Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Trouble with trojans [RESOLVED]

Started by TrailBate , Aug 24 2008 10:16 PM

This topic is locked

#1
TrailBate

Posted 24 August 2008 - 10:16 PM

Member

Member
18 posts

Hello and than you in advance for any and all help. I recently discovered that I had a virus or malware of some sort on my pc. It put a red circle with an "X" in it on the lower right side of my task bar (I think that is what it is called). Anyhow, it would constantly give me a ballon that stated I should instal XP Security Center because I had a virus. I was pretty sure this was a virus (well, not sure that virus is the right term, but I knew something was wrong) because there were misspelling in the notification. I did a scan with my antivirus software and it came up with SEVERAL infections. After rebooting the red X was still there and so were the ballons. I scanned again with no luck. I did a bit of research that led me to Malwarebyte and that program was able to remove the red X but now my pc is horribly slow. I have since ran two other Malwarebytes scans that have come up clean and three other McAfee scans, one of which came up with just one infection that was quarentined. I'm not very computer savvy so please bear with my ignorance if it rears its head

After a bit more research I found this site and have seen how you have helped many and am in hope that I may also share in the wealth of your experience...

Here is my HJT log and my Uninstal log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:46 PM, on 8/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 5841 bytes

32 Bit HP CIO Components Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Apple Mobile Device Support
Apple Software Update
Bonjour
Comcast High-Speed Internet Install Wizard
DivX Player
DivX Web Player
DVD Shrink 3.2
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPSSupply
Intel Application Accelerator
iTunes
Java™ 6 Update 7
kSolo Recorder
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Halo Trial
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Sound Blaster Live! Value
System Requirements Lab
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)

#2
Essexboy

Posted 02 September 2008 - 12:15 PM

GeekU Moderator

Retired Staff
69,964 posts

Hi there and sorry for the delay I would like a fresh look at your system

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Close ALL OTHER PROGRAMS.
Open the OTScanit folder and double-click on OTScanit.exe to start the program.
Check the box that says Scan All User Accounts
Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
Under Additional Scans check the following:
- Reg - BotCheck
- File - Additional Folder Scans
- File - Purity Scan
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

#3
TrailBate

Posted 02 September 2008 - 03:03 PM

Member

Topic Starter
Member
18 posts

Thank you very much for getting back to me so quickly, I hope that I attached this properly.

OTScanIt.Txt 174.71KB 70 downloads

#4
Essexboy

Posted 02 September 2008 - 04:11 PM

GeekU Moderator

Retired Staff
69,964 posts

I can see a few remnants, let me know how your computer is after this run

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Created Within 90 days]
NY -> 1025z.sys -> %SystemRoot%\System32\1025z.sys
NY -> 1144731444.dat -> %SystemRoot%\System32\1144731444.dat
NY -> adsnto.sys -> %SystemRoot%\System32\adsnto.sys
NY -> windrv.sys -> %SystemRoot%\System32\windrv.sys
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> otwzelun -> %AllUsersProfile%\Application Data\otwzelun
[Files/Folders - Modified Within 90 days]
NY -> 1025z.sys -> %SystemRoot%\System32\1025z.sys
NY -> 1144731444.dat -> %SystemRoot%\System32\1144731444.dat
NY -> adsnto.sys -> %SystemRoot%\System32\adsnto.sys
NY -> windrv.sys -> %SystemRoot%\System32\windrv.sys
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

#5
TrailBate

Posted 02 September 2008 - 07:08 PM

Member

Topic Starter
Member
18 posts

Here is the OTScanIt log.

[Files/Folders - Created Within 90 days]
C:\WINDOWS\System32\1025z.sys moved successfully.
C:\WINDOWS\System32\1144731444.dat moved successfully.
C:\WINDOWS\System32\adsnto.sys moved successfully.
C:\WINDOWS\System32\windrv.sys moved successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
C:\Documents and Settings\All Users\Application Data\otwzelun folder moved successfully.
[Files/Folders - Modified Within 90 days]
File C:\WINDOWS\System32\1025z.sys not found!
File C:\WINDOWS\System32\1144731444.dat not found!
File C:\WINDOWS\System32\adsnto.sys not found!
File C:\WINDOWS\System32\windrv.sys not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Ray Hernandez\Local Settings\Temp\~DFFB1D.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcafee_OU1GjXkgXObPveC scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_RDdioGOMkFD0apN scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_8RdP0gK3OdAErvM scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_lVS7RfVOJU85vJU scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_pTh14ixBT5tKCVk scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.18.0 fix logfile created on 09022008_175414

Files moved on Reboot...
C:\Documents and Settings\Ray Hernandez\Local Settings\Temp\~DFFB1D.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\mcafee_OU1GjXkgXObPveC not found!
File C:\WINDOWS\temp\mcafee_RDdioGOMkFD0apN not found!
File C:\WINDOWS\temp\mcmsc_8RdP0gK3OdAErvM not found!
File C:\WINDOWS\temp\mcmsc_lVS7RfVOJU85vJU not found!
C:\WINDOWS\temp\mcmsc_pTh14ixBT5tKCVk moved successfully.

