/16/2008 4:58:14 PM Owner 1240 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\xrt_repr.exe" file.
10/17/2008 2:21:56 AM Owner 1220 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\xrt_repr.exe" file.
10/18/2008 3:42:26 AM Owner 1108 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\xrt_repr.exe" file.
10/19/2008 12:30:31 AM Owner 1696 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Owner\xrt_repr.exe" file.
10/24/2008 4:37:05 AM SYSTEM 1220 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
10/24/2008 11:31:15 AM Owner 360 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{6BAACEEA-630D-434C-B261-23484895EB11}\RP52\A0017077.exe" file.
10/24/2008 11:35:35 AM Owner 360 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{6BAACEEA-630D-434C-B261-23484895EB11}\RP57\A0017404.exe" file.
10/24/2008 9:31:31 PM Owner 360 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.








This is what is in the Virus chest:

A0017077.exe C:\system volume information\_restore{6baaceea-630d-434c-b261-23484895eb11}\RP52 - Win32:Trojan-gen {Other}
A0017404.exe C:\system volume information\_restore{6baaceea-630d-434c-b261-23484895eb11}\RP57 - Win32:Trojan-gen {Other}
lkdkkkej.exe C:\docume~1\owner\locals~1\Temp - Win32:PureMorph [Cryp]
svchost.exe C:\Windows\system32\drivers - Win32:Trojan-gen {Other}
xrt_repr.exe C:\documents and settings\owner - Win32:Trojan-gen {Other}

Malwarebytes' Anti-Malware 1.30
Database version: 1308
Windows 5.1.2600 Service Pack 3


Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 19
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrt_Shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_reserv (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_forms (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_certs (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_options (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_ss (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pstorage (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_command (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_file (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_idproject (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pauseopt (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pausecert (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletecookie (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletesol (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

And where it says "Quarantined and deleted successfully", it's still in the Quarantine in this program. Also, here is the list that is in there as well:

Heuristics.Reserved.Word.Exploit - File - C:\Windows\system32\winlogon.old
Adware.MyWebSearch - Registry Key - HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179}
Trojan.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrt_Shell (Data: C:\Documents and Settings\Owner\xrt_repr.exe)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Data: 78.109.21.64)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_command (Data: /cgi-bin/command.py)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletecookie (Data: yes)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pauseopt (Data: 1200)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pausecert (Data: 300)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_file (Data: /cgi-bin/file.py)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_ss (Data: /cgi-bin/trash.py)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_forms (Data: /cgi-bin/forms.py)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_reserv (Data: 78.109.21.64)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pstorage (Data: /cgi-bin/trash.py)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_options (Data: /cgi-bin/options.py)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Data: NEWOPTS)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_certs (Data: /cgi-bin/trash/py)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_idproject (Data: 000029)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletesol (Data: no)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_id (Data: 4176778026)
Trojan.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Data: C:\WINDOWS\system32\drivers\svchost.exe)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Data: ok)
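A small triage script, added here as an example and not a tool from the thread or from Malwarebytes, that parses quarantine records of the shape listed above, flags Run-key targets whose file name belongs to a Windows system binary but whose directory is wrong (the svchost.exe under system32\drivers) or that sit in a profile root or Temp folder, and collects the xrt_opt_* values into a host/URL-path indicator set a defender can block or hunt for. The record format, the allowlist of system-binary directories and the profile/Temp heuristic are assumptions of the example; the sample records are constructed from the values the poster transcribed.

```python
import re
from ipaddress import ip_address

# Record shape assumed by this example: Family - Registry Value - KEY\name (Data: value)
RECORD_RE = re.compile(
    r"^(?P<family>[\w.]+) - Registry Value - (?P<key>\S+)\\(?P<name>[^\\ ]+) \(Data: (?P<data>.*)\)$")

# Where these XP system binaries legitimately live (hand-maintained allowlist for the example).
SYSTEM_BINARY_HOMES = {"svchost.exe": {r"c:\windows\system32"}, "winlogon.exe": {r"c:\windows\system32"}}
# An autorun target sitting directly in a profile root or in a Temp folder is another red flag.
ODD_AUTORUN_DIR = re.compile(r"^c:\\documents and settings\\[^\\]+$|\\local settings\\temp$")

# Constructed sample: records rebuilt from the values the poster transcribed above.
SAMPLE = r"""
Trojan.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Data: C:\WINDOWS\system32\drivers\svchost.exe)
Trojan.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrt_Shell (Data: C:\Documents and Settings\Owner\xrt_repr.exe)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Data: 78.109.21.64)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_reserv (Data: 78.109.21.64)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_command (Data: /cgi-bin/command.py)
Backdoor.Agent - Registry Value - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pauseopt (Data: 1200)
"""

def parse_records(text):
    """Parse records into dicts (family, key, name, data); non-matching lines are skipped."""
    return [m.groupdict() for m in map(RECORD_RE.match, text.strip().splitlines()) if m]

def autorun_alert(path):
    """Say why a Run-key target looks wrong, or return None when nothing stands out."""
    directory, _, name = path.strip('"').lower().rpartition("\\")
    homes = SYSTEM_BINARY_HOMES.get(name)
    if homes is not None and directory not in homes:
        return f"{name} runs from {directory}, expected one of {sorted(homes)}"
    if ODD_AUTORUN_DIR.search(directory):
        return f"{name} autoruns from an unusual location: {directory}"
    return None

def extract_c2_config(records):
    """Turn the backdoor's xrt_opt_* settings into network indicators: hosts and URL paths."""
    hosts, paths = set(), set()
    for r in records:
        if r["family"] != "Backdoor.Agent" or not r["name"].startswith("xrt_opt_"):
            continue
        try:
            hosts.add(str(ip_address(r["data"])))
        except ValueError:  # not an address: keep URL paths, ignore timers and flags
            if r["data"].startswith("/"):
                paths.add(r["data"])
    return {"hosts": sorted(hosts), "paths": sorted(paths)}

def triage(text):
    # Alerts for every Run-key entry, plus the extracted C2 configuration.
    records = parse_records(text)
    alerts = [a for r in records if r["key"].lower().endswith("\\run")
              for a in [autorun_alert(r["data"])] if a]
    return {"alerts": alerts, "c2": extract_c2_config(records)}
```

Run against the sample, `triage(SAMPLE)` reports two autorun alerts and one C2 host with one URL path; the timer value 1200 is neither and is dropped.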


#2 PaGrrl

Posted 25 November 2008 - 06:26 AM

Anyone gonna help me out?

#3 SNOWHITE

Posted 04 December 2008 - 08:37 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you are still having a problem, and want us to analyze your information, please reply to this topic stating that you still need help and I will work with you on resolving your computer problems. If your problem has been resolved, please post a reply letting us know so we can close your topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Once again, I apologize for the delay in responding to this topic.

Regards
SNOWHITE

#4 SNOWHITE

Posted 10 December 2008 - 02:40 PM

Due to lack of feedback, this topic has been closed.

If you still need help after I have closed your topic, feel free to create a new one.

Thank you
SNOWHITE