Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Please Help!! Malware causing MAJOR internet Slowdown
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 11-06-2009, 01:10 AM   #1 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 6
OS: winxp


Please Help!! Malware causing MAJOR internet Slowdown
Hey guys i just want to say you have a great service here, thanks for your time.
Recently my AVG anti-virus found a few viruses which I immediately deleted, since then AVG has been reporting that my System Restore keeps trying to activate a worm of some sort. Sorry i don't have the name off the top of my head, i think it was a worm called "Cryptor"?? Anyway here are my logs, if you could please let me know if anything looks wrong. Thanks again, have a good day.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Rich at 0:38:59.01 on Fri 11/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.833 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rich\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell/en/side.html
uSearch Bar = hxxp://www.google.com/hws/sb/dell/en/side.html
uWindow Title = Windows Internet Explorer provided by Comcast
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
mSearchAssistant = hxxp://www.google.com/hws/sb/dell/en/side.html
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [FreeRAM XP] "c:\program files\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\rich\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: hidebehind.com
Trusted Zone: intuit.com
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226446168522
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rich\applic~1\mozilla\firefox\profiles\w90bazbq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: XUL Cache: {4B08DEBA-8068-4B8A-913D-AC17310A7C86} - c:\documents and settings\rich\local settings\application data\{4B08DEBA-8068-4B8A-913D-AC17310A7C86}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-14 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-14 360584]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 298264]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-4 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-4 285392]
S0 black;black;c:\windows\system32\drivers\blackdrv.sys --> c:\windows\system32\drivers\BlackDrv.sys [?]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-8 903960]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2006-2-8 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2006-2-8 24344]

=============== Created Last 30 ================

2009-11-06 03:18:41 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-06 03:18:40 0 d-----w- c:\windows\system32\ZoneLabs
2009-11-06 03:18:38 418012 ----a-w- c:\windows\system32\vsconfig.xml
2009-11-06 03:18:37 0 d-----w- c:\program files\Zone Labs
2009-11-06 03:17:54 0 d-----w- c:\windows\Internet Logs
2009-11-04 10:11:09 0 ----a-w- c:\windows\system32\commonpriv.log.lock
2009-11-04 10:07:51 0 d--h--w- C:\$AVG
2009-11-04 10:05:27 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-10-24 21:42:16 0 d--h--w- c:\windows\system32\GroupPolicy
2009-10-24 21:27:08 295424 ------w- c:\windows\system32\dllcache\termsrv.dll
2009-10-24 21:18:33 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-20 15:21:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2009-10-20 09:18:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2009-10-19 05:54:11 1024 ----a-w- c:\windows\system32\gncontent.cch
2009-10-19 05:42:24 0 d-----w- c:\program files\common files\Sony Shared
2009-10-19 05:34:00 0 d-----w- c:\program files\Sony Ericsson Media Manager

==================== Find3M ====================

2009-11-06 03:30:37 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-11-04 10:07:24 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-04 10:07:24 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-04 10:07:24 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-13 15:16:05 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2008-02-09 23:19:58 152 --sh--r- c:\windows\system32\A98D7208C4.sys
2008-02-09 23:20:01 9188 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-05-25 01:09:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052420080525\index.dat
2009-03-04 18:38:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030420090305\index.dat

============= FINISH: 0:40:40.96 ===============
Attached Files
File Type: rar Attach.rar (5.6 KB, 2 views)
RichCon1983 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 11-07-2009, 04:51 AM   #2 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,181
OS: XP sp3


Re: Please Help!! Malware causing MAJOR internet Slowdown
Hi,

Please do the following:

Download Combofix from either of the links below. You must rename it to combafix.exe before saving it.
Save it to your desktop. Change the save as file type to "all files"

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------
  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------
  • Double click on the renamed ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------
__________________


ASAP & UNITE Member
CatByte is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-07-2009, 04:10 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 6
OS: winxp


Re: Please Help!! Malware causing MAJOR internet Slowdown
Alright, here's my ComboFix Log...thank you..

ComboFix 09-11-07.02 - Rich 11/07/2009 15:46.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1102 [GMT -7:00]
Running from: c:\documents and settings\Rich\Desktop\combafix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-07 06:56 . 2009-06-30 17:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-07 06:55 . 2009-11-07 06:55 -------- d-----w- c:\program files\Panda Security
2009-11-06 03:18 . 2009-09-22 09:01 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-11-06 03:18 . 2009-09-22 09:01 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-11-06 03:18 . 2009-09-22 09:01 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-06 03:18 . 2009-11-06 03:58 -------- d-----w- c:\windows\system32\ZoneLabs
2009-11-06 03:18 . 2009-11-06 03:58 -------- d-----w- c:\program files\Zone Labs
2009-11-06 03:17 . 2009-11-07 22:43 -------- d-----w- c:\windows\Internet Logs
2009-11-04 10:07 . 2009-11-07 22:34 -------- d-----w- C:\$AVG
2009-11-04 10:05 . 2009-11-07 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-24 21:42 . 2009-10-24 21:42 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-10-24 21:27 . 2008-04-15 15:17 295424 ------w- c:\windows\system32\dllcache\termsrv.dll
2009-10-24 21:18 . 2009-10-24 21:18 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-20 15:21 . 2009-10-20 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-20 09:18 . 2009-11-04 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-19 05:44 . 2009-10-19 05:57 -------- d-----w- c:\documents and settings\Rich\Application Data\Sony
2009-10-19 05:44 . 2009-10-19 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-10-19 05:43 . 2009-10-19 05:57 -------- d-----w- c:\documents and settings\Rich\Local Settings\Application Data\Sony
2009-10-19 05:42 . 2009-10-19 05:42 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-10-19 05:34 . 2009-10-19 05:34 -------- d-----w- c:\program files\Sony Ericsson Media Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 04:41 . 2006-02-08 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-06 23:25 . 2008-03-03 04:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-06 23:24 . 2009-07-20 04:06 -------- d-----w- c:\program files\SpywareBlaster
2009-11-06 03:30 . 2006-02-09 00:49 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-11-04 10:05 . 2008-10-14 23:09 -------- d-----w- c:\program files\AVG
2009-11-02 07:58 . 2009-09-26 12:55 -------- d-----w- c:\program files\PeerGuardian2
2009-10-31 20:02 . 2006-05-16 10:15 -------- d-----w- c:\documents and settings\Rich\Application Data\uTorrent
2009-10-24 21:44 . 2009-10-24 21:43 127 ----a-w- c:\documents and settings\MCX1\Local Settings\Application Data\fusioncache.dat
2009-10-23 07:32 . 2006-02-18 00:40 -------- d-----w- c:\program files\PartyGaming.net
2009-10-10 20:46 . 2008-02-23 05:00 -------- d-----w- c:\documents and settings\Rich\Application Data\Wildfire
2009-09-30 08:21 . 2009-07-20 05:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 08:21 . 2009-08-14 08:36 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-30 07:58 . 2006-02-08 21:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-29 00:20 . 2009-09-29 00:20 -------- d-----w- c:\documents and settings\Rich\Application Data\Mozilla-Cache
2009-09-27 02:16 . 2009-09-27 02:16 33792 ----a-w- c:\documents and settings\Rich\Application Data\Thinstall\Office 2003\400000b00002i\E_FBSRABA.EXE
2009-09-19 06:10 . 2009-09-19 06:10 33792 ----a-w- c:\documents and settings\Rich\Application Data\Thinstall\Office 2003\400000ab00002i\avgcsrvx.exe
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54 . 2009-07-20 05:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-07-20 05:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 20:22 . 2006-02-09 06:05 32104 ----a-w- c:\documents and settings\Rich\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 07:36 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-02-09 23:19 . 2006-02-15 00:39 152 --sh--r- c:\windows\system32\A98D7208C4.sys
2008-02-09 23:20 . 2006-02-14 22:37 9188 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-10-26 . 8D8949936913B041C6A0E184FBF1030B . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2004-08-10 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-11-07_04.29.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 22:39 . 2009-11-07 22:39 16384 c:\windows\temp\Perflib_Perfdata_6e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2005-09-19 1585664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"tgcmd"="c:\program files\support.com\bin\tgcmd.exe" [2002-04-25 1544192]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-09-22 1011080]

