
Status
Not open for further replies.
1 - 16 of 16 Posts

Registered · 8 Posts · Discussion Starter #1
I am a caveman when it comes to technology, but a dear friend swears by your site, so hopefully you can help me. I apologize in advance for any stupid questions.

I run XP Home Edition. I have noticed in the past two weeks that my computer is exceptionally slow when running any program (from Internet Explorer to Free Cell). Some internet pages take over a minute to load whereas they previously took less than 5 seconds. When watching anything "streaming" (be it video or a favorite sports sim site that has streaming text), the streaming is interrupted by temporary freezing.

Each time I turn on the computer, after running it for about 10 minutes, I get a message that my virtual memory is low. Sometimes after running Internet Explorer, I get an error message saying it must abort. My computer then freezes.

I haven't added any new software (as far as I am aware) in the past two weeks. I have tried to use system restore, but it will not let me restore to any points I have selected. I have run virus scans using Norton and Spybot, but the problem persists.

I have run the applicable programs. Can you help me?


DDS Log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Philip at 21:54:47.01 on Mon 05/11/2009
Internet Explorer: 6.0.2900.5512

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [Lexmark X5100 Series] "c:\program files\lexmark x5100 series\lxbabmgr.exe"
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Optimum Online net guide] "c:\program files\optimum online\Netsurf.exe" -trayicon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\philip\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-08 21:13 54,156 a---h--- c:\windows\QTFont.qfn
2009-05-08 21:13 1,409 a------- c:\windows\QTFont.for
2009-04-15 22:38 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 22:38 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 22:38 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 22:38 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 22:38 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 22:38 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 22:38 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 22:38 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 22:38 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 22:36 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 22:36 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 22:36 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 81,920 -------- c:\windows\system32\ieencode.dll
2009-02-19 13:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 13:03 207,240 a------- c:\windows\system32\SymRedir.dll

============= FINISH: 21:56:38.68 ===============
 

TSF-Emeritus · 15,384 Posts
Hello and welcome to TSF.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please note that the forum is very busy and if I don’t hear from you in three days this thread will be closed.
 

Registered · 8 Posts · Discussion Starter #3
Thank you very much for your offer of help. I have downloaded and run ComboFix and the log is as follows:


ComboFix 09-05-17.03 - Philip 05/17/2009 19:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.560 [GMT -4:00]
Running from: c:\documents and settings\Philip\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1202660629-1960408961-682003330-1005\Dc3.url
c:\recycler\S-1-5-21-1202660629-1960408961-682003330-1005\Dc7.m4a
c:\recycler\S-1-5-21-1202660629-1960408961-682003330-1005\Dc8.m4a
c:\recycler\S-1-5-21-1202660629-1960408961-682003330-1005\Dc9.m4a
c:\recycler\S-1-5-21-1202660629-1960408961-682003330-1005\INFO2
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\npf.sys
c:\windows\system32\ntnet.drv
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\TDSSfxmp.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-04-28 23:05 . 2009-05-12 02:00 286208 ----a-w c:\program files\gmer.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 23:40 . 2007-06-24 01:09 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-15 07:07 . 2007-06-24 01:46 167888 ----a-w c:\documents and settings\Philip\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2002-09-03 16:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2002-09-03 17:12 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2007-06-24 01:36 81920 ------w c:\windows\system32\ieencode.dll
2009-02-19 17:03 . 2009-02-19 17:03 579464 ----a-w c:\windows\system32\SymNeti.dll
2009-02-19 17:03 . 2009-02-19 17:03 207240 ----a-w c:\windows\system32\SymRedir.dll
2009-02-19 16:31 . 2009-02-19 16:31 31280 ----a-w c:\windows\system32\drivers\SymIM.sys
2009-02-19 16:31 . 2009-02-19 16:31 41008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 16:31 . 2009-02-19 16:31 96560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 16:31 . 2009-02-19 16:31 38576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 16:31 . 2009-02-19 16:31 37424 ----a-w c:\windows\system32\drivers\symndis.sys
2009-02-19 16:31 . 2009-02-19 16:31 22320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 16:31 . 2009-02-19 16:31 184496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 16:31 . 2009-02-19 16:31 13616 ----a-w c:\windows\system32\drivers\symdns.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2002-12-03 86102]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Optimum Online net guide"="c:\program files\Optimum Online\Netsurf.exe" [2007-06-24 1630208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\Philip\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll
"aux"= sysaudio.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/25/2007 1:07 AM 149352]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 4:55 PM 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/13/2009 11:40 AM 101936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2008-11-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Philip.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: **{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Philip\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 19:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g`???V??g`???SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????CY????????gb???2??????? ???<???? @???X???X???????????????????Y?????F?Q?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3332)
c:\program files\Common Files\Symantec Shared\NPC\2.0\NPCEXT.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Lexmark X5100 Series\lxbabmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-17 19:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-17 23:56

Pre-Run: 36,261,244,928 bytes free
Post-Run: 37,346,783,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
153 --- E O F --- 2009-05-12 22:17
 

TSF-Emeritus · 15,384 Posts
Hi,



  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= wdmaud.drv 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000

DDS::
uInternet Connection Wizard,ShellNext = iexplore
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


============================

Perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

========================

Please reply back with the Combofix.txt, Kaspersky report and feedback on how the system is running now.
 

Registered · 8 Posts · Discussion Starter #5
I'm sorry, I tried to do this correctly. Did I not have my Norton turned off/disabled? I tried to do so by turning off the LiveUpdate and the security center.

Do you wish for me to run ComboFix again? And, if so, what steps do I take to disable Norton?

Additionally, shall I post the ComboFix script or attach it as a file?
 

TSF-Emeritus · 15,384 Posts
I'm sorry, I tried to do this correctly. Did I not have my Norton turned off/disabled? I tried to do so by turning off the LiveUpdate and the security center.
Just make sure that it's still disabled. If you need to disable it again this is how:

Please navigate to the system tray on the bottom right hand corner and look for a sign.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this:

Do you wish for me to run ComboFix again?
Dragging and dropping CFScript.txt onto Combofix will cause Combofix to run again. When it's done, it will produce a log. Please copy/paste the log in your next reply, don't attach it.
 

Registered · 8 Posts · Discussion Starter #9
After I ran ComboFix the first time, I noticed a slight increase in my computer's speed, though I still received the Windows Virtual Memory Minimum Too Low prompt. I have not received the Windows Explorer Abort prompt which had been freezing my computer. The pc seems a touch slow still.

I ran ComboFix again and then the Kaspersky Scan. The logs are below.


ComboFix:

ComboFix 09-05-17.03 - Philip 05/17/2009 22:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.772 [GMT -4:00]
Running from: c:\documents and settings\Philip\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Philip\My Documents\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-04-28 23:05 . 2009-05-12 02:00 286208 ----a-w c:\program files\gmer.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 23:55 . 2007-06-24 01:09 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-15 07:07 . 2007-06-24 01:46 167888 ----a-w c:\documents and settings\Philip\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2002-09-03 16:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2002-09-03 17:12 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2007-06-24 01:36 81920 ------w c:\windows\system32\ieencode.dll
2009-02-19 17:03 . 2009-02-19 17:03 579464 ----a-w c:\windows\system32\SymNeti.dll
2009-02-19 17:03 . 2009-02-19 17:03 207240 ----a-w c:\windows\system32\SymRedir.dll
2009-02-19 16:31 . 2009-02-19 16:31 31280 ----a-w c:\windows\system32\drivers\SymIM.sys
2009-02-19 16:31 . 2009-02-19 16:31 41008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 16:31 . 2009-02-19 16:31 96560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 16:31 . 2009-02-19 16:31 38576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 16:31 . 2009-02-19 16:31 37424 ----a-w c:\windows\system32\drivers\symndis.sys
2009-02-19 16:31 . 2009-02-19 16:31 22320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 16:31 . 2009-02-19 16:31 184496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 16:31 . 2009-02-19 16:31 13616 ----a-w c:\windows\system32\drivers\symdns.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2002-12-03 86102]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Optimum Online net guide"="c:\program files\Optimum Online\Netsurf.exe" [2007-06-24 1630208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\Philip\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll
"aux"= sysaudio.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/25/2007 1:07 AM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/13/2009 11:40 AM 101936]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 4:55 PM 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2008-11-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Philip.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: **{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Philip\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 22:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g`???V??g`???SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????CY????????gb???2??????? ???<???? @???X???X???????????????????Y?????F?Q?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-18 22:19
ComboFix-quarantined-files.txt 2009-05-18 02:18
ComboFix2.txt 2009-05-17 23:56

Pre-Run: 37,303,775,232 bytes free
Post-Run: 37,334,130,688 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
111 --- E O F --- 2009-05-12 22:17




Kaspersky Scan Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 18, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 18, 2009 03:12:19
Records in database: 2189365
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 69874
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:28:47


File name / Threat name / Threats count
C:\System Volume Information\_restore{CEED605F-7E36-4408-9C37-9AEC3BE792C6}\RP278\A0784855.exe Infected: Backdoor.Win32.Small.hnw 1

The selected area was scanned.
 

Registered · 8 Posts · Discussion Starter #10
Correction: Since I posted the second ComboFix log as well as the Kaspersky scan result, my computer seems to be quite fast once more.

What do I do next?
 

TSF-Emeritus · 15,384 Posts
Hi Jubatus,

Correction: Since I posted the second ComboFix log as well as the Kaspersky scan result, my computer seems to be quite fast once more.

What do I do next?
That's what I expected to hear. The only item reported by Kaspersky is in the system restore cache which will be cleared shortly when Combofix is uninstalled.

I still received the Windows Virtual Memory Minimum Too Low prompt.
Do you still get this notice? If so:

Please right click My Computer and select properties.
Select the Advanced tab.
Click Settings in the Performance section.
Select the Advanced tab.
In the Virtual Memory section, click Change.
Make sure System Managed size is selected then click on Set and OK your way out. It may require a reboot.

======================

If you have no further malware issues, you're all set to go. The logs are clean.

  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /




This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

Please respond to this thread one more time so we can mark this thread as resolved.

Surf Safely and Think Prevention!
 

Registered · 8 Posts · Discussion Starter #12
I am currently at work but will undertake those steps when I get home later. I did, however, have another question:

I had been running Norton as my antivirus/firewall and had also been using SpyBot as another virus scan tool (I found SpyBot would find more viruses than Norton and figured two heads were better than one). Am I wasting my time with those programs? Given that I had this problem despite the Norton firewall, should I switch to another? Do you have any recommendations on how to avoid this issue in the future?

I'm a novice when it comes to computer issues and any help you can give me to better protect my computer in the future would be greatly appreciated.
 

TSF-Emeritus · 15,384 Posts
Hi,

Spybot is not an antivirus tool. It's anti-spyware/adware software. You can keep it, as it can work along with the antivirus applications. However, I don't know which version you have. It's now at version 1.6. If you have the older version, I would recommend that you remove it via Start>Control Panel>Add or Remove Programs, reboot, and then install the latest version.

The ultimate protection is the user himself/herself. The Think Prevention link I've given you in my previous post has a lot of good tips to keep your computer out of trouble while surfing the net.
 

Registered · 8 Posts · Discussion Starter #14
All seems well now, amateur. Please, once again, accept my most sincere thanks. I am already checking the links you provided to get the best protection possible so that hopefully I've learned from this and can prevent any recurrence.

My computer is running at normal speed once more, I am not receiving the Virtual Memory prompt, nor am I having any of the prior issues. I cannot thank you enough.
 

TSF-Emeritus · 15,384 Posts
Hi,

Excellent, and you're welcome.

There's one registry entry that we need to fix again. Spybot's TeaTimer rolled it back.

Please disable Teatimer. You can re-enable it later. If you have uninstalled the older version and not yet installed the new one, you can skip this step. Otherwise,

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

===================

Open notepad. It must be notepad, not wordpad.
Copy and paste the text inside the code box below into notepad, including the blank line at the end. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.
Choose file save as and set file type to all files.
Type fixreg.reg in the file name and save it to your desktop. It should look like this:


Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"="wdmaud.drv"
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fixreg.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer yes.

Reboot your computer.

=====================

Let me know if you run into any issues doing this.
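Both of the helper's fixes in this thread (the CFScript `Registry::` section and the fixreg.reg file) correct the same handful of values that ComboFix listed under "Reg Loading Points": the three Security Center `DisableMonitoring` flags, and the drivers32 `aux` entry that still pointed at sysaudio.sys after the TDSS components were removed. The script below is an added example, not part of the thread or of ComboFix: it parses that section of a saved ComboFix.txt, reports every value that differs from the stock XP value the helper restores, and renders the corrections as a REGEDIT4 file in exactly the shape the last post asks for (header first with no blank line before it, one blank line at the end, dword values bare, string values quoted). The `EXPECTED` table is an assumption that these are the stock values; the embedded log excerpt is copied from this thread's second ComboFix log and serves only as sample input.

```python
"""Added example: audit a ComboFix 'Reg Loading Points' dump for the values
this thread's fixes restore, and emit an equivalent REGEDIT4 fix file.

Not code from the thread or from ComboFix. Assumptions: EXPECTED holds the
stock XP values the helper's CFScript/fixreg.reg restore; SAMPLE_LOG is an
excerpt copied from the thread's second ComboFix log, used as sample input."""
import re

SC = r"HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring"
# Assumed stock values (what the helper's fixes write back).
EXPECTED = {
    SC: {"DisableMonitoring": "dword:00000000"},
    SC + r"\SymantecAntiVirus": {"DisableMonitoring": "dword:00000000"},
    SC + r"\SymantecFirewall": {"DisableMonitoring": "dword:00000000"},
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32":
        {"aux": "wdmaud.drv"},
}

# Excerpt of the thread's ComboFix log (sample input, not a live machine).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll
"aux"= sysaudio.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_points(log_text):
    """Return {key: {name: value}} from ComboFix's 'Reg Loading Points' dump.

    Keys appear either as [bracketed] REGEDIT-style headers or, for the
    drivers32 block, as a bare HKEY_... line. Values appear as "name"="str"
    (possibly followed by a [date size] annotation), "name"=dword:xxxxxxxx,
    or "name"= token [annotation]. Key names are lowercased because the
    registry is case-insensitive."""
    entries, key = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif line.upper().startswith("HK") and "=" not in line:
            key = line.lower()
        elif key is not None:
            m = _VALUE.match(line)
            if not m:
                continue  # startup-folder lines, .lnk entries, etc.
            name, rest = m.group(1), m.group(2).strip()
            if rest.startswith('"'):
                value = rest[1:rest.find('"', 1)]
            else:
                value = rest.split()[0] if rest else ""
            entries.setdefault(key, {})[name] = value
    return entries


def audit(entries, expected=EXPECTED):
    """Return [(key, name, found, wanted)] for each expected value that is
    missing or differs from the stock value."""
    findings = []
    for key, values in expected.items():
        present = {n.lower(): v for n, v in entries.get(key.lower(), {}).items()}
        for name, wanted in values.items():
            found = present.get(name.lower())
            if found is None or found.lower() != wanted.lower():
                findings.append((key, name, found, wanted))
    return findings


def make_regedit4(findings):
    """Render findings as REGEDIT4 text: header on the first line (no blank
    line before it), dwords bare, strings quoted, one blank line at the end.
    On XP write it as ANSI with CRLF line endings, e.g.
    open("fixreg.reg", "w", newline="\\r\\n").write(text)."""
    blocks = {}
    for key, name, _found, wanted in findings:
        rendered = wanted if wanted.startswith("dword:") else '"%s"' % wanted
        blocks.setdefault(key, []).append('"%s"=%s' % (name, rendered))
    out = ["REGEDIT4", ""]
    for key, lines in blocks.items():
        out.append("[%s]" % key)
        out.extend(lines)
        out.append("")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = audit(parse_reg_points(SAMPLE_LOG))
    for key, name, got, want in found:
        print("%s\\%s = %r (expected %r)" % (key, name, got, want))
    print(make_regedit4(found))
```

Run it against a saved ComboFix.txt by reading the file into `parse_reg_points` instead of `SAMPLE_LOG`. Treat the three `DisableMonitoring` findings as something to review rather than proof of tampering: some security suites write that flag themselves, which is why the helper simply resets it. The `aux` value is the stronger indicator in this thread, since the stock entry is wdmaud.drv and the log shows it pointing at a .sys file right next to the TDSS files ComboFix deleted.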
 