Computer freezes with every click...

Post by xyonist » March 15th, 2010, 6:57 pm

My roommate likes to open every e-mail he gets no matter how many times I tell him not to. Now my computer freezes for 10-15 seconds (sometimes longer) with every link I click on. Firefox is (Not Responding), BitDefender cannot load services and Outpost Firewall Service is not available. I think they're being blocked. Please let me know what you find.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:20 PM, on 3/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sportsims.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Pete\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Pete\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/sc ... ecubes.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://www.worldwinner.com/games/v40/mines/mines.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/sh ... Loader.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinner.com/games/v44/wo ... rdcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v48/luxor/luxor.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinner.com/games/v42/go ... olfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v52/ww ... spades.cab

--
End of file - 5839 bytes

Uninstall list:

7-Zip 4.65
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.5
Adobe Shockwave Player
Amazon MP3 Downloader 1.0.9
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Banctec Service Agreement
Baseball Mogul 2005
BitDefender Antivirus 2010
Black and White
Bonjour
Civilization III
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Games
Dell Media Experience
Dell Photo Printer 720
DellSupport
Digital Content Portal
Digital Line Detect
EducateU
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hoyle Board Games 2003
Hoyle Casino 2004
ieSpell 2.2.0 (build 647)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
IrfanView (remove only)
iTunes
Java(TM) 6 Update 16
Learn2 Player (Uninstall Only)
Magic Pack v1.0 for Pocket Tanks Deluxe
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Modem Helper
Monopoly Tycoon
Mozilla Firefox (3.5.8)
MSVCRT
MSXML 6 Service Pack 2 (KB954459)
NetWaiting
Nuke Pack v1.1 for Pocket Tanks Deluxe
Outpost Firewall 2009
Party Pack for Pocket Tanks Deluxe
Pocket Tanks Deluxe v1.3
QuickTime
RealPlayer Basic
Rocket Pack v1.0 for Pocket Tanks Deluxe
Roll
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Snowball Pack v1.1 for Pocket Tanks Deluxe
Stella 2.2
Stronghold Crusader
Taito Legends
The Oregon Trail
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Online
Verizon Online Help and Support
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WildTangent Web Driver
Winamp (remove only)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
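As an added example (not code from this thread, from HijackThis, or from the forum's own tooling), the following Python script parses HijackThis 2.0.2 log lines of the kind posted above into their section tag, CLSID, file path and URL, and pulls out what a helper reads first: entries whose target file is gone ("(no file)" / "(file missing)"), the hosts that have delivered ActiveX controls (O16 DPF entries), and the configured start pages. The sample input is a handful of lines copied verbatim from the log above; the section tags and orphan markers are the ones HijackThis itself prints.

```python
"""Triage helper for HijackThis 2.0.2 log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: a few lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sportsims.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://www.worldwinner.com/games/v40/mines/mines.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
"""

# Every HijackThis finding starts with a section tag such as R0, O2, O4, O16.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path ending in a binary/shortcut extension; stops before trailing arguments.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|lnk|sys|scr|ocx)\b', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Markers HijackThis appends when the file an entry points to is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    section: str            # R0, O2, O4, O9, O16, ...
    body: str               # everything after "<section> - "
    clsid: Optional[str]    # {GUID} if the entry carries one
    path: Optional[str]     # local file the entry points at, if any
    url: Optional[str]      # remote URL (start page, DPF download), if any
    orphan: bool            # HijackThis could not find the referenced file


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one log line; returns None for headers, blanks and process-list lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid, path, url = CLSID_RE.search(body), PATH_RE.search(body), URL_RE.search(body)
    return HjtEntry(
        section=section,
        body=body,
        clsid=clsid.group(0).upper() if clsid else None,
        path=path.group(0) if path else None,
        url=url.group(0) if url else None,
        orphan=any(marker in body for marker in ORPHAN_MARKERS),
    )


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


def orphaned_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose target file is gone: leftovers to clean up, not active code."""
    return [e for e in entries if e.orphan]


def dpf_hosts(entries: List[HjtEntry]) -> List[str]:
    """Hosts that have delivered ActiveX controls to this machine (O16 DPF entries)."""
    hosts = set()
    for e in entries:
        if e.section == "O16" and e.url:
            host = urlparse(e.url).hostname
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


def start_pages(entries: List[HjtEntry]) -> Dict[str, str]:
    """Browser start/search URLs from R0/R1 entries, keyed by registry value name."""
    pages: Dict[str, str] = {}
    for e in entries:
        if e.section in ("R0", "R1") and e.url:
            key, _, _ = e.body.partition(" = ")
            pages[key] = e.url
    return pages


def triage(text: str) -> Dict[str, object]:
    """One-shot summary of the points a helper checks first."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "orphans": [(e.section, e.clsid, e.path) for e in orphaned_entries(entries)],
        "dpf_hosts": dpf_hosts(entries),
        "start_pages": start_pages(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Orphaned entries such as the Yahoo! Toolbar hook and the PartyPoker buttons are dead references rather than running code; the script surfaces them so they can be removed, and lists the DPF hosts so a helper can decide whether a downloaded control belongs on the machine.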

Re: Computer freezes with every click...

Post by MWR 3 day Mod » March 19th, 2010, 3:20 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: Computer freezes with every click...

Post by gringo_pr » March 19th, 2010, 7:43 pm

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

GMER:

    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO, then use the following settings for a more complete scan..
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

information and logs:

    In your next post I need the following

      1. logs from DDS
      2. log from GMER
      3. let me know of any problems you may have had

Gringo

Re: Computer freezes with every click...

Post by xyonist » March 20th, 2010, 12:09 pm

I successfully disabled the CD Emulation drivers, downloaded DDS and saved the two logs (DDS.txt and Attach.txt), but I'm having trouble running GMER. The first time I tried running it, the program appeared to just stop working. The second time I ran it, I encountered an error message and almost immediately after that, the BSOD. The third time I ran it, I got a message saying that "An error has occurred and GMER.exe needs to close". Still trying to successfully run GMER.

Re: Computer freezes with every click...

Post by gringo_pr » March 20th, 2010, 4:21 pm

GMER:

I would like you to download this "special version of gmer" and save it to your desktop.


  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Devices (don't miss this one) <-- this one is different from the picture
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

If Gmer runs, then please give me the log and pass on the next step.

If Gmer still does not run, and only if it does not run, please do the following.

I would like you to try and run Gmer in Safe Mode. To enter Safe Mode, do the following.

Boot into Safe Mode

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log on to your usual account.

If Gmer does run to the end, please send me the log in your next reply. If it still does not run, please let me know and we will try something else.

information and logs:

    In your next post I need the following

    1. log from Gmer
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo

Re: Computer freezes with every click...

Post by xyonist » March 21st, 2010, 12:31 pm

I was able to successfully run the 2nd version of GMER. Here are the logs you requested (DDS.txt, attach.txt and ark.txt):

DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Pete at 2:31:49.09 on Sat 03/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.40 [GMT -4:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Pete\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sportsims.net/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v46/sc ... ecubes.cab
DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} - hxxp://www.worldwinner.com/games/v40/mines/mines.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/ ... bdf-b09c-4e3c49808ec7/LegitCheckControl.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/sh ... Loader.cab
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} - hxxp://www.worldwinner.com/games/v44/wo ... rdcube.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v48/luxor/luxor.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v42/go ... olfsol.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v52/ww ... spades.cab
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pete\applic~1\mozilla\firefox\profiles\b67i1qst.pete\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-11-3 704384]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-11-3 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-11-3 257432]
S2 gupdate1c9f747ee1c2390;Google Update Service (gupdate1c9f747ee1c2390);c:\program files\google\update\GoogleUpdate.exe [2009-6-27 133104]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-9-17 152328]
S4 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-9-13 183880]

=============== Created Last 30 ================

2010-03-20 06:26:52 0 ----a-w- c:\documents and settings\pete\defogger_reenable
2010-03-03 21:43:38 0 d-----w- c:\program files\Amazon

==================== Find3M ====================

2010-01-22 02:42:08 14012 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2006-04-07 20:11:52 104 -csh--r- c:\windows\system32\6287751CD3.sys
2006-04-07 20:11:52 4184 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-18 17:20:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009101820091019\index.dat

============= FINISH: 2:33:11.71 ===============

Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/27/2005 12:45:35 PM
System Uptime: 3/17/2010 6:47:16 PM (56 hours ago)

Motherboard: Dell Computer Corp. | | 0CF458
Processor: Intel(R) Celeron(R) CPU 2.53GHz | Microprocessor | 2527/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 34 GiB total, 3.688 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP126: 3/12/2010 3:47:50 AM - System Checkpoint
RP127: 3/12/2010 8:19:11 PM - Restore Operation
RP128: 3/13/2010 10:12:29 PM - System Checkpoint
RP129: 3/14/2010 10:33:41 PM - System Checkpoint
RP130: 3/15/2010 5:34:51 PM - Agnitum Outpost Firewall Restore Point: uninstall
RP131: 3/16/2010 7:13:58 PM - System Checkpoint
RP132: 3/17/2010 9:13:49 PM - System Checkpoint
RP133: 3/18/2010 10:01:58 PM - System Checkpoint
RP134: 3/19/2010 10:55:25 PM - System Checkpoint

==== Installed Programs ======================

7-Zip 4.65
Absolute Poker
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.5
Adobe Shockwave Player
Amazon MP3 Downloader 1.0.9
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Banctec Service Agreement
Baseball Mogul 2005
BitDefender Antivirus 2010
Black and White
Bonjour
Civilization III
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Games
Dell Media Experience
Dell Photo Printer 720
Dell System Restore
DellSupport
Digital Content Portal
Digital Line Detect
EducateU
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hoyle Board Games 2003
Hoyle Casino 2004
ieSpell 2.2.0 (build 647)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
IrfanView (remove only)
iTunes
Java(TM) 6 Update 16
Learn2 Player (Uninstall Only)
Magic Pack v1.0 for Pocket Tanks Deluxe
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Modem Helper
Monopoly Tycoon
Mozilla Firefox (3.5.8)
MSVCRT
MSXML 6 Service Pack 2 (KB954459)
NetWaiting
Nuke Pack v1.1 for Pocket Tanks Deluxe
Outpost Firewall 2009
Party Pack for Pocket Tanks Deluxe
Pocket Tanks Deluxe v1.3
QuickTime
RealPlayer Basic
Rocket Pack v1.0 for Pocket Tanks Deluxe
Roll
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Snowball Pack v1.1 for Pocket Tanks Deluxe
Stella 2.2
Stronghold Crusader
Taito Legends
The Oregon Trail
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Online
Verizon Online Help and Support
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
WildTangent Web Driver
Winamp (remove only)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

3/16/2010 6:22:51 PM, error: System Error [1003] - Error code 1000000a, parameter1 00000000, parameter2 00000002, parameter3 00000000, parameter4 804fd603.
3/15/2010 7:28:01 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
3/15/2010 5:41:30 PM, error: Service Control Manager [7001] - The Print Spooler service depends on the LexBce Server service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/15/2010 5:41:30 PM, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.

==== End Of File ===========================

ark.txt:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-21 12:15:50
Windows 5.1.2600 Service Pack 3
Running: 3pb8cw5u.exe; Driver: C:\DOCUME~1\Pete\LOCALS~1\Temp\pwdoapoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0xF02AEA60]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwClose [0xF0293BF0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0xF02B0920]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0xF028FF60]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateKey [0xF029B090]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0xF02A72B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0xF02A7BB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSection [0xF028ED10]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0xF029AE40]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateThread [0xF02A5D70]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDebugActiveProcess [0xF02B3F30]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteFile [0xF0299B20]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteKey [0xF029C900]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteValueKey [0xF02A33A0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0xF02A4BB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xF029A6B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xF0292C10]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenKey [0xF029BFC0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenProcess [0xF02A9CA0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xF028F580]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenThread [0xF02A9060]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xF02AFDA0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xF02948A0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xF029E750]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryValueKey [0xF029EFA0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xF02ADED0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xF02A2590]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwReplaceKey [0xF02A0500]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xF02B2A50]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xF02B2D70]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRestoreKey [0xF02A1D20]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xF02A0C80]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xF02A14D0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xF02B1480]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xF02AD440]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0xF02B4520]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xF0295BF0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xF02A41C0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetValueKey [0xF029F820]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xF02AC190]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xF02ACAC0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xF02B3770]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateProcess [0xF02AA790]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xF02AB620]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xF02A5530]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xF02AF2B0]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogName C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy26.gthr
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogNumber 26
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@CheckPointSignature a854df19-caa6-45fa-9166-25c3059c8f11

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
xyonist
Regular Member
 
Posts: 28
Joined: October 27th, 2009, 8:23 am

Re: Computer freezes with every click...

Unread postby gringo_pr » March 22nd, 2010, 1:00 am

Hello


Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Vista and Win 7 Users please Right Click and run as Admin all programs that I ask you to run

RootRepeal - Rootkit Detector:

  • Download RootRepeal from the following location and save it to your desktop.
  • Unzip it to your Desktop
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • Check the box for your main system drive (Usually C:), and Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

uninstall some programs

    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 7.0.5
    Internet Explorer Default Page
    Viewpoint Media Player
    WildTangent Web Driver


    and click on remove

Update Adobe Reader

    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader(3.5MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts
  • After the update is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

    Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


:Kaspersky scan:

    Please go to Kaspersky website and perform an online antivirus scan.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.

"information and logs"

    In your next post I need the following

    1. log from RootRepeal
    2. Log From MBAM
    3. Log From Kaspersky
    4. let me know of any problems you may have had
    5. How is the computer doing now?

Gringo
gringo_pr
Site Moderator
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
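Reading the RootRepeal.txt that the steps above produce is the part a helper has to do by eye: a HIPS such as Outpost's SandBox.sys hooks the SSDT legitimately, while an "MBR Rootkit Detected!" entry or hidden code in a driver's IRP handler is exactly what the scan is for. The script below is an added triage example, not RootRepeal's own code and not from this thread; it parses a report constructed in RootRepeal's format, and the expected-hooker list (SandBox.sys) and the locked-file allowlist are assumptions to adjust per machine.

```python
# Added triage script for a RootRepeal report (not RootRepeal's code, not from the thread).
# Sorts SSDT/Shadow SSDT hooks, hidden/locked files and stealth objects into 'explained'
# and 'investigate'. The sample report is constructed in RootRepeal's format;
# 'example_unknown.sys' is a placeholder, not a real driver name.
import re

# ASSUMPTION: drivers expected to hook the SSDT on this box (Outpost Firewall's HIPS).
EXPECTED_HOOKERS = {"sandbox.sys"}
# ASSUMPTION: files routinely "Locked to the Windows API!" on a healthy XP install.
KNOWN_LOCKED = {"hiberfil.sys", "pagefile.sys"}

FUNC_RE = re.compile(r"#:\s*(?P<idx>\d+)\s+Function Name:\s+(?P<name>\S+)")
HOOK_RE = re.compile(r'Hooked by "(?P<path>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
STEALTH_RE = re.compile(r"Object: (?P<kind>.+?) \[Driver: (?P<driver>[^,\]]+)(?:, (?P<irp>[^\]]+))?\]")

SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0346f60

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\example_unknown.sys" at address 0xf0360ca0

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036edb0
==EOF==
"""


def basename(path):
    """Last component of a Windows path, lower-cased for allowlist comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_sections(text):
    """Map section name -> non-blank body lines, using the dashed underline RootRepeal writes."""
    lines = text.splitlines()
    dash_idx = [i for i, l in enumerate(lines) if l.startswith("-----") and i > 0]
    sections = {}
    for n, i in enumerate(dash_idx):
        name = lines[i - 1].strip()
        end = dash_idx[n + 1] - 1 if n + 1 < len(dash_idx) else len(lines)
        sections[name] = [l.rstrip() for l in lines[i + 1:end]
                          if l.strip() and not l.startswith("==")]
    return sections


def parse_hooks(body):
    """Pair each '#: N Function Name: X' line with the 'Status: Hooked by ...' line after it."""
    hooks, pending = [], None
    for line in body:
        m = FUNC_RE.search(line)
        if m:
            pending = m["name"]
            continue
        m = HOOK_RE.search(line)
        if m and pending:
            hooks.append({"function": pending, "hooker": m["path"], "address": m["addr"]})
            pending = None
    return hooks


def triage(text, expected=EXPECTED_HOOKERS):
    """Return {'explained': [...], 'investigate': [...]} for one RootRepeal report."""
    sections = parse_sections(text)
    findings = {"explained": [], "investigate": []}
    for sec in ("SSDT", "Shadow SSDT"):
        for h in parse_hooks(sections.get(sec, [])):
            who = basename(h["hooker"])
            bucket = "explained" if who in expected else "investigate"
            findings[bucket].append(f"{sec} {h['function']} hooked by {who} at {h['address']}")
    body = sections.get("Hidden/Locked Files", [])
    for i, line in enumerate(body):
        if i == 0 or not line.startswith("Status:"):
            continue
        path = body[i - 1].split(":", 1)[1].strip()
        status = line.split(":", 1)[1].strip()
        benign = "Locked" in status and basename(path) in KNOWN_LOCKED
        findings["explained" if benign else "investigate"].append(f"{path}: {status}")
    for line in sections.get("Stealth Objects", []):
        m = STEALTH_RE.search(line)
        if m:  # code hidden in a driver's dispatch routine is never an expected finding
            findings["investigate"].append(f"{m['kind']} in driver {m['driver']} ({m['irp'] or 'n/a'})")
    return findings
```

Run `triage(open("RootRepeal.txt").read())` on a real report; everything in the "investigate" bucket is what to bring to the thread, and a hook by a driver you cannot name belongs there even if the hooked function looks harmless.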

Re: Computer freezes with every click...

Unread postby xyonist » March 24th, 2010, 5:17 pm

Ok, just to update you on where I'm at here. I successfully downloaded RootRepeal and have the RootRepeal.txt report to post in my next update. I was able to uninstall Adobe Reader 7.0.5, Viewpoint Media Player and WildTangent Web Driver from my system, but I was not able to locate any program(s) titled "Internet Explorer Default Page", even after I did a search of my C: drive. Next, I tried to update Java using the directions you provided, but when I clicked on "Update Now", nothing happened. No update began and there were no prompts to follow. I was, however, able to delete the Applications and Applets and the Trace and Log Files as directed. I was able to download and run both TFC and Malwarebytes' Anti-Malware without any problems and I have the mbam-log-date.txt report to post as well in my next update. Finally I moved on to the Kaspersky scan. I have tried unsuccessfully to run twice in the past 2 days. I have no problem installing the scanner and virus definitions or even running the program. The problem occurs when the 'Scanning Progress' reaches 99% (after 4 1/2 hours of scanning), the program just freezes. Even when I click on the 'Stop Scanning' button, nothing happens and I am not able to view the Scan Report. The program does find two infected files, but since the scanner freezes I am not able to delete, quarantine or otherwise read about which files are infected. I will continue to try to run the program successfully in lieu of a different option, but it may take me a few tries (and hence, a few days since I work 10-12 hours a day) to get the Kaspersky log file. Thank you for your patience.
xyonist
Regular Member
 
Posts: 28
Joined: October 27th, 2009, 8:23 am

Re: Computer freezes with every click...

Unread postby gringo_pr » March 24th, 2010, 7:28 pm

Hello xyonist

ok let me have the logs you have so far
RootRepeal.txt
mbam-log-date.txt


I tried to update Java - we will try this later


try this online scan


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.



let me have what you can


gringo
gringo_pr
Site Moderator
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Computer freezes with every click...

Unread postby xyonist » March 24th, 2010, 9:00 pm

The ESET Scanner does not appear to work. I tried it several times, but after clicking Scan, the program skips directly to the finish and states 'No Objects Found' without even downloading the definitions or scanning any files. I will try the Kaspersky scanner again tonight.

Here are the RootRepeal.txt and mbam-log-date.txt logs you requested:

RootRepeal.txt

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/22 16:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEFDC0000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF981E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEED27000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Processes
-------------------
Path: C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
PID: 5408 Status: Locked to the Windows API!

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0365a60

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf034abf0

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0367920

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0346f60

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0352090

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf035e2b0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf035ebb0

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0345d10

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0351e40

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf035cd70

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036af30

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0350b20

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0353900

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf035a3a0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf035bbb0

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf03516b0

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0349c10

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0352fc0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0360ca0

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0346580

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0360060

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0366da0

#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf034b8a0

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0355750

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0355fa0

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0364ed0

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0359590

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0357500

#: 199 Function Name: NtRequestPort
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0369a50

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0369d70

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0358d20

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0357c80

#: 208 Function Name: NtSaveKeyEx
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf03584d0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0368480

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0364440

#: 223 Function Name: NtSetInformationDebugObject
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036b520

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf034cbf0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf035b1c0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0356820

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0363190

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0363ac0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036a770

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0361790

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf0362620

#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf035c530

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf03662b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xff32c950 Size: 1248

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036f1a0

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036edb0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036e6b0

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036ced0

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036c3d0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036c760

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036f600

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036e380

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036d290

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\drivers\SandBox.sys" at address 0xf036da60

==EOF==

mbam-log-date.txt

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/22/2010 7:43:20 PM
mbam-log-2010-03-22 (19-43-20).txt

Scan type: Quick Scan
Objects scanned: 124894
Time elapsed: 18 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I'll also post the log.txt from ESET Scanner:

log.txt

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85eae4af2591f045ad5f691de42481e6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-25 12:38:40
# local_time=2010-03-24 08:38:40 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777195 100 0 12706234 12706234 0 0
# compatibility_mode=6912 16777215 100 0 12105598 12105598 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85eae4af2591f045ad5f691de42481e6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-25 12:39:38
# local_time=2010-03-24 08:39:38 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777195 100 0 12706292 12706292 0 0
# compatibility_mode=6912 16777215 100 0 12105656 12105656 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85eae4af2591f045ad5f691de42481e6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-25 12:40:32
# local_time=2010-03-24 08:40:32 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777195 100 0 12706346 12706346 0 0
# compatibility_mode=6912 16777215 100 0 12105710 12105710 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85eae4af2591f045ad5f691de42481e6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-25 12:42:11
# local_time=2010-03-24 08:42:11 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777195 100 0 12706445 12706445 0 0
# compatibility_mode=6912 16777215 100 0 12105809 12105809 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85eae4af2591f045ad5f691de42481e6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-25 12:42:55
# local_time=2010-03-24 08:42:55 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777195 100 0 12706489 12706489 0 0
# compatibility_mode=6912 16777215 100 0 12105853 12105853 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0
esets_scanner_update returned -1 esets_gle=0
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85eae4af2591f045ad5f691de42481e6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-25 12:43:41
# local_time=2010-03-24 08:43:41 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777195 100 0 12706535 12706535 0 0
# compatibility_mode=6912 16777215 100 0 12105899 12105899 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=0
xyonist
Regular Member
 
Posts: 28
Joined: October 27th, 2009, 8:23 am

Re: Computer freezes with every click...

Unread postby xyonist » March 25th, 2010, 6:01 am

Hey, gringo. I was able to successfully run the Kaspersky Scan overnight! Here is the log:

Kaspersky.txt:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, March 25, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, March 24, 2010 23:36:01
Records in database: 3863103
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 120954
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 04:34:28


File name / Threat / Threats count
C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\bdxkdp\dprxsftav.exe Infected: Trojan.Win32.FraudPack.anrh 1
C:\Documents and Settings\Pete\Local Settings\Application Data\bdxkdp\dprxsftav.exe Infected: Trojan.Win32.FraudPack.anrh 1

Selected area has been scanned.
xyonist
Regular Member
 
Posts: 28
Joined: October 27th, 2009, 8:23 am

Re: Computer freezes with every click...

Unread postby gringo_pr » March 25th, 2010, 6:43 am

Hello xyonist

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

gringo
gringo_pr
Site Moderator
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
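The tool gringo points to undoes one specific pattern, and the log in the following post shows each piece of it: the built-in HelpAssistant (Remote Desktop Help Assistant) account switched back on and added to Administrators, TermService pointed at a termsrv32.dll instead of the stock termsrv.dll, and a set of extra TCP ports opened in the firewall's GloballyOpenPorts list. The script below is an added example, not part of this thread and not the HelpAsst_mebroot_fix tool's own code, that checks those three indicators offline from two artefacts: a .reg export of the two registry keys and the text of `net user HelpAssistant`. Both inputs are constructed here (the port entries mirror the ones the log closes; the ServiceDll value, the "Generic Host Process" names and the Administrators membership are assumed to look like this on an infected box), and the key paths and the expected 3389/TCP opening are assumptions of the example.

```python
"""Added example (not the HelpAsst_mebroot_fix tool's own code): check an XP box
for the HelpAssistant/RDP persistence pattern from offline artefacts.
Inputs are constructed so the script runs without a Windows host."""

FW_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
           r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")
TERMSRV_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters"

# Assumption: with Remote Desktop deliberately on, 3389/TCP is the only opening
# this list should carry; anything else is treated as suspect.
EXPECTED_TCP_PORTS = {3389}


def reg_expand_sz(s):
    """Encode a string the way .reg exports store REG_EXPAND_SZ: hex(2):<utf-16-le bytes>."""
    data = (s + "\x00").encode("utf-16-le")
    return "hex(2):" + ",".join("%02x" % b for b in data)


# Constructed sample export (what `reg export` of the two keys would write).
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + FW_LIST + "]",
    '"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"',
    '"65533:TCP"="65533:TCP:*:Enabled:Generic Host Process"',
    '"52344:TCP"="52344:TCP:*:Enabled:Generic Host Process"',
    '"2479:TCP"="2479:TCP:*:Enabled:Generic Host Process"',
    "",
    "[" + TERMSRV_PARAMS + "]",
    '"ServiceDll"=' + reg_expand_sz(r"%SystemRoot%\System32\termsrv32.dll"),
    "",
])

# Constructed `net user HelpAssistant` output for an infected box.
SAMPLE_NET_USER = """\
User name                    HelpAssistant
Full Name                    Remote Desktop Help Assistant Account
Account active               Yes
Local Group Memberships      *Administrators
Global Group memberships     *None
"""


def parse_reg_export(text):
    """Return {key: {value_name: value}}. Decodes REG_SZ and REG_EXPAND_SZ, keeps
    other types raw, and joins the backslash line continuations .reg files use."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    keys, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                value = data[1:-1].replace("\\\\", "\\")
            elif data.startswith("hex(2):"):
                blob = bytes(int(h, 16) for h in data[7:].split(",") if h)
                value = blob.decode("utf-16-le").rstrip("\x00")
            else:
                value = data
            keys[current][name] = value
    return keys


def rogue_open_ports(keys, expected=EXPECTED_TCP_PORTS):
    """Entries read 'port:proto:scope:Enabled|Disabled:name'; return the enabled
    TCP ports that are not in the expected set."""
    rogue = []
    for data in keys.get(FW_LIST, {}).values():
        fields = data.split(":")
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        port, proto, _scope, state = fields[:4]
        if proto.upper() == "TCP" and state.lower() == "enabled" and int(port) not in expected:
            rogue.append(int(port))
    return sorted(rogue)


def termsrv_dll(keys):
    """Basename of the DLL TermService is configured to load (stock is termsrv.dll)."""
    return keys.get(TERMSRV_PARAMS, {}).get("ServiceDll", "").rsplit("\\", 1)[-1].lower()


def helpassistant_status(net_user_output):
    """Parse `net user HelpAssistant` into (active, is_administrator)."""
    active = admin = False
    for line in net_user_output.splitlines():
        if line.startswith("Account active"):
            active = line.split()[-1].lower() == "yes"
        elif line.startswith("Local Group Memberships"):
            admin = "*Administrators" in line
    return active, admin


def assess(reg_text, net_user_output):
    """Return the indicators present; an empty list means none of the pattern was seen."""
    keys = parse_reg_export(reg_text)
    active, admin = helpassistant_status(net_user_output)
    findings = []
    if active:
        findings.append("HelpAssistant account is active")
    if admin:
        findings.append("HelpAssistant is a member of Administrators")
    dll = termsrv_dll(keys)
    if dll and dll != "termsrv.dll":
        findings.append("TermService ServiceDll is %s, not termsrv.dll" % dll)
    ports = rogue_open_ports(keys)
    if ports:
        findings.append("unexpected GloballyOpenPorts entries: %s" % ports)
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_REG, SAMPLE_NET_USER):
        print("[!]", finding)
```

A hit on the firewall list by itself is weak evidence, since plenty of software adds openings there; it is the combination with an active HelpAssistant sitting in Administrators and a ServiceDll that is not termsrv.dll that matches what the tool's log in the next post reports.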

Re: Computer freezes with every click...

Unread postby xyonist » March 25th, 2010, 8:19 pm

HelpAsst.txt

C:\Documents and Settings\Pete\Desktop\HelpAsst_mebroot_fix.exe
Thu 03/25/2010 at 19:30:44.48

HelpAssistant account was found to be Active ~ attempting to de-activate

Full Name Remote Desktop Help Assistant Account
Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"9168:TCP"=-
"3389:TCP"=-
"7078:TCP"=-
"7079:TCP"=-
"8786:TCP"=-
"8787:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"9168:TCP"=-
"7078:TCP"=-
"7079:TCP"=-
"8786:TCP"=-
"8787:TCP"=-

HelpAssistant profile found in registry ~ backing up and removing

S-1-5-21-2648800068-1536023876-680085538-1005
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

mbr infection detected! ~ running mbr -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0xff31a918
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0xff410330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0xff31a918
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0xff410330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !
Use "Recovery Console" command "fixmbr" to clear infection !
user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 03/25/2010 at 20:15:21.62

Full Name Remote Desktop Help Assistant Account
Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
xyonist
Regular Member
 
Posts: 28
Joined: October 27th, 2009, 8:23 am

Re: Computer freezes with every click...

Unread postby xyonist » March 25th, 2010, 8:57 pm

Let me just say that my computer is much, much better since running the HelpAsst program. Thanks for all your help so far!
xyonist
Regular Member
 
Posts: 28
Joined: October 27th, 2009, 8:23 am

Re: Computer freezes with every click...

Unread postby gringo_pr » March 25th, 2010, 11:07 pm

Hello

The HelpAssistant is a nasty rootkit that is hard to detect. I am glad we were able to find it and remove it.

I would like to do 2 more scans to make sure all is clean before I send you on your way.

: Malwarebytes' Anti-Malware :

    I would like you to rerun MBAM

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


:Kaspersky scan:

    Please go to Kaspersky website and perform an online antivirus scan.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.


"information and logs"

    In your next post I need the following

    1. Log From MBAM
    2. Log From Kaspersky
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo
gringo_pr
Site Moderator
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico