#1
Registered User
Join Date: Apr 2007
Posts: 17
OS: windows xp
Help!! CPU running slow, yellow triangle w/ exclamation pt and constant pop-ups
Hi,
Lately my computer has been running very slow (start up is also very slow) and I've been bombarded with constant pop-ups. I've also been experiencing strange icons in my system tray (yellow triangle with an exclamation point in the centre of it as well as a red circle with an X through it). I've run Avast Anti-Virus and Ad-Aware SE with no success. Any help you can provide will be greatly appreciated. Thank you!!

Deckard's System Scanner v20070423.42 Run by Carla on 2007-04-25 at 15:22:49
#2
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 3,247
OS: XP
Re: Help!! CPU running slow, yellow triangle w/ exclamation pt and constant pop-ups
Hi and welcome to TSF.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please be patient with me during this time.
__________________
Member of ASAP since 2007. Member of UNITE since 2008. **Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008 - for more information please visit the No DPI website. Phorm, previously known as 121Media, were responsible for the Apropos rootkit; see Here for more information on said rootkit. If we have helped you in any way, please consider Donating.
#3
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 3,247
OS: XP
Re: Help!! CPU running slow, yellow triangle w/ exclamation pt and constant pop-ups
Hello and welcome to TSF
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
--------------------------------------------------------------------------------------------
Please follow all instructions in the order they come. If you have any questions, please ask before proceeding.
---------------------------------------------------------------------------------------------
P2P
I see you have P2P software (Ares 1.9.7, BitTornado 0.3.9, BitTorrent 3.4.2) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.
---------------------------------------------------------------------------------------------
Spywareguard
Please disable Spywareguard, as it may hinder the removal of some entries. You can re-enable it after you're clean.
Ewido
* Open Ewido by double-clicking the yellow 'E' icon in the system tray.
* In the 'Your security status' section, toggle the Ewido Guard realtime protection 'off' by clicking 'active', which will then change the protection status to 'inactive'.
* When you reboot, Ewido will prompt you as to whether you would like to "Restart the guard?".
* Reply 'no' and set it to 'inactive' for the duration of your cleanup.
-------------------------------------------------------------------------------------------------
Downloads
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. Once the desktop loads a text file will open (report.txt); you can close it - the file has already been saved.
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if found (make sure you do not miss any):
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A8263D9-14C4-47C3-85CB-BB6E08033BE1}: NameServer = 85.255.114.27,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\..\{F191F77D-DE21-46B2-8C44-C9B6A0810F41}: NameServer = 85.255.114.27,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.89
---------------------------------------------------------------------------------------------------------
ComboFix
Download ComboFix from here or here
**Save it to your desktop**
Double click on ComboFix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
-------------------------------------------------------------------------------------------------------------
Logs Required
report.txt (from Fixwareout Tool)
C:\Combofix.txt
Let me know how your system is behaving, thanks.
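One way to triage the O17 entries the reply above asks the user to tick, as an added example for this thread (not FixWareout's or HijackThis's own code): it parses O17 NameServer lines from a HijackThis log and flags any resolver that falls in a suspect range or outside an optional allow-list of the resolvers the ISP or router should be handing out. The 85.255.112.0/20 block is an assumption chosen because it contains both addresses quoted in the thread; the sample log is constructed from those lines plus a benign entry.

```python
"""Flag O17 (TCP/IP NameServer) entries in a HijackThis log that point at a
suspect DNS range. Added example for this thread, not part of HijackThis or
FixWareout. SUSPECT_RANGES is an assumption: the /20 that contains both
resolver addresses quoted in the thread."""
import ipaddress
import re

# Constructed sample: the three O17 lines quoted in the reply above, one benign
# O17 line with a LAN router as resolver (constructed), and two unrelated lines.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{9A8263D9-14C4-47C3-85CB-BB6E08033BE1}: NameServer = 85.255.114.27,85.255.112.89
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{F191F77D-DE21-46B2-8C44-C9B6A0810F41}: NameServer = 85.255.114.27,85.255.112.89
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.114.27 85.255.112.89
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O23 - Service: avast! Antivirus - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# Assumption for this example: the /20 covering 85.255.114.27 and 85.255.112.89.
SUSPECT_RANGES = (ipaddress.ip_network("85.255.112.0/20"),)

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")


def parse_o17(log_text):
    """Yield (registry_key, [server, ...]) for every O17 line in the log.

    HijackThis prints the per-interface entries comma-separated and the global
    Parameters entry space-separated (both forms appear in the thread), so the
    server list is split on either.
    """
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        yield m.group("key"), servers


def flag_dns_hijack(log_text, expected_resolvers=()):
    """Return one finding dict per O17 entry that needs attention.

    An entry is flagged when any resolver lies in SUSPECT_RANGES, or, if the
    caller supplies the resolvers that should be configured, when a resolver is
    not in that allow-list. Unparseable addresses are reported as well.
    """
    findings = []
    for key, servers in parse_o17(log_text):
        reasons = []
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                reasons.append(f"{s}: not a valid IP address")
                continue
            if any(ip in net for net in SUSPECT_RANGES):
                reasons.append(f"{s}: in suspect DNS range")
            elif expected_resolvers and s not in expected_resolvers:
                reasons.append(f"{s}: not an expected resolver")
        if reasons:
            findings.append({"key": key, "servers": servers, "reasons": reasons})
    return findings


def hjt_fix_lines(log_text, expected_resolvers=()):
    """Reproduce the exact O17 log lines to tick in HijackThis, as the reply asks."""
    flagged = {f["key"] for f in flag_dns_hijack(log_text, expected_resolvers)}
    lines = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m and m.group("key") in flagged:
            lines.append(line.strip())
    return lines


if __name__ == "__main__":
    for finding in flag_dns_hijack(SAMPLE_LOG):
        print(finding["key"])
        for reason in finding["reasons"]:
            print("   ", reason)
    print("Lines to check in HijackThis:")
    for line in hjt_fix_lines(SAMPLE_LOG):
        print("   ", line)
```

Pass the resolvers the ISP or router should be handing out as `expected_resolvers` to also catch hijacks that use addresses outside the assumed range.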
#4
Registered User
Join Date: Apr 2007
Posts: 17
OS: windows xp
Re: Help!! CPU running slow, yellow triangle w/ exclamation pt and constant pop-ups
Thank you for your quick response. I have run Fixwareout and ComboFix. I have also removed the entries from the system scan performed by HijackThis. My computer seems to be running faster and I haven't noticed any pop-ups since I ran these programs.
Here are my logs:
#5
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home
Re: Help!! CPU running slow, yellow triangle w/ exclamation pt and constant pop-ups
Hi angelgirl30, please also do this:
Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#6
Registered User
Join Date: Apr 2007
Posts: 17
OS: windows xp
Re: Help!! CPU running slow, yellow triangle w/ exclamation pt and constant pop-ups
Here is my latest HijackThis logfile:
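One way to triage the O4 (registry Run) lines of a HijackThis log like the one posted above, as an added Python example written for this thread and not code from HijackThis or the forum; the sample lines are constructed from entries seen in this thread (hex argument shortened), and the name-pattern and location heuristics are assumptions for illustration, not rules HijackThis itself applies:

```python
import re
# Registry Run entries as HijackThis prints them: "O4 - HKLM\..\Run: [Name] command"
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# Unquoted program path (may contain spaces) followed by optional arguments
PROG_RE = re.compile(r'^(?P<prog>\S.*?\.(?:exe|com|scr|bat|pif))(?:\s+(?P<args>.*))?$', re.I)
# Heuristics tuned to this thread (assumptions): a rundll32-loaded DLL named with 7-8 random
# lowercase letters, a long hex string as a Run argument, and loaders living in odd places
RANDOM_DLL_RE = re.compile(r'^[a-z]{7,8}\.dll$')
HEX_BLOB_RE = re.compile(r'\b[0-9A-Fa-f]{40,}\b')
WINDOWS_ROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+$')
PROFILE_DIRS = ('\\desktop\\', '\\temp\\', '\\local settings\\', '\\documents and settings\\')

def split_command(cmd):
    """Split a Run value into (program, arguments); handles quoted and unquoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # "C:\Program Files\...\x.exe" args
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = PROG_RE.match(cmd)                        # C:\Documents and Settings\...\x.exe
    if m:
        return m.group('prog'), m.group('args') or ''
    head, _, tail = cmd.partition(' ')            # bare name such as rundll32
    return head, tail

def triage_line(line):
    """Parse one O4 line; return (name, target, reasons) or None if it is not a Run entry."""
    m = O4_RE.match(line)
    if not m:
        return None
    program, args = split_command(m.group('cmd'))
    dll = None
    if program.lower().startswith('rundll32'):    # the DLL is the argument before the comma
        dll = args.split(',', 1)[0].strip().strip('"')
    target = dll or program                       # the file that really executes
    lower = target.lower()
    reasons = []
    if any(d in lower for d in PROFILE_DIRS):
        reasons.append('runs from a user profile folder')
    if WINDOWS_ROOT_RE.match(lower):
        reasons.append('file sits directly in the Windows folder')
    if dll and RANDOM_DLL_RE.match(dll.rsplit('\\', 1)[-1]):
        reasons.append('rundll32 loads a DLL with a random-looking name')
    if HEX_BLOB_RE.search(args):
        reasons.append('long hex blob passed as argument')
    return m.group('name'), target, reasons

def suspicious(log_text):
    """Map the name of every flagged Run entry to its list of reasons."""
    flagged = {}
    for line in log_text.splitlines():
        parsed = triage_line(line.strip())
        if parsed and parsed[2]:
            flagged[parsed[0]] = parsed[2]
    return flagged

# Constructed sample modelled on the entries in this thread (hex argument shortened)
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Carla\Desktop\winstall.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000340.exe 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uxeynipk.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
```

Calling `suspicious(SAMPLE_LOG)` flags explorer, runner1 and InfoData with the reason each tripped, and leaves the QuickTime, Lexmark and ctfmon entries alone.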
#7
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 3,247
OS: XP
Re: Help!! CPU running slow, yellow triangle w/ exclamation pt and constant pop-ups
Hello again, good job so far.
We need to rename Hijackthis as some infections hide from it. Locate Hijackthis.exe and click on rename, rename to angelgirl30 or anything else you want. Then Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
__________________
Member of ASAP since 2007 Member of UNITE since 2008 **Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008 - for more information please visit No DPI website for more information. Phorm, previously known as 121Media were responsible for the Apropos rootkit, see Here for more information on said rootkit. If we have helped you in anyway, please consider Donating