And here is the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:10 PM, on 9/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 5810 bytes

The pc seems to still be running sluggish. There were no problems with the scan other than having to reboot, but the log was there upon log in. The pc really seems sto be "struggling" every time a page is loading. You can literally hear the fan and/or drive start working really hard every time a page is loading. Hope this helps and thank yo so much so far.....

And if it will help I can post the original Malwarebytes log that found and removed what was visible to me on the pc.

Edited by TrailBate, 02 September 2008 - 07:22 PM.

#6
Essexboy

Posted 03 September 2008 - 01:44 PM

GeekU Moderator

Retired Staff
69,964 posts

Hmm that sounds very much like an overheating problem have a look at this page and see if you have a colony of dust bunnies within your system

Yes could you re-run and post the malwarebytes log

Let me now how your bunny hunt goes

#7
TrailBate

Posted 04 September 2008 - 12:35 AM

Member

Topic Starter
Member
18 posts

Ok, so here is the very first Malwarebyte's log that took off the malware that was visible to me.

Malwarebytes' Anti-Malware 1.24
Database version: 1051
Windows 5.1.2600 Service Pack 2

8:39:27 PM 8/13/2008
mbam-log-8-13-2008 (20-39-27).txt

Scan type: Quick Scan
Objects scanned: 59445
Time elapsed: 16 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\amcompatd.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buritos (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XP SecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\amcompatd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Windk73.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ray Hernandez\Local Settings\Temporary Internet Files\Content.IE5\8T98X59K\WormsWorldParty-dm[1].exe (Adware.Trymedia) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\buritos.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ksvcl.dll (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kcopt.dll (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\buritos.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qmopt.dll (Malware.Trace) -> Quarantined and deleted successfully.

I have since run four additional scans including this, the latest one, that all appear to be clean. I have updated Malwarebyte's every time I have used it.

Malwarebytes' Anti-Malware 1.26
Database version: 1112
Windows 5.1.2600 Service Pack 3

9/3/2008 11:23:35 PM
mbam-log-2008-09-03 (23-23-35).txt

Scan type: Quick Scan
Objects scanned: 53222
Time elapsed: 10 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

My search for dust bunnies resulted minimal amounts of dust (I do try to keep things clean in there) and it didn't feel as though it were excessively warm inside the case when I opened it (just after shutting down) although I did not use any type of temperature measuring device to verify. I cleaned out the dust that was present.

#8
Essexboy

Posted 04 September 2008 - 02:03 PM

GeekU Moderator

Retired Staff
69,964 posts

Is it just on start that the fan is noisy or does it do it regularly ?

I would also like you to check out your Hard Drive by running check disk. This Microsoft KB gives the procedure and also has a dowloadable programme to do it for you

#9
TrailBate

Posted 04 September 2008 - 02:28 PM

Member

Topic Starter
Member
18 posts

Please forgive me as I am not very savvy when it comes to these things. When I mentioned the "fan and/or hard drive" (lets see if I can explain it in a way that makes sense) sounding a certain way, I wasn't implying that it was excessively noisy, this is what I meant. When my pc in on, it has a "hum" to it (this is sad that I'm trying to explain a problem by sounds that my pc makes...lol). I'm sure that hum is from multiple things (fan, hard drive, etc.), well, whenever there is a page loading on the net, the page laggs a bit and slowly begins to open, and the hum then sounds as if whatever is humming is struggling durring the page load, then after the page loads, the hum goes back to normal. I have no clue if you will even make heads or tails of that, but that's about all I've got for an explination, sorry....

As for what you recommended, should there be a log of some sort that you would like for me to post? What should I be looking for when it is complete?

Please forgive my ignorance when it comes to tech info, I really do appreciate all the help that you hve been providing.

#10
Essexboy

Posted 04 September 2008 - 02:37 PM

GeekU Moderator

Retired Staff
69,964 posts

No problems, as all the malware appears to have gone I am now looking at other avenues to resolve this

There will not be a log but it will state if you have any bad sectors on your disk which could cause a slow down. Also how much RAM do you have on your system and do the slowdowns only occur when using Internet Explorer or when using other programmes ?

