
Long boot up time & everything is slow



#1 Chinwabee


Posted 03 August 2010 - 07:43 PM

My computer started running slow about 4 months ago and I've tried numerous spyware, malware and anti-virus programs that have found some stuff and slightly improved things, but nothing has gotten my computer back to where it was and should be. I'm pretty sure I know when and how my problem initially started. One night I was trying to watch something and I installed tvu player and I got a message from my anti-virus saying that it was a known phishing program or something to that effect. I would have normally not proceeded but for once I said screw it and continued with the installation, figuring nothing serious would come about and Malwarebytes would knock it out anyway. Well, it turned out to be a bad call, and right after I finished watching my program I uninstalled tvu player and rebooted and it took me at least 7-8 minutes to boot up when it was usually under a minute. Also everything just runs slower now. It can take me 2+ hours just to unzip files now, which is obviously ridiculous (just for example). Also it's nearly impossible to watch a movie or play music as the picture and sound are slow and the sound distorted as if the processor is overworked, but my performance tab in task manager never really shows the computer usage above 10-15% except when I'm doing things like extracting archived files or something.

I've run HijackThis as the first step in the malware guide stated to do and here is the log. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:26:52 PM, on 8/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Common Files\AOL\1263398909\ee\AOLSoftware.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\1263398909\ee\AOLDesktop.exe
C:\Documents and Settings\Stiz\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...a...10&m=aoa150
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...a...10&m=aoa150
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer...a...10&m=aoa150
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R3 - URLSearchHook: IAOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: (no name) - {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - C:\PROGRA~1\SITERA~1\SiteRank.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1263398909\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Stiz\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

--
End of file - 7714 bytes

Edited by Chinwabee, 04 August 2010 - 04:30 AM.



#2 RPMcMurphy


Posted 04 August 2010 - 09:16 AM

Hello Chinwabee and welcome to WhatTheTech. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please follow my instructions carefully and in the order they are posted.
  • Any underlined text in my posts indicates a clickable link.
  • You should print any instructions I give you for ease of use and reference.
  • If you have any questions at all, please stop and ask before proceeding.
Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found you will have further options available to you. At this time press N, then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
Please include the following in your next post:
  • DDS and Attach.txt logs
  • GMER log
  • MBRCheck log

If you are being helped and you haven't replied within 5 days your topic will be closed as inactive.

ASAP & UNITE Member - Proud Graduate of the WTT Classroom

The help you receive here is free. If you wish to show your appreciation, then you may donate.

#3 Chinwabee


Posted 04 August 2010 - 05:02 PM

Ok just now got done running scans 7 hours later. I got your instructions 21 mins after you posted and I just now got done. Gmer took forever and crashed my system once and then pegged out the cpu usage at 100% and forced me to do a hard shutdown. Anyway, here are the logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Stiz at 16:20:11.48 on Wed 08/04/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.547 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\Stiz\LOCALS~1\Temp\RtkBtMnt.exe
c:\Program Files\Microsoft Works\WksWP.exe
c:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Stiz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0110&m=aoa150
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0110&m=aoa150
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0110&m=aoa150
uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
BHO: : {11bf46c6-b3de-48bd-bf70-3ad85cab80b5} - c:\progra~1\sitera~1\SiteRank.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2010-1-4 96856]
S3 pbfilter;pbfilter;c:\documents and settings\stiz\my documents\peerblock\pbfilter.sys [2010-3-11 14424]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-1-19 11520]
S4 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]

