Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    New Bomb Threat Email Scam Campaign Demanding $20K in Bitcoin

Featured Deal: Get 91% off The ReactJS Programming Bootcamp Deal

Photo

Computer slow, locks up alot, unable to run safe mode

Started by spasticgamer , May 19 2010 12:03 AM

  • This topic is locked This topic is locked
24 replies to this topic

#1 spasticgamer

spasticgamer

  • Members
  • 25 posts
  • OFFLINE
    •  
  • Local time:10:52 PM

Posted 19 May 2010 - 12:03 AM

My computer seems to run slow. Just running my internet browser makes the fan run full tilt boogie. It seems to lock up if you try to use more than two programs at a time. Sometimes clicking on an icon does nothing, then computer will not allow you to restart or run task manager leaving me no other option but to hold down power button to shut PC off.

I was trying to follow the bleeping computer instructions for a slow computer, but I cannot even get the computer to run in safe mode. I have already ran chkdisk and chkdisk f. Malwarebytes finds nothing. Dr Web finds nothing. Webroot spysweeper finds nothing. Trend Micro antivirus only ever finds a cookie or two.

Please help? I am thinking about using my current PC for target practice at the gun range, and buying some good books to read.

Thanks!

spasticgamer

Forgot to add, running windows xp

I have run steps 6 -9 of prep guide as instructed by boopme. gmer would run, but appears to freeze part way through, with the pc fan running full tilt boogie again. Had to shut down pc twice by holding down power button before giving up and posting this new topic. DDS and ATTACH have been uploaded.

Thanks so much for the help. I know just enough about computers to be dangerous.

spasticgamer

BC AdBot (Login to Remove)

 

#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:52 PM

Posted 20 May 2010 - 12:14 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Somethings to remember while we are working together.
    1.Please do not run any other tool untill instructed to do so!
    2.Please reply to this thread, do not start another!
    3.Please tell me about any problems that have occurred during the fix.
    4.Please tell me of any other symptoms you may be having as these can help also.
    5.Please try as much as possible not to run anything while executing a fix.
If you follow these instructions, everything should go smoothly.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 spasticgamer

spasticgamer
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
    •  
  • Local time:10:52 PM

Posted 20 May 2010 - 10:39 PM

Gringo,

Thanks for the help.

I had a very difficult time getting RKUnhookerLE.exe to save to my desktop. It took three attempts. It took a couple more attempts to get the program to open up and run. The pc locked up each time, and I had to reboot.

After getting the program open, it actually scanned on the first try.

Here is the report RKU generated:


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x994AA000 C:\WINDOWS\system32\DRIVERS\vsapint.sys 1318912 bytes (Trend Micro Inc., VsapiNT )
0xB8C98000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1302528 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xB8B2C000 C:\WINDOWS\system32\DRIVERS\AGRSM.sys 1097728 bytes (Agere Systems, SoftModem Device Driver)
0xA1170000 C:\WINDOWS\system32\drivers\sthda.sys 1048576 bytes (SigmaTel, Inc., NDRC)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0x995EC000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 876544 bytes
0xB9DDA000 IASTOR.SYS 876544 bytes
0xB9C94000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0x9EC79000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB8A17000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA1098000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x98ABA000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0x99461000 C:\WINDOWS\system32\DRIVERS\tmxpflt.sys 299008 bytes (Trend Micro Inc., Post Filter For XP)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x98C29000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xB8A75000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB9F3A000 SSIDRV.SYS 188416 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper Interdiction Driver)
0x98E39000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9F0D000 C:\WINDOWS\SYSTEM32\Drivers\NDIS.SYS 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB9D7D000 dac2w2k.sys 180224 bytes (Mylex Corporation, Mylex Disk Array Controller Driver)
0x98DE5000 C:\WINDOWS\system32\drivers\tmcomm.sys 180224 bytes (Trend Micro Inc., TrendMicro Common Module)
0x99336000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0x9FBC2000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB8AE1000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 163840 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xB8C5C000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA1070000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9EC8000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0x9D590000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0x996C2000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA114C000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB8C38000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB8B09000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA104E000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9D5D000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9EEE000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9C7A000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9DA9000 adpu160m.sys 102400 bytes (Microsoft Corporation, Adaptec Ultra160 SCSI miniport)
0xB9DC2000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9EB0000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB9D34000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8AB6000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x99384000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB8ACD000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB8C84000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA10F1000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB9D21000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9D4B000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xA010C000 C:\WINDOWS\system32\DRIVERS\tmtdi.sys 73728 bytes (Trend Micro Inc., Trend Micro TDI Driver (i386-fre))
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8AA5000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0x9904E000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB95B1000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA238000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA1C8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB95D1000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0x9D0EE000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xA40AE000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB95A1000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0x99997000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xA408E000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA128000 aic78u2.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra2 SCSI miniport)
0xBA0F8000 aic78xx.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra SCSI miniport)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xBA188000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA2B8000 C:\WINDOWS\System32\drivers\HPFECP16.SYS 53248 bytes
0xB95E1000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB9591000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xA3CA7000 C:\WINDOWS\system32\DRIVERS\tmpreflt.sys 53248 bytes (Trend Micro Inc., Pre-Filter For XP)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA168000 ql12160.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xBA158000 ql1280.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xB9571000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA1E8000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xBA218000 agpCPQ.sys 45056 bytes (Microsoft Corporation, CompatNT AGP Filter)
0xBA1F8000 alim1541.sys 45056 bytes (Microsoft Corporation, ALi M1541 NT AGP Filter)
0xBA208000 amdagp.sys 45056 bytes (Advanced Micro Devices, Inc., AMD Win2000 AGP Filter)
