
Computer running very slow, possible Malware


5 replies to this topic

#1 HelpmeDan

  • Members
  • 4 posts

Posted 02 July 2009 - 12:03 AM

I recently took care of a malware problem I had, but now my computer is running very slow and at 100% usage. I ran Malwarebytes and cleaned my computer again and found more malware, so maybe I am not 100% cleaning my computer.

I want my computer to run at an optimal rate with all extras removed.

Thanks in advance, I posted all logs.

Attached Files



#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 02 July 2009 - 08:12 AM

Hi,

From your DDS log, I can see that you never updated your Malwarebytes.

So, please update MalwareBytes...
  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh DDS, then we'll proceed from there with new steps.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 HelpmeDan
  • Topic Starter
  • Members
  • 4 posts

Posted 02 July 2009 - 08:30 PM

So I ran the program and it cleaned it again.

I posted the log.


Thanks for the quick response btw

Attached Files


Edited by HelpmeDan, 02 July 2009 - 08:33 PM.


#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 03 July 2009 - 12:31 AM

Hi,

Please don't attach your logs, but copy and paste them in the thread instead. Only attach the Attach.txt, but I won't need that anymore now.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Extra note: The ComboFix tutorial recommends disabling your antivirus, in your case McAfee. For McAfee, I rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after reboot, since McAfee enables itself again after reboot. So please temporarily uninstall McAfee first, then reboot and then scan with ComboFix.

#5 HelpmeDan
  • Topic Starter
  • Members
  • 4 posts

Posted 03 July 2009 - 09:56 PM

ComboFix 09-07-03.03 - Maria 07/03/2009 22:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.260 [GMT -4:00]
Running from: c:\documents and settings\Maria\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVAST!ANTIVIRUS
-------\Legacy_PODMENA
-------\Legacy_PODMENADRV
-------\Legacy_SVCPROC


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 02:16 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-04 02:16 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-02 23:59 . 2009-07-02 23:59 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-18 05:04 . 2009-06-28 10:07 0 ----a-w- c:\windows\system32\drivers\cc42d2f9.sys
2009-06-18 00:16 . 2009-06-20 18:02 0 ----a-w- c:\windows\system32\drivers\5bf5aa4b.sys
2009-06-17 19:31 . 2009-06-17 23:13 0 ----a-w- c:\windows\system32\drivers\2e25414e.sys
2009-06-17 06:40 . 2009-06-29 06:05 0 ----a-w- c:\windows\system32\drivers\51789ed6.sys
2009-06-17 04:11 . 2009-06-17 04:11 -------- d-----w- c:\program files\MetaStream
2009-06-17 00:50 . 2009-06-17 00:50 -------- d-----w- c:\program files\Trend Micro
2009-06-17 00:45 . 2009-06-17 00:45 36768 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 21:12 . 2009-06-25 20:55 0 ----a-w- c:\windows\system32\drivers\c3070e28.sys
2009-06-16 20:25 . 2009-06-16 20:25 -------- d-----w- c:\documents and settings\Maria\Application Data\Malwarebytes
2009-06-16 20:25 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-16 20:25 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 20:25 . 2009-06-16 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-16 20:25 . 2009-07-03 00:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 01:55 . 2005-04-08 09:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-06-17 03:47 . 2005-04-08 09:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-14 06:09 . 2009-01-16 17:43 -------- d-----w- c:\program files\Dziobas Rar Player
2009-05-10 10:43 . 2005-04-08 09:32 -------- d-----w- c:\program files\Java
2009-05-10 09:20 . 2009-05-10 09:20 152576 ----a-w- c:\documents and settings\Maria\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2007-10-27 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-15 53248]
"HostManager"="c:\program files\Common Files\AOL\1129598346\ee\AOLSoftware.exe" [2008-06-24 41824]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-06 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-05 155648]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RRT-Auto"="c:\documents and settings\Maria\Desktop\Jobs\RRT\RRT.exe" [2009-06-18 152576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-4-8 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1129598346\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1129598346\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=

S1 2e25414e;2e25414e;c:\windows\system32\drivers\2e25414e.sys [6/17/2009 3:31 PM 0]
S1 51789ed6;51789ed6;c:\windows\system32\drivers\51789ed6.sys [6/17/2009 2:40 AM 0]
S1 5bf5aa4b;5bf5aa4b;c:\windows\system32\drivers\5bf5aa4b.sys [6/17/2009 8:16 PM 0]
S1 c3070e28;c3070e28;c:\windows\system32\drivers\c3070e28.sys [6/16/2009 5:12 PM 0]
S1 cc42d2f9;cc42d2f9;c:\windows\system32\drivers\cc42d2f9.sys [6/18/2009 1:04 AM 0]
.
Contents of the 'Scheduled Tasks' folder

2005-04-15 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 10:00]

2009-07-03 c:\windows\Tasks\User_Feed_Synchronization-{F0FC46D2-3FA3-4902-A5A2-C5AAFE6BC28A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=toolbar
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: google.com\www
Trusted Zone: hofstra.edu\www
Trusted Zone: myspace.com\www
Trusted Zone: nyu.edu\www.home
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 22:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D96284CB-92E6-3E1E-196BB0273B005327}\{BCF0CDFC-4A0B-26E5-259182A4D665E8F2}\{6E248836-421D-F84C-CF6B8AC08EBF0D43}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(740)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'Explorer.EXE'(3244)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'csrss.exe'(624)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\scardsvr.exe
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\wanmpsvc.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\combofix\hidec.exe
c:\windows\system32\drwtsn32.exe
c:\windows\system32\drwtsn32.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-07-04 22:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 02:28

Pre-Run: 17,803,386,880 bytes free
Post-Run: 20,404,989,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

199 --- E O F --- 2008-08-18 00:32

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 04 July 2009 - 01:06 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\drivers\cc42d2f9.sys
c:\windows\system32\drivers\c3070e28.sys
c:\windows\system32\drivers\2e25414e.sys
c:\windows\system32\drivers\51789ed6.sys
c:\windows\system32\drivers\5bf5aa4b.sys
Driver::
cc42d2f9
c3070e28
2e25414e
51789ed6
5bf5aa4b


Save this as a text file called CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot (Posted Image)]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
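An added, defender-side example that is not part of this thread and is not ComboFix's own code: a small Python parser for the "Files Created" and Drivers/Services lines of a ComboFix log like the one in post #5. It flags .sys entries whose file name is eight random-looking hex characters or whose size is zero bytes (the traits of the five drivers miekiemoes lists in the CFScript in post #6) and emits File:: and Driver:: sections in that script's layout. The sample lines are constructed in the style of the log above; the regexes, and the reading of the R/S prefix as running/stopped plus a start-type digit, are assumptions about ComboFix's output format. The heuristics are a triage aid for reading such logs, not a verdict on any file.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample lines in the style of the ComboFix log above: a
# "Files Created" section and a Drivers/Services section. Not a real capture.
SAMPLE_LOG = r"""
2009-07-04 02:16 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-18 05:04 . 2009-06-28 10:07 0 ----a-w- c:\windows\system32\drivers\cc42d2f9.sys
2009-06-16 21:12 . 2009-06-25 20:55 0 ----a-w- c:\windows\system32\drivers\c3070e28.sys
2009-06-16 20:25 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-16 20:25 . 2009-06-16 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
S1 cc42d2f9;cc42d2f9;c:\windows\system32\drivers\cc42d2f9.sys [6/18/2009 1:04 AM 0]
S1 c3070e28;c3070e28;c:\windows\system32\drivers\c3070e28.sys [6/16/2009 5:12 PM 0]
R3 mbamswissarmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/16/2009 4:25 PM 38160]
"""

# Line shapes are assumptions about ComboFix's output, derived from the log above:
#   <created> . <modified> <size|--------> <attrs> <path>
#   <R|S><start-digit> <service>;<display name>;<path> [<timestamp> <size>]
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]+);(?P<path>.+?) "
    r"\[(?P<stamp>.+) (?P<size>\d+)\]$"
)
RANDOM_HEX_STEM = re.compile(r"^[0-9a-f]{8}$")


@dataclass
class LogEntry:
    path: str                       # path exactly as written in the log
    size: Optional[int]             # bytes; None for directory entries
    service: Optional[str] = None   # service name from a Drivers/Services line
    start: Optional[str] = None     # e.g. "S1": read here as S=stopped, 1=system start (assumption)


@dataclass
class Finding:
    name: str                       # file stem, e.g. "cc42d2f9"
    path: str
    service: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_combofix(text: str) -> Dict[str, LogEntry]:
    """Merge file-creation and service lines into one entry per (lower-cased) path."""
    entries: Dict[str, LogEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries[m["path"].lower()] = LogEntry(path=m["path"], size=size)
            continue
        m = SERVICE_LINE.match(line)
        if m:
            key = m["path"].lower()
            entry = entries.setdefault(key, LogEntry(path=m["path"], size=int(m["size"])))
            entry.service, entry.start = m["name"], m["start"]
            if entry.size is None:
                entry.size = int(m["size"])
    return entries


def flag_suspicious(entries: Dict[str, LogEntry]) -> List[Finding]:
    """Triage heuristics for .sys entries: random-looking 8-hex-char names and
    zero-byte driver files (a driver that cannot load but is still registered as
    a service). A service named exactly after its file is only noted as
    corroboration, since many legitimate drivers do the same."""
    findings: List[Finding] = []
    for entry in entries.values():
        p = PureWindowsPath(entry.path)
        if p.suffix.lower() != ".sys":
            continue
        reasons: List[str] = []
        if RANDOM_HEX_STEM.match(p.stem.lower()):
            reasons.append("8-hex-char file name")
        if entry.size == 0:
            reasons.append("zero-byte driver")
        if reasons and entry.service and entry.service.lower() == p.stem.lower():
            reasons.append("service named after the file")
        if reasons:
            findings.append(Finding(p.stem, entry.path, entry.service, reasons))
    findings.sort(key=lambda f: f.path.lower())   # stable, path-ordered output
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Emit File:: / Driver:: sections in the CFScript layout used in post #6."""
    lines = ["File::"] + [f.path for f in findings]
    drivers = [f.service for f in findings if f.service]
    if drivers:
        lines += ["Driver::"] + drivers
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = flag_suspicious(parse_combofix(SAMPLE_LOG))
    for f in found:
        print(f"{f.path}: {', '.join(f.reasons)}")
    print(build_cfscript(found))
```

Run it on the sample and the two zero-byte, hex-named drivers come out with all three reasons, while mbamswissarmy.sys (a named, non-empty driver) is left alone; the generated File::/Driver:: text matches the shape of the script in post #6, which is exactly the review a helper does by eye before asking for a CFScript run.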