=============== Created Last 30 ================

2010-08-04 16:27:02 0 d-----w- c:\windows\system32\??
2010-08-04 13:36:05 0 d-----w- c:\temp\hspm9
2010-08-04 13:36:05 0 d-----w- C:\Temp
2010-08-04 13:32:54 4 ----a-w- c:\windows\CKSNNT.flg
2010-08-04 13:32:53 4 ----a-w- c:\windows\vx86036.dat
2010-08-04 13:32:53 2240 ----a-w- c:\windows\system32\esnecil.nlp
2010-08-04 13:32:53 2240 ----a-w- c:\windows\system32\esnecil.ind
2010-08-04 13:32:48 55 ----a-w- c:\windows\Crypkey.ini
2010-08-04 13:32:43 73728 ----a-w- c:\windows\system32\Crypserv.exe
2010-08-04 13:32:43 31654 ----a-w- c:\windows\system32\Ckldrv.sys
2010-08-04 13:32:43 27648 ----a-r- c:\windows\Setup_ck.exe
2010-08-04 13:32:43 18432 ----a-w- c:\windows\Setup_ck.dll
2010-08-04 13:32:43 165888 ----a-w- c:\windows\Ckconfig.exe
2010-08-04 13:32:43 11776 ----a-w- c:\windows\Ckrfresh.exe
2010-08-04 12:12:50 0 d-----w- c:\windows\WinRAR
2010-08-03 19:48:33 0 d-----w- c:\program files\CCleaner
2010-07-30 00:53:28 0 d-----w- C:\ComboFix
2010-07-29 23:51:00 0 d-----w- C:\Rooter$
2010-07-26 23:53:52 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-26 10:00:34 0 d-----w- c:\program files\Microsoft Security Essentials
2010-07-26 09:36:54 0 d-----w- C:\67915a414e8afffc81df99d6216732c4

==================== Find3M ====================

2010-08-04 22:01:06 224 ----a-w- c:\docume~1\stiz\applic~1\wklnhst.dat
2008-08-15 17:51:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 16:20:49.46 ===============