0xA850A000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB95C1000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB9581000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xA409E000 C:\WINDOWS\system32\drivers\sfng32.sys 45056 bytes (Sonic Focus, Inc, SFNG32.SYS)
0xBA0C8000 ssfs0bbc.sys 45056 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper FileSystem Filter Driver)
0xBA1B8000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB9BFA000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA148000 ql1080.sys 40960 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xBA118000 ql1240.sys 40960 bytes (Microsoft Corporation, QLogic ISP PCI Adapters)
0xBA1A8000 sisagp.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter)
0xB9C2A000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA178000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA406E000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB95F1000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB9561000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA405E000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0x979D8000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA198000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA108000 ql10wnt.sys 36864 bytes (Microsoft Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xBA0B8000 SSHRMD.SYS 36864 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper Mini Driver)
0xBA138000 ultra.sys 36864 bytes (Promise Technology, Inc., Promise Ultra66 Miniport Driver)
0x9DBC7000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA3F8000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xA1A76000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA360000 symc8xx.sys 32768 bytes (LSI Logic, Symbios 8XX SCSI Miniport Driver)
0xBA370000 sym_u3.sys 32768 bytes (LSI Logic, Symbios Ultra3 SCSI Miniport Driver)
0xBA3F0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA348000 asc.sys 28672 bytes (Advanced System Products, Inc., AdvanSys SCSI Controller Driver)
0xA1A8E000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA398000 hpn.sys 28672 bytes (Microsoft Corporation, NetRAID-4M Miniport Driver)
0xBA330000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA390000 perc2.sys 28672 bytes (Microsoft Corporation, PERC 2 Miniport Driver)
0xBA368000 sym_hi.sys 28672 bytes (LSI Logic, Symbios Hi-Perf SCSI Miniport Driver)
0x9A959000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xA1A96000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA378000 ABP480N5.SYS 24576 bytes (Microsoft Corporation, AdvanSys SCSI Controller Driver)
0xBA380000 asc3350p.sys 24576 bytes (Microsoft Corporation, AdvanSys SCSI Card Driver)
0xBA408000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA400000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA420000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xA1A86000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\arhidfltr.sys 20480 bytes (Microsoft Corporation, Microsoft AR HID Filter Driver (Beta 2 Release 2))
0xBA388000 dpti2o.sys 20480 bytes (Microsoft Corporation, DPT SmartRAID miniport)
0xBA358000 i2omp.sys 20480 bytes (Microsoft Corporation, I2O Miniport Driver)
0xBA350000 mraid35x.sys 20480 bytes (American Megatrends Inc., MegaRAID RAID Controller Driver for Windows Whistler 32)
0xA1A7E000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA338000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA410000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA418000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA340000 sparrow.sys 20480 bytes (Adaptec, Inc., Adaptec AIC-6x60 series SCSI miniport)
0xBA328000 C:\WINDOWS\SYSTEM32\Drivers\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0x9A941000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C0000 aha154x.sys 16384 bytes (Microsoft Corporation, Adaptec AHA-154x series SCSI miniport)
0xBA4D0000 asc3550.sys 16384 bytes (Advanced System Products, Inc., AdvanSys Ultra-Wide PCI SCSI Driver)
0xBA4D8000 cbidf2k.sys 16384 bytes (Microsoft Corporation, CardBus/PCMCIA IDE Miniport Driver)
0xBA4BC000 cpqarray.sys 16384 bytes (Microsoft Corporation, Compaq Drive Array Controllers SCSI Miniport Driver)
0xBA4C8000 dac960nt.sys 16384 bytes (Microsoft Corporation, Mylex Disk Array Controller Driver)
0xBA4D4000 ini910u.sys 16384 bytes (Microsoft Corporation, INITIO ini910u SCSI miniport)
0xBA588000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB9B75000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB9B4D000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4C4000 symc810.sys 16384 bytes (Symbios Logic Inc., Symbios Logic Inc. SCSI Miniport Driver)
0xBA4CC000 amsint.sys 12288 bytes (Microsoft Corporation, AMD SCSI/NET Controller)
0xB9B45000 C:\WINDOWS\system32\DRIVERS\arpolicy.sys 12288 bytes (Microsoft Corporation, Microsoft AR Policy Driver (Beta 2 Release 2))
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0x9AC67000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA6943000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA6947000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0x9C369000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9B41000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA693B000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA5AC000 aliide.sys 8192 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0xBA5F6000 C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys 8192 bytes (Microsoft Corporation, Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2))
