Slowdown and Firefox crashes plus Mass Infection

Post by Scico » February 7th, 2011, 9:40 pm

Hello, new guy here, okay I am gonna make this short. My primary browser is Firefox. It starts off with a tab opening to some random crap (DL a registry cleaner, pay $2 for something, etc.). Minutes later the modem traffic and CPU usage skyrocket. When this happens I'm not running any P2P software nor am I streaming anything. Afterwards I am inundated with 650 infected files (at least, that is what Malwarebytes tells me). Though that is just a guess. I disconnect the modem every time the internet traffic and CPU usage shoot up, after the first time. I then experience slowdown and Firefox promptly crashes. I have run Malwarebytes; it solves my problem with the aforementioned infected files, but not with the source. Also, could you tell me what on the list to have HijackThis ignore?

I am sorry, this is as short as I can describe the symptoms. Thank you for your time.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:29:31 PM, on 2/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www2.windstream.net/newuser/benefits/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBitT.dll
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: LimeWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\tbBitT.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TypingSatellite] "C:\Program Files\Cosmi\Perfect Typing Pro English\KBOOST.EXE"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [236421] C:\DOCUME~1\Cole\LOCALS~1\Temp\236421.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://care.alltel.com
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WI ... _2-0-0.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus/Mo ... x/stub.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9795 bytes

Uninstall list:
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.5
Age of Mythology
Ask Toolbar
Battle Realms
BitTorrentBar Toolbar
Cataclysm
CCleaner
Civ3 Conquests v1.22 Full
Civilization III
Civilization III v1.29f
Civilization III: Conquests
ClamWin Free Antivirus 0.96.5.0
Command & Conquer The First Decade
Conduit Engine
Critical Update for Windows Media Player 11 (KB959772)
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
Dawn of War - Soulstorm Demo
Dawn Of War DEMO
Diablo II
DISCover
DivX
Easy Internet Sign-up
Empire Earth
Enhanced Multimedia Keyboard Solution
Fallout Collection
ffdshow [rev 1953] [2008-05-04]
Galactic Civilizations II
GameSpy Arcade
GemMaster Mystic
Ground Control
High Definition Audio Driver Package - KB888111
HiJackThis
Homeworld
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP DigitalMedia Archive
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP OrderReminder
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP Update
HP Web Helper
Imperium Galactica 2
InterActual Player
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 11
Katawa Shoujo Act 1
LaserJet 1018
LimeWire 5.5.16
Lords of Magic Special Edition
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003 60 days trial
Microsoft Rise Of Nations
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobMap 2.12
Mozilla Firefox (3.6.13)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
MSXML4 Parser
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
My HP Games
MySQL Connector/ODBC 3.51
Netscape Browser (remove only)
NetZero Internet and Voice Offer
NVIDIA Drivers
OpenOffice.org 2.2
Passport to 35 Languages
PC-Doctor 5 for Windows
Perfect Typing Pro English
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
RealPlayer
Realtek High Definition Audio Driver
Remove WeatherBug Installer
Rhapsody
Search Toolbar
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sins of a Solar Empire
Sins of a Solar Empire
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
StarCraft
StarCraft II
System Tool2011
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Updates from HP (remove only)
VideoLAN VLC media player 0.8.6a
WildTangent Web Driver
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Windstream Broadband Check-up Center
WinRAR 4.00 beta 2 (32-bit)
World of Warcraft
Yahoo! Install Manager
Yahoo! Toolbar
Yontoo Layers Client 1.10.01
Zeus & Poseidon
Scico
Active Member
 
Posts: 12
Joined: February 7th, 2011, 8:24 pm
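
The HijackThis log above is the kind of artefact a helper triages by hand: autorun entries, browser helper objects, toolbars and trusted-zone additions. As an added example (not part of this thread, HijackThis or MalwareRemoval.com's tooling), the Python below runs a few defensive heuristics over lines in that log format: a Run-key autorun that launches from a Temp directory or has a purely numeric name (as `236421.exe` does above), one CLSID registered under two different display names (the Ask toolbar DLL above is listed as both "Ask Toolbar BHO" and "LimeWire Toolbar"), and a wildcard host in the IE Trusted Zone. The sample lines are constructed from entries in the posted log plus one clean Adobe BHO line for contrast; the heuristics are the example's own, not a verdict on any entry.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in HijackThis v2 log format, modelled on the
# log posted in this thread, plus one clean Adobe BHO line for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: LimeWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [236421] C:\DOCUME~1\Cole\LOCALS~1\Temp\236421.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - HKCU\..\Run: [name] command line" (Run-key autoruns only)
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<zone>\S+)')
TEMP_DIR_RE = re.compile(r'\\(?:temp|tmp)\\', re.IGNORECASE)


def executable_from_command(cmd):
    """Pull the executable path out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage(log_text):
    """Return a list of (subject, reason) findings that deserve a human look."""
    findings = []
    names_by_clsid = defaultdict(set)   # CLSID -> display names it appears under
    for line in log_text.strip().splitlines():
        run = O4_RUN_RE.match(line)
        if run:
            exe = executable_from_command(run.group('cmd'))
            stem = exe.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
            reasons = []
            if TEMP_DIR_RE.search(exe):
                reasons.append('autorun launches from a Temp directory')
            if stem.isdigit():
                reasons.append('autorun name is purely numeric')
            if reasons:
                findings.append((line, '; '.join(reasons)))
            continue
        if line.startswith(('O2 - BHO: ', 'O3 - Toolbar: ')):
            clsid = CLSID_RE.search(line)
            if clsid:
                # "O2 - BHO: <display name> - {CLSID} - <dll path>"
                display_name = line.split(': ', 1)[1].split(' - {', 1)[0]
                names_by_clsid[clsid.group(0).upper()].add(display_name)
            continue
        zone = O15_RE.match(line)
        if zone and '*' in zone.group('zone'):
            findings.append((line, 'wildcard host in the IE Trusted Zone'))
    # The same COM object surfacing under different names is worth a question.
    for clsid, names in sorted(names_by_clsid.items()):
        if len(names) > 1:
            findings.append((clsid, 'one CLSID registered under several names: ' + ', '.join(sorted(names))))
    return findings


if __name__ == '__main__':
    for subject, reason in triage(SAMPLE_LOG):
        print(f'{reason}\n    {subject}')
```

Paste a whole log into `triage()` and it returns the entries to ask about first; everything it does not flag still needs the usual review against the uninstall list and the running-process section.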

Re: Slowdown and Firefox crashes plus Mass Infection

Post by melboy » February 10th, 2011, 1:54 pm

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  5. Please DO NOT run any other tools or scans whilst I am helping you.
  6. It is important that you reply to this thread. Do not start a new topic.
  7. DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Absence of symptoms does not mean that everything is clear.


NOTE: Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


==================================


With reference to Malware Removal's P2P Programs Policy, please uninstall the following programs before we continue:

  • Click on Start > Control Panel and double click on Add/Remove Programs.
  • Locate LimeWire 5.5.16 and click on the Change/Remove button to uninstall it.
  • Repeat for BitTorrentBar Toolbar & if BitTorrent is installed, please remove it.
  • Close Add/Remove Programs and Control Panel when done.

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
We see no purpose in cleaning your machine if you use P2P programmes, as it is pretty much certain that if you continue to use them then you will get infected again.



DDS

Please download DDS from one of the links below and save it to your desktop:

Link1
Link2
Link3

Temporarily disable any real-time active protection and then double click dds.scr to run the tool. A command window will appear; this is normal.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please copy & paste the contents of:
  • DDS.txt
  • Attach.txt
And post them in your next reply.



CKScanner
Download CKScanner from here
  • Important - Save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.




In your next reply:
  1. DDS.txt
  2. Attach.txt
  3. CKFiles.txt
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Slowdown and Firefox crashes plus Mass Infection

Post by Scico » February 11th, 2011, 8:42 pm

Bad news! The reason for no log files in this reply is because of my being an idiot. I'm on a friend's PC.

Last night I ran the DDS and CKScanner and saved their respective files. I shut down my PC for the night. That turned out to be a mistake. My computer will just begin to start up, then I get this.

\WINDOWS\SYSTEM32\CONFIG\SYSTEM is corrupted or missing. The only thing I can think of that caused this is that the rootkit DDS found in the MBR was booby-trapped.

I'm gonna need some time. The reason is that I have to call HP and ask for a copy of the setup/recovery disc/s.

Thank you for your time. Sorry for the inconvenience. I'm not sure I spelled that last word correctly or not.
Scico
Active Member
 
Posts: 12
Joined: February 7th, 2011, 8:24 pm

Re: Slowdown and Firefox crashes plus Mass Infection

Post by melboy » February 12th, 2011, 3:55 am

Hi

Do you get a blue screen error message? Please post the exact error message & stop code.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Slowdown and Firefox crashes plus Mass Infection

Post by Scico » February 13th, 2011, 9:12 pm

No BSOD (blue screen of death). My PC is a Hewlett-Packard.

I press the power button, then a screen with the HP logo pops up; that's normal. A few seconds after that, I get a black screen with this:
-------
Windows could not start because the following file is missing or corrupt:
\WINDOWS\SYSTEM32\CONFIG\SYSTEM

You can attempt to repair this file by starting Windows Setup using the original Setup CD-ROM.
Select 'r' at the first screen to start repair.
----
No stop code. That is everything that shows up.

Problem is, I have no clue as to where that disc is or if it's still in the house. I am going to continue to look for the Setup disc, but I will call HP to ask for a replacement.

Any advice will be appreciated. Thank you for your time.
Scico
Active Member
 
Posts: 12
Joined: February 7th, 2011, 8:24 pm

Re: Slowdown and Firefox crashes plus Mass Infection

Post by melboy » February 14th, 2011, 9:00 pm

We can try to repair the computer using a Linux-based operating system. If you have any questions - Please ask.

You will need another computer, a USB drive & a CD.

Download GETxPUD.exe to the desktop of a clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.

Also using the clean computer, download rst.sh to a USB drive.

Then, on the unbootable computer:

  • The unbootable computer must be set to boot from the CD.
  • Insert the USB drive and CD into the non-bootable computer and boot the computer from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Expand sdb1 (your USB)
  • Confirm that you see rst.sh
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh & Press Enter and let it run uninterrupted.
    • Please also note - all text entries (bash rst.sh) are case sensitive
  • After it has finished it will say "Done"
  • Type Exit to close the terminal window and a report will be located at sdb1 (Your USB) named enum.log
  • Plug that USB back into the clean computer and open it.
  • Copy and paste the contents of enum.log into your next reply.


Please note: If you have an ethernet connection you can access the internet using your unbootable computer by way of xPUD & Firefox. You can use Firefox to access this thread and download rst.sh. When you download rst.sh, the download will reside in the Download folder, which can be found under the File tab also. enum.log will be created in the same folder. Still using Firefox, you can then access this thread and post the log that way.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
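
The enum.log that rst.sh writes is an ls -lh style listing: size, month, day, then either a time (for recently modified files) or a year (for old ones), then the path of each registry hive found on the mounted Windows partition and of each copy System Restore kept under an RP#### folder. The listing Scico posts later in the thread shows that shape. As an added example (not part of this thread and not rst.sh itself), the Python below parses such a listing, recovers the year of the time-only entries from the date the listing was taken, and summarises per hive which copies exist and when each was made, so a helper can see the restore-point history at a glance. The sample lines are constructed: the SOFTWARE entries mirror the posted log, the ~SYSTEM restore-point entries are made up for the example, and LISTING_DATE is set to the date of the post where the listing appears.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample in the format enum.log uses. The SOFTWARE lines mirror the
# listing posted in this thread; the ~SYSTEM restore-point lines are made up.
SAMPLE_ENUM_LOG = """
31.3M Feb 11 19:29 /mnt/sda1/WINDOWS/system32/config/software
768.0K May 19 2004 /mnt/sda2/i386/system32/config/software
8.0M Feb 11 19:29 /mnt/sda1/WINDOWS/system32/config/system
31.2M Dec 18 09:23 /sda1/~/RP1363/~SOFTWARE
31.2M Feb 11 01:28 /sda1/~/RP1415/~SOFTWARE
7.9M Feb 11 01:28 /sda1/~/RP1415/~SYSTEM
7.9M Nov 14 08:10 /sda1/~/RP1331/~SYSTEM
"""
LISTING_DATE = date(2011, 2, 15)   # date of the post carrying the listing

MONTHS = {name: i for i, name in enumerate(
    'Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec'.split(), start=1)}
SIZE_UNITS = {'K': 1024, 'M': 1024 ** 2, 'G': 1024 ** 3}
LINE_RE = re.compile(
    r'^(?P<size>\d+(?:\.\d+)?[KMG]?)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+'
    r'(?P<when>\d{2}:\d{2}|\d{4})\s+(?P<path>/\S+)$')


@dataclass
class HiveCopy:
    size: int
    modified: date
    path: str
    hive: str                     # SYSTEM, SOFTWARE, ...
    restore_point: Optional[int]  # RP number, or None for a hive file itself


def parse_size(text):
    """'8.0M' -> 8388608; a bare number is bytes."""
    if text[-1] in SIZE_UNITS:
        return int(float(text[:-1]) * SIZE_UNITS[text[-1]])
    return int(float(text))


def infer_date(mon, day, when, listing_date):
    """ls prints a year for old files and only a time for recent ones; for the
    latter, take the year from the listing date, stepping back one year when
    the month/day lies after it (e.g. "Dec 18" seen in a February listing)."""
    month, day = MONTHS[mon], int(day)
    if ':' not in when:
        return date(int(when), month, day)
    year = listing_date.year
    if (month, day) > (listing_date.month, listing_date.day):
        year -= 1
    return date(year, month, day)


def parse_enum_log(text, listing_date):
    copies = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip anything that is not a listing line
        path = m.group('path')
        rp = re.search(r'/RP(\d+)/', path)
        copies.append(HiveCopy(
            size=parse_size(m.group('size')),
            modified=infer_date(m.group('mon'), m.group('day'), m.group('when'), listing_date),
            path=path,
            hive=path.rsplit('/', 1)[-1].lstrip('~').upper(),
            restore_point=int(rp.group(1)) if rp else None))
    return copies


def summarise(copies):
    """Group by hive: the hive files found on disk, and restore-point snapshots newest first."""
    summary = {}
    for c in copies:
        entry = summary.setdefault(c.hive, {'hive_files': [], 'restore_points': []})
        entry['restore_points' if c.restore_point is not None else 'hive_files'].append(c)
    for entry in summary.values():
        entry['restore_points'].sort(key=lambda c: (c.modified, c.restore_point), reverse=True)
    return summary


def newest_restore_copy(copies, hive):
    """Most recent restore-point snapshot of a hive, or None if there is none."""
    snaps = summarise(copies).get(hive, {}).get('restore_points', [])
    return snaps[0] if snaps else None


if __name__ == '__main__':
    for hive, entry in summarise(parse_enum_log(SAMPLE_ENUM_LOG, LISTING_DATE)).items():
        print(hive)
        for c in entry['hive_files']:
            print(f'  on disk   {c.size:>10} {c.modified} {c.path}')
        for c in entry['restore_points']:
            print(f'  RP{c.restore_point:<6} {c.size:>10} {c.modified} {c.path}')
```

Which snapshot, if any, to work from remains the helper's call; the parser only makes the candidates and their dates legible, and it deliberately reads the year from the listing date rather than guessing, since a log taken months later would otherwise mis-date every time-only entry.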

Re: Slowdown and Firefox crashes plus Mass Infection

Post by Scico » February 15th, 2011, 4:25 pm

Ok, here is the enum log file.

31.3M Feb 11 19:29 /mnt/sda1/WINDOWS/system32/config/software
768.0K May 19 2004 /mnt/sda2/i386/system32/config/software
768.0K Oct 30 17:34 /mnt/sda2/MiniNT/system32/config/software
8.0M Feb 11 19:29 /mnt/sda1/WINDOWS/system32/config/system

31.2M Dec 18 09:23 /sda1/~/RP1363/~SOFTWARE
31.2M Dec 19 10:04 /sda1/~/RP1364/~SOFTWARE
31.2M Dec 20 21:32 /sda1/~/RP1365/~SOFTWARE
31.2M Dec 21 21:47 /sda1/~/RP1366/~SOFTWARE
31.2M Dec 22 21:50 /sda1/~/RP1367/~SOFTWARE
31.2M Dec 23 22:05 /sda1/~/RP1368/~SOFTWARE
31.2M Dec 24 22:10 /sda1/~/RP1369/~SOFTWARE
31.2M Dec 25 22:52 /sda1/~/RP1370/~SOFTWARE
31.2M Dec 27 00:20 /sda1/~/RP1371/~SOFTWARE
31.2M Dec 28 01:18 /sda1/~/RP1372/~SOFTWARE
31.2M Dec 29 01:46 /sda1/~/RP1373/~SOFTWARE
31.2M Dec 30 03:00 /sda1/~/RP1374/~SOFTWARE
31.2M Dec 31 03:06 /sda1/~/RP1375/~SOFTWARE
31.2M Jan 1 04:02 /sda1/~/RP1376/~SOFTWARE
31.2M Jan 1 08:00 /sda1/~/RP1377/~SOFTWARE
31.2M Jan 2 10:23 /sda1/~/RP1378/~SOFTWARE
31.2M Jan 3 22:08 /sda1/~/RP1379/~SOFTWARE
31.2M Jan 4 22:35 /sda1/~/RP1380/~SOFTWARE
31.2M Jan 5 08:00 /sda1/~/RP1381/~SOFTWARE
31.2M Jan 6 12:03 /sda1/~/RP1382/~SOFTWARE
31.2M Jan 8 20:53 /sda1/~/RP1384/~SOFTWARE
31.2M Jan 9 22:06 /sda1/~/RP1385/~SOFTWARE
31.2M Jan 10 22:34 /sda1/~/RP1386/~SOFTWARE
31.2M Jan 11 22:50 /sda1/~/RP1387/~SOFTWARE
31.2M Jan 12 08:00 /sda1/~/RP1388/~SOFTWARE
31.2M Jan 13 21:22 /sda1/~/RP1389/~SOFTWARE
31.2M Jan 14 21:37 /sda1/~/RP1390/~SOFTWARE
31.2M Jan 15 21:42 /sda1/~/RP1391/~SOFTWARE
31.2M Jan 16 22:31 /sda1/~/RP1392/~SOFTWARE
31.2M Jan 18 00:17 /sda1/~/RP1393/~SOFTWARE
31.2M Jan 19 03:25 /sda1/~/RP1394/~SOFTWARE
31.2M Jan 20 03:29 /sda1/~/RP1395/~SOFTWARE
31.2M Jan 21 03:51 /sda1/~/RP1396/~SOFTWARE
31.2M Jan 22 06:52 /sda1/~/RP1397/~SOFTWARE
31.2M Jan 23 07:48 /sda1/~/RP1398/~SOFTWARE
31.2M Jan 24 10:55 /sda1/~/RP1399/~SOFTWARE
31.2M Jan 25 22:02 /sda1/~/RP1400/~SOFTWARE
31.2M Jan 27 01:53 /sda1/~/RP1401/~SOFTWARE
31.2M Jan 28 03:12 /sda1/~/RP1402/~SOFTWARE
31.2M Jan 29 03:37 /sda1/~/RP1403/~SOFTWARE
31.2M Jan 30 03:43 /sda1/~/RP1404/~SOFTWARE
31.2M Jan 31 06:07 /sda1/~/RP1405/~SOFTWARE
31.2M Feb 1 06:42 /sda1/~/RP1406/~SOFTWARE
31.2M Feb 2 20:39 /sda1/~/RP1407/~SOFTWARE
31.2M Feb 4 07:29 /sda1/~/RP1408/~SOFTWARE
31.2M Feb 5 08:15 /sda1/~/RP1409/~SOFTWARE
31.2M Feb 6 21:25 /sda1/~/RP1410/~SOFTWARE
31.2M Feb 7 09:03 /sda1/~/RP1411/~SOFTWARE
31.2M Feb 8 10:23 /sda1/~/RP1412/~SOFTWARE
31.2M Feb 9 21:51 /sda1/~/RP1413/~SOFTWARE
31.2M Feb 10 22:15 /sda1/~/RP1414/~SOFTWARE
31.2M Feb 11 01:28 /sda1/~/RP1415/~SOFTWARE
31.2M Nov 14 08:10 /sda1/~/RP1331/~SOFTWARE
31.2M Nov 15 10:33 /sda1/~/RP1332/~SOFTWARE
31.2M Nov 16 11:03 /sda1/~/RP1333/~SOFTWARE
31.2M Nov 17 22:02 /sda1/~/RP1334/~SOFTWARE
31.2M Nov 18 22:17 /sda1/~/RP1335/~SOFTWARE
31.2M Nov 20 03:12 /sda1/~/RP1336/~SOFTWARE
31.2M Nov 21 03:54 /sda1/~/RP1337/~SOFTWARE
31.2M Nov 22 04:08 /sda1/~/RP1338/~SOFTWARE
31.2M Nov 23 04:32 /sda1/~/RP1339/~SOFTWARE
31.2M Nov 24 05:11 /sda1/~/RP1340/~SOFTWARE
31.2M Nov 26 05:36 /sda1/~/RP1342/~SOFTWARE
31.2M Nov 27 07:24 /sda1/~/RP1343/~SOFTWARE
31.2M Nov 28 21:19 /sda1/~/RP1344/~SOFTWARE
31.2M Nov 29 21:40 /sda1/~/RP1345/~SOFTWARE
31.2M Nov 30 21:48 /sda1/~/RP1346/~SOFTWARE
31.2M Dec 1 21:55 /sda1/~/RP1347/~SOFTWARE
31.2M Dec 2 22:21 /sda1/~/RP1348/~SOFTWARE
31.2M Dec 4 02:56 /sda1/~/RP1349/~SOFTWARE
31.2M Dec 5 03:06 /sda1/~/RP1350/~SOFTWARE
31.2M Dec 6 03:58 /sda1/~/RP1351/~SOFTWARE
31.2M Dec 7 04:06 /sda1/~/RP1352/~SOFTWARE
31.2M Dec 8 05:41 /sda1/~/RP1353/~SOFTWARE
31.2M Dec 9 06:29 /sda1/~/RP1354/~SOFTWARE
31.2M Dec 10 07:25 /sda1/~/RP1355/~SOFTWARE
31.2M Dec 11 08:08 /sda1/~/RP1356/~SOFTWARE
31.2M Dec 12 08:38 /sda1/~/RP1357/~SOFTWARE
31.2M Dec 13 08:50 /sda1/~/RP1358/~SOFTWARE
31.2M Dec 14 10:33 /sda1/~/RP1359/~SOFTWARE
31.2M Dec 15 21:52 /sda1/~/RP1360/~SOFTWARE
31.2M Dec 16 08:00 /sda1/~/RP1361/~SOFTWARE
31.2M Nov 25 05:24 /sda1/~/RP1341/~SOFTWARE
31.2M Dec 17 08:26 /sda1/~/RP1362/~SOFTWARE
31.2M Jan 7 12:23 /sda1/~/RP1383/~SOFTWARE
7.8M Dec 18 09:23 /sda1/~/RP1363/~SYSTEM
7.8M Dec 19 10:04 /sda1/~/RP1364/~SYSTEM
7.8M Dec 20 21:32 /sda1/~/RP1365/~SYSTEM
7.8M Dec 21 21:47 /sda1/~/RP1366/~SYSTEM
7.8M Dec 22 21:50 /sda1/~/RP1367/~SYSTEM
7.8M Dec 23 22:05 /sda1/~/RP1368/~SYSTEM
7.8M Dec 24 22:10 /sda1/~/RP1369/~SYSTEM
7.8M Dec 25 22:52 /sda1/~/RP1370/~SYSTEM
7.8M Dec 27 00:20 /sda1/~/RP1371/~SYSTEM
7.8M Dec 28 01:18 /sda1/~/RP1372/~SYSTEM
7.8M Dec 29 01:46 /sda1/~/RP1373/~SYSTEM
7.8M Dec 30 03:00 /sda1/~/RP1374/~SYSTEM
7.8M Dec 31 03:06 /sda1/~/RP1375/~SYSTEM
7.8M Jan 1 04:02 /sda1/~/RP1376/~SYSTEM
7.8M Jan 1 08:00 /sda1/~/RP1377/~SYSTEM
7.8M Jan 2 10:23 /sda1/~/RP1378/~SYSTEM
7.8M Jan 3 22:08 /sda1/~/RP1379/~SYSTEM
7.8M Jan 4 22:35 /sda1/~/RP1380/~SYSTEM
7.8M Jan 5 08:00 /sda1/~/RP1381/~SYSTEM
7.8M Jan 6 12:03 /sda1/~/RP1382/~SYSTEM
7.8M Jan 8 20:53 /sda1/~/RP1384/~SYSTEM
7.8M Jan 9 22:06 /sda1/~/RP1385/~SYSTEM
7.8M Jan 10 22:34 /sda1/~/RP1386/~SYSTEM
7.8M Jan 11 22:50 /sda1/~/RP1387/~SYSTEM
7.8M Jan 12 08:00 /sda1/~/RP1388/~SYSTEM
7.8M Jan 13 21:22 /sda1/~/RP1389/~SYSTEM
7.8M Jan 14 21:37 /sda1/~/RP1390/~SYSTEM
7.8M Jan 15 21:42 /sda1/~/RP1391/~SYSTEM
7.8M Jan 16 22:31 /sda1/~/RP1392/~SYSTEM
7.8M Jan 18 00:17 /sda1/~/RP1393/~SYSTEM
7.8M Jan 19 03:25 /sda1/~/RP1394/~SYSTEM
7.8M Jan 20 03:29 /sda1/~/RP1395/~SYSTEM
7.8M Jan 21 03:51 /sda1/~/RP1396/~SYSTEM
7.8M Jan 22 06:52 /sda1/~/RP1397/~SYSTEM
7.8M Jan 23 07:48 /sda1/~/RP1398/~SYSTEM
7.8M Jan 24 10:55 /sda1/~/RP1399/~SYSTEM
7.8M Jan 25 22:02 /sda1/~/RP1400/~SYSTEM
7.8M Jan 27 01:53 /sda1/~/RP1401/~SYSTEM
7.8M Jan 28 03:12 /sda1/~/RP1402/~SYSTEM
7.8M Jan 29 03:37 /sda1/~/RP1403/~SYSTEM
7.8M Jan 30 03:43 /sda1/~/RP1404/~SYSTEM
7.8M Jan 31 06:07 /sda1/~/RP1405/~SYSTEM
7.8M Feb 1 06:42 /sda1/~/RP1406/~SYSTEM
7.8M Feb 2 20:39 /sda1/~/RP1407/~SYSTEM
7.8M Feb 4 07:29 /sda1/~/RP1408/~SYSTEM
7.8M Feb 5 08:15 /sda1/~/RP1409/~SYSTEM
7.8M Feb 6 21:25 /sda1/~/RP1410/~SYSTEM
7.8M Feb 7 09:03 /sda1/~/RP1411/~SYSTEM
7.8M Feb 8 10:23 /sda1/~/RP1412/~SYSTEM
7.8M Feb 9 21:51 /sda1/~/RP1413/~SYSTEM
7.8M Feb 10 22:15 /sda1/~/RP1414/~SYSTEM
7.8M Feb 11 01:28 /sda1/~/RP1415/~SYSTEM
7.8M Nov 14 08:10 /sda1/~/RP1331/~SYSTEM
7.8M Nov 15 10:33 /sda1/~/RP1332/~SYSTEM
7.8M Nov 16 11:03 /sda1/~/RP1333/~SYSTEM
7.8M Nov 17 22:02 /sda1/~/RP1334/~SYSTEM
7.8M Nov 18 22:17 /sda1/~/RP1335/~SYSTEM
7.8M Nov 20 03:12 /sda1/~/RP1336/~SYSTEM
7.8M Nov 21 03:54 /sda1/~/RP1337/~SYSTEM
7.8M Nov 22 04:08 /sda1/~/RP1338/~SYSTEM
7.8M Nov 23 04:32 /sda1/~/RP1339/~SYSTEM
7.8M Nov 24 05:11 /sda1/~/RP1340/~SYSTEM
7.8M Nov 26 05:36 /sda1/~/RP1342/~SYSTEM
7.8M Nov 27 07:24 /sda1/~/RP1343/~SYSTEM
7.8M Nov 28 21:19 /sda1/~/RP1344/~SYSTEM
7.8M Nov 29 21:40 /sda1/~/RP1345/~SYSTEM
7.8M Nov 30 21:48 /sda1/~/RP1346/~SYSTEM
7.8M Dec 1 21:55 /sda1/~/RP1347/~SYSTEM
7.8M Dec 2 22:21 /sda1/~/RP1348/~SYSTEM
7.8M Dec 4 02:56 /sda1/~/RP1349/~SYSTEM
7.8M Dec 5 03:06 /sda1/~/RP1350/~SYSTEM
7.8M Dec 6 03:58 /sda1/~/RP1351/~SYSTEM
7.8M Dec 7 04:06 /sda1/~/RP1352/~SYSTEM
7.8M Dec 8 05:41 /sda1/~/RP1353/~SYSTEM
7.8M Dec 9 06:29 /sda1/~/RP1354/~SYSTEM
7.8M Dec 10 07:25 /sda1/~/RP1355/~SYSTEM
7.8M Dec 11 08:08 /sda1/~/RP1356/~SYSTEM
7.8M Dec 12 08:38 /sda1/~/RP1357/~SYSTEM
7.8M Dec 13 08:50 /sda1/~/RP1358/~SYSTEM
7.8M Dec 14 10:33 /sda1/~/RP1359/~SYSTEM
7.8M Dec 15 21:52 /sda1/~/RP1360/~SYSTEM
7.8M Dec 16 08:00 /sda1/~/RP1361/~SYSTEM
7.8M Nov 25 05:24 /sda1/~/RP1341/~SYSTEM
7.8M Dec 17 08:26 /sda1/~/RP1362/~SYSTEM
7.8M Jan 7 12:23 /sda1/~/RP1383/~SYSTEM
Scico
Active Member
Posts: 12
Joined: February 7th, 2011, 8:24 pm

Re: Slowdown and Firefox crashes plus Mass Infection

Unread postby melboy » February 15th, 2011, 4:55 pm

Hi

Good.

  • Insert the USB drive and CD in the unbootable computer and boot the computer from the CD again
  • Press File
  • Expand mnt
  • Expand sdb1 (your USB)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r (note there is a space between the h and the -r)
    • Please note - all text entries are case sensitive
  • Press Enter
  • At the next prompt, type 1414
  • Press Enter
  • After it has finished a report will be located at sdb1 (your USB) named restore.log
  • Restart the computer & try to boot into normal Windows now. Indicate if you were successful.

Copy and paste the restore.log from your USB drive here for my review.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
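As an added example, not code from this thread and not rst.sh (whose internals are not shown here), the following Python script parses the enum.log format posted above and picks the newest restore point whose SOFTWARE and SYSTEM hive backups both exist, predate a suspected-infection cutoff, and are close in size to the live hives, reporting why newer points were skipped. The listing date, the cutoff, the 25% size tolerance and the sample lines are assumptions (the sample is a constructed subset in the posted format), and timestamps are compared exactly as the listing prints them.

```python
import re
from datetime import datetime

# Constructed sample in the enum.log format posted in this thread (a subset of the
# listing, embedded so the example runs offline).
SAMPLE_ENUM_LOG = """\
31.3M Feb 11 19:29 /mnt/sda1/WINDOWS/system32/config/software
768.0K May 19 2004 /mnt/sda2/i386/system32/config/software
8.0M Feb 11 19:29 /mnt/sda1/WINDOWS/system32/config/system
31.2M Nov 14 08:10 /sda1/~/RP1331/~SOFTWARE
31.2M Feb 9 21:51 /sda1/~/RP1413/~SOFTWARE
31.2M Feb 10 22:15 /sda1/~/RP1414/~SOFTWARE
31.2M Feb 11 01:28 /sda1/~/RP1415/~SOFTWARE
7.8M Nov 14 08:10 /sda1/~/RP1331/~SYSTEM
7.8M Feb 9 21:51 /sda1/~/RP1413/~SYSTEM
7.8M Feb 10 22:15 /sda1/~/RP1414/~SYSTEM
7.8M Feb 11 01:28 /sda1/~/RP1415/~SYSTEM
"""

# "<size><unit> <Mon> <day> <HH:MM or year> <path>", the shape ls -lh prints.
LINE_RE = re.compile(
    r"^(?P<size>[\d.]+)(?P<unit>[KMG])\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<when>\d{2}:\d{2}|\d{4})\s+(?P<path>\S+)$"
)
RP_RE = re.compile(r"/RP(\d+)/~(SOFTWARE|SYSTEM)$")
LIVE_RE = re.compile(r"/windows/system32/config/(software|system)$", re.IGNORECASE)
UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
HIVES = ("SOFTWARE", "SYSTEM")


def parse_stamp(mon, day, when, reference):
    """Rebuild a datetime from ls's abbreviated stamp. Recent files show HH:MM and no
    year, so the year is inferred from `reference` (the date the listing was taken):
    a month/day later than the reference must belong to the previous year."""
    month = datetime.strptime(mon, "%b").month
    if ":" not in when:  # older than about six months: ls prints the year, not the time
        return datetime(int(when), month, int(day))
    hour, minute = (int(part) for part in when.split(":"))
    year = reference.year
    if (month, int(day)) > (reference.month, reference.day):
        year -= 1  # e.g. "Nov 14" in a February listing is last November
    return datetime(year, month, int(day), hour, minute)


def parse_enum_log(text, reference):
    """Return (live, points): live maps hive name -> (bytes, stamp) for the running
    Windows hives; points maps RP number -> {hive: (bytes, stamp)} for the backups."""
    live, points = {}, {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or an unexpected shape: skip rather than guess
        size = int(float(m["size"]) * UNITS[m["unit"]])
        stamp = parse_stamp(m["mon"], m["day"], m["when"], reference)
        rp = RP_RE.search(m["path"])
        if rp:
            points.setdefault(int(rp.group(1)), {})[rp.group(2)] = (size, stamp)
        else:
            hit = LIVE_RE.search(m["path"])  # i386 / MiniNT copies match neither pattern
            if hit:
                live[hit.group(1).upper()] = (size, stamp)
    return live, points


def problems_with(rp_hives, live, cutoff, tolerance):
    """Reasons a restore point should not be used; an empty list means it qualifies."""
    problems = []
    for hive in HIVES:
        if hive not in rp_hives:
            problems.append(f"no {hive} backup")
            continue
        size, stamp = rp_hives[hive]
        if stamp >= cutoff:
            problems.append(f"{hive} backup at {stamp:%Y-%m-%d %H:%M} is not before the cutoff")
        live_size = live.get(hive, (0, None))[0]
        if live_size and abs(size - live_size) > tolerance * live_size:
            # A backup far off the live hive's size is suspect (truncated or from a very
            # different configuration); do not overwrite the live hive with it.
            problems.append(f"{hive} backup is {size} bytes, live hive is {live_size}")
    return problems


def choose_restore_point(live, points, cutoff, tolerance=0.25):
    """Newest restore point that passes every check. Returns (rp_number or None,
    {rejected rp: [reasons]}) so the operator can see why newer points were skipped."""
    newest_first = sorted(points, reverse=True,
                          key=lambda rp: max(stamp for _, stamp in points[rp].values()))
    rejected = {}
    for rp in newest_first:
        problems = problems_with(points[rp], live, cutoff, tolerance)
        if not problems:
            return rp, rejected
        rejected[rp] = problems
    return None, rejected


if __name__ == "__main__":
    live, points = parse_enum_log(SAMPLE_ENUM_LOG, datetime(2011, 2, 15))  # assumed listing date
    print(choose_restore_point(live, points, datetime(2011, 2, 11)))  # assumed cutoff
```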

Re: Slowdown and Firefox crashes plus Mass Infection

Unread postby Scico » February 15th, 2011, 9:49 pm

Success! I shall post the DDS and CKScanner logs after this post, shortly.

SOFTWARE hive restored from RP1414
SYSTEM hive restored from RP1414
SECURITY hive restored from RP1414
SAM hive restored from RP1414
Scico
Active Member
Posts: 12
Joined: February 7th, 2011, 8:24 pm

Re: Slowdown and Firefox crashes plus Mass Infection

Unread postby Scico » February 15th, 2011, 10:00 pm

Now we can move on to the real problem. Thank you very much for all your help.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Cole at 4:02:06.20 on Fri 02/11/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.381 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Cole\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://www2.windstream.net/newuser/benefits/
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [TypingSatellite] "c:\program files\cosmi\perfect typing pro english\KBOOST.EXE"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [236421] c:\docume~1\cole\locals~1\temp\236421.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [Motive SmartBridge] c:\progra~1\alltel~1\smartb~1\MotiveSB.exe
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\cole\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.2\program\quickstart.exe
StartupFolder: c:\docume~1\cole\startm~1\programs\startup\pinmclnk.lnk - c:\hp\bin\cloaker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\windst~1.lnk - c:\program files\alltel dsl check-up center\bin\matcli.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: alltel.com\care
Trusted Zone: trymedia.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WI ... _2-0-0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Mo ... x/stub.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cole\applic~1\mozilla\firefox\profiles\ri2r6ytx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\cole\application data\mozilla\firefox\profiles\ri2r6ytx.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\cole\application data\mozilla\firefox\profiles\ri2r6ytx.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {0987417E-E3F3-479C-9D61-908567F2668E} - c:\documents and settings\cole\local settings\application data\{0987417E-E3F3-479C-9D61-908567F2668E}

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2011-02-10 07:59:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\jGdHbLe03100
2011-02-07 09:03:56 388096 ----a-r- c:\docume~1\cole\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-02-07 09:03:54 -------- d-----w- c:\program files\Trend Micro
2011-02-07 04:58:53 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-02-03 23:49:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\SpeedyPC
2011-02-03 03:09:09 0 ----a-w- c:\windows\Dzilaniler.bin
2011-02-03 03:09:08 -------- d-----w- c:\docume~1\cole\locals~1\applic~1\{0987417E-E3F3-479C-9D61-908567F2668E}
2011-02-03 03:08:44 -------- d-----w- c:\program files\Search Toolbar
2011-02-03 03:08:35 -------- d-----w- c:\program files\Yontoo Layers Client
2011-02-03 03:08:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2011-02-03 03:07:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\pGfHhJm15400

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2007-01-14 17:30:21 1410680 ----a-w- c:\program files\install_flash_player.exe
2007-01-12 16:35:02 6820512 ----a-w- c:\program files\FirefoxGoogleToolbarSetup.exe
2007-01-12 04:42:17 359112 ----a-w- c:\program files\LimeWireWin.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP2504C rev.VT100-49 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8628D7AF]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x862939b0]; MOV EAX, [0x86293a2c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86334AB8]
3 CLASSPNP[0xF75D0FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000068[0x86337E98]
5 ACPI[0xF7447620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86343940]
\Driver\atapi[0x8632DA70] -> IRP_MJ_CREATE -> 0x8628D7AF
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskSAMSUNG_SP2504C_________________________VT100-49#30535139314a4c54304237333539202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8628D5F5
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 4:04:21.62 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/18/2006 8:48:41 PM
System Uptime: 2/10/2011 2:37:00 PM (14 hours ago)

Motherboard: ASUSTek Computer INC. | | NODUSM3
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket AM2 | 2004/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 224 GiB total, 77.206 GiB free.
D: is FIXED (FAT32) - 9 GiB total, 0.602 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1330: 11/13/2010 3:00:16 AM - Software Distribution Service 3.0
RP1331: 11/14/2010 3:10:15 AM - System Checkpoint
RP1332: 11/15/2010 5:33:18 AM - System Checkpoint
RP1333: 11/16/2010 6:03:17 AM - System Checkpoint
RP1334: 11/17/2010 5:02:19 PM - System Checkpoint
RP1335: 11/18/2010 5:17:06 PM - System Checkpoint
RP1336: 11/19/2010 10:12:15 PM - System Checkpoint
RP1337: 11/20/2010 10:54:32 PM - System Checkpoint
RP1338: 11/21/2010 11:08:10 PM - System Checkpoint
RP1339: 11/22/2010 11:32:09 PM - System Checkpoint
RP1340: 11/24/2010 12:11:12 AM - System Checkpoint
RP1341: 11/25/2010 12:24:27 AM - System Checkpoint
RP1342: 11/26/2010 12:36:32 AM - System Checkpoint
RP1343: 11/27/2010 2:24:17 AM - System Checkpoint
RP1344: 11/28/2010 4:19:53 PM - System Checkpoint
RP1345: 11/29/2010 4:40:58 PM - System Checkpoint
RP1346: 11/30/2010 4:48:08 PM - System Checkpoint
RP1347: 12/1/2010 4:55:07 PM - System Checkpoint
RP1348: 12/2/2010 5:21:27 PM - System Checkpoint
RP1349: 12/3/2010 9:56:21 PM - System Checkpoint
RP1350: 12/4/2010 10:06:33 PM - System Checkpoint
RP1351: 12/5/2010 10:58:51 PM - System Checkpoint
RP1352: 12/6/2010 11:06:46 PM - System Checkpoint
RP1353: 12/8/2010 12:41:19 AM - System Checkpoint
RP1354: 12/9/2010 1:29:26 AM - System Checkpoint
RP1355: 12/10/2010 2:25:09 AM - System Checkpoint
RP1356: 12/11/2010 3:08:15 AM - System Checkpoint
RP1357: 12/12/2010 3:38:19 AM - System Checkpoint
RP1358: 12/13/2010 3:50:39 AM - System Checkpoint
RP1359: 12/14/2010 5:33:47 AM - System Checkpoint
RP1360: 12/15/2010 4:52:38 PM - System Checkpoint
RP1361: 12/16/2010 3:00:25 AM - Software Distribution Service 3.0
RP1362: 12/17/2010 3:26:14 AM - System Checkpoint
RP1363: 12/18/2010 4:23:14 AM - System Checkpoint
RP1364: 12/19/2010 5:04:17 AM - System Checkpoint
RP1365: 12/20/2010 4:32:48 PM - System Checkpoint
RP1366: 12/21/2010 4:47:02 PM - System Checkpoint
RP1367: 12/22/2010 4:50:32 PM - System Checkpoint
RP1368: 12/23/2010 5:05:32 PM - System Checkpoint
RP1369: 12/24/2010 5:10:17 PM - System Checkpoint
RP1370: 12/25/2010 5:52:48 PM - System Checkpoint
RP1371: 12/26/2010 7:20:40 PM - System Checkpoint
RP1372: 12/27/2010 8:18:17 PM - System Checkpoint
RP1373: 12/28/2010 8:46:53 PM - System Checkpoint
RP1374: 12/29/2010 10:00:36 PM - System Checkpoint
RP1375: 12/30/2010 10:06:53 PM - System Checkpoint
RP1376: 12/31/2010 11:02:30 PM - System Checkpoint
RP1377: 1/1/2011 3:00:25 AM - Software Distribution Service 3.0
RP1378: 1/2/2011 5:23:27 AM - System Checkpoint
RP1379: 1/3/2011 5:08:11 PM - System Checkpoint
RP1380: 1/4/2011 5:35:08 PM - System Checkpoint
RP1381: 1/5/2011 3:00:16 AM - Software Distribution Service 3.0
RP1382: 1/6/2011 7:03:25 AM - System Checkpoint
RP1383: 1/7/2011 7:23:33 AM - System Checkpoint
RP1384: 1/8/2011 3:53:59 PM - System Checkpoint
RP1385: 1/9/2011 5:06:01 PM - System Checkpoint
RP1386: 1/10/2011 5:34:18 PM - System Checkpoint
RP1387: 1/11/2011 5:50:35 PM - System Checkpoint
RP1388: 1/12/2011 3:00:15 AM - Software Distribution Service 3.0
RP1389: 1/13/2011 4:22:21 PM - System Checkpoint
RP1390: 1/14/2011 4:37:07 PM - System Checkpoint
RP1391: 1/15/2011 4:42:39 PM - System Checkpoint
RP1392: 1/16/2011 5:31:07 PM - System Checkpoint
RP1393: 1/17/2011 7:17:40 PM - System Checkpoint
RP1394: 1/18/2011 10:25:31 PM - System Checkpoint
RP1395: 1/19/2011 10:29:39 PM - System Checkpoint
RP1396: 1/20/2011 10:51:31 PM - System Checkpoint
RP1397: 1/22/2011 1:52:42 AM - System Checkpoint
RP1398: 1/23/2011 2:48:44 AM - System Checkpoint
RP1399: 1/24/2011 5:55:34 AM - System Checkpoint
RP1400: 1/25/2011 5:02:58 PM - System Checkpoint
RP1401: 1/26/2011 8:53:37 PM - System Checkpoint
RP1402: 1/27/2011 10:12:14 PM - System Checkpoint
RP1403: 1/28/2011 10:37:39 PM - System Checkpoint
RP1404: 1/29/2011 10:43:23 PM - System Checkpoint
RP1405: 1/31/2011 1:07:31 AM - System Checkpoint
RP1406: 2/1/2011 1:42:50 AM - System Checkpoint
RP1407: 2/2/2011 3:39:48 PM - System Checkpoint
RP1408: 2/4/2011 2:29:16 AM - System Checkpoint
RP1409: 2/5/2011 3:15:24 AM - System Checkpoint
RP1410: 2/6/2011 4:25:30 PM - System Checkpoint
RP1411: 2/7/2011 4:03:52 AM - Installed HiJackThis
RP1412: 2/8/2011 5:23:46 AM - System Checkpoint
RP1413: 2/9/2011 4:51:08 PM - System Checkpoint
RP1414: 2/10/2011 5:15:44 PM - System Checkpoint
RP1415: 2/10/2011 8:28:37 PM - Removed Ask Toolbar.

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.5
Age of Mythology
AutoUpdate
Battle Realms
BufferChm
Cataclysm
CCleaner
Civ3 Conquests v1.22 Full
Civilization III
Civilization III v1.29f
Civilization III: Conquests
ClamWin Free Antivirus 0.96.5.0
Command & Conquer The First Decade
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
Dawn of War - Soulstorm Demo
Dawn Of War DEMO
Destinations
DeviceManagementQFolder
Diablo II
DISCover
DivX
DNA
Easy Internet Sign-up
Empire Earth
Enhanced Multimedia Keyboard Solution
Fallout Collection
ffdshow [rev 1953] [2008-05-04]
FullDPAppQFolder
Galactic Civilizations II
GameSpy Arcade
GemMaster Mystic
Ground Control
High Definition Audio Driver Package - KB888111
HiJackThis
Homeworld
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Boot Optimizer
HP DigitalMedia Archive
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP OrderReminder
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.5
HP Update
HP Web Helper
HPPhotoSmartExpress
HpSdpAppCoreApp
Imperium Galactica 2
InstantShareDevices
InterActual Player
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 11
Katawa Shoujo Act 1
KB408682
LaserJet 1018
LightScribe 1.4.105.1
Lords of Magic Special Edition
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Away Mode
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003 60 days trial
Microsoft Rise Of Nations
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobMap 2.12
Mozilla Firefox (3.6.13)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
MSXML4 Parser
muvee autoProducer 5.0
muvee autoProducer unPlugged 2.0
My HP Games
MySQL Connector/ODBC 3.51
Netscape Browser (remove only)
NetZero Internet and Voice Offer
NVIDIA Drivers
OpenOffice.org 2.2
OptionalContentQFolder
Passport to 35 Languages
PC-Doctor 5 for Windows
Perfect Typing Pro English
PhotoGallery
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
RandMap
RealPlayer
Realtek High Definition Audio Driver
Remove WeatherBug Installer
Rhapsody
Search Toolbar
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sins of a Solar Empire
SkinsHP1
SlideShow
SlideShowMusic
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
StarCraft
StarCraft II
System Tool2011
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
VideoLAN VLC media player 0.8.6a
Warcraft III: All Products
WebFldrs XP
WildTangent Web Driver
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Windstream Broadband Check-up Center
WinRAR 4.00 beta 2 (32-bit)
World of Warcraft
XML Paper Specification Shared Components Pack 1.0
Yahoo! Install Manager
Yahoo! Toolbar
Yontoo Layers Client 1.10.01
Zeus & Poseidon

==== Event Viewer Messages From Past Week ========

2/7/2011 4:03:14 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
2/6/2011 12:43:58 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/5/2011 5:38:13 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
2/5/2011 11:43:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2
2/5/2011 11:43:14 AM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
2/5/2011 11:42:40 AM, error: Dhcp [1002] - The IP address lease 192.168.254.1 for the Network Card with network address 0018F3D216C0 has been denied by the DHCP server 192.168.254.254 (The DHCP Server sent a DHCPNACK message).
2/4/2011 6:10:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Fips ftsata2
2/4/2011 10:22:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/10/2011 3:09:15 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Media Center Receiver Service service to connect.
2/10/2011 3:09:15 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Media Center Extender Service service to connect.
2/10/2011 3:09:15 AM, error: Service Control Manager [7000] - The Media Center Extender Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/10/2011 3:09:10 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect.
2/10/2011 3:09:10 AM, error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/10/2011 3:09:09 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
2/10/2011 3:09:09 AM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
2/10/2011 3:09:09 AM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
2/10/2011 3:09:09 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2/10/2011 3:09:09 AM, error: Service Control Manager [7034] - The ARSVC service terminated unexpectedly. It has done this 1 time(s).
2/10/2011 3:09:09 AM, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/10/2011 3:09:09 AM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
2/10/2011 3:09:09 AM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

==== End Of File ===========================
CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\hp games\bejeweled 2 deluxe\sounds\firecrackle.ogg
c:\program files\hp games\jewel quest\audio\st_win3_crackle.ogg
c:\program files\hp games\mah jong quest\images\tile_firecracker-1.pnge
c:\program files\hp games\mah jong quest\images\tile_firecracker-2.pnge
c:\program files\hp games\mah jong quest\images\tile_firecracker-3.pnge
c:\program files\hp games\mah jong quest\images\tile_firecracker1.pnge
c:\program files\hp games\mah jong quest\images\kwazi3\level5-1cracktop.jpge
c:\program files\hp games\mah jong quest\images\kwazi5\5_lvl_5a_postcrack1.jpge
c:\program files\hp games\mah jong quest\images\kwazi5\5_lvl_5a_postcrack2.jpge
scanner sequence 3.CF.11
----- EOF -----
Scico
Active Member
 
Posts: 12
Joined: February 7th, 2011, 8:24 pm

Re: Slowdown and Firefox crashes plus Mass Infection

Unread postby melboy » February 16th, 2011, 1:11 pm

Hi

Great.

ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your security applications (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic:
    How to disable your security applications
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: This tool is not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.
Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Slowdown and Firefox crashes plus Mass Infection

Unread postby Scico » February 16th, 2011, 4:12 pm

ComboFix log as requested.

ComboFix 11-02-16.01 - Cole 02/16/2011 14:34:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.601 [GMT -5:00]
Running from: c:\documents and settings\Cole\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Cole\Application Data\alot
c:\documents and settings\Cole\Application Data\PriceGong
c:\documents and settings\Cole\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Cole\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Cole\Local Settings\Application Data\{0987417E-E3F3-479C-9D61-908567F2668E}
c:\documents and settings\Cole\Local Settings\Application Data\{0987417E-E3F3-479C-9D61-908567F2668E}\chrome.manifest
c:\documents and settings\Cole\Local Settings\Application Data\{0987417E-E3F3-479C-9D61-908567F2668E}\chrome\content\_cfg.js
c:\documents and settings\Cole\Local Settings\Application Data\{0987417E-E3F3-479C-9D61-908567F2668E}\chrome\content\overlay.xul
c:\documents and settings\Cole\Local Settings\Application Data\{0987417E-E3F3-479C-9D61-908567F2668E}\install.rdf
c:\documents and settings\Cole\Start Menu\Programs\System Tool
c:\documents and settings\Cole\Start Menu\Programs\System Tool\System Tool 2011.lnk
c:\documents and settings\HP_Administrator\Application Data\alot
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2011-01-16 to 2011-02-16 )))))))))))))))))))))))))))))))
.

2011-02-10 07:59 . 2011-02-10 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\jGdHbLe03100
2011-02-07 09:03 . 2011-02-07 09:03 388096 ----a-r- c:\documents and settings\Cole\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-07 09:03 . 2011-02-07 09:03 -------- d-----w- c:\program files\Trend Micro
2011-02-07 04:58 . 2011-02-07 04:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-02-04 23:09 . 2011-02-04 23:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2011-02-04 01:30 . 2011-02-04 01:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-04 00:08 . 2011-02-04 00:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-02-03 23:49 . 2011-02-03 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedyPC
2011-02-03 23:42 . 2011-02-03 23:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-02-03 03:09 . 2011-02-03 03:09 0 ----a-w- c:\windows\Dzilaniler.bin
2011-02-03 03:08 . 2011-02-03 03:08 -------- d-----w- c:\program files\Yontoo Layers Client
2011-02-03 03:08 . 2011-02-03 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2011-02-03 03:07 . 2011-02-03 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\pGfHhJm15400
2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-09 21:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-09 21:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-09 21:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-09 21:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2010-04-04 21:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2004-08-09 21:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2004-08-09 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2004-08-09 21:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 23:08 . 2010-04-04 21:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-09 21:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-09 21:00 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-10 04:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-09 21:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2007-01-13 08:11 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2007-01-13 08:11 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-01-14 17:30 . 2007-01-14 17:30 1410680 ----a-w- c:\program files\install_flash_player.exe
2007-01-12 16:35 . 2007-01-12 16:34 6820512 ----a-w- c:\program files\FirefoxGoogleToolbarSetup.exe
2007-01-12 04:42 . 2007-01-12 04:42 359112 ----a-w- c:\program files\LimeWireWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-12-20 18:09 191488 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TypingSatellite"="c:\program files\Cosmi\Perfect Typing Pro English\KBOOST.EXE" [2002-01-08 740352]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"Motive SmartBridge"="c:\progra~1\ALLTEL~1\SMARTB~1\MotiveSB.exe" [2004-11-09 393216]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-12-06 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-05 136600]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-07 180269]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

c:\documents and settings\Cole\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-6 36903]
Windstream Broadband Check-up Center.lnk - c:\program files\ALLTEL DSL Check-up Center\bin\matcli.exe [2007-1-11 217088]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-9-6 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\HP Games\\Wheel of Fortune\\Wheel of Fortune.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals\\game.dat"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\THQ\\Dawn of War DEMO\\W40k.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://www2.windstream.net/newuser/benefits/
uInternet Settings,ProxyOverride = <local>
Trusted Zone: alltel.com\care
Trusted Zone: trymedia.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Cole\Application Data\Mozilla\Firefox\Profiles\ri2r6ytx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-PCDrProfiler - (no file)
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-16 14:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-596501174-992397369-2604716157-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:04,69,cd,a3,64,52,be,42,58,65,51,7c,f8,6a,ab,5f,b5,35,a2,d7,99,8e,c5,
e6,49,47,f8,13,21,70,14,94,19,dc,98,73,05,ae,08,b1,0c,0a,4e,5a,67,fe,3e,40,\
"??"=hex:79,07,a1,33,c9,d7,32,c3,97,30,16,83,4f,61,b3,55
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3228)
c:\windows\system32\WININET.dll
c:\progra~1\ALLTEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\program files\Cosmi\Perfect Typing Pro English\KBSatellite.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\OpenOffice.org 2.2\program\soffice.exe
c:\program files\OpenOffice.org 2.2\program\soffice.BIN
c:\program files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2011-02-16 15:06:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-16 20:06

Pre-Run: 82,699,096,064 bytes free
Post-Run: 83,216,752,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 5A5B9A1EA11834ACA668BB2F1EA5B48D
Scico
Active Member
 
Posts: 12
Joined: February 7th, 2011, 8:24 pm
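The report above carries several indicators a reviewer would want to pull out before writing a removal script: a Firefox proxy pointing at 127.0.0.1 on a high port, search preferences rewritten by a toolbar, Security Center monitoring switched off, randomly named directories under Application Data, and an Autorun.inf on a drive root. The following triage script, added here as an example and not code from the thread, from ComboFix or from DDS, parses lines in the formats those tools emit and reports each of these as a structured finding. The sample lines are excerpted from the report above; the "letters followed by digits" heuristic for suspicious directory names is my own construction, and the proxy-type mapping is the standard Firefox meaning of network.proxy.type (only type 1, manual, actually uses network.proxy.http).

```python
import re
from typing import Dict, List, Tuple

# Standard Firefox network.proxy.type values: only 1 (manual) makes Firefox
# use network.proxy.http/http_port; the others ignore those two prefs.
PROXY_TYPE = {0: "direct", 1: "manual", 2: "pac", 4: "auto-detect", 5: "system"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

FF_PREF = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - ?(?P<val>.*)$")
REG_KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. .* (?P<path>[A-Za-z]:\\.+)$")
AUTORUN = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.IGNORECASE)
# Constructed heuristic (my assumption, not a ComboFix rule): a run of letters
# followed by a run of digits, the shape of names such as jGdHbLe03100.
RANDOMISH = re.compile(r"^[A-Za-z]{6,10}\d{4,6}$")

# Lines excerpted from the report above, in ComboFix/DDS line formats.
SAMPLE_REPORT = r"""
2011-02-10 07:59 . 2011-02-10 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\jGdHbLe03100
2011-02-07 09:03 . 2011-02-07 09:03 -------- d-----w- c:\program files\Trend Micro
D:\Autorun.inf
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
"""


def parse_report(lines: List[str]):
    """Extract Firefox prefs, registry DWORDs, created paths and autorun hits."""
    prefs: Dict[str, str] = {}
    dwords: Dict[Tuple[str, str], int] = {}
    created: List[str] = []
    autoruns: List[str] = []
    current_key = ""
    for raw in lines:
        line = raw.strip()
        m = FF_PREF.match(line)
        if m:
            prefs[m["key"]] = m["val"].strip()
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"]
            continue
        m = REG_DWORD.match(line)
        if m and current_key:
            dwords[(current_key, m["name"])] = int(m["val"], 16)
            continue
        m = CREATED.match(line)
        if m:
            created.append(m["path"])
            continue
        if AUTORUN.match(line):
            autoruns.append(line)
    return prefs, dwords, created, autoruns


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (category, evidence) findings for the indicators discussed above."""
    prefs, dwords, created, autoruns = parse_report(lines)
    findings: List[Tuple[str, str]] = []

    host = prefs.get("network.proxy.http", "")
    port = prefs.get("network.proxy.http_port", "")
    ptype = int(prefs.get("network.proxy.type") or 0)
    if host in LOOPBACK:
        mode = PROXY_TYPE.get(ptype, "unknown")
        status = "in effect" if ptype == 1 else "configured but not the active mode"
        findings.append(("firefox-loopback-proxy",
                         f"{host}:{port} (proxy.type={ptype} {mode}; {status})"))
    # Prefs a toolbar typically rewrites; flagged for review, not as proof of harm.
    for key in ("keyword.URL", "browser.search.defaulturl"):
        if prefs.get(key):
            findings.append(("firefox-search-pref-to-review", f"{key} = {prefs[key]}"))
    # Only the top-level Monitoring key is flagged; per-vendor subkeys are routine.
    for (rkey, name), val in dwords.items():
        if (name.lower() == "disablemonitoring" and val == 1
                and rkey.lower().endswith("security center\\monitoring")):
            findings.append(("security-center-monitoring-disabled", rkey))
    for path in created:
        leaf = path.rsplit("\\", 1)[-1]
        if "application data" in path.lower() and RANDOMISH.match(leaf):
            findings.append(("random-named-appdata-dir", path))
    for path in autoruns:
        findings.append(("autorun-inf-on-drive-root", path))
    return findings


if __name__ == "__main__":
    for category, evidence in triage(SAMPLE_REPORT.splitlines()):
        print(f"{category:40} {evidence}")
```

The proxy finding carries the caveat a reviewer needs: with network.proxy.type set to 4 the loopback proxy is configured but not in use, so it is evidence that something wrote the preference rather than evidence that traffic is currently being intercepted; the helper's script above clears all three prefs either way.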

Re: Slowdown and Firefox crashes plus Mass Infection

Unread postby melboy » February 16th, 2011, 5:09 pm

Hi

Good - Give me an update on how things are running.


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File:: 
    c:\program files\LimeWireWin.exe
    
    DDS::
    uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
    Trusted Zone: alltel.com\care
    Trusted Zone: trymedia.com
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\Cole\Application Data\Mozilla\Firefox\Profiles\ri2r6ytx.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: keyword.URL -
    FF - prefs.js: network.proxy.http -
    FF - prefs.js: network.proxy.http_port -
    FF - prefs.js: network.proxy.type -
    FF - Ext: Conduit Engine : engine@conduit.com -
    FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - 
    FF - Ext: Search Toolbar: searchtoolbar@zugo.com -
    
    DirLook::
    c:\documents and settings\All Users\Application Data\jGdHbLe03100
    c:\documents and settings\All Users\Application Data\pGfHhJm15400
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



After ComboFix has rebooted & produced its log



Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.




In your next reply:
  1. combofix.txt
  2. mbam log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Slowdown and Firefox crashes plus Mass Infection

Unread postby Scico » February 16th, 2011, 7:46 pm

ComboFix 11-02-16.01 - Cole 02/16/2011 17:09:32.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.529 [GMT -5:00]
Running from: c:\documents and settings\Cole\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Cole\Desktop\CFScript.txt

FILE ::
"c:\program files\LimeWireWin.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWireWin.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-16 to 2011-02-16 )))))))))))))))))))))))))))))))
.

2011-02-10 07:59 . 2011-02-10 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\jGdHbLe03100
2011-02-07 09:03 . 2011-02-07 09:03 388096 ----a-r- c:\documents and settings\Cole\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-07 09:03 . 2011-02-07 09:03 -------- d-----w- c:\program files\Trend Micro
2011-02-07 04:58 . 2011-02-07 04:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-02-04 23:09 . 2011-02-04 23:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2011-02-04 01:30 . 2011-02-04 01:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-04 00:08 . 2011-02-04 00:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-02-03 23:49 . 2011-02-03 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedyPC
2011-02-03 23:42 . 2011-02-03 23:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-02-03 03:09 . 2011-02-03 03:09 0 ----a-w- c:\windows\Dzilaniler.bin
2011-02-03 03:08 . 2011-02-03 03:08 -------- d-----w- c:\program files\Yontoo Layers Client
2011-02-03 03:08 . 2011-02-03 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2011-02-03 03:07 . 2011-02-03 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\pGfHhJm15400
2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-09 21:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-09 21:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-09 21:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-09 21:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2010-04-04 21:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2004-08-09 21:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2004-08-09 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2004-08-09 21:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 23:08 . 2010-04-04 21:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-09 21:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-09 21:00 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-10 04:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-09 21:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2007-01-13 08:11 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2007-01-13 08:11 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-01-14 17:30 . 2007-01-14 17:30 1410680 ----a-w- c:\program files\install_flash_player.exe
2007-01-12 16:35 . 2007-01-12 16:34 6820512 ----a-w- c:\program files\FirefoxGoogleToolbarSetup.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\jGdHbLe03100 ----

2011-02-10 07:59 . 2011-02-10 08:09 98 ----a-w- c:\documents and settings\All Users\Application Data\jGdHbLe03100\jGdHbLe03100

---- Directory of c:\documents and settings\All Users\Application Data\pGfHhJm15400 ----

2011-02-03 03:07 . 2011-02-03 03:17 94 ----a-w- c:\documents and settings\All Users\Application Data\pGfHhJm15400\pGfHhJm15400


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-12-20 18:09 191488 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TypingSatellite"="c:\program files\Cosmi\Perfect Typing Pro English\KBOOST.EXE" [2002-01-08 740352]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"Motive SmartBridge"="c:\progra~1\ALLTEL~1\SMARTB~1\MotiveSB.exe" [2004-11-09 393216]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-12-06 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-05 136600]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-07 180269]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

c:\documents and settings\Cole\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-6 36903]
Windstream Broadband Check-up Center.lnk - c:\program files\ALLTEL DSL Check-up Center\bin\matcli.exe [2007-1-11 217088]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-9-6 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\HP Games\\Wheel of Fortune\\Wheel of Fortune.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer(tm) Generals\\game.dat"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\THQ\\Dawn of War DEMO\\W40k.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://www2.windstream.net/newuser/benefits/
uInternet Settings,ProxyOverride = <local>
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Cole\Application Data\Mozilla\Firefox\Profiles\ri2r6ytx.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-16 17:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-596501174-992397369-2604716157-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:04,69,cd,a3,64,52,be,42,58,65,51,7c,f8,6a,ab,5f,b5,35,a2,d7,99,8e,c5,
e6,49,47,f8,13,21,70,14,94,19,dc,98,73,05,ae,08,b1,0c,0a,4e,5a,67,fe,3e,40,\
"??"=hex:79,07,a1,33,c9,d7,32,c3,97,30,16,83,4f,61,b3,55
.
Completion time: 2011-02-16 17:21:29
ComboFix-quarantined-files.txt 2011-02-16 22:21
ComboFix2.txt 2011-02-16 20:06

Pre-Run: 83,227,676,672 bytes free
Post-Run: 83,209,658,368 bytes free

- - End Of File - - 1A5898E6F06B30679F08C3AAB43154CE
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5777

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2/16/2011 6:41:42 PM
mbam-log-2011-02-16 (18-41-42).txt

Scan type: Quick scan
Objects scanned: 169656
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
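To show how the "Files Created" section of a ComboFix log like the one above can be triaged mechanically, here is an added Python example (not ComboFix's own code and not from this thread) that parses those lines and flags the randomly named Application Data folders and the zero-byte file under c:\windows. The sample lines are constructed from the log's format, and the randomness heuristic is my own assumption, not a ComboFix rule.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample in the "Files Created" line format of the ComboFix log
# above (created . modified size attributes path); the paths mirror the log's.
SAMPLE_LOG = r"""
2011-02-10 07:59 . 2011-02-10 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\jGdHbLe03100
2011-02-07 09:03 . 2011-02-07 09:03 -------- d-----w- c:\program files\Trend Micro
2011-02-03 03:09 . 2011-02-03 03:09 0 ----a-w- c:\windows\Dzilaniler.bin
2011-02-03 03:07 . 2011-02-03 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\pGfHhJm15400
2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll
"""
# Two timestamps joined by " . ", a size (dashes for directories), an
# 8-character attribute field ("d" first for directories), then the path.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)
RANDOM_NAME_RE = re.compile(r"^([A-Za-z]{6,})\d{4,}$")

@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints dashes)
    is_dir: bool
    path: str

def parse_entries(text: str) -> list:
    """Parse 'Files Created' lines; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(Entry(m["created"], m["modified"], size,
                                 m["attrs"][0] == "d", m["path"]))
    return entries

def looks_random(name: str) -> bool:
    """Heuristic (my assumption, not a ComboFix rule): letters with at least
    three case flips followed by digits, the shape of jGdHbLe03100 above."""
    m = RANDOM_NAME_RE.match(name)
    if not m:
        return False
    letters = m.group(1)
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:])) >= 3

def flag_entries(entries) -> list:
    """Paths worth a second look: random-looking names anywhere, and zero-byte
    files created directly under the Windows directory."""
    flagged = []
    for e in entries:
        parent, _, name = e.path.rpartition("\\")
        zero_byte_in_windows = not e.is_dir and e.size == 0 and parent.lower() == r"c:\windows"
        if looks_random(name) or zero_byte_in_windows:
            flagged.append(e.path)
    return flagged
```

Flagged paths are leads for the helper to inspect, not verdicts; the heuristics are deliberately narrow so that normal vendor folders like "Trend Micro" pass through untouched.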

Re: Slowdown and Firefox crashes plus Mass Infection

Unread postby melboy » February 17th, 2011, 1:40 pm

Hi

Good - Give me an update on how things are running. Things should be better.


Update Adobe Reader

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader X to your PC's desktop.
  • Uninstall via Start > Control Panel > Add/Remove Programs:
    Adobe Reader 8.1.5
  • Install the new downloaded updated software.
  • Then, using the internal updater, update the software to the current increment 10.0.1
    • Open Adobe Reader, go to Help > Check for updates and allow the updater to check.
    • Click to download and install any necessary updates.



Update Java Runtime
You are using an old version of Java. Oracle's Java (was Sun Java) is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Oracle Java is: Java Runtime Environment Version 6 Update 24.

  • Go to Oracle Java
  • Scroll down to where it says "Java Platform, Standard Edition. Java SE 6 Update 24"
  • Click the Download JRE button to the right
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u24-windows-i586.exe" and save the downloaded file to your desktop.
  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 11
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)
  • Re-enable your anti-virus software.




In your next reply:
  1. ESET log
  2. Update on how things are running