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000004

Kernel Drivers (total 159):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF79E7000 \WINDOWS\system32\KDCOM.DLL
0xF78F7000 \WINDOWS\system32\BOOTVID.dll
0xF7498000 ACPI.sys
0xF79E9000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7487000 pci.sys
0xF74E7000 isapnp.sys
0xF78FB000 compbatt.sys
0xF78FF000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7AAF000 pciide.sys
0xF7767000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF79EB000 aliide.sys
0xF79ED000 cmdide.sys
0xF79EF000 toside.sys
0xF79F1000 viaide.sys
0xF79F3000 intelide.sys
0xF74F7000 MountMgr.sys
0xF7468000 ftdisk.sys
0xF7903000 ACPIEC.sys
0xF7AB0000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF776F000 PartMgr.sys
0xF7507000 VolSnap.sys
0xF7907000 cpqarray.sys
0xF7450000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7438000 atapi.sys
0xF790B000 aha154x.sys
0xF7777000 sparrow.sys
0xF790F000 symc810.sys
0xF7517000 aic78xx.sys
0xF7913000 dac960nt.sys
0xF7527000 ql10wnt.sys
0xF7917000 amsint.sys
0xF777F000 asc.sys
0xF791B000 asc3550.sys
0xF7787000 mraid35x.sys
0xF778F000 i2omp.sys
0xF791F000 ini910u.sys
0xF7537000 ql1240.sys
0xF7547000 aic78u2.sys
0xF7797000 symc8xx.sys
0xF779F000 sym_hi.sys
0xF77A7000 sym_u3.sys
0xF77AF000 ABP480N5.SYS
0xF77B7000 asc3350p.sys
0xF79F5000 cd20xrnt.sys
0xF7557000 ultra.sys
0xF741F000 adpu160m.sys
0xF77BF000 dpti2o.sys
0xF7567000 ql1080.sys
0xF7577000 ql1280.sys
0xF7587000 ql12160.sys
0xF77C7000 perc2.sys
0xF79F7000 perc2hib.sys
0xF77CF000 hpn.sys
0xF7923000 cbidf2k.sys
0xF73F3000 dac2w2k.sys
0xF7597000 disk.sys
0xF75A7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF73D3000 fltMgr.sys
0xF73C1000 sr.sys
0xF73A8000 TPkd.sys
0xF7391000 KSecDD.sys
0xF7304000 Ntfs.sys
0xF72D7000 NDIS.sys
0xF75B7000 sisagp.sys
0xF75C7000 viaagp.sys
0xF72BD000 Mup.sys
0xF75D7000 alim1541.sys
0xF75E7000 amdagp.sys
0xF75F7000 agp440.sys
0xF7607000 agpCPQ.sys
0xF7687000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7289000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF652F000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF651B000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF64F3000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF64D7000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xF6396000 \SystemRoot\system32\DRIVERS\athw.sys
0xF78C7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6372000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78CF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7697000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF78D7000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
0xF78DF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF633B000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7A15000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF78E7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7285000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7BC0000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7281000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6324000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78EF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6313000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF6046000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF603E000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6036000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF7747000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A73000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF4D51000 \SystemRoot\system32\DRIVERS\ks.sys
0xF4CF3000 \SystemRoot\system32\DRIVERS\update.sys
0xF79D3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF721B000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF6AD5000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xAA303000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA2DF000 \SystemRoot\system32\drivers\portcls.sys
0xF71EB000 \SystemRoot\system32\drivers\drmk.sys
0xF79CB000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xA9893000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xA96E2000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
0xF6AC5000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xF600E000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
0xF7A41000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7ABA000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A43000 \SystemRoot\System32\Drivers\Beep.SYS
0xF77DF000 \SystemRoot\System32\drivers\vga.sys
0xF7A45000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A47000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF77FF000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7807000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA98DA000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA96AF000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA9656000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA962E000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA9608000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA95E6000 \SystemRoot\System32\drivers\afd.sys
0xF4E04000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA98C6000 \??\C:\WINDOWS\system32\drivers\VCdRom.sys
0xF4DF4000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA95BB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF7827000 \SystemRoot\system32\ckldrv.sys
0xA954B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF4DC4000 \SystemRoot\System32\Drivers\Fips.SYS
0xA9533000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A4D000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7260000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7857000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C09000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA8C4F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA8A76000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA896D000 \SystemRoot\System32\Drivers\HTTP.sys
0xA889E000 \SystemRoot\system32\DRIVERS\srv.sys
0xA8721000 \SystemRoot\system32\drivers\wdmaud.sys
0xA87C6000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7EDE000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA7D4C000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
0xA7AEE000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 43):
0 System Idle Process
4 System
652 C:\WINDOWS\system32\smss.exe
712 csrss.exe
736 C:\WINDOWS\system32\winlogon.exe
780 C:\WINDOWS\system32\services.exe
792 C:\WINDOWS\system32\lsass.exe
956 C:\WINDOWS\system32\svchost.exe
1036 svchost.exe
1076 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
1116 C:\WINDOWS\system32\svchost.exe
1176 svchost.exe
1280 svchost.exe
1488 C:\WINDOWS\system32\spoolsv.exe
1568 svchost.exe
1600 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
1616 C:\WINDOWS\system32\Crypserv.exe
1704 C:\WINDOWS\system32\svchost.exe
1784 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
1936 C:\WINDOWS\system32\svchost.exe
200 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
456 wmpnetwk.exe
1768 C:\WINDOWS\explorer.exe
1660 alg.exe
2544 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
2532 C:\WINDOWS\system32\igfxtray.exe
2600 C:\WINDOWS\system32\igfxsrvc.exe
2668 C:\WINDOWS\system32\hkcmd.exe
2684 C:\WINDOWS\system32\igfxpers.exe
2712 C:\WINDOWS\RTHDCPL.exe
2776 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2840 C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
2940 C:\WINDOWS\system32\ctfmon.exe
2972 C:\Program Files\Windows Media Player\wmpnscfg.exe
3012 C:\WINDOWS\system32\igfxext.exe
3436 C:\DOCUME~1\Stiz\LOCALS~1\Temp\RtkBtMnt.exe
2104 C:\Program Files\Internet Explorer\iexplore.exe
2560 C:\WINDOWS\system32\taskmgr.exe
3024 C:\Program Files\AOL Toolbar\aoltbServer.exe
3800 C:\Program Files\Microsoft Works\WksWP.exe
2492 C:\Program Files\Microsoft Works\WkDStore.exe
2216 C:\Program Files\Microsoft Works\wkgdcach.exe
2572 C:\Documents and Settings\Stiz\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`384c7a00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600BEVT-22ZCT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 6A37CCD118436B688B51F6BD4C2B47A895EBDF7F

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


Edited by Chinwabee, 04 August 2010 - 05:09 PM.