0xBA5C8000 C:\WINDOWS\system32\DRIVERS\armoucfltr.sys 8192 bytes (Microsoft Corporation, Microsoft AR PS/2 Mouse Filter Driver (Beta 2 Release 2))
0xA38E2000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5B8000 cd20xrnt.sys 8192 bytes (Microsoft Corporation, IBM Portable CD-ROM Drive Miniport)
0xBA5AE000 cmdide.sys 8192 bytes (CMD Technology, Inc., CMD PCI IDE Bus Driver)
0xBA5B6000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5FA000 C:\WINDOWS\system32\DRIVERS\ELacpi.sys 8192 bytes (Intel Corporation, -)
0xBA612000 C:\WINDOWS\System32\DRIVERS\ELhid.sys 8192 bytes (Intel Corporation, -)
0xBA5F8000 C:\WINDOWS\System32\DRIVERS\ELkbd.sys 8192 bytes (Intel Corporation, -)
0xA38EA000 C:\WINDOWS\System32\DRIVERS\ELmon.sys 8192 bytes (Intel Corporation, -)
0xBA5CA000 C:\WINDOWS\System32\DRIVERS\ELmou.sys 8192 bytes (Intel Corporation, -)
0xA38E4000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5B4000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xA34FF000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5BA000 perc2hib.sys 8192 bytes (Microsoft Corporation, PERC 2 Hibernate Driver)
0xA34FD000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5FC000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5B0000 toside.sys 8192 bytes (Microsoft Corporation, Toshiba PCI IDE Controller)
0xA38E6000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5B2000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA71A000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xA1970000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 4096 bytes (Sonic Solutions, CDR4 CD and DVD Place Holder Driver (see PxHelp))
0xA196D000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 4096 bytes (Sonic Solutions, CDRAL Place Holder Driver (see PxHelp))
0xBA7CD000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xA196C000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x89D3B0D0 unknown_irp_handler 3888 bytes
0x89D1A0D0 unknown_irp_handler 3888 bytes
0x89D0B0D0 unknown_irp_handler 3888 bytes
0x899DE0E0 unknown_irp_handler 3872 bytes
0x89D5B0E0 unknown_irp_handler 3872 bytes
0x898CC1B0 unknown_irp_handler 3664 bytes
0x89C1C1F8 unknown_irp_handler 3592 bytes
0x89796258 unknown_irp_handler 3496 bytes
0x897A0280 unknown_irp_handler 3456 bytes
0x89BAF2C8 unknown_irp_handler 3384 bytes
0x89C0D320 unknown_irp_handler 3296 bytes
0x899514B0 unknown_irp_handler 2896 bytes
0x897B74B8 unknown_irp_handler 2888 bytes
0x897C44B8 unknown_irp_handler 2888 bytes
0x8986D4E0 unknown_irp_handler 2848 bytes
0x897AE530 unknown_irp_handler 2768 bytes
0x89BB0580 unknown_irp_handler 2688 bytes
0x89B6D770 unknown_irp_handler 2192 bytes
0x89953928 unknown_irp_handler 1752 bytes
0x89BFAA48 unknown_irp_handler 1464 bytes
0x89A63AC0 unknown_irp_handler 1344 bytes
0x89C3EB48 unknown_irp_handler 1208 bytes
0x89DB0B98 unknown_irp_handler 1128 bytes
0x89B3DC20 unknown_irp_handler 992 bytes
0x89BB2C40 unknown_irp_handler 960 bytes
0x89BD4DA8 unknown_irp_handler 600 bytes
0x89C28DD8 unknown_irp_handler 552 bytes
0x89948F10 unknown_irp_handler 240 bytes
==============================================
>Stealth
==============================================
0x05470000 Hidden Image-->System.XML.dll [ EPROCESS 0x89979020 ] PID: 208, 2060288 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\Documents and Settings\All Users\Application Data\Real\setup\config.ini::$DATA
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002D4B0, Type: Inline - RelativeJump 0x805044B0-->80504442 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D510, Type: Inline - RelativeJump 0x80504510-->805044A2 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D528, Type: Inline - RelativeJump 0x80504528-->805044BE [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D540, Type: Inline - RelativeJump 0x80504540-->805044D2 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D73C, Type: Inline - RelativeJump 0x8050473C-->805046CE [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D76C, Type: Inline - RelativeJump 0x8050476C-->805046FE [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D7C0, Type: Inline - RelativeJump 0x805047C0-->805047E8 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D7FC, Type: Inline - RelativeJump 0x805047FC-->8050478E [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D860, Type: Inline - RelativeJump 0x80504860-->805047F6 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D8C0, Type: Inline - RelativeJump 0x805048C0-->80504852 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xA10D7460-->8A772F58 [unknown_code_page]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0x9DBCCB1C-->8A772E60 [unknown_code_page]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0x9DBCCB28-->8A772F58 [unknown_code_page]
[208]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[208]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[208]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[208]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[208]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[208]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480-->00000000 [shimeng.dll]
[208]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]






