
Slow startup and load times

Discussion in 'Virus & Other Malware Removal' started by Zapotec, Aug 16, 2010.

  1. Zapotec

    Zapotec Thread Starter

    Joined:
    Aug 16, 2010
    Messages:
    15
    We have been experiencing increasingly slow start-up and load times, and more recently unresponsive mouse movements. All very annoying, and now almost unusable. It all seems to point to problems left over after being infected with various spyware problems. These were removed with SuperAntiSpyware (which I subsequently removed) and Malwarebytes' Anti-Malware (which I've left on); however, the damage seems to have been done. Apparently HiJackThis can identify the problems and fix them, but it's far too advanced for me to do on my own. The processor is an AMD Sempron 1.6 GHz, with 704 MB RAM. The system is Microsoft Windows XP Home Edn V 2002. It's a slow processor I know, and probably unsuitable for things like iTunes and Skype. But I want to avoid upgrading if possible, as we just can't afford it at the moment. Can anyone help?
     
  2. surferdude2

    surferdude2

    Joined:
    Jul 6, 2010
    Messages:
    619
    I've asked for your request to be moved to the Virus and Malware forum where there are some good heads for this type of work.

    Good luck.
     
  3. Zapotec

    Zapotec Thread Starter

    Joined:
    Aug 16, 2010
    Messages:
    15
    Great. Many thanks.
     
  4. vicks

    vicks

    Joined:
    Jan 31, 2005
    Messages:
    5,139
  5. Zapotec

    Zapotec Thread Starter

    Joined:
    Aug 16, 2010
    Messages:
    15
    Here are the HijackThis, DDS and Ark logs, pasted below, and Attach.txt attached.
    Do hope these make sense to someone and they can divine the problem.
    -----------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 22:38:27, on 16/08/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\FreePDF_XP\fpassist.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\cidaemon.exe
    C:\Program Files\Safari\Safari.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail.google.com/mail/?shva=1#inbox
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [OTB_util] C:\Program Files\OTB_util\OTB_util.exe
    O4 - HKLM\..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus S20 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEAE.EXE /FU "C:\DOCUME~1\user\LOCALS~1\Temp\E_S19.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-f79610f6fb9dcd57.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by117fd.bay117.hotmail.msn.com/activex/HMAtchmt.ocx
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate1ca346513a2333e) (gupdate1ca346513a2333e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O24 - Desktop Component 0: (no name) - http://www.animatedgif.net/naughty/new/femme_flasher.gif

    --
    End of file - 8769 bytes



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by user at 22:40:19.71 on 16/08/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.203 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\FreePDF_XP\fpassist.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\cidaemon.exe
    C:\Program Files\Safari\Safari.exe
    C:\WINDOWS\system32\msiexec.exe
    E:\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = https://mail.google.com/mail/?shva=1#inbox
    uWindow Title =
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title =
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [EPSON Stylus S20 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieae.exe /fu "c:\docume~1\user\locals~1\temp\E_S19.tmp" /EF "HKCU"
    mRun: [VTTimer] VTTimer.exe
    mRun: [VTTrayp] VTtrayp.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [OTB_util] c:\program files\otb_util\OTB_util.exe
    mRun: [FreePDF Assistant] c:\program files\freepdf_xp\fpassist.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    dRunOnce: [RunNarrator] Narrator.exe
    IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
    DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-f79610f6fb9dcd57.spaces.live.com/PhotoUpload/MsnPUpld.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by117fd.bay117.hotmail.msn.com/activex/HMAtchmt.ocx
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-21 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-21 29584]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-21 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-2-28 30104]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
    S2 gupdate1ca346513a2333e;Google Update Service (gupdate1ca346513a2333e);c:\program files\google\update\GoogleUpdate.exe [2009-9-13 133104]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2005-11-7 20160]
    S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-2-28 30104]
    S3 USBDFU;USBDFU;c:\windows\system32\drivers\usbdfu.sys --> c:\windows\system32\drivers\usbdfu.sys [?]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-08-14 16:47:48 33052 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-08-14 16:16:02 31112 ----a-w- c:\windows\fonts\writers_condensed.ttf
    2010-07-15 19:31:01 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-15 19:30:53 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-15 19:30:31 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
    2010-03-31 08:35:51 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
    2008-12-29 16:56:12 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920081230\index.dat

    ============= FINISH: 22:41:32.82 ===============


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-17 09:10:06
    Windows 5.1.2600 Service Pack 3
    Running: 74y5mfnn.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\afndykob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF79C3F80]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
     


  6. Zapotec

    Zapotec Thread Starter

    Joined:
    Aug 16, 2010
    Messages:
    15
    It's now the beginning of September and no-one has replied. I realise the need to be patient, but is there anyone out there?! Actually I had thought perhaps I had pulled the alarm cord too readily - over the last few weeks the problems seemed less noticeable, and I was thinking perhaps it was just a low memory issue and not due to the spyware attack after all. But the mouse problem is back. It seems to drag itself and jumps around unpredictably, making it very hard to accurately click on things. Very frustrating. Why does it do that? :(
     
  7. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,113
    I would remove AVG and reinstall if that is your preferred AV program. You have two instances of avgtray.exe running, versions 8 and 9, so something must have gone wrong in the upgrade. Personally I would go with Microsoft Security Essentials.

    Let me know if that helps.
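A small triage helper for the diagnosis above, added here as an example and not code from the thread or from HijackThis itself: it parses the O4/O20/O23 lines quoted from the log posted earlier and flags entries marked "(file missing)" together with any program auto-started from two different folders (here avgtray.exe and avgwdsvc.exe from both AVG8 and AVG9). The regular expressions describing the log format are my own assumptions, not HijackThis's parser.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

It flags the two things the thread's diagnosis rested on:
  * entries HijackThis marked "(file missing)" -- leftovers of a removed
    product that are still referenced at startup, and
  * the same program auto-started from more than one location, such as
    avgtray.exe launched from both an AVG8 and an AVG9 folder.
The log-format heuristics below are assumptions, not HijackThis's own parser.
"""
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log pasted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [EPSON Stylus S20 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEAE.EXE /FU "C:\DOCUME~1\user\LOCALS~1\Temp\E_S19.tmp" /EF "HKCU"
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# "O4 - HKLM\..\Run: ..." -> section code and the rest of the line.
ENTRY_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# A full Windows path ending in a loadable module.  Non-greedy, so trailing
# arguments ('/FU "..."') or the "(file missing)" marker are not swallowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|ocx)\b", re.IGNORECASE)
# Fallback for entries that name only a bare module (VTTimer.exe, avgrsstx.dll).
BARE_RE = re.compile(r"[\w~$-]+\.(?:exe|dll|sys|scr|ocx)\b", re.IGNORECASE)


def parse_entries(log_text):
    """Return one dict per recognised HijackThis entry line."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # headers, process list, blank lines
        section, body = match.groups()
        found = PATH_RE.search(body) or BARE_RE.search(body)
        entries.append({
            "section": section,
            "body": body,
            "path": found.group(0) if found else None,
            "file_missing": "(file missing)" in body.lower(),
        })
    return entries


def find_missing_files(entries):
    """Entries whose target HijackThis could not find on disk."""
    return [e for e in entries if e["file_missing"]]


def find_duplicate_autostarts(entries, sections=("O4", "O23")):
    """Map module name -> sorted distinct paths, for modules registered
    from more than one location among the given sections."""
    by_name = defaultdict(set)
    for e in entries:
        if e["section"] in sections and e["path"]:
            name = e["path"].rsplit("\\", 1)[-1].lower()
            by_name[name].add(e["path"].lower())
    return {name: sorted(paths) for name, paths in by_name.items()
            if len(paths) > 1}


def triage(log_text):
    """Run both checks and return a small report dict."""
    entries = parse_entries(log_text)
    return {
        "entries": len(entries),
        "file_missing": [e["section"] + " - " + e["body"]
                         for e in find_missing_files(entries)],
        "duplicates": find_duplicate_autostarts(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("parsed entries:", report["entries"])
    for line in report["file_missing"]:
        print("file missing  :", line)
    for name, paths in report["duplicates"].items():
        print("duplicate     :", name)
        for p in paths:
            print("                ", p)
```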
     
  8. Zapotec

    Zapotec Thread Starter

    Joined:
    Aug 16, 2010
    Messages:
    15
    Ah, I hadn't spotted the two versions of AVG! I've now uninstalled both versions, and replaced with Security Essentials. The mouse still seems to be dragging a little and load times still slow. But maybe I just have to live with that. Thanks for the advice.
     
  9. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,113
    I would also suggest using Secunia Software Inspector to identify several vulnerabilities I see in old software you have installed. You should get the most current version(s) and remove the old from add/remove programs.

    Do you have a different mouse you can try to see if the problem is hardware related?
     
  10. Zapotec

    Zapotec Thread Starter

    Joined:
    Aug 16, 2010
    Messages:
    15
    Wow, Secunia Software Detector is a great resource. Many thanks for pointing it out. It did indeed highlight several out-of-date programs and patches; however, in removing them I must have accidentally deleted something that disabled Safari as well. I suppose I could remove that too, and reinstall, but don't want to lose my bookmarks if I can help it, so I'm a bit stuck about what to do next...

    The reason I switched to Safari, btw, is because I have that bug that infects Explorer, and Firefox too, so that when you Google and click on a link it redirects to an advert. Safari seems immune; however, it does crash quite frequently with no explanation, so all our browser programs are buggy. I mention it because I wonder if this could be part of the problem?

    New mouse seems ok, so that at least is solved.
     
  11. Zapotec

    Zapotec Thread Starter

    Joined:
    Aug 16, 2010
    Messages:
    15
    Just to update:
    Even though the offending out-of-date applications have now been removed, it's still running extremely slowly, so I don't think we've got to the root of what might be going on here. If anything it's slower. My wife just attempted to access Googlemail via Explorer, and it took 8 mins to load up - really frustrating! I then switched tabs to check Tech Guy. This took 3 mins, just to switch tabs!

    By the way, frequently we get error messages saying that windows virtual memory is too low. I guess this is relevant - should have mentioned it earlier on.
     
  12. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,113
    While we try our hardest to avoid them, accidents do happen. With today's malware being as it is, we will not be held responsible for any loss of your data. You are following the instructions given at your own risk. We recommend that you back up any data that’s important to you beforehand, just in case the worst happens.


    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.


    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
     
  13. Zapotec

    Zapotec Thread Starter

    Joined:
    Aug 16, 2010
    Messages:
    15
    I have backed up our data, and tried installing the recovery console. However, an error message came up: 'Setup cannot continue because the version of Windows on your computer is newer than the version on the CD.
    Warning: If you decide to delete the newer version of Windows that is currently installed on your computer, the files and settings cannot be recovered.' This sounds a bit scary. Is it safe to proceed? If so, how?
     
  14. Zapotec

    Zapotec Thread Starter

    Joined:
    Aug 16, 2010
    Messages:
    15
    Here is the combofix log. It did identify a serious infection right at the start of the scan. Anyhow, here are the details ...

    ComboFix 10-09-06.02 - user 06/09/2010 22:20:39.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.336 [GMT 1:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\user\Local Settings\Temporary Internet Files\3vegn78.jpg
    c:\documents and settings\user\Local Settings\Temporary Internet Files\68ei43cmM.jpg
    c:\documents and settings\user\Local Settings\Temporary Internet Files\6u8DlJGWv.jpg
    c:\documents and settings\user\Local Settings\Temporary Internet Files\blNBB.jpg
    c:\documents and settings\user\Local Settings\Temporary Internet Files\d6J526.jpg
    c:\documents and settings\user\Local Settings\Temporary Internet Files\ER1DykIa.jpg
    c:\documents and settings\user\Local Settings\Temporary Internet Files\h7IO8d3.jpg
    c:\documents and settings\user\Local Settings\Temporary Internet Files\MFlE4.jpg
    c:\windows\AutoRun.ini
    c:\windows\system32\winlogon.bak
    .
    ((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
    .
    2010-09-05 17:07 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-09-05 17:07 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-09-04 21:30 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-04 21:25 . 2010-09-04 21:25 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-08-16 21:34 . 2010-08-16 21:34 -------- d-----w- c:\program files\Trend Micro
    2010-08-16 17:58 . 2010-08-16 17:58 -------- d-----w- c:\program files\Common Files\Skype
    2010-08-15 16:33 . 2010-09-06 19:01 -------- d-----w- c:\documents and settings\user\Application Data\gtk-2.0
    2010-08-15 16:32 . 2010-08-16 09:01 -------- d-----w- c:\documents and settings\user\.thumbnails
    2010-08-14 16:05 . 2010-09-06 19:01 -------- d-----w- c:\documents and settings\user\.gimp-2.6
    2010-08-14 16:02 . 2010-09-06 19:12 -------- d-----w- c:\program files\GIMP-2.0
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-06 07:49 . 2005-10-14 21:54 35920 -c--a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-05 21:02 . 2008-12-28 17:23 -------- d-----w- c:\program files\Common Files\Apple
    2010-09-05 20:55 . 2005-12-12 00:37 -------- d-----w- c:\program files\Java
    2010-09-05 20:40 . 2005-10-16 04:07 -------- d-----w- c:\program files\Common Files\Adobe
    2010-09-04 21:14 . 2010-02-28 08:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-09-03 17:31 . 2006-01-22 23:35 -------- d-----w- c:\program files\ScreenShot Wizard
    2010-08-22 17:35 . 2009-06-15 18:30 34088 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-08-21 17:11 . 2009-09-13 11:26 -------- d-----w- c:\documents and settings\user\Application Data\Skype
    2010-08-21 15:05 . 2009-09-13 15:24 -------- d-----w- c:\documents and settings\user\Application Data\skypePM
    2010-08-16 21:34 . 2010-08-16 21:34 388096 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-08-15 11:24 . 2010-03-31 08:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-05 11:59 . 2009-06-05 15:09 -------- d-----w- c:\program files\Safari
    2010-08-04 17:34 . 2010-08-04 17:34 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
    2010-07-31 09:15 . 2010-07-31 09:15 54784 --sha-r- c:\windows\system32\sprestrts.dll
    2010-07-24 06:15 . 2010-07-14 20:45 -------- d-----w- c:\program files\iTunes
    2010-07-24 06:13 . 2010-07-24 06:13 -------- d-----w- c:\program files\iPod
    2010-07-24 06:04 . 2010-07-24 06:04 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
    2010-07-18 19:29 . 2005-11-23 20:36 -------- d-----w- c:\documents and settings\user\Application Data\Canon
    2010-07-14 20:33 . 2010-07-14 20:33 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
    2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2005-10-14 21:22 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" [2005-03-08 53248]
    "VTTrayp"="VTtrayp.exe" [2005-03-12 147456]
    "FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2007-06-26 312320]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-04-13 01:29 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2005-01-04 21:17 1937408 -c----w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2010-05-13 16:57 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    2004-03-26 21:40 794624 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2004-04-01 17:52 1368064 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-09-05 14:12 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bamzooki\\Bonsai.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "4241:TCP"= 4241:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "8692:TCP"= 8692:TCP:Services
    "2615:TCP"= 2615:TCP:Services
    "3730:TCP"= 3730:TCP:Services
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
    S2 gupdate1ca346513a2333e;Google Update Service (gupdate1ca346513a2333e);c:\program files\Google\Update\GoogleUpdate.exe [13/09/2009 12:26 133104]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [07/11/2005 01:37 20160]
    S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
    S3 USBDFU;USBDFU;c:\windows\system32\drivers\usbdfu.sys --> c:\windows\system32\drivers\usbdfu.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    2010-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-13 11:24]
    2010-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-13 11:24]
    2010-09-06 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 20:40]
    2010-09-06 c:\windows\Tasks\User_Feed_Synchronization-{34FAA5FF-5F5F-4A1D-BABB-7D09DA98EF3B}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://mail.google.com/mail/?shva=1#inbox
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title =
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    .
    - - - - ORPHANS REMOVED - - - -
    HKLM-Run-OTB_util - c:\program files\OTB_util\OTB_util.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    AddRemove-Blender - c:\documents and settings\user\Desktop\Latin project\blender\uninstall.exe
    AddRemove-GamewareBAMZOOKiZookKitSeries1_is1 - c:\documents and settings\All Users\Desktop\BAMZOOKi Zook Kit\unins000.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-06 22:35
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82FDA78A]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7e50f28
    \Driver\ACPI -> ACPI.sys @ 0xf7cd3cb8
    \Driver\atapi -> ntkrnlpa.exe @ 0x8057c2df
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
    ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
    ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
    NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> 0x83040b60
    PacketIndicateHandler -> NDIS.sys @ 0xf7b79a21
    SendHandler -> NDIS.sys @ 0xf7b5787b
    copy of MBR has been found in sector 0x04A85300
    malicious code @ sector 0x04A85303 !
    PE file found in sector at 0x04A85319 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-09-06 22:42:11
    ComboFix-quarantined-files.txt 2010-09-06 21:42
    Pre-Run: 24,043,061,248 bytes free
    Post-Run: 24,443,572,224 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    - - End Of File - - AE96FA9DDB141E281DA983FFF429FB9E
     
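As an added example (not code from the thread, nor from ComboFix or GMER), a small Python triage script that walks a log in the format posted above and pulls out the items a helper reads off it before recommending a fix: the disabled firewall and Security Center overrides, the globally opened ports, and the sector the MBR detector flagged. The excerpt it runs on is a constructed, trimmed copy of lines from the log above; the severity labels are this example's own.

```python
import re

# Constructed excerpt in the style of the ComboFix log above (trimmed, not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"8692:TCP"= 8692:TCP:Services
copy of MBR has been found in sector 0x04A85300
malicious code @ sector 0x04A85303 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# "<port>:<proto>"= <port>:<proto>:<label>   (firewall GloballyOpenPorts entry)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
SECTOR_RE = re.compile(r'malicious code @ sector (0x[0-9A-Fa-f]+)')
OVERRIDES = ('"antivirusoverride"=dword:00000001', '"firewalloverride"=dword:00000001')

def triage_combofix(text):
    """Return (severity, finding) tuples for the host-posture and MBR
    indicators present in a ComboFix-style log (severity labels are ours)."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a registry key header opens a new section
            section = line.lower()
            continue
        if '"enablefirewall"= 0' in line.lower():
            findings.append(("high", "Windows Firewall disabled in standard profile"))
        if line.lower() in OVERRIDES:      # Security Center told not to warn about AV/firewall
            findings.append(("medium", "Security Center alert suppressed: " + line.split('"')[1]))
        m = PORT_RE.match(line)
        if m and section and "globallyopenports" in section:
            port, proto, label = m.groups()
            findings.append(("medium", f"Globally open port {port}/{proto} labelled '{label}'"))
        m = SECTOR_RE.search(line)
        if m:
            findings.append(("critical", "MBR rootkit code at sector " + m.group(1)))
        if line.startswith("MBR rootkit infection detected"):
            findings.append(("critical", "Detector reports MBR rootkit infection"))
    return findings

if __name__ == "__main__":
    for severity, finding in triage_combofix(SAMPLE_LOG):
        print(f"[{severity}] {finding}")
```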
  15. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,113
    Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
    Close out all other open programs and windows.
    Double click the file to run it and follow any prompts.
    If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.


    *In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

    mbr -f

    Now, please do the Start>Run>mbr -f command a second time.
    Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
    Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
     
Short URL to this thread: https://techguy.org/943557