c:\documents and settings\Rich\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-3 24576]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/6/2009 11:56 PM 28552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/8/2009 9:26 AM 298264]
S0 black;black;c:\windows\system32\drivers\BlackDrv.sys --> c:\windows\system32\drivers\BlackDrv.sys [?]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/8/2009 9:26 AM 903960]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2/8/2006 5:10 PM 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2/8/2006 5:10 PM 24344]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
Trusted Zone: hidebehind.com
Trusted Zone: intuit.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Rich\Application Data\Mozilla\Firefox\Profiles\w90bazbq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 15:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
tgcmd = "c:\program files\support.com\bin\tgcmd.exe" /server?cmd.exe" /server

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys spda.sys hal.dll >>UNKNOWN [0x8A4F8938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xB9DFCB40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3795163467-1675600426-3053425657-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DA044691-9197-7F46-D369-CEF11811FFB9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaefdffeailkpdmcbk"=hex:6a,61,61,66,65,67,6f,68,67,69,6c,63,68,66,66,6f,6f,67,
6e,6c,00,00
"hakebflimgojbikk"=hex:6a,61,61,66,6c,68,70,68,68,64,70,6f,68,6d,67,6e,62,6c,
6f,62,00,ea
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-07 16:00
ComboFix-quarantined-files.txt 2009-11-07 22:59
ComboFix2.txt 2009-11-07 04:34

Pre-Run: 8,378,306,560 bytes free
Post-Run: 8,348,909,568 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 4A93DC1C1E7C993412D3433A2CE1568F
RichCon1983 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-07-2009, 04:59 PM   #4 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,181
OS: XP sp3


Re: Please Help!! Malware causing MAJOR internet Slowdown
Hi,

Please do the following:
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.




NEXT

**Vista users - right click on the IE icon and run as administrator

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report


NOTE:

This was the third Combofix run. I'd like to see the first two logs please, they can be found at C:\Qoobox\combofix2.txt & C:\Qoobox\combofix3.txt
__________________


ASAP & UNITE Member
CatByte is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-08-2009, 01:51 AM   #5 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 6
OS: winxp


Re: Please Help!! Malware causing MAJOR internet Slowdown
Malwarebytes' Anti-Malware 1.41
Database version: 3120
Windows 5.1.2600 Service Pack 3

11/7/2009 9:40:05 PM
mbam-log-2009-11-07 (21-40-05).txt

Scan type: Quick Scan
Objects scanned: 117042
Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, November 8, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, November 08, 2009 02:40:29
Records in database: 3173638
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
E:\

Scan statistics:
Objects scanned: 226475
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:33:19


File name / Threat / Threats count
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1

Selected area has been scanned.

here's the other ComboFix Log...i can't find the third one...either way i think it was identical to the second one...here's my 2nd combofix log..

ComboFix 09-11-06.01 - Rich 11/06/2009 21:09.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.872 [GMT -7:00]
Running from: c:\documents and settings\Rich\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rich\Application Data\EurekaLog
c:\documents and settings\Rich\Application Data\inst.exe
c:\documents and settings\Rich\Local Settings\Application Data\{4B08DEBA-8068-4B8A-913D-AC17310A7C86}
c:\documents and settings\Rich\Local Settings\Application Data\{4B08DEBA-8068-4B8A-913D-AC17310A7C86}\chrome.manifest
c:\documents and settings\Rich\Local Settings\Application Data\{4B08DEBA-8068-4B8A-913D-AC17310A7C86}\chrome\content\_cfg.js
c:\documents and settings\Rich\Local Settings\Application Data\{4B08DEBA-8068-4B8A-913D-AC17310A7C86}\chrome\content\c.js
c:\documents and settings\Rich\Local Settings\Application Data\{4B08DEBA-8068-4B8A-913D-AC17310A7C86}\chrome\content\overlay.xul
c:\documents and settings\Rich\Local Settings\Application Data\{4B08DEBA-8068-4B8A-913D-AC17310A7C86}\install.rdf
C:\Documents
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\kb913800.exe
c:\windows\system32\4241424815.dat