I have also uploaded the notepad file containing this report to my current attachments.

Thanks again,


spasticgamer

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:52 PM

Posted 20 May 2010 - 10:58 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 spasticgamer

spasticgamer
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
    •  
  • Local time:10:52 PM

Posted 21 May 2010 - 06:31 AM

Ran combofix last night without much trouble until the step that reloads windows. The computer froze up during the step: "Preparing Log Report" I had to reboot the computer this morning and try again.

The second attempt ran with no problems. However, Internet Explorer browser still runs slow. First reboot of pc after saving the combofix log still froze up when I tried to load yahoo.com.

Log follows:


ComboFix 10-05-20.A0 - Owner 05/21/2010 6:34.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1536 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\service
c:\windows\system32\service\21052010_TIS17_SfFniAU.log
c:\windows\Tasks.\nqnhaqiw.job
c:\windows\Tasks.\nqnhaqiw.job . . . . failed to delete
.
---- Previous Run -------
.
c:\documents and settings\Owner\Recent\Thumbs.db
c:\program files\Internet Explorer\SET109.tmp
c:\program files\Internet Explorer\SET10A.tmp
c:\program files\Internet Explorer\SET10C.tmp
c:\program files\Internet Explorer\SET2BE.tmp
c:\program files\Internet Explorer\SET2BF.tmp
c:\program files\Internet Explorer\SET2C1.tmp
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\service\01042010_TIS17_SfFniAU.log
c:\windows\system32\service\02042010_TIS17_SfFniAU.log
c:\windows\system32\service\02082009_TIS17_SfFniAU.log
c:\windows\system32\service\02092009_TIS17_SfFniAU.log
c:\windows\system32\service\04042010_TIS17_SfFniAU.log
c:\windows\system32\service\04072009_TIS17_SfFniAU.log
c:\windows\system32\service\04092009_TIS17_SfFniAU.log
c:\windows\system32\service\05082009_TIS17_SfFniAU.log
c:\windows\system32\service\06032010_TIS17_SfFniAU.log
c:\windows\system32\service\06092009_TIS17_SfFniAU.log
c:\windows\system32\service\07072009_TIS17_SfFniAU.log
c:\windows\system32\service\07082009_TIS17_SfFniAU.log
c:\windows\system32\service\08012010_TIS17_SfFniAU.log
c:\windows\system32\service\08052010_TIS17_SfFniAU.log
c:\windows\system32\service\08082009_TIS17_SfFniAU.log
c:\windows\system32\service\09022010_TIS17_SfFniAU.log
c:\windows\system32\service\09122009_TIS17_SfFniAU.log
c:\windows\system32\service\10072009_TIS17_SfFniAU.log
c:\windows\system32\service\11032010_TIS17_SfFniAU.log
c:\windows\system32\service\13042010_TIS17_SfFniAU.log
c:\windows\system32\service\14042010_TIS17_SfFniAU.log
c:\windows\system32\service\14052010_TIS17_SfFniAU.log
c:\windows\system32\service\14072009_TIS17_SfFniAU.log
c:\windows\system32\service\15032010_TIS17_SfFniAU.log
c:\windows\system32\service\16092009_TIS17_SfFniAU.log
c:\windows\system32\service\17052010_TIS17_SfFniAU.log
c:\windows\system32\service\18042010_TIS17_SfFniAU.log
c:\windows\system32\service\18072009_TIS17_SfFniAU.log
c:\windows\system32\service\19012010_TIS17_SfFniAU.log
c:\windows\system32\service\19092009_TIS17_SfFniAU.log
c:\windows\system32\service\21012010_TIS17_SfFniAU.log
c:\windows\system32\service\21022010_TIS17_SfFniAU.log
c:\windows\system32\service\22082009_TIS17_SfFniAU.log
c:\windows\system32\service\23072009_TIS17_SfFniAU.log
c:\windows\system32\service\24032010_TIS17_SfFniAU.log
c:\windows\system32\service\24072009_TIS17_SfFniAU.log
c:\windows\system32\service\24082009_TIS17_SfFniAU.log
c:\windows\system32\service\25102009_TIS17_SfFniAU.log
c:\windows\system32\service\27062009_TIS17_SfFniAU.log
c:\windows\system32\service\27102009_TIS17_SfFniAU.log
c:\windows\system32\service\28062009_TIS17_SfFniAU.log
c:\windows\system32\service\28072009_TIS17_SfFniAU.log
c:\windows\system32\service\28092009_TIS17_SfFniAU.log
c:\windows\system32\service\30082009_TIS17_SfFniAU.log
c:\windows\system32\service\31082009_TIS17_SfFniAU.log
c:\windows\Tasks.\nqnhaqiw.job
c:\windows\wiaserviv.log
D:\Autorun.inf
c:\windows\Tasks.\nqnhaqiw.job . . . . failed to delete

-- Previous Run --

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

--------

.
((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
.

