Status
Not open for further replies.
1 - 20 of 21 Posts

Registered · 46 Posts · Discussion Starter · #1
Email seems slow the last week and computer freezes up often. Can anyone help with this?
Thanks

DDS (Ver_2012-10-19.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
Run by Administrator at 7:14:07 on 2013-02-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.561 [GMT -8:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoResolveTrack = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://download.autodesk.com/esd/mapguide/SP1/ENG/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277442925546
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} - hxxp://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
TCP: NameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{73D36669-41A7-4756-9D87-708C69B0F62C} : DHCPNameServer = 192.168.0.1 205.171.3.25
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
============= FINISH: 7:14:28.34 ===============
 

Registered · 46 Posts · Discussion Starter · #2
Sorry but I'm not very experienced with my computer. I managed to zip the file that you want and it's on my desktop but I don't know how to get that file to here. Can you help me with that?
 

Premium Member · 29,813 Posts
Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

I need to see a gmer log in order to help you.

Download GMER Rootkit Scanner from here: http://www.gmer.net/download.php and save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • First, gmer will run a short, initial scan.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


------------------------------------------------------
 

Registered · 46 Posts · Discussion Starter · #6
GMER 2.1.18952 - GMER - Rootkit Detector and Remover
Rootkit scan 2013-02-13 21:41:50
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12 ST380011A rev.8.11 74.53GB
Running: u1sginj3[1].exe; Driver: C:\DOCUME~1\Administrator\Local Settings\Temp\uweiqaoc.sys

---- User code sections - GMER 2.1 ----
.text C:\Program Files\internet explorer\iexplore.exe[1416] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 00BD9315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1416] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 00CB4832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1416] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 00DCE021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1416] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 00DCDF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1416] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 00DCDFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1416] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 00DCDE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1416] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 00DCDE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1416] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 00DCE084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1416] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 00DCDEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 00BD9315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00CADBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 00CADD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 00CB4832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00C11CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 00DCE021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 00DCDF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 00DCDFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 00DCDE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 00DCDE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 00DCE084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 00DCDEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1512] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00CB488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 2.1 ----
AttachedDevice \Driver\Tcpip \Device\Tcp AswRdr.SYS (avast! TDI Redirect Driver/AVAST Software)
---- EOF - GMER 2.1 ----
 

Premium Member · 29,813 Posts
Hello griffinhomes.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do no fixing on your own and do not run any scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note:** If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:

  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal. For some infections, it may do this multiple times.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

------------------------------------------------------
 

Registered · 46 Posts · Discussion Starter · #8
ComboFix 13-02-13.02 - Administrator 02/14/2013 18:17:21.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.524 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Kevin\Application Data\Adobe\plugs
c:\documents and settings\Kevin\Application Data\Adobe\shed
.
.
((((((((((((((((((((((((( Files Created from 2013-01-15 to 2013-02-15 )))))))))))))))))))))))))))))))
.
.
2013-02-07 16:08 . 2013-02-07 16:08 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2013-02-07 15:17 . 2013-02-07 15:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-10 01:07 . 2012-12-14 04:09 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-10 01:07 . 2012-12-14 04:09 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-12 22:10 . 2012-12-12 22:10 388096 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2013-02-06 20:00 . 2013-02-06 20:00 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-14 04:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2008-10-07 20:31 75048 ------w- c:\program files\CyberLink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2008-07-19 02:52 104936 ------w- c:\program files\CyberLink\Power2Go\CLMLSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantBurn]
2007-10-26 17:55 681256 ----a-w- c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-07-30 17:41 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
2007-12-14 18:36 50472 ------w- c:\program files\CyberLink\PowerDVD8\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2008-08-02 01:06 2663720 ------w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2008-03-21 03:23 83240 ------w- c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2005-01-24 09:56 544768 ----a-w- c:\windows\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 17:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [5/24/2010 7:46 PM 15784]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 10:54 AM 116608]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/12/2012 11:33 AM 738504]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/12/2012 11:33 AM 361032]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 8:27 AM 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 1:55 PM 67664]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [10/7/2008 7:31 PM 61424]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/12/2012 11:33 AM 21256]
S2 CachemanService;Cacheman Service; [x]
S2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [5/24/2010 7:46 PM 162344]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/19/2012 7:08 PM 399432]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/24/2010 8:17 PM 676936]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/24/2010 8:17 PM 22856]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [10/15/2012 7:29 PM 27064]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uweiqaoc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-07-30 17:39 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-14 01:07]
.
2013-02-13 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-11-12 22:50]
.
2013-02-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-796845957-1644491937-1801674531-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 21:27]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ei8stx66.default\
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2013-02-14 18:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-796845957-1644491937-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,4d,d7,ed,bd,f8,70,4a,99,8b,60,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,4d,d7,ed,bd,f8,70,4a,99,8b,60,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\EncryptionInterface*]
"c_encryption_d"="5B534359425A\003"
"c_encryption_e"="2A2E455F42425F2E0639205F22415C5E47602553313E4142332C7D25365F5F43572732603F26425E43"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(476)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\l3codecp.acm
.
Completion time: 2013-02-14 18:22:14
ComboFix-quarantined-files.txt 2013-02-15 02:22
.
Pre-Run: 16,420,155,392 bytes free
Post-Run: 16,913,776,640 bytes free
.
- - End Of File - - FE9D1077BFE75A0D9EDBEA3F485DF2B2

Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.01)
Adobe Shockwave Player 11.6
ATI Control Panel
ATI Display Driver
avast! Free Antivirus
CCleaner
Coupon Printer for Windows
CyberLink BD Advisor 2.0
CyberLink DVD Suite
CyberLink InstantBurn
CyberLink LabelPrint
CyberLink MediaShow
CyberLink PhotoNow
CyberLink Power2Go
CyberLink PowerBackup
CyberLink PowerDirector
CyberLink PowerDVD 8
CyberLink PowerDVD Copy
CyberLink PowerProducer
Disk Cleaner (remove only)
HiJackThis
Java 7 Update 9
Java Auto Updater
LightScribe System Software 1.14.19.1
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 2.0 Client Service Pack 2
Microsoft .NET Framework 3.0 Client Service Pack 2
Microsoft .NET Framework 3.5 Client Service Pack 1
Microsoft .NET Framework Client Profile
Microsoft Bootvis
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0 (Beta2)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Motorola SM56 Speakerphone Modem
Mozilla Firefox 18.0.2 (x86 en-US)
MSN
Paint.NET v3.5.8
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek AC'97 Audio
RealUpgrade 1.1
Revo Uninstaller Pro 2.5.9
SUPERAntiSpyware
swMSM
WebFldrs XP
Winamp
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
 

TSF-Emeritus · 15,457 Posts
How is the system behaving now?

Since you already have Malwarebytes Anti-Malware installed, please update it to its latest definitions, and run a new Quick Scan.
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

=================

Java 7 Update 9 is out of date.

Please go to Start > Control Panel > Add or Remove Programs, and remove the Java program(s) installed.
Next, download the latest Java, version 7 update 15 from the following link
Download Free Java Software

Once the install is complete....

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

==================

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
 

Registered · 46 Posts · Discussion Starter · #12
Malwarebytes Anti-Malware (PRO) 1.70.0.1100
Malwarebytes : Free anti-malware download

Database version: v2013.02.21.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Kevin :: KEVIN-0B327987B [administrator]

Protection: Enabled

2/20/2013 7:30:54 PM
mbam-log-2013-02-20 (19-30-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215491
Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

Registered · 46 Posts · Discussion Starter · #15
Seems generally better but still very slow at Ticket Master and Expedia. Also, after clicking the "Reply" button here, it took about 15-20 seconds to get to the log in window. You don't see anything that would be slowing things down? Perhaps my computer is old and slow? It seems slower than a month ago though. Thanks for your help with this..... Kevin
 

TSF-Emeritus · 15,457 Posts
Hi Kevin, you're welcome.

I see that you have CCleaner installed. It's a good tool for cleaning temporary files and clearing the caches, but the Registry Section of the tool must not be used unless you know exactly what you're doing. Otherwise, if not used properly, it may cripple the system. We do not recommend the use of registry cleaners/optimizers/tweakers. Our colleague miekiemoes has an excellent writeup here

Two other excellent articles: One by Bill Castner is located here and the other by Ed Bott is here

===================

Do I need to remove any of those things you had me download for scanning?
When we are done, we'll clean up our tools and give you some guidelines to prevent future infections.

===================

Although your RAM should be sufficient for running XP, if you're running several applications at the same time, you may experience some slowness. It's normal to have the system slow down as it gets older and more and more applications are installed. Your internet connection speed may also be slow at times. Not all sluggishness is caused by malware. Please visit this page and see if any of their suggestions help.

Slow Computer

I am not seeing any evidence of malware in the logs. However, when you ran Combofix last time, it was run in Safe Mode with Networking, as was DDS. Were you having problem running it in Normal Mode? Are you able to run it in Normal Mode now? If you are, I'd like to see a fresh log. Please disable Avast & SuperAntiSpyware, run Combofix as per previous instructions and post the log, please.
 

Registered · 46 Posts · Discussion Starter · #18
I thought I disabled Avast, didn't do Malwarebytes. I may have done it wrong. Can you go over it with me and I'll run combofix again? I'm barely computer literate.....barely. LOL
 

TSF-Emeritus · 15,457 Posts
Sure. The free version of Malwarebytes doesn't have a real-time scanner, therefore it doesn't need to be disabled. If you have the paid version, then it needs to be disabled. I'll provide the instructions below for all of them:

To disable SuperAntiSpyware:
  • Open SUPERAntiSpyware
  • Click on Preferences
  • Click on Real-Time Protection tab
  • Untick Real-Time protection
  • Click on the Hi-Jack Protection tab
  • Under Home Page Protection, uncheck "Protect Home Page from being changed. Changes can only be made here."
  • Click on Close.
  • Close SUPERAntiSpyware

To disable Malwarebytes' Real Time Protection (Registered version only)

  • Right-click on the MBAM icon in the System Tray and uncheck "Enable Protection".
  • When asked, "Are you sure you want to disable the MBAM Protection Module?", click Yes.
  • Right-click on the MBAM icon again and then uncheck "Start with Windows".
  • The Protection Module is now disabled and will not restart.

To disable Avast:

  • Right Click on the Avast icon in the system tray
  • Click on Program Settings...
  • Click on Troubleshooting
  • Place a tick next to Disable avast! self-defense module
  • Click OK
  • At the prompt that appears, click Yes
  • Right Click on the Avast icon in the system tray and click Stop On-Access protection
  • At the prompt that appears, click Yes


===========================

When done with disabling of your security tools, double click on Combofix.exe on your desktop. Allow it to update if prompted and let it run its course. When the scan is finished, it will produce a log. It may take some time to produce the log. Please be patient. When the log is produced, please copy/paste the contents of the log in your next reply.
 