Computer Running Slow Please Help


12 replies to this topic

#1 Guest_jeppy_* (Guest)

Posted 03 June 2007 - 12:40 AM

Hi,
Can anyone please help?

Logfile of HijackThis v1.99.1
Scan saved at 07:35:13, on 03/06/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Jeff\LOCALS~1\Temp\Rar$EX23.304\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\System32\ryuyccuo.dll",realset
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

StartupList report, 03/06/2007, 07:38:52
StartupList version: 1.52.2
Started from : C:\DOCUME~1\Jeff\LOCALS~1\Temp\Rar$EX43.516\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Jeff\LOCALS~1\Temp\Rar$EX43.516\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ntl Netguard = "C:\Program Files\ntl\ntl Netguard\RPS.exe"
Genuine = rundll32.exe "C:\WINDOWS\System32\ryuyccuo.dll",realset
PCSuiteTrayApplication = C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Ati HotKey Poller: %SystemRoot%\System32\atievxx.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CSS DVP: System32\DRIVERS\css-dvp.sys (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
DvpApi: C:\Program Files\Common Files\Command Software\dvpapi.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Radialpoint Filter: System32\Drivers\FreeTdi.sys (autostart)
Radialpoint Service: C:\Program Files\ntl\ntl Netguard\fws.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 8,733 bytes
Report generated in 0.611 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



#2 Rogue (Authentic Member, 179 posts)

Posted 03 June 2007 - 12:48 PM

Welcome to Tom Coyote Forums

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Since there may be other issues with your system besides your original symptoms, please continue to follow this thread until I have given you an "All Clean".
If you can do these things, everything should go smoothly.

I see you are at XP's SP1. Be prepared to update to SP2 when I have given the all clean..but not before.

Ready? Let's go.

*=========================*

We need to Relocate Hijackthis

You are currently running HijackThis from a temporary location:
Temp\Rar$EX23.304
HijackThis will not be able to make backups of the removed entries if it's running from a Temp folder, and we risk accidentally removing the application when you clean the temp files from your system.

Please make a folder here: c:\HJT and place HijackThis.exe in that folder.
DO NOT follow the steps below until you have moved HijackThis
*=========================*

Rename Hijackthis:

Locate the program Hijackthis.
Select the file, Hijackthis.exe, right-click and select Rename.
Please change the name to: icmore.exe
Then please could you post a new Hijackthis log.
*========================*

Please download VundoFix by Atribune to your Desktop
http://www.atribune..../click.php?id=4
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
*=========================*

Please post the following;

New hijackthis log
vundofix.txt

Thanks,
Rogue
Rogue
Trained at MalWare Removal University - A Cooperative Effort with WhatTheTech Classroom

#3 Guest_jeppy_* (Guest)

Posted 03 June 2007 - 01:27 PM

Thanks, Rogue

Logfile of HijackThis v1.99.1
Scan saved at 20:24:33, on 03/06/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\SDFix\HJT\Icmore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


VundoFix V6.4.2

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 19:54:08 03/06/2007

Listing files found while scanning....

C:\WINDOWS\system32\ouccyuyr.ini
C:\WINDOWS\system32\ryuyccuo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ouccyuyr.ini
C:\WINDOWS\system32\ouccyuyr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ryuyccuo.dll
C:\WINDOWS\system32\ryuyccuo.dll Has been deleted!

Performing Repairs to the registry.
Done!
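
The two VundoFix hits above share one tell-tale relationship: the stem of the .ini file (ouccyuyr) is the stem of the DLL (ryuyccuo) spelled backwards, and the DLL was being loaded at logon by a Run key named "Genuine" through rundll32. The script below is an added example, not part of this thread and not code from HijackThis, StartupList or VundoFix. It parses the O4 and StartupList autorun lines copied from the first log, flags rundll32-loaded DLLs that are not on an allow-list, and upgrades the finding when a reversed-name .ini sits beside the DLL. SAMPLE_SYSTEM32_LISTING is a constructed stand-in for a directory listing (the two names VundoFix reported plus two normal system files), and KNOWN_GOOD_DLLS is an assumed analyst allow-list; neither comes from the page.

```python
"""Triage autorun entries (HijackThis O4 lines, StartupList "name = cmd"
lines) for the rundll32-loaded DLL pattern seen in this thread.

Added example; not part of the original posts nor of HijackThis,
StartupList or VundoFix. SAMPLE_AUTORUN_LINES are copied from the first
log in the thread. SAMPLE_SYSTEM32_LISTING is a constructed stand-in for
a directory listing. KNOWN_GOOD_DLLS is an assumption: an analyst's
allow-list of DLLs that legitimately get loaded through rundll32.
"""
import re
from typing import Dict, List, Optional

SAMPLE_AUTORUN_LINES = [
    r'O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"',
    r'O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\System32\ryuyccuo.dll",realset',
    r'O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup',
    r'Genuine = rundll32.exe "C:\WINDOWS\System32\ryuyccuo.dll",realset',  # StartupList form of the same entry
]
SAMPLE_SYSTEM32_LISTING = {"ryuyccuo.dll", "ouccyuyr.ini", "shell32.dll", "userinit.exe"}  # constructed
KNOWN_GOOD_DLLS = {"shell32.dll", "themeui.dll", "msgsc.dll"}  # assumption (see module docstring)

O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
STARTUPLIST_RE = re.compile(r'^(?P<name>[^=]+?) = (?P<cmd>.+)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I)


def parse_autorun(line: str) -> Optional[Dict[str, str]]:
    """Return {'name', 'cmd', 'source'} for an O4 or StartupList line, else None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return {"name": m["name"], "cmd": m["cmd"], "source": "hijackthis"}
    m = STARTUPLIST_RE.match(line)
    if m:
        return {"name": m["name"].strip(), "cmd": m["cmd"], "source": "startuplist"}
    return None


def reversed_ini(dll_name: str) -> str:
    """Vundo droppers of this period kept their data in an .ini whose stem
    is the DLL stem spelled backwards (ryuyccuo.dll <-> ouccyuyr.ini)."""
    stem = dll_name.rsplit(".", 1)[0]
    return stem[::-1] + ".ini"


def triage(lines, system32_listing, known_good=KNOWN_GOOD_DLLS) -> List[Dict]:
    """Flag rundll32-loaded DLLs not on the allow-list; escalate when the
    reversed-name companion .ini is present in the System32 listing."""
    listing = {n.lower() for n in system32_listing}
    findings, seen = [], set()
    for line in lines:
        entry = parse_autorun(line)
        if entry is None:
            continue
        m = RUNDLL_RE.search(entry["cmd"])
        if m is None:
            continue  # plain EXE autoruns are outside this check
        dll_path = m["dll"]
        dll_name = dll_path.rsplit("\\", 1)[-1].lower()
        if dll_name in known_good or dll_name in seen:
            continue
        seen.add(dll_name)  # the HJT and StartupList logs repeat the same entry
        finding = {
            "name": entry["name"],      # "Genuine" mimics a Windows Genuine Advantage component
            "dll": dll_name,
            "export": m["export"],
            "in_system32": "system32" in dll_path.lower(),
            "severity": "review",       # rundll32 + unknown DLL: worth a look, not proof
            "companion_ini": None,
        }
        ini = reversed_ini(dll_name)
        if ini in listing:
            finding["severity"] = "vundo_pattern"
            finding["companion_ini"] = ini
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUTORUN_LINES, SAMPLE_SYSTEM32_LISTING):
        print(f)
```

The allow-list is deliberately short: the point is that a rundll32 load of an unrecognised DLL from System32 is only a reason to look, and the reversed-name .ini is what turns it into a confident match. Against a real machine the listing would come from `os.listdir` on the System32 directory rather than the constructed set.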

#4 Rogue (Authentic Member, 179 posts)

Posted 03 June 2007 - 01:51 PM

Hi jeppy,

Geeez, that log is short.
What have you tried prior to coming here for help?


Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems running GMER.exe, try it in safe mode.
This tool works in safe mode; other rootkit revealers don't.
*=========================*

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

*=========================*

Run Kaspersky Online AV Scanner
Using Internet Explorer, go to http://www.kaspersky.com/virusscanner and click the Kaspersky Online Scanner button.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
*=========================*

Create Uninstall List with Hijackthis
This is how you do that:
Open HiJackThis
Click on the tab "Open the Misc Tools section"
Click on the box that says "Uninstall Manager"
Click on the button "Save list"
Copy and paste the list from Notepad into your post
*=========================*

Please post the following;

GMER log
WinPFind log
Kaspersky log
Uninstall list

Some of these logs can be large and may require separate posts.

Thanks,

Rogue

#5 Guest_jeppy_* (Guest)

Posted 03 June 2007 - 02:33 PM

Hi Rogue

I read a post which had a similar HJT log to mine, so I ran SDFix then ComboFix. I also had problems with Windows Media Player (I couldn't play video/audio files). I looked in the Windows Media Player folder; all the files in the folder were less than 1 MB. When I tried to delete the files in the Windows Media Player folder they deleted but reappeared seconds later. So I downloaded the software again and reinstalled.

Is my log getting better?

My computer is running a lot faster now :)

What's the difference between Vundo and GMER (GMER looks more complicated and thorough)?

Here's the GMER log below.

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-03 21:30:48
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwCreateFile
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwCreateKey
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwDeleteFile
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwLoadKey
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwOpenFile
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwSetValueKey

Code FF96ADB8 ZwClose
Code FF96AA80 ZwCreateSection
Code FF96A950 ZwSetInformationFile
Code FF96C540 ZwSetSystemInformation
Code FF96AC88 ZwWriteFile
Code FF96AEE7 IoCreateFile
Code FF96ADB7 NtClose
Code FF96AA7F NtCreateSection
Code FF96A94F NtSetInformationFile
Code FF96AC87 NtWriteFile

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1A0 8050261C 4 Bytes [ 20, D8, C4, FA ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [ 90, 86, C5, FA ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 204 80502680 8 Bytes [ A0, DE, C4, FA, A0, 96, C5, ... ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 210 8050268C 4 Bytes [ E0, 92, C5, FA ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 294 80502710 4 Bytes [ E0, 99, C5, FA ]
.text ...
PAGE ntoskrnl.exe!ZwSetSystemInformation 805779DC 5 Bytes JMP FF96C544
PAGE ntoskrnl.exe!NtCreateSection 8057FB92 7 Bytes JMP FF96AA84
PAGE ntoskrnl.exe!NtClose 80581355 6 Bytes JMP FF96ADBC
PAGE ntoskrnl.exe!IoCreateFile 80583218 5 Bytes JMP FF96AEEC
PAGE ntoskrnl.exe!NtWriteFile 8058DC04 7 Bytes JMP FF96AC8C
PAGE ntoskrnl.exe!NtSetInformationFile 80592589 5 Bytes JMP FF96A954
PAGE Fastfat.sys FC3FC90C 7 Bytes JMP FF96A824

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL Code FF96A820
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [FAC628A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [FAC628A0] vsdatant.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL Code FF96A820

---- EOF - GMER 1.0.12 ----
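
Reading a GMER log by hand means sorting every hook by who owns it: SSDT and TCP/IP device hooks that GMER attributes to a named driver, inline "Code" and "JMP" hooks in ntoskrnl that it could not attribute, and raw byte patches in .text. The script below is an added example, not part of this thread and not GMER's own code. It parses a subset of the lines from the log above, groups the attributed hooks by driver, and collects the unattributed targets to see whether they all fall in one small address window (which would mean one module installed them). KNOWN_DRIVERS is an assumption standing in for what the analyst already knows about the machine; vsdatant.sys is the TrueVector driver used by ZoneAlarm-engine firewalls, so its SSDT and \Device\Tcp hooks are the firewall doing its job.

```python
"""Group the hooks in a GMER rootkit-scan log by the module that owns them.

Added example; not part of the original posts nor of GMER itself.
SAMPLE_GMER_LINES is a subset copied from the GMER log in this thread.
KNOWN_DRIVERS is an assumption: what the analyst already knows about the
machine, not something the log states.
"""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_GMER_LINES = [
    r"SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwCreateFile",
    r"SSDT \??\C:\WINDOWS\System32\vsdatant.sys ZwSetValueKey",
    r"Code FF96ADB8 ZwClose",
    r"Code FF96AA80 ZwCreateSection",
    r"Code FF96C540 ZwSetSystemInformation",
    r".text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]",
    r"PAGE ntoskrnl.exe!ZwSetSystemInformation 805779DC 5 Bytes JMP FF96C544",
    r"PAGE ntoskrnl.exe!NtClose 80581355 6 Bytes JMP FF96ADBC",
    r"PAGE Fastfat.sys FC3FC90C 7 Bytes JMP FF96A824",
    r"Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL Code FF96A820",
    r"Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [FAC628A0] vsdatant.sys",
    r"Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [FAC628A0] vsdatant.sys",
]
# Assumption: drivers the analyst recognises as legitimate hook installers.
KNOWN_DRIVERS = {"vsdatant.sys": "TrueVector firewall driver (ZoneAlarm engine)"}

HEX = r"[0-9A-F]{8}"
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>\S+)\s+(?P<func>\w+)$")
CODE_RE = re.compile(rf"^Code\s+(?P<target>{HEX})\s+(?P<func>\w+)$")
JMP_RE = re.compile(rf"^(?:PAGE|\.text)\s+(?P<sym>.+?)\s+(?P<addr>{HEX})\s+\d+ Bytes JMP (?P<target>{HEX})$")
PATCH_RE = re.compile(rf"^\.text\s+(?P<sym>.+?)\s+(?P<addr>{HEX})\s+\d+ Bytes? \[")
DEV_OWNED_RE = re.compile(rf"^Device\s+\S+\s+(?P<dev>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+\[(?P<target>{HEX})\]\s+(?P<owner>\S+)$")
DEV_CODE_RE = re.compile(rf"^Device\s+\S+\s+(?P<dev>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+Code\s+(?P<target>{HEX})$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse(lines) -> List[Dict]:
    """One dict per hook: kind, owner (None when GMER could not attribute the
    hook to a module), what was hooked, and the hook's target address."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if m := SSDT_RE.match(line):
            entries.append({"kind": "ssdt", "owner": basename(m["owner"]), "what": m["func"], "target": None})
        elif m := CODE_RE.match(line):
            entries.append({"kind": "inline", "owner": None, "what": m["func"], "target": int(m["target"], 16)})
        elif m := JMP_RE.match(line):
            entries.append({"kind": "inline", "owner": None, "what": m["sym"], "target": int(m["target"], 16)})
        elif m := PATCH_RE.match(line):
            entries.append({"kind": "patch", "owner": None, "what": m["sym"], "target": None})
        elif m := DEV_OWNED_RE.match(line):
            entries.append({"kind": "irp", "owner": basename(m["owner"]),
                            "what": f"{m['dev']} {m['irp']}", "target": int(m["target"], 16)})
        elif m := DEV_CODE_RE.match(line):
            entries.append({"kind": "irp", "owner": None,
                            "what": f"{m['dev']} {m['irp']}", "target": int(m["target"], 16)})
    return entries


def triage(lines, known=KNOWN_DRIVERS) -> Dict:
    """Summarise attributed hooks per driver and the unattributed remainder."""
    entries = parse(lines)
    by_owner = Counter(e["owner"] for e in entries if e["owner"])
    unattributed = [e for e in entries if e["owner"] is None and e["target"] is not None]
    targets = sorted(e["target"] for e in unattributed)
    return {
        "hooks_by_owner": dict(by_owner),
        "unknown_owners": sorted(o for o in by_owner if o not in known),
        "unattributed_hooks": len(unattributed),
        "unattributed_range": (targets[0], targets[-1]) if targets else None,
        # All targets inside one 64 KiB window: a single module installed them.
        "single_region": bool(targets) and targets[-1] - targets[0] < 0x10000,
        "patched_bytes": sum(1 for e in entries if e["kind"] == "patch"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_GMER_LINES).items():
        print(f"{key}: {value}")
```

On this subset the attributed hooks all belong to vsdatant.sys and the unattributed inline hooks all land in one window just under 8 KiB wide, so they come from a single driver. What the script cannot do is name that driver; the follow-up is to match the window against the loaded-module list (GMER's Modules tab, or a kernel driver listing) and confirm it belongs to something installed on purpose before calling the scan clean.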

#6 Guest_jeppy_* (Guest)

Posted 03 June 2007 - 02:37 PM

Hi Rogue, here is the HJT list, thanks for the help mate

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.0
Canon Camera Support Core Library
Canon Digital Camera USB WIA Driver
CCleaner (remove only)
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 9
Microsoft Office XP Professional with FrontPage
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
ntl Netguard Security
PC Connectivity Solution
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
Xvid 1.1.2 final uninstall

#7 Rogue (Authentic Member, 179 posts)

Posted 03 June 2007 - 07:35 PM

Jeppy,

That's all good information.
Can you post the SDFix log located in the c:\sdfix folder and the ComboFix log located at c:\combofix.txt?
If you haven't already run WinPFind or the Kaspersky Online AV, you can hold off on those for now. If you have those, please post those logs also.

> What's the difference between Vundo and GMER (GMER looks more complicated and thorough)?

The GMER is a rootkit scanner and VundoFix is the removal tool for the Vundo infection, which you had/have. When I see a log with as few entries as yours I get concerned that a rootkit is hiding this. That's why GMER. No rootkit by the way.

Looking at your uninstall list explains the short logs. You hardly have any programs installed.

Why no Windows update files in the uninstall list? Is your copy of XP legit?

Rogue

#8 Guest_jeppy_* (Guest)

Posted 04 June 2007 - 12:08 AM

Hi Rogue

I have SP2 on my installation disks, I have never installed it. Is it worth installing? Here's the SDFix log, will have to run Combo again as I deleted the combo.txt

SDFix: Version 1.85
Run by Jeff - 03/06/2007 - 10:22:06.10
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Checking For Files with Hidden Attributes:
C:\COMMAND.COM
C:\WINDOWS\system32\efecd.dll
C:\WINDOWS\system32\adceda8_s.dll
C:\WINDOWS\system32\config\system.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\default.tmp.LOG

Finished

#9 Rogue (Authentic Member, 179 posts)

Posted 04 June 2007 - 07:07 AM

Hi jeppy,

I'll wait for you to run ComboFix again before I give any further instructions.

Download Combofix by sUBs! from
http://www.techsuppo...Bs/ComboFix.exe
or
http://download.blee...Bs/ComboFix.exe

Save it to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log C:\ComboFix.txt
Post that log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Yes you will want to install SP2. It fixes a number of security flaws with XP. Do not install it until I have given you an All Clean. If still infected it may cause problems since it will install a large number of files.

Thanks,

Rogue

#10 Guest_jeppy_* (Guest)

Posted 04 June 2007 - 03:48 PM

Hi Rogue

Just got in the house, here's my Combo log as requested.

"Jeff" - 2007-06-04 22:34:47 Service Pack 1
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Jeff\Desktop\"


((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 )))))))))))))))))))))))))))))))


2007-06-04 22:29 <DIR> dr------- C:\Outlook Express
2007-06-04 22:17 <DIR> d--h----- C:\Program Files\WindowsUpdate
2007-06-03 10:37 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-03 08:56 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-03 08:56 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\Lavasoft
2007-06-02 18:10 <DIR> d-------- C:\DOCUME~1\Jeff\Phone Browser
2007-06-02 18:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-06-02 18:08 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\Nokia
2007-06-02 17:59 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-06-02 17:55 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-06-02 17:08 <DIR> d-------- C:\Program Files\DIFX
2007-06-02 17:08 <DIR> d-------- C:\DOCUME~1\Jeff\APPLIC~1\PC Suite
2007-06-02 17:06 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-06-02 17:05 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-06-02 17:05 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-06-02 17:04 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-06-02 17:04 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-06-02 17:04 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-06-02 17:04 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2007-06-02 17:04 <DIR> d-------- C:\Program Files\Nokia
2007-06-02 17:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-06-01 19:22 <DIR> d--hs---- C:\FOUND.000
2007-06-01 18:33 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-06-01 18:25 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-01 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-01 07:52 1,372 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-30 22:21 <DIR> d-------- C:\Program Files\CCleaner
2007-05-29 20:55 26,141 --a------ C:\WINDOWS\system32\drivers\el589nd5.sys
2007-05-29 20:32 <DIR> d-------- C:\WINDOWS\Prefetch
2007-05-29 20:17 221,696 --a------ C:\WINDOWS\system32\qmgr.dll
2007-05-29 20:17 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-05-29 20:16 9,728 --a------ C:\WINDOWS\system32\mstinit.exe
2007-05-29 20:16 81,408 --a------ C:\WINDOWS\system32\msoert2.dll
2007-05-29 20:16 73,728 --a------ C:\WINDOWS\system32\ils.dll
2007-05-29 20:16 69,248 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-05-29 20:16 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2007-05-29 20:16 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2007-05-29 20:16 587,776 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-29 20:16 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-05-29 20:16 250,368 --a------ C:\WINDOWS\system32\mstask.dll
2007-05-29 20:16 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-05-29 20:16 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-05-29 20:16 226,304 --a------ C:\WINDOWS\system32\srrstr.dll
2007-05-29 20:16 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-05-29 20:16 158,720 --a------ C:\WINDOWS\system32\srsvc.dll
2007-05-29 20:13 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-05-29 20:13 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-05-29 20:13 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2007-05-29 20:13 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-05-29 20:13 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-05-29 20:13 598,016 --a------ C:\WINDOWS\system32\mstscax.dll
2007-05-29 20:13 582,656 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-05-29 20:13 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2007-05-29 20:13 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2007-05-29 20:13 534,016 --a------ C:\WINDOWS\system32\spider.exe
2007-05-29 20:13 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-05-29 20:13 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-05-29 20:13 388,608 --a------ C:\WINDOWS\system32\mstsc.exe
2007-05-29 20:13 359,936 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-05-29 20:13 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2007-05-29 20:13 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-05-29 20:13 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
2007-05-29 20:13 189,440 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-05-29 20:13 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-05-29 20:13 139,776 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-05-29 20:13 135,680 --a------ C:\WINDOWS\system32\rdchost.dll
2007-05-29 20:13 129,024 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-05-29 20:13 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-05-29 20:13 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2007-05-29 20:13 115,976 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-05-29 20:13 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll
2007-05-29 20:09 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-05-29 20:09 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-05-29 20:08 137,088 --a------ C:\WINDOWS\system32\drivers\essm2e.sys
2007-05-29 20:07 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-05-29 20:07 182,400 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-05-29 20:05 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2007-05-29 20:05 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-05-29 20:05 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-05-28 20:50 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-05-28 17:19 <DIR> d-------- C:\WINDOWS\pss
2007-05-28 17:05 507,904 --a------ C:\DOCUME~1\ADMINI~1.JEF\NTUSER.DAT
2007-05-28 16:48 <DIR> d-------- C:\WINDOWS\CSC
2007-05-28 16:12 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-28 11:45 778,240 --a------ C:\DOCUME~1\NETWOR~1\NTUSER.DAT
2007-05-28 11:45 778,240 --a------ C:\DOCUME~1\LOCALS~1\NTUSER.DAT
2007-05-28 11:45 3,145,728 --a------ C:\DOCUME~1\Jeff\ntuser.dat
2007-05-13 16:22 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 06:35:44 243 ----a-w C:\WINDOWS\freedom.backup.dat
2007-05-29 19:14:40 22,720 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-22 11:41:30 5 --sha-w C:\WINDOWS\system32\adceda8_s.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntl Netguard"="C:\Program Files\ntl\ntl Netguard\RPS.exe" [2005-07-05 15:31]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 22:36:51
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-04 22:38:29

--- E O F ---

#11 Rogue

Authentic Member, 179 posts

Posted 04 June 2007 - 09:08 PM

Hi Jeppy,

Did you just re-install XP since March? I'm not seeing anything else malicious in the logs. You had Vundo back in March and then now, which was removed. I would say you are safe to install XP SP2 now, unless you are having problems. If so, please advise what those are. After XP, if you could post a new HijackThis log, that would be great. If no problems, I'll give you some security tips and applications you can use.

Thanks,
Rogue
Rogue
Trained at MalWare Removal University - A Cooperative Effort with WhatTheTech Classroom

#12 Guest_jeppy_*

Guests

Posted 05 June 2007 - 01:19 PM

Hi Rogue

Computer's running at lightning speed even though it only has around 200 meg of RAM and a 500 MHz CPU.

Many thanks for your help. Are there any classes on the forum where you can learn and become a helper?

What's the next stage?

Here's my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 20:17:34, on 05/06/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\SDFix\HJT\Icmore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
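The HijackThis log above is a fixed-format text file: a header, a "Running processes:" block, then one entry per line keyed by a type code (R0, O4, O23, ...). The parser below is an added example for readers of this thread; it is not part of the original posts and not a HijackThis component. Its sample input is copied from jeppy's log in this reply. The field layouts it assumes for R0 (key,value = data), O4 (key: [name] command) and O23 (Service: display (short) - company - path) are read off those lines; other entry types are kept as raw text. The last function cross-references the O23 service binaries against the running-process list, which is the kind of consistency check a helper does by eye when reading such a log.

```python
"""Parse a HijackThis v1.99.1 log into structured records (added example)."""
import re
from collections import Counter

# Sample input copied from the HJT log posted in reply #12 of this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 20:17:34, on 05/06/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\SDFix\HJT\Icmore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"""

# Every entry line is "<type> - <body>"; field layouts below are assumptions read off the sample.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
IE_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")      # R0/R1
RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")  # O4
SVC_RE = re.compile(r"^Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))?$")  # O23 head


def parse_fields(kind, body):
    """Split an entry body into named fields; unknown types return {}."""
    if kind.startswith("R"):
        m = IE_RE.match(body)
        return m.groupdict() if m else {}
    if kind == "O4":
        m = RUN_RE.match(body)
        return m.groupdict() if m else {}
    if kind == "O23":
        parts = body.split(" - ", 2)  # head, company, path (path may itself contain " - ")
        if len(parts) != 3:
            return {}
        m = SVC_RE.match(parts[0])
        return {
            "display": m.group("display") if m else parts[0],
            "short": m.group("short") if m else None,
            "company": parts[1],
            "path": parts[2],
        }
    return {}


def parse_hjt_log(text):
    """Return header info, the running-process list and parsed entries."""
    result = {"version": None, "platform": None, "processes": [], "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Logfile of HijackThis "):
            result["version"] = line[len("Logfile of HijackThis "):]
        elif line.startswith("Platform: "):
            result["platform"] = line[len("Platform: "):]
        elif line == "Running processes:":
            section = "processes"
        elif not line:
            section = None  # a blank line ends the process block
        elif section == "processes":
            result["processes"].append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                kind, body = m.groups()
                result["entries"].append({"type": kind, "body": body, "fields": parse_fields(kind, body)})
    return result


def summarize(parsed):
    """Count entries per type code, e.g. {'R0': 1, 'O4': 1, 'O23': 3}."""
    return Counter(e["type"] for e in parsed["entries"])


def services(parsed):
    """All O23 services as (display, short, company, path) tuples, in log order."""
    return [(f["display"], f["short"], f["company"], f["path"])
            for f in (e["fields"] for e in parsed["entries"] if e["type"] == "O23") if f]


def running_service_binaries(parsed):
    """Service binaries that also appear in the running-process list (case-insensitive)."""
    running = {p.lower() for p in parsed["processes"]}
    return [path for _, _, _, path in services(parsed) if path.lower() in running]


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print(parsed["version"], "on", parsed["platform"])
    print(len(parsed["processes"]), "processes;", dict(summarize(parsed)))
    for path in running_service_binaries(parsed):
        print("service binary running:", path)
```

On the sample, two of the three registered service binaries (dvpapi.exe and fws.exe) are also in the process list, while ServiceLayer.exe is registered but not running at scan time; a reader checking the log by hand would confirm the same by matching the O23 paths against the "Running processes" block.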

#13 Rogue

Authentic Member, 179 posts

Posted 05 June 2007 - 01:37 PM

Hi jeppy,

Computer's running at lightning speed even though it only has around 200 meg of RAM and a 500 MHz CPU.

Yes, I would say you are a little low on system resources. ;) How much free disk space do you have?

Many thanks for your help. Are there any classes on the forum where you can learn and become a helper?

Two links in my signature.

What's the next stage?

You said you had the XP SP2 disk. I would strongly suggest installing that.
With the exploits that are out there, I would like to see a HijackThis log after installing SP2 just to be safe.


Rogue