sloooow


  • This topic is locked
64 replies to this topic

#1 basssinger


Posted 04 November 2010 - 06:15 PM

Gentlemen,

For several weeks now, my computer has been running VEEERY slow. Programs will crash with the message "Not responding", but may start up again in 1 1/2 to 2 minutes.

I have updated & run Adaware, AVG, Malwarebyte, Spybot, Spysweeper and MS Malware remover. They all claim to find nothing wrong. HijackThis gave me a log but I don't know where to send it.

I have gone through the "Preparation Guide ... " and "Slow computer? use this..." but the wretched slowness continues. Bill Hely, author of "The Hacker's Nightmare", suggested you might be able to help.

I hope there might be someone who could look through my HJT log to see if there's something I'm missing.

Thank you in advance.

Sincerely,
basssinger


#2 etavares


Posted 12 November 2010 - 06:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 basssinger


Posted 15 November 2010 - 11:07 AM

etavares,
Sad to say, the original problem has NOT been eradicated: bootup is extremely slow, programs run extremely slow with frequent "not responding" notifications (hang ups) but may continue after 1 to 1 1/2 minutes, and extremely slow shut downs.

I have updated and run Ad-Aware, AVG, Malwarebytes, Spybot S&D, Spy Sweeper, CCleaner and MS Malware Remover -they all report no problems.

I went through the "Slow computer/browser...?" article and "Preparation Guide for use Before..." with no discernible change in symptoms.

Here are the files requested in your reply. I'm not entirely sure where to send them, since my topic was already started ...

Holding off changing anything until I hear from you again.

Thank you for taking time to look through my "notes".

Sincerely,
Rod Colquhoun

Attached File: OTL.Txt (105.85 KB)

#4 Orange Blossom


Posted 15 November 2010 - 02:46 PM

Hello basssinger,

I have merged your new topic to your previous topic where it belongs. Please keep all posts regarding this issue to this topic by using the Add Reply button found near the bottom of the topic. Starting new topics confuses things for all concerned and delays the assistance you receive.

Back to you etavares,

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 etavares


Posted 15 November 2010 - 07:19 PM

Hello, basssinger.

As OB notes, please just reply to this topic instead of starting a new thread. If she hadn't caught your reply, I definitely would not have.

I don't see much in your logs, but these symptoms are often malware. Let's dig deeper. It is important to note that often a slow system is not related to malware as well, so we'll have to figure this out.





Registry Cleaner Warning


I also see that you have a registry cleaner installed (in your case Uniblue Power Suite). Here at BC, we do not recommend using registry cleaners. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578

Registry Cleaner Warning


I also see that you have CCleaner installed. It is a great tool that I use. However, be careful of the registry cleaning functionality (versus file cleaning). Here at BC, we do not recommend using registry cleaners as they don't speed up your computer and they can do more harm than good if they remove a legitimate entry. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578






Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Extract RKUnhooker to your desktop.
    Note** it is zipped up in a .rar file - if you do not have a program to unzip this type of file,
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait until the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.



Step 2

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

etavares




#6 etavares

  • Local time:08:57 AM

Posted 20 November 2010 - 07:52 AM

still with me?




#7 etavares


Posted 23 November 2010 - 06:37 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




#8 etavares


Posted 30 November 2010 - 10:53 AM

Reopened at OP's request. Please follow the instructions above in Post #5.




#9 basssinger


Posted 01 December 2010 - 11:10 AM

Thanks 1 000 000 for coming back, and thanks to Orange Blossom for straightening out my mess.

Re post #5:

I will cease and desist with the Reg Cleaner. I do have ERUNT but from some time ago and I was not at all sure what it was for.

Cleaned out one Trusted site, still had some files about https: MS update.com.

Did the RKUnhooker but did not get the "LE" version. "Report" and "scan" did not appear, nor did "Drivers, Stealth" and the rest. What I did get was file <1c41rmFlQxlleS.exe>. I tried running it but got a notice from AVG that it was being deleted. Looked for a way to shut down AVG but the "exit" button did not close the notification bar icon.

The warning about a parasite did not appear.

Then I found "report.txt".

Downloaded MBRCheck and ran it.


Hopefully, all this will mean something to you AND I will get it to your inbox!

Again, many thanks for your help.

Rod Colquhoun



MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fd

Kernel Drivers (total 146):

Processes (total 48):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000010`002a4400 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x0000000d`8c9fc600 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500AAJB-00WGA0, Rev: 00.02C01
PhysicalDrive1 Model Number: WDCWD1200JB-00GVA0, Rev: 08.02D08

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: 397480E03F82925B9B94EA2A54A75A78E81FD00F
111 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
ntoskrnl.exe-->NtAllocateVirtualMemory, Type: Address change 0x80568FCA-->89FCECD8 [Unknown module filename]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x80570833-->F766787E [Lbd.sys]
ntoskrnl.exe-->NtCreateProcess, Type: Address change 0x805B14AC-->89FA15B0 [Unknown module filename]
ntoskrnl.exe-->NtCreateProcessEx, Type: Address change 0x8057FE4C-->89FA1538 [Unknown module filename]
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x80587A3C-->89FCEFA8 [Unknown module filename]
ntoskrnl.exe-->NtDeleteKey, Type: Address change 0x80595316-->89FBA340 [Unknown module filename]
ntoskrnl.exe-->NtDeleteValueKey, Type: Address change 0x80592D64-->89FA1628 [Unknown module filename]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x805719AC-->B92D7670 [C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys]
ntoskrnl.exe-->NtQueueApcThread, Type: Address change 0x8058A487-->89FCED50 [Unknown module filename]
ntoskrnl.exe-->NtReadVirtualMemory, Type: Address change 0x8057E4B8-->89FCEBE8 [Unknown module filename]
ntoskrnl.exe-->NtRenameKey, Type: Address change 0x8064EAEA-->89FBA2C8 [Unknown module filename]
ntoskrnl.exe-->NtSetContextThread, Type: Address change 0x8062E057-->89FCEE40 [Unknown module filename]
ntoskrnl.exe-->NtSetInformationKey, Type: Address change 0x8064E1CE-->89FA1718 [Unknown module filename]
ntoskrnl.exe-->NtSetInformationProcess, Type: Address change 0x8056DDD9-->89FA1448 [Unknown module filename]
ntoskrnl.exe-->NtSetInformationThread, Type: Address change 0x80575756-->89FCEEB8 [Unknown module filename]
ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x80572A6E-->F7667BFE [Lbd.sys]
ntoskrnl.exe-->NtSuspendProcess, Type: Address change 0x8062FC39-->89FCE020 [Unknown module filename]
ntoskrnl.exe-->NtSuspendThread, Type: Address change 0x805E053E-->89FCEDC8 [Unknown module filename]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805824CC-->B92D7720 [C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys]
ntoskrnl.exe-->NtTerminateThread, Type: Address change 0x8057BA6F-->B92D77C0 [C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x8057E60A-->B92D7860 [C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys]
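The RkU hook list above, parsed and bucketed as an added example that is not part of this thread: it separates SSDT hooks that resolve to the security products the poster has installed (AVGIDSShim.sys from AVG Identity Protection, and Lbd.sys, assumed here to be Ad-Aware's driver) from hooks RkU could not attribute to any loaded module, which are the ones a responder follows up first. The allowlist of expected modules is an assumption for this example, and the sample input is an excerpt copied from the report posted above.

```python
import re
from collections import defaultdict

# One RkU "Address change" entry has the shape:
#   ntoskrnl.exe-->NtCreateKey, Type: Address change 0x80570833-->F766787E [Lbd.sys]
HOOK_RE = re.compile(
    r"^(?P<image>\S+?)-->(?P<func>\w+), Type: Address change "
    r"0x(?P<old>[0-9A-Fa-f]+)-->(?P<new>[0-9A-Fa-f]+) \[(?P<module>[^\]]*)\]$"
)
UNKNOWN = "Unknown module filename"  # RkU's marker for a target outside any loaded image

# Excerpt of the RkU report posted in this thread (copied from above, not constructed).
SAMPLE_REPORT = r"""
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
ntoskrnl.exe-->NtAllocateVirtualMemory, Type: Address change 0x80568FCA-->89FCECD8 [Unknown module filename]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x80570833-->F766787E [Lbd.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x805719AC-->B92D7670 [C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys]
ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x80572A6E-->F7667BFE [Lbd.sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805824CC-->B92D7720 [C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys]
ntoskrnl.exe-->NtDeleteKey, Type: Address change 0x80595316-->89FBA340 [Unknown module filename]
"""

# Assumed allowlist: drivers of the security products the poster says are installed.
EXPECTED_SECURITY_MODULES = {"avgidsshim.sys", "lbd.sys"}


def parse_hooks(report_text):
    """Return one dict per Address-change line; header and other lines are skipped."""
    hooks = []
    for line in report_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({
                "image": m["image"],
                "func": m["func"],
                "old": int(m["old"], 16),   # original SSDT entry (inside ntoskrnl)
                "new": int(m["new"], 16),   # where the entry now points
                "module": m["module"],
            })
    return hooks


def module_name(path):
    """Basename of a module reference; RkU prints some as bare names, some as full paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def hooks_by_module(hooks):
    """Group hooked function names by the module that owns the new address."""
    groups = defaultdict(list)
    for h in hooks:
        groups[module_name(h["module"])].append(h["func"])
    return dict(groups)


def triage(hooks, expected_modules):
    """Bucket hooks for review:
    known        - target lies in a driver on the expected-security-products allowlist
    review       - target lies in a named driver that is not on the allowlist
    unattributed - RkU could not map the target to any loaded image (follow up first)
    """
    buckets = {"known": [], "review": [], "unattributed": []}
    for h in hooks:
        if h["module"] == UNKNOWN:
            buckets["unattributed"].append(h["func"])
        elif module_name(h["module"]).lower() in expected_modules:
            buckets["known"].append(h["func"])
        else:
            buckets["review"].append(h["func"])
    return buckets


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_REPORT)
    for mod, funcs in hooks_by_module(hooks).items():
        print(f"{mod}: {', '.join(funcs)}")
    print(triage(hooks, EXPECTED_SECURITY_MODULES))
```

Hooks landing in the "unattributed" bucket are not a verdict by themselves; they are the entries to reconcile against the loaded driver list before deciding anything.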

#10 etavares


Posted 17 December 2010 - 05:38 PM

Hello, basssinger.

Thanks for the PM. In the future, please, please PM me if it's been more than 2 days since your last reply. I'm really sorry I overlooked this. When I reopened the topic, I swear I re-watched it, but either it didn't go through or I just forgot.

We need to run Combofix.

ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first. We can reinstall it when we're done with CF. Please let me know if you do uninstall it.

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares




#11 basssinger


Posted 23 December 2010 - 04:27 PM

I'm getting a bit confused with the 2 "places" going: one's at "sloooow.." and the other at "reopened thread".
Where do I send the combofix file so you can have a look at it ?

basssinger

#12 etavares


Posted 23 December 2010 - 06:52 PM

Please use this thread here which I reopened. I can't find any other thread that you have started. I looked in your profile and also did a search of the forums. Can you please provide a link? I can merge them together.

Please post the combofix log here and we'll keep pressing on.

Thanks!




#13 basssinger


Posted 23 December 2010 - 09:24 PM

maybe just as well to keep to this one.

here's the combofix file:

ComboFix 10-12-18.01 - Owner 18/12/2010 14:47:06.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.2047.1489 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\etavaresCF.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\UNWISE.EXE
c:\windows\d.ini
c:\windows\system32\spool\prtprocs\w32x86\CBWP_OLD.DLL
e:\business\Entrepreneurial\MoneyBKv1\MoNEybkv1.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-17 01:01 . 2009-12-22 16:09 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-12-03 09:05 . 2010-03-18 16:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-29 22:42 . 2009-09-23 00:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2010-01-07 18:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-22 14:46 . 2009-05-22 18:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-18 18:12 . 2009-05-22 14:54 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 00:44 . 2010-10-23 17:48 67568 ----a-w- c:\windows\system32\drivers\usbhub20.sys
2010-11-06 00:26 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2001-08-18 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-04 17:56 . 2009-11-19 17:45 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-03 12:25 . 2009-05-22 17:13 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-18 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2001-08-18 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2001-08-18 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-23 17:49 . 2010-10-23 17:49 7180 ----a-w- c:\windows\system32\drivers\a2ptbtn.sys
2010-10-23 17:46 . 2010-10-23 17:46 38853 ----a-w- c:\windows\system32\drivers\FastNIC.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2005-12-21 73728]
"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-07 98304]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-03-27 5107544]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-11-27 390600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\AutorunsDisabled
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-7-21 965176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2006-05-03 16:44 61440 ----a-w- c:\windows\system32\ati2evxx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 16:24 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [18/03/2010 11:55 AM 64288]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [21/04/2009 5:27 PM 29808]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [11/04/2010 11:57 AM 911680]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [11/04/2010 11:57 AM 2480048]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [26/05/2009 6:46 PM 1201640]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [11/04/2010 11:57 AM 160704]
R3 FastNIC;PCI/R8139DL CardBus 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\FastNIC.sys [23/10/2010 12:46 PM 38853]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/12/2010 4:05 AM 1389400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [31/07/2006 7:44 AM 580992]
S3 ca506aaf;ADS USB Audio Filter Driver (WDM);c:\windows\system32\drivers\ca506aaf.sys [17/06/2009 3:31 PM 14273]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [03/12/2010 4:05 AM 15264]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 7:20 AM 14904]
S3 SPCA506AV;USB Instant VCD;c:\windows\system32\DRIVERS\CA506AV.SYS --> c:\windows\system32\DRIVERS\CA506AV.SYS [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [18/08/2001 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [28/08/2009 4:15 PM 582424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-12-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 09:05]

2010-12-16 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-28 21:15]

2010-03-14 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-28 21:15]

2010-12-18 c:\windows\Tasks\User_Feed_Synchronization-{9D2914BC-883E-427C-BDDA-DD55CFEF62A7}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

2010-01-20 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2009-08-28 21:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lite.rogers.yahoo.com/
uInternet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\i5vphnyl.default\
FF - prefs.js: browser.startup.homepage - hxxp://lite.rogers.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: IE Tab Plus: coralietab@mozdev.org - %profile%\extensions\coralietab@mozdev.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

AddRemove-OVT Scanner - c:\windows\omniuns.exe USB\Vid_05a9&PID_1550 OVT Scanner
AddRemove-Registry Mechanic_is1 - c:\program files\Registry Mechanic\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-18 14:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
Completion time: 2010-12-18 14:56:35
ComboFix-quarantined-files.txt 2010-12-18 19:56

Pre-Run: 44,483,407,872 bytes free
Post-Run: 44,537,974,784 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

- - End Of File - - 5ACA60042C464A67246E47C0E9D63CE8

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:08:57 AM

Posted 24 December 2010 - 07:51 AM

Hello, basssinger.


Step 1

Do you know what this file is?
e:\business\Entrepreneurial\MoneyBKv1\MoNEybkv1.exe

There are zero Google references which suggest it is bad, but given the directory, perhaps it is a false positive?

Step 2


I see you have XoftSpy installed. All the earlier versions are known rogue software. Web of Trust rates the site that provides it (Paretologic.com) as yellow, meaning it is not a well regarded safe website. They engage in questionable practices.

Please uninstall XoftSpy from the add/remove programs. We'll replace it with MBAM in the next step.

Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

etavares

Edited by etavares, 24 December 2010 - 07:51 AM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#15 basssinger

basssinger
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:07:57 AM

Posted 24 December 2010 - 01:19 PM

hello, etavares.

1) Yes, that mystery file is a passworded ebook from boogiejack.com. I was surprised it showed up this way.

2) XoftSpy from Pareto-whatever was deleted a couple of weeks ago by Revo Uninstaller, I thought. It does not show up in Revo or Add/Remove Programs, but I did find a folder in C:\Program Files, so I deep-sixed it.

3) I have had Malwarebytes for a long time now and use it regularly, last time I ran it in quick mode after updating to database 5376 around the 22 Dec.

NOW THERE'S A PROBLEM:
I get "AVG Resident Shield Alert", c:\temp\Malwarebytes' Antimalware\mbamcore.dll; trojan horse BackDoor.Generic13.YXM detected on open.

When I try to start mbam I get a window with "file not found: mbamcore". Means, I guess, I'll have to go fishing (NOT phishing!) for the log ...

I went to AVG Virus Encyclopedia but it was not listed.

In the AVG alert window, I did option "move to vault".

so here's one log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5376

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/12/2010 10:20:41 AM
mbam-log-2010-12-22 (10-20-41).txt

Scan type: Quick scan
Objects scanned: 162482
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


NO JOY there.

here's the previous log:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5289

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

10/12/2010 1:00:04 PM
mbam-log-2010-12-10 (13-00-04).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 276329
Time elapsed: 28 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\Intel\createshare\program\lpifpx5rdllmmx.dll (Trojan.Scar) -> Quarantined and deleted successfully.

Well, that's the story so far.
I'd be glad for any help you can offer.

Thanks for your continued attention to my case.

Have a very Merry Christmas, etavares.

basssinger



