04-28-2007, 04:53 PM   #4
angelgirl30
Registered User
 
Join Date: Apr 2007
Posts: 17
OS: windows xp


Re: Help!! CPU running slow, yellow triangle w/ exclamation pt and constant pop-ups

Thank you for your quick response. I have run Fixwareout and ComboFix. I have also removed the entries from the system scan performed by HijackThis. My computer seems to be running faster and I haven't noticed any pop-ups since I ran these programs.

Here are my logs:

Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "onisacputes" Deleted
....
»»»»» Misc files.
C:\WINDOWS\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"LXBSCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBStime.dll,_RunDLLEntry@16"
"Logitech Utility"="Logi_MwX.Exe"
"explorer"="C:\\Documents and Settings\\Carla\\Desktop\\winstall.exe"
"runner1"="C:\\WINDOWS\\retadpu2000340.exe 61A847B5BBF72810329B385576F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E77DB6C0736AC53FD97CB77"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\uxeynipk.dll\",realset"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"DS Clock"="\"C:\\Program Files\\DS Clock\\dsclock.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ares"="\"C:\\Program Files\\Ares\\bak\\Ares.exe\" -h"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it

Rustock pe386 is present
C:\WINDOWS\System32\AUTOEXEC.NT missing
C:\WINDOWS\repair\autoexec.nt missing
»»»»» End report »»»»»

-------------------------------------------------

"Carla" - 07-04-28 19:21:11 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Program Files\Mozilla Firefox\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\lbymhjxa.dll
C:\WINDOWS\system32\qbyprbfn.dll
C:\WINDOWS\system32\tmp11.tmp.dll
C:\WINDOWS\system32\tmp13.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll
C:\WINDOWS\system32\tmp11.tmp.dll
C:\WINDOWS\system32\tmp13.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll
C:\WINDOWS\system32\rqrsspp.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\1.exe
C:\WINDOWS\1.exe
C:\WINDOWS\system32\117495375.exe
C:\WINDOWS\system32\117495406.exe
C:\WINDOWS\system32\117495984.exe
C:\WINDOWS\764.exe
C:\WINDOWS\updater.exe
C:\WINDOWS\system32\tmp11.tmp.dll
C:\WINDOWS\system32\tmp13.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\ipwins\pop19.tmp
C:\Program Files\ipwins\pop1B.tmp
C:\Program Files\ipwins\Uninst.exe
C:\Program Files\quick links\Uninst.log
C:\Program Files\Common Files\{3CCF4~1\toolbardll.lzma
C:\DOCUME~1\Carla\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\preuninstallql.exe
C:\WINDOWS\winhp32.exe
C:\svhost.exe
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\ipwins
C:\Program Files\quick links
C:\Program Files\Common Files\{3CCF4~1
C:\Program Files\Common Files\{8CCF4~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-28 ))))))))))))))))))))))))))))))))))