#4 RPMcMurphy


Posted 04 August 2010 - 07:32 PM

Chinwabee,

It looks like you ran ComboFix and Rooter on this machine last week. Were/are you being helped elsewhere, or did you run those on your own? I'd like to see the ComboFix log; this will open it if it is there:

Click Start > Run or press Windows Key + R, then copy/paste the following into the Run box that opens and press OK:
c:\ComboFix.txt

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • MBAM log
  • ESET log

If you are being helped and you haven't replied within 5 days your topic will be closed as inactive.

ASAP & UNITE Member - Proud Graduate of the WTT Classroom

The help you receive here is free. If you wish to show your appreciation, then you may donate: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=RPMcMurphy%40whatthetech%2ecom&lc=US&item_name=RPMcMurphy&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donate_SM%2egif%3aNonHosted

#5 Chinwabee

Chinwabee

    New Member

  • Authentic Member
  • 9 posts

Posted 05 August 2010 - 02:51 PM

I had ComboFix and Rooter on this machine because I had a problem on my desktop about a year ago and a person named Tom from this site actually helped me clean the machine, and so I thought they must be good programs to hold on to. I only ran the scans on them just to see if anything jumped out at me, but I'm 99.9% sure I have NO CLUE what I'm reading in those scan results. I was just looking for something very obvious like the word trojan or something. But I only ran scans... I did not use any fix buttons at all because I'm no expert and didn't want to delete files that could cause further damage. I ran Malware and everything was clean, as the log will show. Now, I run it regularly, and going through my logs all the way back to the beginning of the year it has always shown clean scans. I had AVG installed, which was very good about giving me detection warnings about files and sites, but then someone told me to try Microsoft Security Essentials last week, so I uninstalled AVG and installed Essentials and it came up with a bunch of threats that AVG had failed to find for months, I'm guessing. The second scan you told me to run from that website, ESET or something, I don't remember the name, but it ran and said that no threats were found and it never gave me any details tab, so I didn't get any log from it, I'm assuming because it didn't find anything. If you need me to re-run the scan to get something just let me know. At this point I'm just wondering what you think may be causing my computer problems, because all of the scans I ran prior to coming to this site produced a few results that were removed, but it seems like nothing is showing up now in the scans you are having me run (of course I didn't read those long logs from the first scans you had me run because I would have no idea what they mean). So I'm just asking if there is anything you have seen to this point that may lead you to some indication of what may be causing my issues.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4393

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/5/2010 9:59:21 AM
mbam-log-2010-08-05 (09-59-21).txt

Scan type: Quick scan
Objects scanned: 159043
Time elapsed: 37 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Chinwabee, 05 August 2010 - 03:52 PM.


#6 RPMcMurphy

RPMcMurphy

    MalwareTeam Emeritus

  • Authentic Member
  • 2,326 posts

Posted 05 August 2010 - 06:38 PM

Chinwabee,

ComboFix is not something you should be using as a scanner. It is not a scanner at all - it is a very powerful tool that is not intended for unsupervised use. Used improperly it can damage your operating system. I'd like you to uninstall it now, using these instructions:

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • MBRCheck
  • Rooter
I don't see any malware in your logs, but based on your description of the computer's behavior there is definitely a problem in there. I'd recommend starting a new topic in our Microsoft Windows Forum. Be sure to give whoever helps you there a link back to this thread.

Good luck.

#7 Chinwabee

Chinwabee

    New Member

  • Authentic Member
  • 9 posts

Posted 05 August 2010 - 10:05 PM

I understand what you're saying about ComboFix and I did delete it right after I ran it a week or so ago... like I said, I didn't know what it was showing me so I got rid of it. I also got rid of the stuff you had me use. But I wanted to thank you for your time and help, and I've started a new topic in the other forum.

#8 RPMcMurphy

RPMcMurphy

    MalwareTeam Emeritus

  • Authentic Member
  • 2,326 posts

Posted 06 August 2010 - 07:05 AM

You're welcome, Chinwabee.

#9 RPMcMurphy

RPMcMurphy

    MalwareTeam Emeritus

  • Authentic Member
  • 2,326 posts

Posted 06 August 2010 - 07:05 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.