
Really slow & getting worse


This topic is locked
40 replies to this topic

#1 grybnsll


Posted 30 April 2009 - 11:03 PM

If someone could look over my HJT log and let me know if my problem is here I'd appreciate it. Thx, gb

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:23 PM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKUS\S-1-5-21-2052111302-329068152-682003330-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator 2')
O4 - HKUS\S-1-5-21-2052111302-329068152-682003330-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator 2')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Gary\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1223014002656
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6816 bytes
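As an added example (not part of the thread, and not HijackThis's own code), a small Python triage script that parses the v2.0.2 log layout shown above and applies the checks a helper runs by eye: orphan entries pointing at a missing file or CLSID, O23 services with no vendor string, and O10 Winsock LSP lines that must never be deleted blindly. The sample lines are copied from the log above; note that O4 lines cover only registry Run keys, so an HJT O4 count will always be far smaller than a Sysinternals Autoruns "Everything" count.

```python
import re
from collections import Counter

# Constructed sample: lines copied verbatim from the HijackThis v2.0.2 log
# posted above, so the checks below run against the real log syntax.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:23 PM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Gary\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Every HJT finding line is: section tag (R0, R1, O2, O4, ...), " - ", entry body.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# O4 bodies for registry Run keys look like:  HKLM\..\Run: [Value name] command
O4_RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def parse_entries(log_text):
    """Return (section, body) tuples for each finding line; header/blank lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def section_counts(entries):
    """How many entries each HJT section contributed (O2 = BHOs, O23 = services, ...)."""
    return Counter(section for section, _ in entries)


def triage(entries):
    """Apply three defender-side checks; returns (rule, section, body) findings.

    orphan        - points at a file/CLSID that no longer exists: harmless leftover,
                    safe for HJT to remove, explains nothing about slowness
    unknown-owner - O23 service with no vendor string: verify the binary by hand,
                    "Unknown owner" alone is not evidence of malware
    lsp           - O10 Winsock LSP entry: a broken LSP chain takes down networking,
                    so never delete these without a dedicated LSP repair tool
    """
    findings = []
    for section, body in entries:
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(("orphan", section, body))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(("unknown-owner", section, body))
        elif section == "O10":
            findings.append(("lsp", section, body))
    return findings


def parse_run_keys(entries):
    """Split O4 Run-key entries into (hive, value name, command line)."""
    runs = []
    for section, body in entries:
        if section != "O4":
            continue
        m = O4_RUN_RE.match(body)
        if m:
            runs.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return runs


def report(log_text):
    """Human-readable triage summary for one log."""
    entries = parse_entries(log_text)
    counts = ", ".join(f"{s}={n}" for s, n in sorted(section_counts(entries).items()))
    lines = ["Entries per section: " + counts]
    for rule, section, body in triage(entries):
        lines.append(f"[{rule}] {section} - {body}")
    for hive, name, cmd in parse_run_keys(entries):
        lines.append(f"[autorun] {hive} {name!r} -> {cmd}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```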

#2 DocSatan


Posted 13 May 2009 - 11:34 AM

Hello grybnsll and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems.

1. Please Post a NEW DDS Log.
Some time has passed since your initial DDS Log and it's possible that the old DDS Log no longer accurately reflects your computer's current state. This will also let me know that you are still interested in receiving assistance with your computer issues. If you do not post a NEW DDS Log, then I will assume that you are no longer in need of assistance and this thread will be closed.
  • Download DDS by sUBs from the following link. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
    • NOTE: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
    • Information on A/V control HERE
2. Do Not Make Any Changes to the "Infected" Computer.
Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
  • Deleting Files/Folders
  • Installing/Uninstalling Programs
  • Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
Doc.

#3 grybnsll


Posted 18 May 2009 - 07:13 PM

Thank you, Doc. Yes, I still need help. I hope the file made it to you and also hope it's what you need. I appreciate it.

Attached file: DDS.txt (9.51KB)


#4 DocSatan


Posted 18 May 2009 - 07:30 PM

Hello grybnsll,

Give me some time to research your DDS Log and I will get back to you ASAP. :thumbup2:

In the meantime, please do not make any changes to this computer (refer to previous post).

Also, can you tell me what is happening that makes you think that your computer is infected?

Doc.

#5 grybnsll


Posted 18 May 2009 - 08:28 PM

It takes about 15 minutes to boot (no exaggeration). We have a daughter and son-in-law in Florida with our two grandchildren and would like to webcam with them through Skype but can't get it done. Windows open slowly and close equally as slowly; by that I mean they appear and disappear in a top down fashion one row at a time over a period of about 15 to 20 seconds. I have 648 autoruns at last count and wonder if some of those are using resources unnecessarily. I tried Googling my autorun list but only came up with more lists. With only Outlook open (that I open myself) I often get a message that system resources are too low. I have 84% free space on 112 gig hard drive. It began taking so long to do anything I installed the restoration disk that came with the computer a few months ago but things still aren't right. Some things improved but I'm still dealing with all of the above.

#6 DocSatan


Posted 22 May 2009 - 10:05 AM

Hi grybnsll,

I don't see anything in your DDS Log that would cause your 15 min boot-up time and deplete your system resources. I believe you when you tell me this...so I will try to dig deeper. :thumbup2:

Question(s)

1. When did you first notice that your computer was taking longer to boot-up? Same question for computer running slow.

2. When you say that you have 648 autoruns, are you talking about the items listed under the Everything Tab when autoruns first opens?

3. How did you come up with the total 648? Did you count each one yourself, or did you use another program?


1. Recommended Removal of a Program

You have a program on this computer called: ViewPoint

If you want to remove it, please follow the following steps:
  • Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.
  • Delete the following folders if they still exist:
    • C:\Program Files\ViewManager\ <-- delete this folder
    • C:\Program Files\Viewpoint\ <-- delete this folder


2. Download and Run Malwarebytes' Anti-Malware (MBAM)
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


3. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here are some alternative links to download ComboFix, if the above one is not working for you:
    • Link 1
    • Link 2
4. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
5. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
6. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 3.

7. What I need in Your Next Reply:
  • MBAM Report Results
  • ComboFix.txt
  • Answer to my questions
  • Any problems following my instructions?
Doc.

#7 grybnsll


Posted 23 May 2009 - 12:30 AM

1. My computer began causing problems at least a year ago, perhaps longer. It was gradual enough that I was unable to associate it with any download or change in programming. We dumped numerous programs that we felt we could do without but to no avail. We also transferred pictures and most other files to CD. The restoration disk didn't seem to help, although the boot process changed. Now I have to press F1 to get started. Another strange thing that happened is that my computer now tries to boot at midnight every night. The F1 is there waiting for me each morning but I just turn it off and get ready for work. There is also an F2 option for setup.

2. The number of my autoruns was determined by Sysinternals, which I picked up off of BC. That list is posted at the appropriate place on the BC website but it was recommended that I would have to Google them one-by-one to know what to keep and what to dump. I spent quite a bit of time trying but didn't have much luck with that so they remain.

3. I counted each one myself to come up with the number 648.

I found one ViewPoint reference in my add/remove list (ViewPoint Media Player). I removed it.

The following files were not found:
C:\Program Files\ViewManager\
C:\Program Files\Viewpoint\

I had acquired Malwarebytes' from BC and downloaded it some time ago; it remains on my computer. I ran it again this evening and got the following result: Objects Scanned 152,620; Objects Infected 0; Time Elapsed 52:49.

I have no other registry fixes that I know of, however, I have run a few and they all tell me I have hundreds of errors, but I have not made any purchase that allows me to fix them because I don't know who to trust. If you have a recommendation, I am happy to make a purchase.

My Internet connection is dedicated wireless broadband that reports 100.0Mbps, although it seems slower than that. I found and downloaded one Malwarebytes' update before I ran the scan. I ran it before reading ahead and called for the full scan that came up by default rather than the quick scan you wanted. I hope that doesn't provide you erroneous information. If so, I'll proceed from there and get it right next time.

My operating system is Windows XP, Home Edition, Version 2002, Service Pack 3; the computer is a Dell, Intel® Pentium® 4 CPU 3.00 GHz, 2.99 GHz, 256 MB of RAM, 112 GB hard drive.

I downloaded ComboFix and saved it to my desktop. However, after about an hour of trying I'm unable to find a way to disable my AVG protection components except the firewall and spam filter. The systray icon offers an "exit" option but I'm not sure that's what you want me to do. The other two items on that pop up menu are Open AVG User Interface and Update Now. I've searched the User Interface diligently and come up with no way to disable anything other than the two mentioned above.

I aborted your plan at this point until I figure out how to temporarily disable all of AVG's components; there are 13 all totaled. The only thing I get from Add/Remove is uninstall. I used Trend Micro for years beginning when the Klez worm came out and they offered their free house call. I was satisfied with their service and only changed because one of our local college CISS professors recommended AVG. I hope that wasn't a mistake. I'll follow whatever recommendation you have on that.

#8 DocSatan


Posted 23 May 2009 - 12:26 PM

Hi grybnsll,

after about an hour of trying I'm unable to find a way to disable my AVG protection components except the firewall and spam filter.

  • There is a "link" to a list for disabling various AV in the instructions I gave you. (Step 2, MBAM) :thumbup2:
  • For AVG 8:
    • Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.
    • Click on Tools.
    • Select Advanced.
    • In the left hand pane, scroll down to "Resident Shield".
    • In the main pane, deselect the option to "Enable Resident Shield."
    • To re-enable AVG 8, please select "Enable Resident Shield" again.

I have no other registry fixes that I know of, however, I have run a few and they all tell me I have hundreds of errors, but I have not made any purchase that allows me to fix them because I don't know who to trust. If you have a recommendation, I am happy to make a purchase.

  • I don't recommend using tools to "fix/delete" Registry Entries. Making changes to your Registry is very risky business if you are not Very Familiar with working with the Registry. It's possible to corrupt the Registry, and render your computer incapable of starting. Having these auto-tools "clean" your registry doesn't help with speeding up your computer anyway, so the risk vs. advantage is not worth it.

I aborted your plan at this point until I figure out how to temporarily disable all of AVG's components; there are 13 all totaled. The only thing I get from Add/Remove is uninstall.

  • We don't want to use Add/Remove Programs for disabling AVG. :)
  • Following the steps from above will do fine.
Since you already have MBAM on your computer, just update MBAM, disable your AVG, and then run a Quick Scan. Follow the rest of the instructions from Step 2 MBAM from the previous post and post the results in a Reply (cut and paste please).

After running MBAM, follow the ComboFix instructions (your AV should already be disabled).

What I need in your next Reply:
  • MBAM Report (cut and paste)
  • ComboFix.txt
  • Any Problems with following the instructions?
  • Any questions/comments?
Doc.

#9 grybnsll


Posted 23 May 2009 - 11:18 PM

Malwarebytes' Anti-Malware 1.36
Database version: 2168
Windows 5.1.2600 Service Pack 3

5/23/2009 10:53:11 PM
mbam-log-2009-05-23 (22-53-11).txt

Scan type: Quick Scan
Objects scanned: 96318
Time elapsed: 8 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ComboFix 09-05-22.05 - Gary 05/23/2009 22:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.64 [GMT -5:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\System\Uninstall
c:\windows\system32\winconfig.dll.tmp.tmp

.
((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-23 04:18 . 2009-05-23 04:18 -------- d-----w c:\documents and settings\log
2009-05-23 04:16 . 2009-05-23 04:16 -------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-05-22 03:13 . 2009-05-06 18:06 4784464 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{14C200F4-4D04-4FA3-B4F2-2B3330302A06}\mpengine.dll
2009-05-18 14:53 . 2009-04-26 01:51 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-18 14:52 . 2009-04-26 01:36 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-13 02:21 . 2009-05-13 02:19 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-13 02:21 . 2009-04-26 01:54 1224472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgspmui.dll
2009-05-13 02:21 . 2009-04-26 01:54 2302232 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-13 02:21 . 2009-04-26 01:53 3399960 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-13 02:21 . 2009-04-26 01:53 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-13 02:21 . 2009-04-26 01:52 2291992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfwui.dll
2009-05-13 02:21 . 2009-04-26 01:52 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-13 02:21 . 2009-04-26 01:52 1262880 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-05-13 02:21 . 2009-04-26 01:51 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-13 02:21 . 2009-04-26 01:55 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-13 02:11 . 2009-04-26 01:36 1083672 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-05-13 02:11 . 2009-04-26 01:35 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-01 02:37 . 2009-05-01 02:37 -------- d-----w c:\documents and settings\Administrator 2\Application Data\HP
2009-05-01 02:37 . 2009-05-01 02:37 -------- d-----w c:\documents and settings\Administrator 2\Local Settings\Application Data\Identities
2009-05-01 02:32 . 2009-05-01 02:32 -------- d-sh--w c:\documents and settings\Administrator 2\IETldCache
2009-05-01 01:43 . 2009-04-26 01:54 563456 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\dtuser.exe
2009-05-01 01:43 . 2009-04-26 01:54 2227968 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtoolbar.dll
2009-04-30 03:01 . 2009-04-30 03:01 -------- d-----w c:\documents and settings\Gary\Application Data\aAvgApi
2009-04-27 04:28 . 2009-04-27 04:42 -------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-04-25 04:59 . 2009-04-26 20:18 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-04-25 04:57 . 2009-04-25 04:57 -------- d-----w c:\program files\Common Files\iS3
2009-04-25 04:57 . 2009-04-26 20:20 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-04-25 04:30 . 2009-04-27 04:42 -------- d-----w c:\documents and settings\Gary\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 02:35 . 2009-04-15 22:39 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-28 04:09 . 2008-10-04 06:51 -------- d-----w c:\documents and settings\Gary\Application Data\AVGTOOLBAR
2009-04-26 01:55 . 2009-01-09 05:58 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 01:55 . 2008-10-04 06:51 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-04-26 01:54 . 2008-10-04 06:51 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 01:54 . 2008-10-04 06:50 50968 ----a-w c:\windows\system32\avgfwdx.dll
2009-04-26 01:54 . 2008-10-04 06:50 29208 ----a-w c:\windows\system32\drivers\avgfwdx.sys
2009-04-26 01:54 . 2008-10-04 06:51 12552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-04-26 01:53 . 2008-10-04 06:51 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-25 04:36 . 2009-02-01 01:27 -------- d-----w c:\program files\Unity
2009-04-21 03:30 . 2008-10-10 23:19 -------- d-----w c:\documents and settings\Gary\Application Data\Image Zone Express
2009-04-21 03:25 . 2009-03-09 03:02 -------- d-----w c:\documents and settings\Gary\Application Data\ArcSoft
2009-04-21 02:14 . 2009-04-19 16:55 129778 ----a-w c:\windows\hpoins13.dat
2009-04-19 21:53 . 2008-10-10 23:19 -------- d-----w c:\documents and settings\Gary\Application Data\Printer Info Cache
2009-04-19 18:07 . 2008-09-27 06:45 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-04-19 18:06 . 2009-04-19 18:06 -------- d-----w c:\program files\Hewlett-Packard
2009-04-19 16:39 . 2009-01-28 01:03 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-19 16:39 . 2009-01-28 01:03 -------- d-----w c:\program files\NOS
2009-04-17 00:28 . 2008-10-23 02:01 -------- d-----w c:\program files\Common Files\Adobe
2009-04-17 00:15 . 2009-04-15 22:38 -------- d-----w c:\program files\Common Files\AOL
2009-04-16 22:23 . 2009-04-15 23:21 -------- d-----w c:\documents and settings\Gary\Application Data\Skype
2009-04-16 21:02 . 2009-03-04 03:53 -------- d-----w c:\documents and settings\Gary\Application Data\skypePM
2009-04-15 23:22 . 2009-01-21 02:35 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-15 23:20 . 2009-04-15 23:20 -------- d-----w c:\program files\Common Files\Skype
2009-04-15 23:20 . 2009-03-04 03:49 -------- d-----r c:\program files\Skype
2009-04-15 23:20 . 2009-03-04 03:49 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-15 22:40 . 2009-04-15 22:38 -------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-04-15 22:38 . 2009-04-15 22:38 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-04-14 00:39 . 2009-03-17 03:11 4656976 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2009-04-10 03:02 . 2009-04-10 03:02 -------- d-----w c:\program files\CCleaner
2009-04-10 02:13 . 2009-04-10 02:13 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-09 03:42 . 2009-03-20 02:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 03:42 . 2009-04-09 03:42 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-06 20:32 . 2009-03-20 02:48 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-03-20 02:48 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-31 02:27 . 2008-09-28 03:15 -------- d-----w c:\documents and settings\Gary\Application Data\Sonic
2009-03-17 06:02 . 2009-03-17 06:02 25992 ----a-w c:\windows\system32\pgdfgsvc.exe
2009-03-17 03:03 . 2009-03-17 03:03 65328 ----a-w c:\documents and settings\Administrator 2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-08 09:34 . 2006-06-23 18:33 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2003-07-16 20:32 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2003-07-16 20:25 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2003-07-16 20:49 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2003-07-16 20:23 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2003-07-16 20:30 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2003-07-16 20:30 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2003-07-16 20:35 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2003-07-16 20:35 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2003-07-16 20:36 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2003-07-16 20:41 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 07:23 . 2009-03-05 07:24 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 07:22 . 2009-03-05 07:22 152576 ----a-w c:\documents and settings\Gary\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-04 03:53 . 2009-03-04 03:53 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-02-28 02:57 . 2009-04-16 21:21 38208 ----a-w c:\documents and settings\Gary\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-02-26 17:46 . 2009-02-26 17:46 74760 ----a-w c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 17:46 . 2009-02-26 17:46 25608 ----a-w c:\windows\system32\drivers\AVGIDSErHr.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"AVGIDS"="c:\program files\AVG\AVG8\Identity Protection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 01:55 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll
"wave1"= serwvdrv.dll
"wave2"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2/26/2009 12:46 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/4/2008 1:51 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/4/2008 1:51 AM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/4/2008 1:51 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/25/2009 8:54 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/9/2009 12:30 AM 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/25/2009 8:52 PM 1366904]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSAgent.exe [2/26/2009 12:46 PM 5576712]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSWatcher.exe [2/26/2009 12:46 PM 563720]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [7/16/2003 3:47 PM 14336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [10/4/2008 1:50 AM 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSDriver.sys [2/26/2009 12:46 PM 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSFilter.sys [2/26/2009 12:46 PM 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys [2/26/2009 12:46 PM 27232]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [10/4/2008 1:50 AM 29208]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVGIDSERHR

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-05-24 c:\windows\Tasks\User_Feed_Synchronization-{9F7C62B5-A4C0-4F09-9E59-23103FCD180C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Gary\Start Menu\Programs\IMVU\Run IMVU.lnk
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-23 23:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-24 23:05
ComboFix-quarantined-files.txt 2009-05-24 04:05

Pre-Run: 102,698,475,520 bytes free
Post-Run: 102,900,563,968 bytes free

191 --- E O F --- 2009-05-22 03:14


Points of note -

Prior to resuming your instructions this evening I was nosing around on the machine and went to System Information where I noticed I have "Total Physical Memory 512MB" and "Available Physical Memory 36.91MB."

Of those various Registry Fixes I've run in recent months, they all had a number of free fixes, which I accepted. It's not beyond the realm of possibility that I made my problem worse each time I did that.

After disabling AVG's Resident Shield, AVG still blocked several ComboFix steps, for each of which I selected "Allow."

#10 DocSatan


Posted 27 May 2009 - 08:10 AM

Hi grybnsll,

The Recovery Console was not installed by ComboFix. Did you get prompted to install it?
We have to get the Recovery Console installed before we continue, please follow the steps below to install the Recovery Console:

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

#11 grybnsll


Posted 27 May 2009 - 10:01 PM

ComboFix 09-05-26.05 - Gary 05/27/2009 21:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.76 [GMT -5:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gary\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-27 02:56 . 2009-05-27 02:56 -------- d-sh--w c:\documents and settings\Administrator 2\PrivacIE
2009-05-26 02:58 . 2009-05-06 18:06 4784464 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{28454E0E-4EC1-45BF-ABF2-60C2970A0430}\mpengine.dll
2009-05-23 04:18 . 2009-05-23 04:18 -------- d-----w c:\documents and settings\log
2009-05-23 04:16 . 2009-05-23 04:16 -------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-05-13 02:21 . 2009-05-13 02:19 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-01 02:37 . 2009-05-01 02:37 -------- d-----w c:\documents and settings\Administrator 2\Application Data\HP
2009-05-01 02:37 . 2009-05-01 02:37 -------- d-----w c:\documents and settings\Administrator 2\Local Settings\Application Data\Identities
2009-05-01 02:32 . 2009-05-01 02:32 -------- d-sh--w c:\documents and settings\Administrator 2\IETldCache
2009-04-30 03:01 . 2009-04-30 03:01 -------- d-----w c:\documents and settings\Gary\Application Data\aAvgApi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-27 03:10 . 2009-03-17 02:45 -------- d-----w c:\documents and settings\Administrator 2\Application Data\AVGTOOLBAR
2009-05-23 02:35 . 2009-04-15 22:39 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-06 18:06 . 2009-03-17 03:11 4784464 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2009-04-28 04:09 . 2008-10-04 06:51 -------- d-----w c:\documents and settings\Gary\Application Data\AVGTOOLBAR
2009-04-27 04:42 . 2009-04-27 04:28 -------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-04-27 04:42 . 2009-04-25 04:30 -------- d-----w c:\documents and settings\Gary\Application Data\Uniblue
2009-04-26 20:20 . 2009-04-25 04:57 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-04-26 20:18 . 2009-04-25 04:59 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-04-26 01:55 . 2009-01-09 05:58 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-26 01:55 . 2008-10-04 06:51 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-04-26 01:54 . 2008-10-04 06:51 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-26 01:54 . 2008-10-04 06:50 50968 ----a-w c:\windows\system32\avgfwdx.dll
2009-04-26 01:54 . 2008-10-04 06:50 29208 ----a-w c:\windows\system32\drivers\avgfwdx.sys
2009-04-26 01:54 . 2008-10-04 06:51 12552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-04-26 01:53 . 2008-10-04 06:51 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-25 04:57 . 2009-04-25 04:57 -------- d-----w c:\program files\Common Files\iS3
2009-04-25 04:36 . 2009-02-01 01:27 -------- d-----w c:\program files\Unity
2009-04-21 03:30 . 2008-10-10 23:19 -------- d-----w c:\documents and settings\Gary\Application Data\Image Zone Express
2009-04-21 03:25 . 2009-03-09 03:02 -------- d-----w c:\documents and settings\Gary\Application Data\ArcSoft
2009-04-21 02:14 . 2009-04-19 16:55 129778 ----a-w c:\windows\hpoins13.dat
2009-04-19 21:53 . 2008-10-10 23:19 -------- d-----w c:\documents and settings\Gary\Application Data\Printer Info Cache
2009-04-19 18:07 . 2008-09-27 06:45 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-04-19 18:06 . 2009-04-19 18:06 -------- d-----w c:\program files\Hewlett-Packard
2009-04-19 16:39 . 2009-01-28 01:03 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-19 16:39 . 2009-01-28 01:03 -------- d-----w c:\program files\NOS
2009-04-17 00:28 . 2008-10-23 02:01 -------- d-----w c:\program files\Common Files\Adobe
2009-04-17 00:15 . 2009-04-15 22:38 -------- d-----w c:\program files\Common Files\AOL
2009-04-16 22:23 . 2009-04-15 23:21 -------- d-----w c:\documents and settings\Gary\Application Data\Skype
2009-04-16 21:02 . 2009-03-04 03:53 -------- d-----w c:\documents and settings\Gary\Application Data\skypePM
2009-04-15 23:22 . 2009-01-21 02:35 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-15 23:20 . 2009-04-15 23:20 -------- d-----w c:\program files\Common Files\Skype
2009-04-15 23:20 . 2009-03-04 03:49 -------- d-----r c:\program files\Skype
2009-04-15 23:20 . 2009-03-04 03:49 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-15 22:40 . 2009-04-15 22:38 -------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-04-15 22:38 . 2009-04-15 22:38 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-04-10 03:02 . 2009-04-10 03:02 -------- d-----w c:\program files\CCleaner
2009-04-10 02:13 . 2009-04-10 02:13 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-09 03:42 . 2009-03-20 02:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 03:42 . 2009-04-09 03:42 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-06 20:32 . 2009-03-20 02:48 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-03-20 02:48 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-31 02:27 . 2008-09-28 03:15 -------- d-----w c:\documents and settings\Gary\Application Data\Sonic
2009-03-17 06:02 . 2009-03-17 06:02 25992 ----a-w c:\windows\system32\pgdfgsvc.exe
2009-03-17 03:03 . 2009-03-17 03:03 65328 ----a-w c:\documents and settings\Administrator 2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-08 09:34 . 2006-06-23 18:33 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2003-07-16 20:32 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2003-07-16 20:25 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2003-07-16 20:49 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2003-07-16 20:23 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2003-07-16 20:30 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2003-07-16 20:30 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2003-07-16 20:35 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2003-07-16 20:35 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2003-07-16 20:36 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2003-07-16 20:41 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 07:23 . 2009-03-05 07:24 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 07:22 . 2009-03-05 07:22 152576 ----a-w c:\documents and settings\Gary\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-04 03:53 . 2009-03-04 03:53 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-02-28 02:57 . 2009-04-16 21:21 38208 ----a-w c:\documents and settings\Gary\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-05-24_04.03.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-28 00:24 . 2009-05-28 00:24 16384 c:\windows\Temp\Perflib_Perfdata_474.dat
+ 2008-10-06 22:24 . 2009-05-27 04:09 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-10-06 22:24 . 2009-04-16 22:02 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-10-06 22:24 . 2009-04-16 22:02 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-10-06 22:24 . 2009-05-27 04:09 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-10-06 22:24 . 2009-05-27 04:09 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-10-06 22:24 . 2009-04-16 22:02 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-10-06 22:24 . 2009-04-16 22:02 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-10-06 22:24 . 2009-05-27 04:09 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-10-06 22:24 . 2009-04-16 22:02 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-10-06 22:24 . 2009-05-27 04:09 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-10-06 22:24 . 2009-05-27 04:09 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-10-06 22:24 . 2009-04-16 22:02 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-10-06 22:24 . 2009-05-27 04:09 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-10-06 22:24 . 2009-04-16 22:02 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"AVGIDS"="c:\program files\AVG\AVG8\Identity Protection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-26 01:55 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll
"wave1"= serwvdrv.dll
"wave2"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2/26/2009 12:46 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/4/2008 1:51 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/4/2008 1:51 AM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/4/2008 1:51 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/25/2009 8:54 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/9/2009 12:30 AM 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/25/2009 8:52 PM 1366904]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSAgent.exe [2/26/2009 12:46 PM 5576712]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\Identity Protection\agent\Bin\AVGIDSWatcher.exe [2/26/2009 12:46 PM 563720]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [7/16/2003 3:47 PM 14336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [10/4/2008 1:50 AM 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSDriver.sys [2/26/2009 12:46 PM 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSFilter.sys [2/26/2009 12:46 PM 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys [2/26/2009 12:46 PM 27232]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [10/4/2008 1:50 AM 29208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-05-28 c:\windows\Tasks\User_Feed_Synchronization-{9F7C62B5-A4C0-4F09-9E59-23103FCD180C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Gary\Start Menu\Programs\IMVU\Run IMVU.lnk
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 21:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000008FDCB2D31AEFD383B3 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-329068152-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-28 21:58
ComboFix-quarantined-files.txt 2009-05-28 02:57
ComboFix2.txt 2009-05-24 04:05

Pre-Run: 103,136,178,176 bytes free
Post-Run: 103,156,662,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

208 --- E O F --- 2009-05-26 02:58

#12 DocSatan


Posted 01 June 2009 - 10:14 AM

Hello grybnsll,

Sorry for the delay.

Catchme found a hidden file in the last ComboFix scan. Let's run a scan for rootkits next:

1. Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
2. What I need in Your Next Reply
  • gmer.log
  • How's your computer running?
  • Questions/Comments?
Doc.
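Reading the two ComboFix reports by hand is what DocSatan is doing above when he picks out the catchme hidden file and, earlier, the disabled protections. The script below is an added example (not part of this thread, and not a ComboFix, GMER or BleepingComputer tool) that extracts those same indicators from a ComboFix report: the Security Center override values, the standard-profile firewall setting, the orphaned autostart entries and catchme's hidden-file count. The sample report embedded in it is constructed from lines copied out of the logs posted in this thread.

```python
"""Triage helper for ComboFix report text (added example, not ComboFix's own code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a cut-down report built from lines posted earlier in this thread.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
SafeBoot-procexp90.Sys

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 21:54
scanning hidden files ...

c:\windows\TEMP\TMP0000008FDCB2D31AEFD383B3 524288 bytes executable

scan completed successfully
hidden files: 1
"""

_SECTION_RE = re.compile(r"^\[(.+)\]\s*$")                      # [HKEY_...] headers
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')           # "Name"=value lines
_HIDDEN_FILE_RE = re.compile(r"^([A-Za-z]:\\.+?)\s+(\d+)\s+bytes\b", re.IGNORECASE)
_HIDDEN_COUNT_RE = re.compile(r"^hidden files:\s*(\d+)", re.IGNORECASE | re.MULTILINE)


def parse_reg_sections(report: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] header (lower-cased) to its "name"=value pairs."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in report.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1).lower(), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def reg_int(value: str) -> Optional[int]:
    """Decode 'dword:00000001' or a plain leading integer such as '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-fA-F]+)", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def security_center_overrides(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """*Override values set to 1 under the Security Center key: XP stops alerting
    that antivirus or firewall is off, a setting malware commonly flips."""
    values = sections.get(r"hkey_local_machine\software\microsoft\security center", {})
    return sorted(n for n, v in values.items() if n.endswith("Override") and reg_int(v) == 1)


def firewall_enabled(sections: Dict[str, Dict[str, str]]) -> Optional[bool]:
    """EnableFirewall from the standard firewall profile; None if the key is absent."""
    for key, values in sections.items():
        if key.endswith(r"firewallpolicy\standardprofile") and "EnableFirewall" in values:
            return reg_int(values["EnableFirewall"]) == 1
    return None


def hidden_files(report: str) -> Tuple[int, List[str]]:
    """catchme's 'hidden files: N' count plus the file paths it listed above it."""
    m = _HIDDEN_COUNT_RE.search(report)
    count = int(m.group(1)) if m else 0
    paths = [fm.group(1) for fm in map(_HIDDEN_FILE_RE.match, report.splitlines()) if fm]
    return count, paths


def orphans(report: str) -> List[str]:
    """Autostart entries ComboFix listed under 'ORPHANS REMOVED' (ends at the next section)."""
    found: List[str] = []
    collecting = False
    for line in report.splitlines():
        if "ORPHANS REMOVED" in line:
            collecting = True
            continue
        s = line.strip()
        if not collecting or not s:
            continue
        if s == "." or s.startswith(("-", "(", "*", "catchme")):
            break
        found.append(s)
    return found


def triage(report: str) -> List[str]:
    """Human-readable findings a helper would want to see first."""
    sections = parse_reg_sections(report)
    findings = [f"Security Center override set: {n}" for n in security_center_overrides(sections)]
    if firewall_enabled(sections) is False:
        findings.append("Windows Firewall disabled in the standard profile (EnableFirewall=0)")
    count, paths = hidden_files(report)
    if count:
        findings.append(f"catchme reported {count} hidden file(s): {', '.join(paths)}")
    removed = orphans(report)
    if removed:
        findings.append(f"orphaned autostart entries removed: {len(removed)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print("-", finding)
```

On the thread's own logs the overrides are expected here, since AVG's firewall replaces the Windows one, which is why the findings are prompts for a human to check rather than verdicts.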

#13 grybnsll


Posted 01 June 2009 - 07:23 PM

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-01 19:12:00
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwClose [0xF87AB8A0]
SSDT \??\C:\Program Files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xF87AB8D0]
SSDT \??\C:\Program Files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xF87AB980]
SSDT \??\C:\Program Files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xF87ABA20]
SSDT \??\C:\Program Files\AVG\AVG8\Identity Protection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xF87ABAC0]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1592] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01179315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1592] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01254832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1592] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0136E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1592] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0136DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1592] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0136DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1592] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0136DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1592] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0136DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1592] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0136E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1592] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0136DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01179315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0124DBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 0124DD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01254832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 011B1CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0136E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0136DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0136DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0136DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0136DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0136E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0136DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0125488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [009418FD] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


Although I'm still contending with 20 minute boots, my computer seems to be responding better than when I first posted the problem, once it is up and running. My DVD and CD drives have disappeared; I can play from them but they are no longer offered as a choice when saving files. My printer has quit. I've uninstalled and re-installed but the computer refuses to print to it. The printer is shown on the Control Panel and pending print jobs are numbered there but I only get about 1/2 of one line of an old print job that should no longer be in the system, with about 3 1/2 lines of the new print job superimposed over it. The re-installation didn't change anything.

#14 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:12:36 PM

Posted 05 June 2009 - 09:03 AM

Hello grybnsll,

The RootKit scan with GMER came out clean. :thumbup2:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

I read over this thread again and found some comments/questions of yours that I feel I should address, mostly for clarification purposes; I didn't want to inadvertently ignore some of your questions. :)

1. AVG Internet Security
  • In Post #7 you mention that you used to use Trend Micro for antivirus, but changed to AVG on a recommendation from a friend. Were you having these issues when you were using TrendMicro? Or did they appear after you installed AVG Internet Security?
  • I ask this question because according to the System Requirements for AVG Internet Security your computer should have at least 256mb RAM for the program to run. You meet that "minimum" requirement, but the more programs that you have running, the more RAM that will be used. So, AVG will "HOG" the available resources in order to run properly, thereby rendering any other running programs that require RAM (printer, Skype, windows, etc.) very slooow.
  • So this MAY be the cause of the slow performance that you are experiencing.
2. Random Access Memory (RAM)
  • 256mb RAM is a very small amount by today's standards. I would seriously recommend that you add some RAM to this computer. At least 512mb RAM, but 1 or 2 GB RAM would probably be more reasonable.
  • You can search for the proper RAM for your computer at NewEgg.
3. Rogue Security Programs
4. "I have 648 autoruns"
  • Actually, you have about 8 programs set to auto-run. If I count all of the entries listed under the tab Everything in autoruns, I'll have about 600 too. :step1:
  • When people refer to how many auto-start/auto-run entries/programs they have, they are generally referring to programs that are set to start automatically when Windows starts. The Everything tab lists everything that starts at start-up.
  • If you want to use autoruns to check what programs are starting automatically, click on the Logon tab and look under the following entries:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    • C:\Documents and Settings\UserName\Start Menu\Programs\Startup
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • You can Google these entries to read more about them. You can also use SystemLookUp's Startup List to see if disabling the entry is recommended.
5. Restoration Disk
  • It began taking so long to do anything I installed the restoration disk that came with the computer a few months ago, but things still aren't right.

  • Did you do a Reformat, or a Restoration?
  • What does the disk actually say on it?
  • If you did a Reformat, and the problem still exists, then it's definitely not malware related. Reformatting puts a clean, factory-fresh copy of the operating system on the computer.
6. Boot Process Changed
  • The restoration disk didn't seem to help, although the boot process changed. Now I have to press F1 to get started. Another strange thing that happened is that my computer now tries to boot at midnight every night. The F1 is there waiting for me each morning but I just turn it off and get ready for work. There is also an F2 option for setup.

  • Not sure why this happens. It may be due to the restoration disk having changed something.
  • Next time you get that window, Press the F2 button. This should bring you to the Bios Setup.
  • Don't make any changes. If there is an option to save settings, then please choose to save.
  • Then exit. This should bring you to your desktop.
  • Try restarting the computer to see if you get the same F1/F2 option.
Please post the results of the Kaspersky Scan, as well as any comments/questions/concerns from the above topics. :step5:
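
As an added illustration of the four Logon-tab locations listed in the post above (this script is not from the thread, from Autoruns, or from BleepingComputer), the following PowerShell enumerates the two Run keys and the two Startup folders and counts the entries, so the handful of real auto-start programs can be compared against the several hundred items the Everything tab shows. It assumes PowerShell 2.0 or later is installed and resolves the Startup folder paths from the system instead of hard-coding the XP "Documents and Settings" paths.

```powershell
# Added example, not code from the thread: list what Autoruns' Logon tab
# covers for the four locations named in the post. Assumes PowerShell 2.0+.
# Run from an administrator prompt so the HKLM key is readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Startup folders: the "Common Startup" shell folder covers All Users
# (C:\Documents and Settings\All Users\...\Startup on XP); GetFolderPath
# returns the current user's Startup folder.
$shellFolders = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$startupDirs = @(
    (Get-ItemProperty -Path $shellFolders).'Common Startup',
    [Environment]::GetFolderPath('Startup')
)

$entries = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # The registry provider adds PSPath/PSParentPath/... metadata; skip it.
        if ($p.Name -like 'PS*') { continue }
        $entries += New-Object PSObject -Property @{
            Location = $key; Name = $p.Name; Command = $p.Value
        }
    }
}

foreach ($dir in $startupDirs) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    # -Force shows hidden files; desktop.ini is folder metadata, not a program.
    Get-ChildItem -Path $dir -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $entries += New-Object PSObject -Property @{
                Location = $dir; Name = $_.Name; Command = $_.FullName
            }
        }
}

$entries | Format-Table Location, Name, Command -AutoSize
"Auto-start entries in the four Logon locations: $($entries.Count)"
```

Each Command value can then be checked against SystemLookup's Startup List as the post suggests; an entry whose command points at a temp folder or a randomly named file is the kind worth asking about before disabling it.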

#15 grybnsll

grybnsll
  • Topic Starter

  • Members
  • 24 posts
  • Local time:11:36 AM

Posted 05 June 2009 - 11:38 AM

I didn't get far with this. I opened Kaspersky WebScanner and it faithfully began downloading as you said it would. As I watched the progress, we had a brief power outage, which required me to reboot and go back to square one. Unlike the first try, the second Kaspersky WebScanner told me "You need to install Java version 1.5 or later to run Kaspersky Online Scanner 7.0." Instructions were offered so I installed Java 1.5 to my desktop. Each subsequent try to use the Kaspersky WebScanner results in the same "You need to install Java version 1.5 or later to run Kaspersky Online Scanner 7.0." I've checked and double checked and am told I have a successful installation.

Doc, I immensely appreciate the time you're spending on this as you work to help me through my computer woes, however, the time has come for me to make my annual pilgrimage to SW Kansas to assist my parents with the wheat harvest; I'll be leaving later today; it's about a 10 hour drive and I'll probably be gone about two weeks. Although I'll be checking my webmail from there I'd very much like to continue this process but will be away from my personal computer during that time. With your kind permission I'll follow your next instruction upon my return.

Kind Regards, Gary