2010-05-21 04:26 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-05-21 04:26 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-05-19 03:19 . 2010-05-19 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-19 03:19 . 2010-05-19 03:40 -------- d-----w- c:\program files\SUPERAntiSpyware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 03:43 . 2008-11-22 00:41 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-19 03:40 . 2010-02-14 05:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-18 02:46 . 2010-01-09 02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 03:34 . 2008-12-31 14:36 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2010-05-12 15:21 . 2009-12-04 11:56 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 19:39 . 2010-01-09 02:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-01-09 02:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 23:54 . 2006-08-08 00:28 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2010-03-11 12:38 . 2005-01-09 23:48 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-01-09 23:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-01-09 23:47 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2005-01-09 23:48 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 17:46 . 2010-03-07 17:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 13:11 . 2005-01-09 23:48 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-06-26 16:16 . 2008-06-26 16:16 23 --sha-w- c:\windows\system32\acabbfcdfba3_r.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-03-05 21:02 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="c:\windows\ARPWRMSG.EXE" [2005-08-03 77312]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-08-15 886272]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-29 185784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-11-06 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCvTkL]
ljJCvTkL.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUNFVn]
tuvUNFVn.dll [BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer™ Generals\\game.dat"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade™\\Renegade\\Game.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [10/2/2008 4:15 AM 29808]
R2 HPFECP16;HPFECP16;c:\windows\system32\drivers\HPFecp16.sys [7/1/1998 2:55 AM 52800]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [6/27/2009 1:48 AM 36368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [10/18/2008 12:37 AM 1201640]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [6/27/2009 1:54 AM 50192]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [6/27/2009 1:54 AM 677128]
.
Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2006-07-23 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-01-10 00:12]

2010-05-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-05-21 c:\windows\Tasks\User_Feed_Synchronization-{449BDC8D-DE54-4A69-8C93-89802D5DE41A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]

2010-05-17 c:\windows\Tasks\wrSpySweeper_3BAF43EA2FE54F74814B2C76AC6BD9B7.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-05 20:19]

2010-05-17 c:\windows\Tasks\wrSpySweeper_3BAF43EA2FE54F74814B2C76AC6BD9B7.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-05 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel
Trusted Zone: amazon.com\www
Trusted Zone: ebay.com\www
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 06:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2524)
c:\windows\system32\WININET.dll
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-21 06:59:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-21 10:59

Pre-Run: 65,725,636,608 bytes free
Post-Run: 65,377,112,064 bytes free

- - End Of File - - 905C12183ECFE5FF410ED99B48EB8D2C

#6 spasticgamer

spasticgamer
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
    •  
  • Local time:10:52 PM

Posted 21 May 2010 - 09:23 AM

Update:

Right after I posted the combofix log to this thread, I opened Internet Explorer and iTunes at the same time. The computer locked up again. I had to hold power button down to shut down the pc. I let it sit for five minutes and turned it back on. The pc locked up again after booting up.

I restarted it again the same way as described above, and then the programs worked, but still slow loading and the fan runs at a high speed the whole time it is loading websites.

Thank you very much for your assistance so far.


spasticgamer

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:52 PM

Posted 21 May 2010 - 12:54 PM

Greetings

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
File::
c:\windows\system32\acabbfcdfba3_r.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCvTkL]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUNFVn]


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Let me have this report


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 spasticgamer

spasticgamer
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
    •  
  • Local time:10:52 PM

Posted 21 May 2010 - 08:06 PM

Ran combofix again by dragging the txt file into it.

Scan ran with no problems.

The only problem I had was the first time I tried to post this reply, the PC locked up again when I tried to open the notebook file with the following log. I had to reboot the computer once again by holding in the power button.