2007-04-25 21:28 132,660 --a------ C:\WINDOWS\system32\uxeynipk.dll
2007-04-25 15:22 <DIR> d-------- C:\Deckard
2007-04-25 15:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-04-24 22:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-24 21:28 208,998 --a------ C:\WINDOWS\system32\rsnujvrb.exe
2007-04-24 21:28 2,068 --a------ C:\WINDOWS\system32\glcpyjca.exe
2007-04-23 21:28 208,998 --a------ C:\WINDOWS\system32\jbwwgvfq.exe
2007-04-23 21:28 2,068 --a------ C:\WINDOWS\system32\iwkhtqfn.exe
2007-04-23 17:29 45,056 -ra------ C:\WINDOWS\retadpu2000340.exe
2007-04-22 15:13 208,998 --a------ C:\WINDOWS\system32\nfwjbqfj.exe
2007-04-22 15:13 2,068 --a------ C:\WINDOWS\system32\gdgawoss.exe
2007-04-22 15:13 2,068 --a------ C:\WINDOWS\system32\ctgidxii.exe
2007-04-21 15:13 744,871 ---hs---- C:\WINDOWS\system32\yycdd.bak2
2007-04-21 15:13 208,998 --a------ C:\WINDOWS\system32\vgqvkxjj.exe
2007-04-21 15:13 2,068 --a------ C:\WINDOWS\system32\jwrvpfsk.exe
2007-04-20 15:24 18,432 --a------ C:\WINDOWS\sysrlb32.exe
2007-04-20 15:13 803,301 ---hs---- C:\WINDOWS\system32\yycdd.bak1
2007-04-20 15:13 208,998 --a------ C:\WINDOWS\system32\ceofmyyt.exe
2007-04-20 15:13 2,068 --a------ C:\WINDOWS\system32\mmhgssdc.exe
2007-04-20 15:12 280,660 ---hs---- C:\WINDOWS\system32\jkhhg.dll
2007-04-20 15:12 280,660 ---hs---- C:\WINDOWS\system32\ddcyy.dll
2007-04-20 15:06 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-04-20 15:06 12 --a------ C:\WINDOWS\system32\sl.bin
2007-04-20 15:05 9,984 --a------ C:\WINDOWS\saiemod.dll
2007-04-20 15:05 9,472 --a------ C:\WINDOWS\salm.exe
2007-04-20 15:05 8,960 --a------ C:\WINDOWS\voiceip.dll
2007-04-20 15:05 31,232 --a------ C:\WINDOWS\180ax.exe
2007-04-20 15:05 28,672 --a------ C:\WINDOWS\system32\MSIXU.DLL
2007-04-20 15:05 25,856 --a------ C:\WINDOWS\vxddsk.exe
2007-04-20 15:05 25,344 --a------ C:\WINDOWS\updatetc.exe
2007-04-20 15:05 24,320 --a------ C:\WINDOWS\bjam.dll
2007-04-20 15:05 23,296 --a------ C:\WINDOWS\7search.dll
2007-04-20 15:05 22,528 --a------ C:\WINDOWS\mspphe.dll
2007-04-20 15:05 22,016 --a------ C:\WINDOWS\flt.dll
2007-04-20 15:05 21,760 --a------ C:\WINDOWS\stcloader.exe
2007-04-20 15:05 21,504 --a------ C:\WINDOWS\system32\msnhlp32.dll
2007-04-20 15:05 20,992 --a------ C:\WINDOWS\satmat.exe
2007-04-20 15:05 19,456 --a------ C:\WINDOWS\system32\wml.exe
2007-04-20 15:05 19,456 --a------ C:\WINDOWS\pbar.dll
2007-04-20 15:05 17,664 --a------ C:\WINDOWS\system32\WER8274.DLL
2007-04-20 15:05 17,408 --a------ C:\WINDOWS\system32\tmrsrv32.exe
2007-04-20 15:05 17,152 --a------ C:\WINDOWS\swin32.dll
2007-04-20 15:05 16,896 --a------ C:\WINDOWS\wml.exe
2007-04-20 15:05 16,128 --a------ C:\WINDOWS\cdsm32.dll
2007-04-20 15:05 14,848 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-04-20 15:05 14,848 --a------ C:\WINDOWS\SUSP.exe
2007-04-20 15:05 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-04-20 15:05 11,008 --a------ C:\WINDOWS\bokja.exe
2007-04-20 15:04 81,412 --a------ C:\WINDOWS\system32\idleserv.exe
2007-04-20 15:04 12,800 --a------ C:\WINDOWS\system32\user_32.dll
2007-04-12 20:31 1,141 --a------ C:\WINDOWS\checkip.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS removed - system32: deleted 69682 bytes in 1 streams.

2007-04-24 23:17 -------- d-------- C:\Program Files\msn messenger
2007-04-24 23:12 -------- d-------- C:\Program Files\free sticky notes
2007-04-24 23:12 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2007-04-23 21:26 -------- d-------- C:\Program Files\lx_cats
2007-04-15 12:43 -------- d-------- C:\Program Files\tclockex
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 10:08 101438 --a------ C:\WINDOWS\b122.exe
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{0CD71CA8-C5A8-4C77-9CB0-106EC6AD70B1} C:\WINDOWS\system32\ddcyy.dll
{125399A6-E13D-42CE-A021-7F9069A79440} c:\windows\fonts\pcreg.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{9394EDE7-C8B5-483E-8773-474BF36AF6E4} C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
{c2dace2d-f27f-4591-97be-10c379cef2e6} C:\WINDOWS\system32\lprcmd.dll [x]
{C3F16958-9601-43E3-AC3C-6E89762079Ec} C:\WINDOWS\system32\lbymhjxa.dll [x]
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\qbyprbfn.dll [x]
{EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} C:\WINDOWS\system32\msnhlp32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"LXBSCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBStime.dll,_RunDLLEntry@16"
"Logitech Utility"="Logi_MwX.Exe"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\uxeynipk.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"DS Clock"="\"C:\\Program Files\\DS Clock\\dsclock.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ares"="\"C:\\Program Files\\Ares\\bak\\Ares.exe\" -h"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lprcmd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcreg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-28 19:42:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-28 19:44:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-28 19:44