Slow Computer


9 replies to this topic

#1 wigwams2 (Members, 6 posts)

Posted 05 July 2011 - 03:23 PM

Hello,

I'm running XP Pro SP3, ran a Malwarebytes scan and it stopped access from a couple of IP addresses that originated in China (based on a Google search). I removed PC Mighty Max (at least most of what I could find). Any help is appreciated.

Edited by Orange Blossom, 07 July 2011 - 11:16 PM.
Moved to AII from XP. ~ OB



#2 USN Vet (Members, 190 posts)

Posted 06 July 2011 - 01:32 AM

What processes in Task Manager are hogging the resources?
Feel free to ignore my comment, just another user!

#3 wigwams2 (Topic Starter, Members, 6 posts)

Posted 07 July 2011 - 11:58 AM

Nothing visible that I can see. Firefox was the big one (when it's open). The CPU would peg at 100% at times when nothing extraordinary was going on. Memory usage was about 350 MB, which seems high, but could be because I only have 512.

#4 Broni, The Coolest BC Computer (BC Advisor, 42,699 posts, Daly City, CA)

Posted 07 July 2011 - 10:29 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Check the following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#5 wigwams2 (Topic Starter, Members, 6 posts)

Posted 06 August 2011 - 06:56 PM

Apologies for the late reply. I'm doing this for my grandparents and that last step was too advanced for them.
Here's the checkup file:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
McAfee Security Scan Plus
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Malwarebytes' Anti-Malware
CCleaner
Java 2 Runtime Environment Standard Edition v1.3.1_04
Java™ 6 Update 17
Out of date Java installed!
Adobe Flash Player 10.2.152.32
Adobe Reader 7.0.7
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.15)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````

#6 wigwams2 (Topic Starter, Members, 6 posts)

Posted 06 August 2011 - 07:10 PM

Here's the Malwarebytes file (note: I removed/quarantined after this scan, but I wanted you to see the results):

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7027

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/5/2011 10:48:54 AM
mbam-log-2011-07-05 (10-48-54).txt

Scan type: Full scan (C:\|)
Objects scanned: 219180
Time elapsed: 1 hour(s), 40 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3f6555c4-0a24-11dc-8314-0800200c9a66} (Rogue.PcMightyMax) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 wigwams2 (Topic Starter, Members, 6 posts)

Posted 06 August 2011 - 07:11 PM

Here's the MiniToolBox text:

MiniToolBox by Farbar
Ran by Gateway User (administrator) on 06-08-2011 at 16:48:38
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com

There are 15019 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : computer
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4)
Physical Address. . . . . . . . . : 00-04-5A-52-30-DC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Saturday, August 06, 2011 4:38:17 PM
Lease Expires . . . . . . . . . . : Sunday, August 07, 2011 4:38:17 PM

Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.224.81, 74.125.224.82, 74.125.224.83, 74.125.224.84, 74.125.224.80

Pinging google.com [74.125.224.50] with 32 bytes of data:

Reply from 74.125.224.50: bytes=32 time=22ms TTL=51
Reply from 74.125.224.50: bytes=32 time=20ms TTL=51

Ping statistics for 74.125.224.50:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 22ms, Average = 21ms

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 72.30.2.43, 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=26ms TTL=51
Reply from 72.30.2.43: bytes=32 time=19ms TTL=51

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 26ms, Average = 22ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 04 5a 52 30 dc ...... Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.2 192.168.1.2 20
192.168.1.2 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.2 192.168.1.2 20
224.0.0.0 240.0.0.0 192.168.1.2 192.168.1.2 20
255.255.255.255 255.255.255.255 192.168.1.2 192.168.1.2 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/05/2011 11:29:56 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (07/05/2011 11:29:55 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (07/05/2011 11:29:55 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (07/05/2011 00:34:27 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (07/05/2011 00:34:27 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (07/05/2011 00:34:26 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (07/05/2011 00:34:26 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (07/05/2011 00:34:25 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (07/05/2011 00:34:24 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (06/27/2011 04:50:19 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.


System errors:
=============
Error: (08/06/2011 04:40:59 PM) (Source: Service Control Manager) (User: )
Description: The Windows Image Acquisition (WIA) service hung on starting.

Error: (08/06/2011 04:40:56 PM) (Source: Service Control Manager) (User: )
Description: The Fax service hung on starting.

Error: (08/06/2011 04:39:52 PM) (Source: Service Control Manager) (User: )
Description: The lxeaCATSCustConnectService service failed to start due to the following error:
%%1053

Error: (08/06/2011 04:39:52 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the lxeaCATSCustConnectService service to connect.

Error: (08/06/2011 04:38:39 PM) (Source: 0) (User: )
Description: UdfReadr.SYS

Error: (08/06/2011 04:38:39 PM) (Source: 0) (User: )
Description: cdudf.SYS

Error: (08/05/2011 10:45:21 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.

Error: (08/03/2011 09:39:05 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.

Error: (08/01/2011 02:40:15 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.

Error: (08/01/2011 00:44:00 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate1c9bc47bd14617b with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}


Microsoft Office Sessions:
=========================
Error: (07/05/2011 11:29:56 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (07/05/2011 11:29:55 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (07/05/2011 11:29:55 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (07/05/2011 00:34:27 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (07/05/2011 00:34:27 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (07/05/2011 00:34:26 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (07/05/2011 00:34:26 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (07/05/2011 00:34:25 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (07/05/2011 00:34:24 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (06/27/2011 04:50:19 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.


========================= Memory info: ===================================

Percentage of memory in use: 72%
Total physical RAM: 511.3 MB
Available physical RAM: 138.71 MB
Total Pagefile: 864.58 MB
Available Pagefile: 440.76 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.54 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:18.64 GB) (Free:3.5 GB) FAT32

========================= Users: ========================================

User accounts for \\COMPUTER

Administrator Gateway User Guest
HelpAssistant SUPPORT_388945a0


== End of log ==
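The MiniToolBox report requested in post #4 and posted above is what a responder actually reads, so here is an added example (my code, not part of the thread and not MiniToolBox's own) of the two checks worth automating over it: classifying the hosts file and grouping the event-log errors. A hosts file with thousands of 127.0.0.1 lines is expected here, since Security Check lists the MVPS Hosts File; what matters is whether any entry redirects a name to a non-loopback address, or blackholes an update or anti-malware domain (the WATCHLIST below is my assumption of such domains). The section headers and the `Error: (...) (Source: ...)` / `Description:` record layout are taken from the report as posted; the sample report is constructed, with a www.malwarebytes.org blackhole and a www.google.com redirect injected so the checks have something to find.

```python
"""Triage of a MiniToolBox-style report: hosts-file classification and grouping of
repeated event-log errors. Added example, not MiniToolBox's own code. WATCHLIST is
an assumed list of update/anti-malware domains a hostile hosts file would blackhole."""
import re
from collections import Counter

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
WATCHLIST = ("malwarebytes.org", "windowsupdate.com", "microsoft.com", "avast.com")

SECTION_RE = re.compile(r"^=+ (?P<name>[^=:\n]+?):? =+$", re.M)
EVENT_RE = re.compile(
    r"^Error: \((?P<ts>[^)]*)\) \(Source: (?P<src>[^)]*)\) ?\(User: (?P<user>[^)]*)\)[ \t]*\n"
    r"Description: (?P<desc>.*?)(?=\n[ \t]*\n|\Z)",
    re.M | re.S,
)

# Constructed excerpt modelled on the posted report; the www.malwarebytes.org
# blackhole and the www.google.com redirect are injected to exercise the checks.
SAMPLE_REPORT = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
========================= Hosts content: =================================

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 www.malwarebytes.org
10.20.30.40 www.google.com

There are 15019 more lines starting with "127.0.0.1"

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/05/2011 11:29:56 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (07/05/2011 11:29:55 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/authrootseq.txt> with error: This operation returned because the timeout period expired.

System errors:
=============
Error: (08/06/2011 04:39:52 PM) (Source: Service Control Manager) (User: )
Description: The lxeaCATSCustConnectService service failed to start due to the following error:
%%1053

Error: (08/05/2011 10:45:21 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.

========================= Memory info: ===================================

Percentage of memory in use: 72%
"""


def split_sections(report):
    """Map each '==== Name: ====' header to the text that follows it."""
    heads = list(SECTION_RE.finditer(report))
    ends = [h.start() for h in heads[1:]] + [len(report)]
    return {h.group("name").strip(): report[h.end():end] for h, end in zip(heads, ends)}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and lines whose first token is not an
    address (such as the tool's own 'There are N more lines' summary) are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or not re.fullmatch(r"(?=.*[.:])[0-9a-fA-F.:]+", parts[0]):
            continue
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries


def classify_hosts(entries):
    """Loopback targets are what a blocklist such as MVPS installs and are only notable
    when they hit an update/AV domain; a non-loopback target is a redirect."""
    out = {"blackholed": 0, "blocked_security_domains": [], "redirects": []}
    for ip, name in entries:
        if name == "localhost":
            continue
        if ip in LOOPBACK:
            out["blackholed"] += 1
            if any(name == d or name.endswith("." + d) for d in WATCHLIST):
                out["blocked_security_domains"].append(name)
        else:
            out["redirects"].append((name, ip))
    return out


def group_event_errors(text):
    """Count errors by (source, message). crypt32 messages differ only in the trailing
    'with error:' reason, so grouping on the prefix collapses the repeats."""
    counts = Counter()
    for m in EVENT_RE.finditer(text):
        desc = " ".join(m.group("desc").split()).split(" with error:")[0]
        counts[(m.group("src"), desc)] += 1
    return counts


def triage(report):
    sections = split_sections(report)
    return {
        "hosts": classify_hosts(parse_hosts(sections.get("Hosts content", ""))),
        "events": group_event_errors(sections.get("Event log errors", "")),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("hosts:", result["hosts"])
    for (src, msg), n in result["events"].most_common():
        print(f"{n:3d}x [{src}] {msg}")
```

Run against the report as actually posted, the hosts check reports only blackholes to a blocklist's domains and no redirects, and the event grouping reduces the ten crypt32 entries to a single repeated message: the machine could not fetch the Microsoft root-certificate list, which fits a box that is not updating rather than an infection on its own.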

#8 Broni, The Coolest BC Computer (BC Advisor, 42,699 posts, Daly City, CA)

Posted 06 August 2011 - 09:42 PM

I still need the GMER log.


#9 wigwams2 (Topic Starter, Members, 6 posts)

Posted 06 August 2011 - 10:50 PM

GMER just finished.

I don't see anywhere to attach the actual file, but the text is here (doesn't seem like all of it?):

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-06 20:45:08
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST320410A rev.3.34
Running: d3xc8otn.exe; Driver: C:\DOCUME~1\GATEWA~1\LOCALS~1\Temp\pgliqpow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#10 Broni, The Coolest BC Computer (BC Advisor, 42,699 posts, Daly City, CA)

Posted 06 August 2011 - 10:53 PM

You can safely uninstall McAfee Security Scan Plus, typical foistware.

You're not running any AV program.
Install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Update, run full scan, report on any findings.