Here is the log:


ComboFix 10-05-21.01 - Owner 05/21/2010 20:23:53.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1355 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FILE ::
"c:\windows\system32\acabbfcdfba3_r.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\acabbfcdfba3_r.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-21 04:26 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-05-21 04:26 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-05-19 03:19 . 2010-05-19 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-19 03:19 . 2010-05-19 03:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-12 10:41 . 2010-05-12 10:41 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 03:43 . 2008-11-22 00:41 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-19 03:40 . 2010-02-14 05:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-18 02:46 . 2010-01-09 02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 03:34 . 2008-12-31 14:36 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2010-05-12 15:21 . 2009-12-04 11:56 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 19:39 . 2010-01-09 02:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-01-09 02:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 23:54 . 2006-08-08 00:28 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2010-03-11 12:38 . 2005-01-09 23:48 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-01-09 23:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-01-09 23:47 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2005-01-09 23:48 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 02:15 . 2010-03-09 02:15 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-100968dd-n\msvcp71.dll
2010-03-09 02:15 . 2010-03-09 02:15 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-100968dd-n\jmc.dll
2010-03-09 02:15 . 2010-03-09 02:15 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-100968dd-n\msvcr71.dll
2010-03-07 17:47 . 2010-03-07 17:47 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-66b5f548-n\jmc.dll
2010-03-07 17:47 . 2010-03-07 17:47 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3b7c58c6-n\decora-sse.dll
2010-03-07 17:47 . 2010-03-07 17:47 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3b7c58c6-n\decora-d3d.dll
2010-03-07 17:46 . 2010-03-07 17:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 13:11 . 2005-01-09 23:48 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-03-05 21:02 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="c:\windows\ARPWRMSG.EXE" [2005-08-03 77312]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-08-15 886272]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-29 185784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-11-06 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer™ Generals\\game.dat"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade™\\Renegade\\Game.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [10/2/2008 4:15 AM 29808]
R2 HPFECP16;HPFECP16;c:\windows\system32\drivers\HPFecp16.sys [7/1/1998 2:55 AM 52800]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [6/27/2009 1:48 AM 36368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [10/18/2008 12:37 AM 1201640]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [6/27/2009 1:54 AM 50192]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [6/27/2009 1:54 AM 677128]
.
Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2006-07-23 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-01-10 00:12]

2010-05-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-05-22 c:\windows\Tasks\User_Feed_Synchronization-{449BDC8D-DE54-4A69-8C93-89802D5DE41A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel
Trusted Zone: amazon.com\www
Trusted Zone: ebay.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 20:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-21 20:31:47
ComboFix-quarantined-files.txt 2010-05-22 00:31
ComboFix2.txt 2010-05-21 10:59

Pre-Run: 65,286,135,808 bytes free
Post-Run: 65,257,181,184 bytes free

- - End Of File - - E19F7E1B866BB6B88423207FE9C532C9




#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:52 PM

Posted 21 May 2010 - 09:25 PM

Hello

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 7.0.9
    J2SE Runtime Environment 5.0 Update 2

    and click on remove

Update Adobe Reader
    Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader(3.5MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts
  • After the update is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go Eset web page to run an online scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. Log From ESET Online Scanner
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 spasticgamer

spasticgamer
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
    •  
  • Local time:10:52 PM

Posted 23 May 2010 - 12:20 AM

This step was the most difficult so far.

The PC froze 2 times while trying to uninstall Adobe 7, and twice more removing J2SE. It froze up three more times while installing Adobe rader 9. Each time it froze, I was only able to shut down by holding in the power button.

There was another freeze up installing Java update. After the install, I tried to restart the computer the proper way. I was unable to restart without holding down power button.

TFC ran with no problems, and prompted a reboot of the computer. The pc froze up immediately after the reboot, and had to be shut down by holding in power button again.

MBam found nothing. I was not prompted to check any items or remove any files.

ESET ran without any problems. It took 3 hours to coplete the scan. Nothing was found.

