Sudden event with several symptoms; slow, no mouse, won't shut down

Windows XP Professional user, and take frequent steps to prevent problems with regular scans by Malaware Bytes, SUPERantispyware, and SpyBot, and I maintain continuous protection with McAfee. The other day while having numerous windows opened received a warning from McAfee about a program trying to make a change to the registry. I responded to not allow it, afterwhich Firefox shut itself down. Since then the computer has not been acting properly. I updated MAB and ran in safe mode. I also proceeded with the other customary steps, ATF Cleaner, CCleaner, and others including McAfee full scan in safe mode (after updating).

Present situation is that the computer is very slow starting up, Windows will not shut down (gets stuck at "shutting down") and sometimes the keyboard and mouse loose communication. I have also tried to use System Restore several times, going back to both recent dates as well as the earliest date available (October 2009). Please advise if there is another means to assess if the registry files have been changed, and a means to restore. Thank you very much, in advance.

You guys are the best!

Hi SmartDad33,

Lets first have a look for rootkits here. Note, if you have trouble with running GMER, try leaving Devices unchecked, before running a scan.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Thanks. I had some difficulty. First run it went to BSOD after an about an hour of scan. I tried again in safe mode and it took about 6 hours for this one.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-15 03:49:45
Windows 5.1.2600 Service Pack 3
Running: 5df5xqov.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fxddqpob.sys


---- Threads - GMER 1.0.15 ----

Thread System [4:252] 896E5EAB

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv@imagepath \systemroot\system32\drivers\SKYNEToqnxsnkx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main@aid 10002
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main@sid 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@fn (null)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@url http://212.117.174.14/PC_protect.exe
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@knock (null)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@timeout 300
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@type 0
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\main\tasks\0000000001@count 10
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNEToqnxsnkx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtoflyxjr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules@SKYNETlog.dat \systemroot\system32\SKYNETgkukjkfo.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules@SKYNETwsp.dll \systemroot\system32\SKYNETuhwvacqj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNEToeenruwv\modules@SKYNET.dat \systemroot\system32\SKYNEThctavxda.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACwualkukjod.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmal
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacrem
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf

---- EOF - GMER 1.0.15 ----

Ouch, thats quite some rootkits we have there

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Since rootkit removal in this subforum is not allowed, I will have to move your topic to the HJT forum, so we can continue there. Just let me know what you decide to do: reformat or cleanup.

Thanks... been busy changing pw's all over the place and making other notifications. Since I do intend on continuing to use the computer for online banking as well as for work-related activities, music and entertainment, seems as if reinstall/reformatting is the obvious answer. The computer was issued to me with the OS installed and no disks. Assuming I can't get the disks from the original issuer, does that mean I must purchase a replacment OS?

Yes, unless you have the product activation key. In that case you can use a CD that matches the version and servicepack of windows that key came with.

To refine my prior question, the computer has a partioned drive, C & E. The C drive is 139 GB w/ 58 GB free, while the E is 9.65 GB mostly free with only 270 MB in use, but is labeled "HP_RECOVERY". Does this provide me with the necessities for reformatting without having external disks?

See here on how to use HP Recovery partition.

If you have more questions, just let me know!

okay, thanks. I'm on my way and past the point of no return, formatting the HD now. I guess I better stay away from The Pirate Bay and probably Vuze. And, I guess I'll look around here at the site about maintaining better protections. This isn't my first fall from grace and I thought I was fairly diligent about keeping protections active and conducting routine malware scans.

Indeed, better stay away from torrent/crack sites, keygens and the like

I will post some general information that might be of user. If you have more question, just ask them!

Please read these advices, in order to prevent reinfecting your PC:

1. Install and update the following programs regularly:
   • an outbound firewall
     A comprehensive tutorial and a list of possible firewalls can be found here.
   • an AntiVirus Software
     It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
   • an Anti-Spyware program
     Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
     SUPERAntiSpyware is another good scanner with high detection and removal rates.
     Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
   • Spyware Blaster
     A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
   • MVPs hosts file
     A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
2. Keep Windows (and your other Microsoft software) up to date!
   I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
   Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
3. Keep your other software up to date as well
   Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
4. Stay up to date!
   The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing .

Some more links you might find of interest:

• Miekies' prevention suggestions
• So How did I get infected?
• Microsoft - 'Security at home'
• Calendar of Updates: See which updates have been released.
• How to backup your Data with Cobian Backup:because you never know, when your harddisk might fail
• Commonly UsedFreeware Replacements: a nice list of freeware programs in all categories, that are regarded as useful by the users of this forum.
• osalt: Find (free) open source alternatives to known commercial software.

Is there any point in running a GMER scan after the HP Recovery is finished?

No, after the recovery is finished everything should be as it was when you purchased the computer. No need to look for rootkits then

However, if you feel safer that way, you can run it and post the log here for my review.

I am surprised to see, after going through the recovery, which then requires the reinstallation of Firefox after downloading the application at Mozilla, that my Bookmarks are present. Then, just to check, I looked at IE which I currently use less frequently but from earlier usage had an extensive list of Favorites, and they are present too after the re-format. Does that make sense? I thought I cleaned everything out and restored the PC to factory settings.

Did you do non-destructive recovery? This will only reset the system files, but not personal data.

I guess that's what happened. It's very convenient for me providing the rootkit would still be gone though, right?