.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-06 03:18 . 2009-09-22 09:01 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-11-06 03:18 . 2009-09-22 09:01 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-11-06 03:18 . 2009-09-22 09:01 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-06 03:18 . 2009-11-06 03:58 -------- d-----w- c:\windows\system32\ZoneLabs
2009-11-06 03:18 . 2009-11-06 03:58 -------- d-----w- c:\program files\Zone Labs
2009-11-06 03:17 . 2009-11-07 04:29 -------- d-----w- c:\windows\Internet Logs
2009-11-04 10:07 . 2009-11-04 10:10 -------- d-----w- C:\$AVG
2009-11-04 10:05 . 2009-11-04 10:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-24 21:42 . 2009-10-24 21:42 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-10-24 21:27 . 2008-04-15 15:17 295424 ------w- c:\windows\system32\dllcache\termsrv.dll
2009-10-24 21:18 . 2009-10-24 21:18 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-20 15:21 . 2009-10-20 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-20 09:18 . 2009-11-04 09:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-10-19 05:44 . 2009-10-19 05:57 -------- d-----w- c:\documents and settings\Rich\Application Data\Sony
2009-10-19 05:44 . 2009-10-19 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-10-19 05:43 . 2009-10-19 05:57 -------- d-----w- c:\documents and settings\Rich\Local Settings\Application Data\Sony
2009-10-19 05:42 . 2009-10-19 05:42 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-10-19 05:34 . 2009-10-19 05:34 -------- d-----w- c:\program files\Sony Ericsson Media Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 23:25 . 2006-02-08 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-06 23:25 . 2008-03-03 04:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-06 23:24 . 2009-07-20 04:06 -------- d-----w- c:\program files\SpywareBlaster
2009-11-06 03:30 . 2006-02-09 00:49 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-11-04 10:07 . 2008-10-14 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-04 10:07 . 2008-10-16 03:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-04 10:07 . 2008-10-14 23:09 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-04 10:07 . 2008-10-14 23:09 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-04 10:07 . 2008-10-14 23:09 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-04 10:05 . 2008-10-14 23:09 -------- d-----w- c:\program files\AVG
2009-11-02 07:58 . 2009-09-26 12:55 -------- d-----w- c:\program files\PeerGuardian2
2009-10-31 20:02 . 2006-05-16 10:15 -------- d-----w- c:\documents and settings\Rich\Application Data\uTorrent
2009-10-24 21:44 . 2009-10-24 21:43 127 ----a-w- c:\documents and settings\MCX1\Local Settings\Application Data\fusioncache.dat
2009-10-23 07:32 . 2006-02-18 00:40 -------- d-----w- c:\program files\PartyGaming.net
2009-10-10 20:46 . 2008-02-23 05:00 -------- d-----w- c:\documents and settings\Rich\Application Data\Wildfire
2009-09-30 08:21 . 2009-07-20 05:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 08:21 . 2009-08-14 08:36 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-30 07:58 . 2006-02-08 21:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-29 00:20 . 2009-09-29 00:20 -------- d-----w- c:\documents and settings\Rich\Application Data\Mozilla-Cache
2009-09-27 02:16 . 2009-09-27 02:16 33792 ----a-w- c:\documents and settings\Rich\Application Data\Thinstall\Office 2003\400000b00002i\E_FBSRABA.EXE
2009-09-19 06:10 . 2009-09-19 06:10 33792 ----a-w- c:\documents and settings\Rich\Application Data\Thinstall\Office 2003\400000ab00002i\avgcsrvx.exe
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54 . 2009-07-20 05:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-07-20 05:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 20:22 . 2006-02-09 06:05 32104 ----a-w- c:\documents and settings\Rich\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 07:36 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-02-09 23:19 . 2006-02-15 00:39 152 --sh--r- c:\windows\system32\A98D7208C4.sys
2008-02-09 23:20 . 2006-02-14 22:37 9188 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-10-26 . 8D8949936913B041C6A0E184FBF1030B . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2004-08-10 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2005-09-19 1585664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"tgcmd"="c:\program files\support.com\bin\tgcmd.exe" [2002-04-25 1544192]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-04 2010904]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-09-22 1011080]

c:\documents and settings\Rich\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-2-3 24576]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-04 10:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/14/2008 4:09 PM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/14/2008 4:09 PM 360584]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/8/2009 9:26 AM 298264]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/4/2009 3:05 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/4/2009 3:05 AM 285392]
S0 black;black;c:\windows\system32\drivers\BlackDrv.sys --> c:\windows\system32\drivers\BlackDrv.sys [?]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/8/2009 9:26 AM 903960]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2/8/2006 5:10 PM 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2/8/2006 5:10 PM 24344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com/hws/sb/dell/en/side.html
uSearch Bar = hxxp://www.google.com/hws/sb/dell/en/side.html
uWindow Title = Windows Internet Explorer provided by Comcast
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
mSearchAssistant = hxxp://www.google.com/hws/sb/dell/en/side.html
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
Trusted Zone: hidebehind.com
Trusted Zone: intuit.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Rich\Application Data\Mozilla\Firefox\Profiles\w90bazbq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 21:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
tgcmd = "c:\program files\support.com\bin\tgcmd.exe" /server?cmd.exe" /server

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys spva.sys hal.dll >>UNKNOWN [0x8A4F8938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xB9DFCB40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xB9DFCB40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3795163467-1675600426-3053425657-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DA044691-9197-7F46-D369-CEF11811FFB9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaefdffeailkpdmcbk"=hex:6a,61,61,66,65,67,6f,68,67,69,6c,63,68,66,66,6f,6f,67,
6e,6c,00,00
"hakebflimgojbikk"=hex:6a,61,61,66,6c,68,70,68,68,64,70,6f,68,6d,67,6e,62,6c,
6f,62,00,ea
.
Completion time: 2009-11-07 21:34
ComboFix-quarantined-files.txt 2009-11-07 04:34

Pre-Run: 8,282,759,168 bytes free
Post-Run: 8,410,935,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9762AB29EB5BFCAFFA74B1C550A7772E
RichCon1983 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-08-2009, 05:34 AM   #6 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,181
OS: XP sp3


Re: Please Help!! Malware causing MAJOR internet Slowdown
Hi,

Please post a fresh DDS and Attach.txt and advise how your computer is running now and if there are any outstanding issues
__________________


ASAP & UNITE Member
CatByte is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-08-2009, 01:16 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 6
OS: winxp


Re: Please Help!! Malware causing MAJOR internet Slowdown
Alright here's my new DDS and Attach logs....my computer has been running a lot better since the fixes....do my logs look clean now?

DDS (Ver_09-10-26.01) - NTFSx86
Run by Rich at 13:04:46.49 on Sun 11/08/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.959 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Rich\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [FreeRAM XP] "c:\program files\freeram xp pro\FreeRAM XP Pro.exe" -win
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\rich\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: hidebehind.com
Trusted Zone: intuit.com
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226446168522
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rich\applic~1\mozilla\firefox\profiles\w90bazbq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-6 28552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 298264]
S0 black;black;c:\windows\system32\drivers\blackdrv.sys --> c:\windows\system32\drivers\BlackDrv.sys [?]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-8 903960]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2006-2-8 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2006-2-8 24344]