#11
Essexboy

Posted 06 September 2008 - 05:32 AM

GeekU Moderator

Retired Staff
69,964 posts

Whilst we try to sort this problem out I will give the clean spiel

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so...Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

Select Start > All Programs > Accessories > System tools > System Restore.
On the dialogue box that appears select Create a Restore Point
Click NEXT
Enter a name e.g. Clean
Click CREATE

You now have a clean restore point, to get rid of the bad ones:

Select Start > All Programs > Accessories > System tools > Disk Cleanup.
In the Drop down box that appears select your main drive e.g. C
Click OK
The System will do some calculation and the display a dialogue box with TABS
Select the More Options Tab.
At the bottom will be a system restore box with a CLEANUP button click this
Accept the Warning and select OK again, the program will close and you are done

VISTA
To manually create a new Restore Point

Go to Control Panel and select System and Maintenance
Select System
On the left select Advance System Settings and accept the warning if you get one
Select System Protection Tab
Select Create at the bottom
Type in a name i.e. Clean
Select Create

Now we can purge the infected ones

Go back to the System and Maintenance page
Select Performance Information and Tools
On the left select Open Disk Cleanup
Select Files from all users and accept the warning if you get one
In the drop down box select your main drive i.e. C
For a few moments the system will make some calculations
Select the More Options tab
In the System Restore and Shadow Backups select Clean up
Select Delete on the pop up
Select OK
Select Delete

You are now done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

SpywareBlaster to help prevent spyware from installing in the first place.
SuperAntispyware Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

Secunia Software inspector To check your programme update status
Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe

#12
TrailBate

Posted 06 September 2008 - 09:02 PM

Member

Topic Starter
Member
18 posts

Ok, so I ran the check disk and it took about an hour, the last two steps took the longest of the five, so I was not at the pc when it had finished. I happened in uppon the restart (it restarted automatically) and I did notice something about "files are clean" durring the restart but I did not get all the verbiage, so I can only assume all was well. I've found that the pc has 512MB of RAM. This pc is used primarily for internet browsing and online gaming (a HALO trial that my son downloaded) so as far as it being sluggish with other programs I would not be able to say. With the HALO trial, there are some games that lag and others that don't so I assume it has to do with the who is playing at the time and the server that is used in the game.

I used the program provided to remove the programs as you suggested but have kept MBAM and ERUNT. Created a new restore point and delted the old as instructed. Downloaded Spywareblaster and Superantispyware and run a scan with Superantispyware (it only found some tracking cookies). I also took it upon myself to run a disk defrag (hope that was ok). I also did the Secunia and Windows updates.

I do although, have a couple of questions concerning the McAfee VirusScan Plus that I am using. I have hear that McAfee is a bit of a hog, but heard that about McAfee Suite. Does that hold true with the program that I am using and will that program interfere with anything you have asked me to download? In your oppinion, are the free virus protection and firewall programs offered in the "How did I get infected" guide more reliable and pc friendly? Just trying to get the most I can out of all of this, and thank you so much again. My pc still does seem a bit sluggish, but quite honestly, it all began when I got the initial virus/malware, and I installed the McAfee progam that very day. Could it be that program that is slowing me down? Again, thank you so much, and I am happy to hear that all looks clean from your view.

#13
Essexboy

Posted 07 September 2008 - 05:10 AM

GeekU Moderator

Retired Staff
69,964 posts

Right then lets see what I can answer

I've found that the pc has 512MB of RAM

That is at the low end for XP to run smoothly. For more ram use the crucial inspector to tell you the amount you can add and the type. You can then use Google to search for the cheapest of that type (the site also has an installation guide)

also took it upon myself to run a disk defrag (hope that was ok).

Absolutely I use the free Auslogics Disc Defragmenter as it is better than the windows version

I have hear that McAfee is a bit of a hog, but heard that about McAfee Suite. Does that hold true with the program that I am using and will that program interfere with anything you have asked me to download? In your oppinion, are the free virus protection and firewall programs offered in the "How did I get infected" guide more reliable and pc friendly?

This is a great topic for debate and there are as many opinions as there are programmes. Generally speaking the suites are more resource intensive. Free programmes are generally as good as the paid for versions.. I use Avast free but AVG has gone the suite route so is becoming heavier in resource usage. There will not be any conflicts with the recommended programmes

My pc still does seem a bit sluggish, but quite honestly, it all began when I got the initial virus/malware, and I installed the McAfee progam that very day. Could it be that program that is slowing me down? Again, thank you so much, and I am happy to hear that all looks clean from your view.

That is a possibility but can only be discovered by trialling other programmes in its place

Keep safe and enjoy

#14
TrailBate

Posted 08 September 2008 - 11:45 AM

Member

Topic Starter
Member
18 posts

So, I took it upon myself to try out a new browser this weekend, Google Chrome. Have you had any feedback on this web browser? To my surprise, I found it to be SO much faster than IE, almost completely resolving the lag issues I was talking about. I want to thank you once again for the time and effort spent helping me to solve the issues with my pc, I can definite ly say it has been a learning experience for me. I actually enjoyed it!!! I will look into getting more RAM for my pc and with great joy I'll call this good. I'm so sorry I have taken up so much of your time, but you have been a great help and a wealth of knowledge..... Thank you agian.

#15
Essexboy

Posted 08 September 2008 - 12:51 PM

GeekU Moderator

Retired Staff
69,964 posts

It was my pleasure to be of assistance. It is my way of paying back the training that I received at this site..

I haven't tried out chrome yet, but I probably will when it gets to the next version

Enjoy