Here is the MBAM log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4131

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/22/2010 8:55:12 PM
mbam-log-2010-05-22 (20-55-12).txt

Scan type: Quick scan
Objects scanned: 129334
Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Here is the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7d21474462452149b64000abdb2c1be7
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-23 01:11:58
# local_time=2010-05-22 09:11:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 27573252 27573252 0 0
# compatibility_mode=4352 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=324
# found=0
# cleaned=0
# scan_time=186
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7d21474462452149b64000abdb2c1be7
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-05-23 01:40:18
# local_time=2010-05-22 09:40:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 27573487 27573487 0 0
# compatibility_mode=4352 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=993
# found=0
# cleaned=0
# scan_time=1652
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7d21474462452149b64000abdb2c1be7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-05-23 04:46:25
# local_time=2010-05-23 12:46:25 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 27575160 27575160 0 0
# compatibility_mode=4352 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=89504
# found=0
# cleaned=0
# scan_time=11147


I will use the computer to run several programs at once to see how it runs, and I will let you know if I notice any improvements in performance.

Thank you very much for your help thus far.

spasticgamer



#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:52 PM

Posted 23 May 2010 - 12:38 AM

Hello

quick question: does your version of spysweeper have an antivirus with it?

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 spasticgamer

spasticgamer
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
    •  
  • Local time:10:52 PM

Posted 23 May 2010 - 09:00 AM

No. I have webroot spysweeper but it has no antivirus. I also have Trend Micro Antivirus. Both of these programs were installed by the Geek Squad when the computer was installed four years ago.

The computer still seems sluggish. When it froze up last night, I left it sit instead of holding in the power button. It eventually continued to run the programs I had open. I am beginning to wonder if there isn't some kind of memory or other hardware problem.

Thanks,



spasticgamer

Edited by spasticgamer, 23 May 2010 - 12:12 PM.

#13 spasticgamer

spasticgamer
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
    •  
  • Local time:10:52 PM

Posted 24 May 2010 - 09:06 PM

Update:

I left the computer turned on after my last post, even overnight.

This morning I opened Internet Explorer to read Yahoo news. In the middle of reading an article, the pc powered down and made the same kind of spooling down whirring sound it makes when entering hibernation mode. As this was happening, a blue warning screen flashed up on the monitor, it read as follows:





A problem has been detected and windows has been shut down to prevent damage to your computer.

IQRL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again follow these steps:
(I did not write down all of the steps, because the screen did not come back after restarting)


At the bottom of the warning screen it read:

Technical Information:
xxx STOP: 0x000000A (0x9092F6F8, 0x00000002, 0x00000000, 0x80523DBE)

Beginning dump of physical memory
Physical memory dump complete
Contact your system administrator or technical support group for further assistance



Not sure what this all means or if it is helpful to you at all.
I have had no more trouble today other than this. Computer is still slow and still runs fan hard when opening 2 or three programs at a time.

Thanks so much for your help,


Spasticgamer

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:52 PM

Posted 24 May 2010 - 11:41 PM

Hello spasticgamer

I have been going over this thread over and over and it sounds like to me that the harddrive is about to go out,

you did have some bad infections but they are now gone and the symtoms you discribe sounds to me like the harddrive.

I would like the tech side to look at this and see what they come up with

start a topic >here< with the stop codes that you got last time also give them a link to this topic with some more explination to what is going on, after you have made a topic please come back here and give me a link to the topic so I can follow it and put in my 2 cents if needed and to finish us up when it is resolved.

here is the link --> http://www.bleepingcomputer.com/forums/ind...t&p=1763335

lets find out what is going on

gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 spasticgamer

spasticgamer
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
    •  
  • Local time:10:52 PM

Posted 25 May 2010 - 11:20 AM

Gringo,


I have started the new post as per your instructions.

Here is the link: http://www.bleepingcomputer.com/forums/t/319113/possible-problem-with-hard-drive/



Thank you so much for everything.



Spasticgamer
Back to Virus, Trojan, Spyware, and Malware Removal Help


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Help
  4. Privacy Policy
  5. Rules ·