Hello and welcome to TSF
You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions as this webpage would not be available when you're carrying out the fix.
Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean.
IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.
----------------------------------------
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So let's do this to the end!
Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more likely additional infections will result.
----------------------------------------
Download Combofix and save it to your desktop.
**Note: It is important that it is saved directly to your desktop**
DO NOT RUN IT YET
--------------------------------------------------------------------
Download SDFix and save it to your Desktop.
We will use it shortly.
--------------------------------------------------------------------
P2P - I see you have P2P software (Shareaza) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.
This page will give you further information.
We recommend that you uninstall it.
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):
Go!Zilla
Please restart if prompted
--------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries
(If they still exist, make sure you do not miss any)
R3 - URLSearchHook: (no name) - _{D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} - (no file)
O16 - DPF: {0A79AAEF-0913-4E57-9429-59EA4377D8E9} ( LaunchGame.launchGameCtrl) - http://shot.ongamenet.com.au/LaunchGame_20050802.CAB
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32 ) - http://advnt01.com/dialer/int_ver32b.CAB
O16 - DPF: {127CE7BA-AD89-4108-A913-C52EFC037C36} -
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.35mb.com/applet/applet_l.cab
O16 - DPF: {2776DDE9-D4B2-4BF7-9F98-ADC1A1B80AF5} -
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...b_pictures.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=6...x&ppd=4&tag=45
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...nerInstall.cab
O16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} (SearchHook Class) - http://www.halflemon.com/Halflemon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/c...ploader_v6.cab
Please remember to close all other windows, including browsers then click Fix checked.
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Run ComboFix using these instructions:
Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.
"%userprofile%\desktop\combofix.exe" /killall
When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
--------------------------------------------------------------------
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
--------------------------------------------------------------------
Post the following logs in your next reply...
- C:\ComboFix.txt
- SDFix log
- Fresh HJT log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.