Slow computer


3 replies to this topic

#1 paganw

paganw

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:16 PM

Posted 23 March 2012 - 02:22 AM

I noticed my computer running slowly within the past week; an instance of svchost.exe starts using excessive memory & shutting it down through Task Manager does not help because it relaunches and within ten minutes is doing it again (using over 250 MB of memory within 10 minutes). I have XP Home so I don't have tasklist but was able to download procexp.exe from Microsoft. I think that occurrence of svchost.exe is responsible for BITS, EventSystem, Nla, RasMan, SENS, TapiSrv, W32Time & winmgnt (Task Manager lists the svchost.exe using excessive memory as SYSTEM, but procexp lists it as netsvcs; I have no problems with the netsvcs occurrence in Task Manager, it's using less than 2 MB of memory).

I started with the steps listed under the page labeled "Slow Computer?" and was able to complete steps 1-5 but I get stuck at step 6; my computer will only let me run CHKDSK in Safe Mode as read-only. If I want to run it so it can correct errors it finds I have to allow the computer to start up normally.

Step 1: Found 13 problems (malware), 11 were able to be removed, 2 weren't. After removal the program suggested I rerun it; I did & the other 2 were deleted at that time. No change in svchost.exe memory usage.

Step 2: It was sudden but no new programs had been installed by me recently before the problem occurred. I searched for files modified between 3/14/12 & 3/21/12 because 3/15 was about when I started getting warnings from Avira about Malware (I always click no & remove but some showed up as allow access, including a & also the last time that System Restore created a restore point. I found some odd exe files in the temp directory (all had weird names like ecbtarercysujmolssau, all occurred on 3/14/12 at about 3 pm, none of the properties contained any information about them & they couldn't be uninstalled because they didn't appear anywhere as installed programs). I manually removed those & made sure there was no trace of them in the registry. No change in svchost.exe memory usage.

Step 3: Found 293 tracking cookies & one registry threat from iwin games; all were removed. No change in svchost.exe memory usage.

Step 4: Startup should have been pretty clean, the only 3 programs I set to launch on startup are Avira, Super anti-spyware, & ctfmon; one of the files from 3/14/12 was checked as well, though (Startup item: zchvwceaw; command: rundll32.exe "c:documents and settings\networkservice\application data\Sun\Sun\zchvwceaw.dll", dllregisterservice; location: hkcu\software\microsoft\currentversion\run). I unchecked it, restarted, & checked the registry for any remaining trace of it. No change in svchost.exe memory usage.

Step 5: I frequently transfer large files to a flash drive & had just run Windows Disk Cleanup so there was not much that needed to be deleted. No change in svchost.exe memory usage.

Step 6: Ran this a few days ago in Normal Mode & appeared to fix several errors; in Safe Mode (read-only) it did not indicate finding any errors. No change in svchost.exe memory usage. Since when I ran CHKDSK in Safe Mode it completed all stages and did not indicate finding any errors that needed to be corrected should this suffice for Step 6?

Step 7: I am leery of running Disk Defragmenter with the svchost.exe memory problem still occurring because I am afraid it might use up too much memory to allow Disk Defragmenter to function. I ran an errand while I was waiting for CHKDSK to finish up the last stage; when I came back it had finished and I had no programs open other than msconfig, but there was a yellow warning in the bottom right-hand corner about low memory telling me to launch Task Manager & close some programs. There wasn't enough memory to do that with msconfig open, & when I closed msconfig & launched Task Manager it showed that svchost.exe was using nearly 350 MB of memory. I actually tried defragging several days ago thinking that might be the reason for the sluggishness, and when it completed the analysis of the drive it said that less than 11% of the drive was fragmented so defragmentation was unnecessary; the analysis after going through the above still says 11% but now it says that the drive should be defragmented. Should I try to defrag anyway?

Since I did the above steps I am having additional problems. I get error messages saying programs with unfamiliar names such as 4xG2Ip4t.exe failed to load when I have barely anything open, am not online, & didn't try to launch any new programs; I couldn't get Task manager to open (even from the Start/run prompt); I had to force the computer to shut down; when I restarted it everything except the Recycle Bin was grey; & when I clicked start/all programs it says (empty). That last part is odd since I was able to run Avira & Super anti-spyware to scan individual files, launch Internet Explorer & Outlook Express. I wasn't able to launch Microsoft Word or WordPad, but I was able to open Word files & .rtfs in Microsoft Word.

Since I could pinpoint when this problem started to sometime between 3/14 & 3/15, I backed up my files & tried to use System Restore to restore it to the last restore point before the 14th, but so far the restore points have not worked (every time I get a message that says "Your computer cannot be restored to xxxxxxxx, March xx, 2012 System Checkpoint. No changes have been made to your computer. To choose another restore point, restart System Restore"). I have tried March 13th, 14th (since it was at 6:50 am, which was prior to the problems) & March 12th and got the same message each time.

Edited by hamluis, 23 March 2012 - 06:21 AM.
Moved from XP to Am I Infected.



#2 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:07:16 PM

Posted 23 March 2012 - 10:49 AM

Hi,

That is quite the initial post there. :huh:

After performing these scans, enter the results in your next post and also update me on the status of the PC.

Note: You may have to perform some or all of the following in Safe Mode With Networking, depending on if you have internet access while in the normal Windows environment.

================================================================================

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

================================================================================

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    For instructions with screenshots, please refer to the How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all other options as they are set):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the Control Center screen.
  • Back on the main screen, under "Select Scan Type" check the box for Complete Scan.
  • If your computer is badly infected, be sure to check the box next to Enable Rescue Scan (Highly Infected Systems ONLY).
  • Click the Scan your computer... button.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the scan log after reboot, launch SUPERAntiSpyware again.
  • Click the View Scan Logs button at the bottom.
  • This will open the Scanner Logs Window.
  • Click on the log to highlight it and then click on View Selected Log to open it.
  • Copy and paste the scan log results in your next reply.
-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.
================================================================================

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, go to Start > All Programs > Malwarebytes Anti-Malware folder > Tools > click on Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).
================================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

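An added triage helper for the Malwarebytes Anti-Malware report format requested above (example code written for this page, not the posters' or the vendor's): it parses the `<object> (<threat family>) -> <action>.` detection lines, counts detections per family, flags entries left at "No action taken" or pending a reboot, and compares each section's "Detected:" header count with the lines actually present, which catches a truncated paste. The sample report lines and their GUIDs are constructed.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes Anti-Malware 1.x report format
# ("<object> (<threat family>) -> <action>."). Not a real scan log.
SAMPLE_LOG = r"""Registry Keys Detected: 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EXAMPLE-0001} (PUP.MyWebSearch) -> No action taken.
HKCR\AppID\{EXAMPLE-0002} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCR\CLSID\{EXAMPLE-0003} (Adware.ToolBar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Detected: 2
C:\Program Files (x86)\Example\example.exe (Rogue.FakeHDD) -> Delete on reboot.
C:\WINDOWS\Temp\example.dll (Trojan.Agent) -> No action taken.
"""

# Section header, e.g. "Registry Keys Detected: 42"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Detection line. The object may itself contain " (" (e.g. "Program Files (x86)"),
# so the family group forbids parentheses and must be followed by " -> ".
LINE_RE = re.compile(r"^(?P<obj>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_report(text):
    """Return (detections, header_counts).

    detections   : list of dicts {section, object, family, action}
    header_counts: {section name: count claimed by its 'Detected:' header}
    """
    detections, header_counts, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            header_counts[section] = int(m.group("count"))
            continue
        m = LINE_RE.match(line)
        if m and section is not None:
            detections.append({"section": section, "object": m.group("obj"),
                               "family": m.group("family"), "action": m.group("action")})
    return detections, header_counts


def triage(text):
    """Summarise a report for a responder:
    - detections per threat family
    - entries left at "No action taken" (still present on the system)
    - entries scheduled for "Delete on reboot" (a reboot is still required)
    - sections whose header count differs from the lines present (truncated paste)
    """
    detections, header_counts = parse_report(text)
    seen = Counter(d["section"] for d in detections)
    return {
        "by_family": dict(Counter(d["family"] for d in detections)),
        "no_action": [d for d in detections if d["action"] == "No action taken"],
        "pending_reboot": sum(1 for d in detections
                              if d["action"].startswith("Delete on reboot")),
        "mismatched": {s: (n, seen.get(s, 0))
                       for s, n in header_counts.items() if seen.get(s, 0) != n},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for family, n in sorted(result["by_family"].items()):
        print(f"{n:3d}  {family}")
    for d in result["no_action"]:
        print("NOT REMEDIATED:", d["object"])
    print("pending reboot:", result["pending_reboot"])
    print("count mismatches:", result["mismatched"] or "none")
```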

#3 paganw

paganw
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:16 PM

Posted 26 March 2012 - 06:13 AM

Thanks, I just figured the more info you had, the easier it might be to figure out the solution.

Security Check:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Avira AntiVir Personal - Free Antivirus
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
SUPERAntiSpyware Free Edition
TuneUp Companion 1.9.0
Java™ 6 Update 2
Java 2 Runtime Environment, SE v1.4.2
Java version out of date!
Adobe Flash Player 9.0.124.0 Flash Player out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````

No change in computer's behavior.

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 03/23/2012 at 10:53 PM

Application Version : 5.0.1146

Core Rules Database Version : 0

Trace Rules Database Version: 0

Scan type : Complete Scan

Total Scan Time : 04:19:41

Operating System Information

Windows XP Home Edition 32-bit, Service Pack 2 (Build 5.01.2600)

Administrator

Memory items scanned : 368

Memory threats detected : 0

Registry items scanned : 37324

Registry threats detected : 5

File items scanned : 49384

File threats detected : 113

Disabled.SecurityCenterOption

HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY

HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY

HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#UPDATESDISABLENOTIFY

Adware.Tracking Cookie

Trojan.Agent/Gen-FakeLoad

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\BQBDIMWBRMHTD.EXE

Unclassified.Unknown Origin

HKU\S-1-5-21-229251845-1399500245-1938766618-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C8A568E-4201-478A-8536-526CF371D2E2}

Adware.Vundo Variant

HKU\S-1-5-21-229251845-1399500245-1938766618-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8EEB996-62AA-4E48-995D-EADDCAC47476}

Adware.ClickSpring/Yazzle

C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\GAMEHOUSE SUDOKU FULL\SUDOKUINSTALL.EXE

PUP.CNETInstaller

C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICREINSTALL\CNET2_EPUBTOPDF_EXE.EXE

C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICREINSTALL\CNET2_LUCIDOR-0_9_7-1_MSI.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP2260\A0216746.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP2260\A0216747.EXE

Seems like a lot of third party cookies; especially since my privacy settings are third party: block.

I got several event alerts from Avira while running it and had to manually shut down the svchost.exe multiple times (at least every 15 minutes) during the scan to avoid running out of memory even though no memory items were detected. After the scan start/all programs was still empty except for the ones I downloaded for these scans & still no direct access to Microsoft Word or WordPad. After a restart caused by another Avira warning rSkVSbFvavfCaY was checked in the startup programs list in MSConfig, unchecking it caused System Check (fake HDD rogue defragmenter) to launch.

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.24.01

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 7.0.5730.13
Owner :: DESKTOP [administrator]

Protection: Enabled

3/24/2012 8:53:54 AM
mbam-log-2012-03-24 (08-53-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 247057
Time elapsed: 45 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 42
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{37B85A2B-692B-4205-9CAD-2626E4993404} (PUP.MyWebSearch) -> No action taken.
HKCR\AppID\{F4406238-983A-4845-9053-F1D0007FD135} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCR\CLSID\{25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} (Adware.ToolBar) -> Quarantined and deleted successfully.
HKCR\TypeLib\{737AC58F-3DD4-41E2-B987-81FA402844A4} (Adware.ToolBar) -> Quarantined and deleted successfully.
HKCR\Interface\{17BB379A-997B-465B-8239-157DB81DE909} (Adware.ToolBar) -> Quarantined and deleted successfully.
HKCR\XBTB06829.XBTB06829.3 (Adware.ToolBar) -> Quarantined and deleted successfully.
HKCR\XBTB06829.XBTB06829 (Adware.ToolBar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} (Adware.ToolBar) -> Quarantined and deleted successfully.
HKCR\CLSID\{D37D6C1A-7BA4-47F4-9BF2-75031E257DF6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCR\TypeLib\{84562FCA-EE8B-4585-A1D1-EAE97B23370E} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCR\Interface\{48E92754-2DAF-4DE4-8385-34F631580E9B} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCR\CodecBHO.XMLDOMDocumentEventsSink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCR\CodecBHO.XMLDOMDocumentEventsSink (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCR\Typelib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\Interface\{2BC9A3BD-9FF9-4C52-B8B8-8051ADAA7FF6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\Typelib\{B4094603-DDA9-4CAF-9B13-0AD1034C9C53} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\Interface\{48DC6FFB-64D7-42E8-949D-8EF2641EB73A} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\Typelib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKCR\Interface\{450B9E4D-4014-4DE3-B34E-014A81468293} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{098716A9-0310-4CBE-BD64-B790A9761158} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{53322B35-2C26-4FAC-A713-C31BBAA1C636} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E596DF5F-4239-4D40-8367-EBADF0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{24311111-1111-1121-1111-111191113457} (Trojan.Agent) -> Quarantined and deleted successfully.
HKCR\BhoNew.Bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCR\CodecBHO.CodecPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCR\CodecBHO.CodecPlugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCR\AppID\CodecBHO.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\adssite (Trojan.Agent) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Relevant Knowledge (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Nvchost (Trojan.Goldun) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D9362F8-77D8-4b29-97B5-621D550890C0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\CLSID\{7D9362F8-77D8-4b29-97B5-621D550890C0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\TypeLib\{18568A7D-5B4C-4ff5-AEAA-D4A7CC177243} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\Interface\{9B6FD982-9FCC-4C33-B6ED-59AB7FD0E278} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\Fokoroko.Rombo.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\Fokoroko.Rombo (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7D9362F8-77D8-4B29-97B5-621D550890C0} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Detected: 5
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} (Adware.ToolBar) -> Data: ~%EzMJ -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} (Adware.ToolBar) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} (Adware.ToolBar) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} (Adware.ToolBar) -> Data: -> Quarantined and deleted successfully.
HKCU\Control Panel\Desktop|SCRNSAVE.EXE (Hijack.Wallpaper) -> Data: C:\WINNT\system32\blphcn6lj0e1b9.scr -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|NoDispBackgroundPage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|NoDispScrSavPage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\WINNT\system32\kBin15 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Detected: 5
C:\WINNT\Temp\0.7174204335117028 (Exploit.Drop.9) -> Quarantined and deleted successfully.
C:\WINNT\Temp\0.23109531547351214 (Exploit.Drop.9) -> Quarantined and deleted successfully.
C:\WINNT\BM13839b69.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\BM13839b69.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
(end)

Those last three registry keys seemed to remove System Check; I moved all of the files I could find to the correct folders (I seem to have lost Outlook Express, though) & deleted the folders Security Check created. The files that appeared grey are fine (apparently they look grey because they were changed to hidden files). I still have the same svchost.exe file problem I started with though.

After the System Check problem I decided to get rid of Avira and replace it with Microsoft Essentials, so the service pack has been updated to SP3.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-26 01:49:18
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD1200BB-53DWA0 rev.15.05R15
Running: pigg92n6.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fxddapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINNT\System32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7AB1A60]

---- User code sections - GMER 1.0.15 ----

.text C:\WINNT\System32\svchost.exe[852] kernel32.dll!WriteFile 7C810E17 5 Bytes JMP 0092000C
.text C:\WINNT\System32\svchost.exe[852] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02BA000A
.text C:\WINNT\System32\svchost.exe[852] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 02BB000A
.text C:\WINNT\System32\svchost.exe[852] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 02BC000A
.text C:\WINNT\System32\svchost.exe[852] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E7000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 864462C6

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

The first couple of times I tried running this I had trouble: it would start running and then turn off the computer and restart it. Each time it restarted, dumprep 0-k was in the startup menu of MSconfig and a message popped up that new hardware had been found (nothing new was attached, and the only information about the new hardware was "Unknown"). I disabled dumprep 0-k, restarted and was able to run GMER.

I do not know how it's working right now, since the svchost.exe is usually worse when connected to the internet (it only uses about 14000kbs of memory in 20 minutes without a connection, but 350,000kbs in 10 minutes with a connection), because since I ran GMER I have not been able to get online with this PC. The network adapter is enabled and working, DHCP client is started, the connection is a wired connection plugged directly into the router/modem, and the light on the port it's plugged into is lit up. The icon in the task bar shows details as "Local Area Connection Speed: 100 Mbps Status: Connected", but when I launch IE I get a "page cannot be displayed" error, when I try to update Microsoft Security Essentials it says it could not check for updates due to an Internet network connectivity issue, and E-Mule says "fatal error when trying to connect. Internet connection may be down." I undid the changes to dumprep 0-k and restarted to see if that would help; nothing changed though. I also tried connecting with WiFi using a wireless adapter; it couldn't discover my network, even after setting it up manually just in case the SSID wasn't being broadcast.
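As an added example (not part of the original post, and not code from Malwarebytes or GMER), here is a small Python triage script run over excerpts of the two logs above. It picks out the one MBAM detection that was left at "No action taken", and it separates GMER's 5-byte inline JMP hooks in svchost.exe[852], which land at addresses GMER could not attribute to any loaded module (what injected code looks like), from the IAT entries that resolve to ShimEng.dll, Microsoft's application-compatibility shim engine, and the TDL4 MBR alert. The parsing regexes and the "no module name after the JMP target means unbacked memory" rule are my own assumptions about the log formats, derived from the lines shown in this thread.

```python
"""Triage helpers for the Malwarebytes and GMER logs posted in this thread.

Added example, not part of the original post or of either tool. The parsing
rules and the "unbacked JMP target" heuristic are assumptions derived from the
log lines quoted above, not documented behaviour of Malwarebytes or GMER.
"""
import re

# ---------- Malwarebytes log: which detections were actually handled? ----------

# "<item> (<family>)" optionally followed by " -> Data: ..." or " -> Bad: ... Good: ..."
MBAM_ENTRY = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\)(?: -> .*)?$")


def parse_mbam(log: str):
    """Yield (item, family, action) for every detection line in an MBAM log."""
    for line in log.splitlines():
        if " -> " not in line:
            continue  # section headers, counts, blank lines
        head, action = line.rsplit(" -> ", 1)  # the final arrow carries the action
        m = MBAM_ENTRY.match(head)
        if m:
            yield m["item"], m["family"], action.strip()


def mbam_unhandled(log: str):
    """Detections whose final action was neither a quarantine nor a repair."""
    return [(item, family) for item, family, action in parse_mbam(log)
            if not action.startswith("Quarantined")]


# ---------- GMER user-code sections and disk sectors ----------

INLINE_HOOK = re.compile(
    r"^\.text\s+(?P<proc>\S+\[\d+\])\s+(?P<api>\S+!\S+)\s+[0-9A-F]+\s+\d+ Bytes\s+"
    r"JMP\s+(?P<target>[0-9A-F]+)(?:\s+(?P<module>.+))?$")
IAT_HOOK = re.compile(
    r"^IAT\s+(?P<proc>\S+\[\d+\])\s+@\s+\S+\s+\[(?P<api>[^\]]+)\]\s+"
    r"\[[0-9A-F]+\]\s*(?P<module>.*)$")
DISK_LINE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+(?P<msg>.*)$")


def triage_gmer(log: str):
    """Classify GMER hook lines by where the hook transfers control.

    Assumption (mine): GMER appends the owning module after the target address
    when the target lies inside a loaded image. A 5-byte JMP with no module
    name therefore points at memory no image backs, which is how injected code
    presents; an IAT entry resolving to a Microsoft DLL such as ShimEng.dll is
    the AppCompat shim layer, not malware.
    """
    result = {"inline_unbacked": [], "inline_in_module": [],
              "iat": [], "disk_alerts": []}
    for line in log.splitlines():
        if m := INLINE_HOOK.match(line):
            key = "inline_in_module" if m["module"] else "inline_unbacked"
            result[key].append((m["proc"], m["api"], int(m["target"], 16)))
        elif m := IAT_HOOK.match(line):
            # keep only the module path, drop GMER's "(description/vendor)" suffix
            result["iat"].append((m["proc"], m["api"], m["module"].split(" (")[0]))
        elif (m := DISK_LINE.match(line)) and "rootkit" in m["msg"].lower():
            result["disk_alerts"].append((m["dev"], m["msg"]))
    return result


def hooked_processes(triage):
    """Distinct processes carrying a JMP into unbacked memory."""
    return sorted({proc for proc, _, _ in triage["inline_unbacked"]})


# Sample input: an excerpt constructed from the logs quoted in this thread.
MBAM_SAMPLE = r"""Registry Keys Detected: 42
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{37B85A2B-692B-4205-9CAD-2626E4993404} (PUP.MyWebSearch) -> No action taken.
HKCR\AppID\{F4406238-983A-4845-9053-F1D0007FD135} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKCU\Control Panel\Desktop|SCRNSAVE.EXE (Hijack.Wallpaper) -> Data: C:\WINNT\system32\blphcn6lj0e1b9.scr -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
"""

GMER_SAMPLE = r""".text C:\WINNT\System32\svchost.exe[852] kernel32.dll!WriteFile 7C810E17 5 Bytes JMP 0092000C
.text C:\WINNT\System32\svchost.exe[852] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E7000A
IAT C:\WINNT\Explorer.EXE[1372] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""

if __name__ == "__main__":
    print("MBAM detections left untouched:", mbam_unhandled(MBAM_SAMPLE))
    t = triage_gmer(GMER_SAMPLE)
    print("Processes with JMP hooks into unbacked memory:", hooked_processes(t))
    print("IAT hooks resolved to a module:", t["iat"])
    print("Disk alerts:", t["disk_alerts"])
```

The point of the split is that not every hook GMER prints is hostile: the Explorer.EXE IAT entries all resolve to ShimEng.dll, so they are noise, while the svchost.exe[852] inline hooks have no backing module and sit in the same process the original post identified as relaunching and growing, and the two Disk lines are the finding that actually explains it.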

#4 TheShooter93 (Cody), Malware Response Team

Posted 26 March 2012 - 08:14 AM

Thanks, I just figured the more info you had, the easier it might be to figure out the solution.

The more info, the better. :thumbup2:

I wasn't saying it was a bad thing, I was just surprised. A lot of users give one sentence to go off of. :lol:

-------------------------------------------------------------------

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
