Easy Desk Utilities - Is this something you installed?
Before fixing anything, please download the Suspicious File Packer →
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:
C:\WINDOWS\system32\confdrv.dll
C:\WINDOWS\system32\rsrc32.dll
C:\WINDOWS\system32\drvstat.dll
C:\WINDOWS\system32\ldfksdioduihj.dll
C:\WINDOWS\system32\drvprf32.dll
C:\WINDOWS\system32\crypt32net.dll
C:\WINDOWS\system32\system32.exe
C:\WINDOWS\system32\scardrv.exe
C:\WINDOWS\system32\kernel.dll
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\paiqvpji.dll
C:\WINDOWS\system32\mujyifrj.dll
C:\WINDOWS\system32\xgprqjcm.dll
C:\WINDOWS\system32\pwiykpuo.exe
C:\LSL7DOS.BAT
Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site →
http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.
---------------
Open notepad and copy/paste the text in the quotebox below into it:
Code:
@echo off
@(
echo.REGEDIT4&echo.
echo.[hkey_local_machine\software\microsoft\windows\currentversion\run]
echo."registrymechanic"=-
echo.[hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon]
echo."system"=""
echo.[-hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32net]
echo.[-hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify\drvmgr]
echo.[-hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrssp]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupfolder\c:^^documents and settings^^mikey^^start menu^^programs^^startup^^mswin--1696782548.exe]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\-2057253927.exe]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\drvdiag]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\infodata]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\intel system tool]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\jrwqbaaa]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\restore operation]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\runonce2upd]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\standardinstall]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\sysvx.exe]
echo.[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\vactrls]
echo.[-hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{8d5849a2-93f3-429d-ff34-260a2068897c}]
echo.[-hkey_classes_root\clsid\{8d5849a2-93f3-429d-ff34-260a2068897c}]
)>fix.reg
regedit.exe /s fix.reg
del fix.reg
for %%g in (
C:\WINDOWS\system32\system32.exe
C:\WINDOWS\system32\scardrv.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\pwiykpuo.exe
C:\LSL7DOS.BAT
C:\WINDOWS\System32\jrwqbaaa.exe
C:\WINDOWS\System32\sysvx.exe
C:\WINDOWS\System32\kdtpr.exe
C:\WINDOWS\System32\drvconf.exe
C:\DOCUME~1\Mikey\ie_updater.exe
) do if exist "%%~g" @(
catchme -l \Qoobox\Quarantine\catchme.log -k "%%~g" >nul
del /a/f "%%~g" 2>nul
)
echo.Done !!
pause
exit
Save this as fix.bat. Choose to "Save type as - All Files"
Double click on fix.bat & allow it to run
------------------
1. IMPORTANT !!! Place combofix.exe on your Desktop
2. Go to Start → Run → paste in the single line command & click OK
Code:
"%userprofile%\desktop\combofix.exe" /v confdrv rsrc32 drvstat ldfksdioduihj drvprf32 crypt32net. paiqvpji mujyifrj xgprqjcm rikucev ipv6mons kernel frikucev
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
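A dry-run preview of what a REGEDIT4 script like the fix.reg generated by the batch file above would change, added here as an example and not part of the original post. The function names are hypothetical, and SAMPLE is an excerpt of lines the batch file echoes.

```python
import re
from collections import Counter

# Excerpt of what the batch file above writes to fix.reg, one line of each kind.
SAMPLE = r'''REGEDIT4

[hkey_local_machine\software\microsoft\windows\currentversion\run]
"registrymechanic"=-
[hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon]
"system"=""
[-hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32net]
[-hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg\-2057253927.exe]
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                  # "[-key]" deletes the whole key
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')  # "name"=data, or @ for the default value

def plan_reg_changes(text):
    """Parse a .reg script into (action, key, value_name, data) tuples.
    Nothing is written to the registry; this is a dry-run preview only."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0] not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg script: header line missing")
    ops, key = [], None
    for ln in lines[1:]:
        m = KEY_RE.match(ln)
        if m:
            deleted, key = m.group(1) == "-", m.group(2)
            if deleted:
                ops.append(("delete-key", key, None, None))
                key = None  # this parser treats values under a deleted key as an error
            continue
        m = VALUE_RE.match(ln)
        if m is None or key is None:
            raise ValueError(f"unexpected line: {ln!r}")
        name, data = m.group(1).strip('"'), m.group(2)
        action = "delete-value" if data == "-" else "set-value"
        ops.append((action, key, name, None if data == "-" else data))
    return ops

def summarize(ops):
    """Count planned operations per action type."""
    return Counter(action for action, *_ in ops)

if __name__ == "__main__":
    for op in plan_reg_changes(SAMPLE):
        print(op)
    print(dict(summarize(plan_reg_changes(SAMPLE))))
```

Reading the list of planned operations before running `regedit.exe /s` shows which entries are whole-key deletions and which only change or remove a single value.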