=============== Created Last 30 ================

2009-11-07 06:56:03 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-07 06:55:01 0 d-----w- c:\program files\Panda Security
2009-11-07 04:03:15 0 d-sha-r- C:\cmdcons
2009-11-07 04:01:15 98816 ----a-w- c:\windows\sed.exe
2009-11-07 04:01:15 77312 ----a-w- c:\windows\MBR.exe
2009-11-07 04:01:15 267264 ----a-w- c:\windows\PEV.exe
2009-11-07 04:01:15 161792 ----a-w- c:\windows\SWREG.exe
2009-11-06 03:18:41 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-06 03:18:40 0 d-----w- c:\windows\system32\ZoneLabs
2009-11-06 03:18:38 418012 ----a-w- c:\windows\system32\vsconfig.xml
2009-11-06 03:18:37 0 d-----w- c:\program files\Zone Labs
2009-11-06 03:17:54 0 d-----w- c:\windows\Internet Logs
2009-11-04 10:11:09 1024262 ----a-w- c:\windows\system32\commonpriv.log.1
2009-11-04 10:11:09 0 ----a-w- c:\windows\system32\commonpriv.log.lock
2009-11-04 10:05:27 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-10-24 21:42:16 0 d--h--w- c:\windows\system32\GroupPolicy
2009-10-24 21:27:08 295424 ------w- c:\windows\system32\dllcache\termsrv.dll
2009-10-24 21:18:33 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-20 15:21:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2009-10-20 09:18:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2009-10-19 05:54:11 1024 ----a-w- c:\windows\system32\gncontent.cch
2009-10-19 05:42:24 0 d-----w- c:\program files\common files\Sony Shared
2009-10-19 05:34:00 0 d-----w- c:\program files\Sony Ericsson Media Manager

==================== Find3M ====================

2009-11-06 03:30:37 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-13 15:16:05 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2008-02-09 23:19:58 152 --sh--r- c:\windows\system32\A98D7208C4.sys
2008-02-09 23:20:01 9188 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-05-25 01:09:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052420080525\index.dat
2009-03-04 18:38:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030420090305\index.dat

============= FINISH: 1320.13 ===============
Attached Files
File Type: zip Attach.zip (3.5 KB, 2 views)
RichCon1983 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-08-2009, 01:52 PM   #8 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,181
OS: XP sp3


Re: Please Help!! Malware causing MAJOR internet Slowdown
Hi,

Your logs are clean,

Just some housekeeping to do now,

Please do the following:

P2P - I see you have P2P software utorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.
I would strongly recommend that you uninstall this now. You can do so via Control Panel >> Add or Remove Programs.

NEXT

You can delete the DDS and GMER folders from your desktop.

NEXT

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.





Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


If there are any other logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them     Then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

    WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • For Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
__________________


ASAP & UNITE Member
CatByte is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-08-2009, 02:35 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 6
OS: winxp


Re: Please Help!! Malware causing MAJOR internet Slowdown
thank you very much CatByte, you're a lifesaver!
RichCon1983 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-09-2009, 02:37 AM   #10 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 6
OS: winxp


Re: Please Help!! Malware causing MAJOR internet Slowdown
i hate to be a pest but i still find myself having to reload pages in firefox alot...sometimes they just don't load up, i have to refresh 2-3 times just to see certain websites....what could be the cause of this??
RichCon1983 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-09-2009, 08:51 AM   #11 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,181
OS: XP sp3


Re: Please Help!! Malware causing MAJOR internet Slowdown
Hi,

There could be a number of reasons, from security program settings, to browser cache.

Start with clearing your browser cache:

In FireFox go to Tools -> Options -> Advanced -> Network / Offline Storage -> Clear Now

See if that makes any difference:

If not there are a number of trouble shooting tips at the Mozilla website, see if anything here helps:

http://kb.mozillazine.org/Error_load...ng_any_website
__________________


ASAP & UNITE Member
CatByte is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 08:25 AM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85