Avast boot time scan help


  • This topic is locked
2 replies to this topic

#1 Sam29

Sam29

  • Members
  • 1 posts

Posted 10 September 2011 - 09:33 PM

Can anyone please help me find out why my computer is messed up? Any icon or program I try to open takes forever. This has never happened before, so I scanned with Avast and HijackThis. Here are the results of both scans. Please help, thanks.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:01:05 PM, on 9/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\PROGRA~1\ALWILS~1\Avast5\aswWebRepIE.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\PROGRA~1\ALWILS~1\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [{F9AA8FE2-E89A-E99B-E8b8-E9AE9B9ABA99}] "C:\Program Files\Cricket Broadband Connect\AvqAutoRun.exe" "C:\Program Files\Cricket Broadband Connect\mphonetools.exe" /OnPlug=%s
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.daysinn.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1282765973858
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: ResultBrowse Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\ResultBrowse\resultbrowse117.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4814 bytes

09/10/2011 16:19
Scan of all local drives

File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1S9EK427\upgrade[1].cab|>upgrade.exe|>$0\questbrowser.exe is infected by Win32:Zwangi-K [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1S9EK427\upgrade[2].cab|>upgrade.exe|>$0\uninstall.exe is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1S9EK427\upgrade[2].cab|>upgrade.exe|>$0\questbrowser.exe is infected by Win32:Zwangi-P [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1S9EK427\upgrade[2].cab|>upgrade.exe is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1S9EK427\upgrade[2].cab is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2GMP1F7T\upgrade[1].cab|>upgrade.exe|>$0\uninstall.exe is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2GMP1F7T\upgrade[1].cab|>upgrade.exe|>$0\questbrowser.exe is infected by Win32:Zwangi-K [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2GMP1F7T\upgrade[1].cab|>upgrade.exe is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2GMP1F7T\upgrade[1].cab is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2GMP1F7T\upgrade[2].cab|>upgrade.exe|>$0\uninstall.exe is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2GMP1F7T\upgrade[2].cab|>upgrade.exe|>$0\questbrowser.exe is infected by Win32:Zwangi-P [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2GMP1F7T\upgrade[2].cab|>upgrade.exe is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2GMP1F7T\upgrade[2].cab is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6CRYL59Y\upgrade[1].cab|>upgrade.exe|>$0\resultbrowse.dll is infected by Win32:Zwangi-BE [Adw], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6CRYL59Y\upgrade[1].cab|>upgrade.exe|>$0\uninstall.exe is infected by Win32:Zwangi-AV [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6CRYL59Y\upgrade[1].cab|>upgrade.exe|>$0\resultbrowse.exe is infected by Win32:Zwangi-J [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6CRYL59Y\upgrade[1].cab|>upgrade.exe is infected by Win32:Zwangi-AV [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6CRYL59Y\upgrade[1].cab is infected by Win32:Zwangi-AV [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6CRYL59Y\upgrade[2].cab|>upgrade.exe|>$0\questbrowser.exe is infected by Win32:Zwangi-K [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6CRYL59Y\upgrade[3].cab|>upgrade.exe|>$0\questbrowser.exe is infected by Win32:Zwangi-P [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F41NWGUL\upgrade[1].cab|>upgrade.exe|>$0\uninstall.exe is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F41NWGUL\upgrade[1].cab|>upgrade.exe|>$0\questbrowser.exe is infected by Win32:Zwangi-J [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F41NWGUL\upgrade[1].cab|>upgrade.exe is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F41NWGUL\upgrade[1].cab is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F41NWGUL\upgrade[2].cab|>upgrade.exe|>$0\uninstall.exe is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F41NWGUL\upgrade[2].cab|>upgrade.exe|>$0\questbrowser.exe is infected by Win32:Zwangi-M [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F41NWGUL\upgrade[2].cab|>upgrade.exe is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F41NWGUL\upgrade[2].cab is infected by Win32:Zwangi-AU [PUP], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F41NWGUL\upgrade[3].cab|>upgrade.exe|>$0\questbrowser.exe is infected by Win32:Zwangi-P [PUP], Moved to chest
File C:\Documents and Settings\Owner\Local Settings\Temp\9CpdgLf2.exe.part|>[Embedded_R#001280]|>Wise0014.bin Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\Owner\Local Settings\Temp\uocC.tmp|>10.exe is infected by Win32:Dropper-EFC [Trj], Moved to chest
File C:\Documents and Settings\Owner\Local Settings\Temp\uocC.tmp|>40.exe|>[Embedded_R#02a0ac] is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\Documents and Settings\Owner\Local Settings\Temp\uocC.tmp|>40.exe is infected by Win32:Malware-gen, Moved to chest
File C:\Documents and Settings\Owner\Local Settings\Temp\uocC.tmp|>rdns.exe is infected by Win32:Malware-gen, Moved to chest
File C:\Program Files\SmileyCentral_1vEI\Installr\8.bin\1vEZSETP.dll is infected by Win32:PUP-gen [PUP], Moved to chest
File C:\System Volume Information\_restore{27780000-3146-41F8-9D5D-80329D85CA68}\RP194\A0037989.exe is infected by Win32:Zwangi-P [PUP], Moved to chest
File C:\System Volume Information\_restore{27780000-3146-41F8-9D5D-80329D85CA68}\RP194\A0037990.exe is infected by Win32:Zwangi-J [PUP], Moved to chest
File C:\System Volume Information\_restore{27780000-3146-41F8-9D5D-80329D85CA68}\RP194\A0037991.exe is infected by Win32:Zwangi-K [PUP], Moved to chest
File C:\System Volume Information\_restore{27780000-3146-41F8-9D5D-80329D85CA68}\RP194\A0038039.exe is infected by Win32:Zwangi-AV [PUP], Moved to chest
File C:\System Volume Information\_restore{27780000-3146-41F8-9D5D-80329D85CA68}\RP194\A0038040.exe is infected by Win32:Zwangi-J [PUP], Moved to chest
File C:\System Volume Information\_restore{27780000-3146-41F8-9D5D-80329D85CA68}\RP194\A0038042.exe is infected by Win32:Zwangi-P [PUP], Moved to chest
File C:\System Volume Information\_restore{27780000-3146-41F8-9D5D-80329D85CA68}\RP196\A0038396.exe is infected by Win32:Zwangi-J [PUP], Moved to chest

Number of searched folders: 1167
Number of tested files: 33779
Number of infected files: 41



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,540 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 September 2011 - 09:07 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know if the problem persists.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,540 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 September 2011 - 09:22 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



