Big Problem With Google Redirect & csrss.exe Virus for XP

#31 RKinner (Malware Expert, MVP)
If you haven't done it already, now is a good time to update to XP SP3. Running SP2 you will get a lot more of these infections.

If this is an AMD CPU then you need to get KB953356:
http://www.microsoft...ang=en&id=23751
and install it first.


You should be offered the SP3 update from MS Updates but if not you can get it from:

http://technet.micro...indows/bb794714

Ron

#32 jerosakireno (Topic Starter, Member)
I don't know what an AMD CPU means.

#33 RKinner (Malware Expert, MVP)
There are two types of CPU used: Intel and AMD. Usually they put a sticker on the computer somewhere bragging about it. If not you can run Speccy:

Get the free version of Speccy:

http://www.filehippo...download_speccy (Look in the upper right for the Download Latest Version button.) Download, Save and Install it. Run Speccy. When it finishes (the little icon in the bottom left will stop moving), File, Save as Text File (to your desktop), note the name it gives. OK. Open the file in Notepad and delete the line that gives the serial number of your Operating System. (It will be near the top, about 10 lines down.) Attach the file to your next post.

#34 jerosakireno (Topic Starter, Member)
OK, so on the front, mine says "Intel Inside" "Pentium 4". So I'm assuming I don't need KB953356?

#35 RKinner (Malware Expert, MVP)
That's right. SP3 is all you need.

Ron

#36 jerosakireno (Topic Starter, Member)
OK, I got SP3, but it was a little weird..

Everything seemed to download & install OK, but the problem seemed to be when I rebooted. I had the black screen with the Microsoft logo, saying "please wait".. I waited & waited.... I even left it all day the next day (I wasn't home) & when I came back it was still on that screen. I manually shut the computer down, started it back up, & everything seems fine. I check & it says I have SP3.

But for some reason my computer seems to be running slower, even after getting rid of all that other junk. I open up one new tab & then it takes forever. I'll see on the blue bar on the top of my screen that the Firefox logo will turn into a white box & it will say "not responding". It does end up responding most of the time, it's just really slow & it shouldn't be doing that, especially if I'm only opening one extra tab. I basically have no other programs running other than the Avira.

#37 RKinner (Malware Expert, MVP)
Run OTL, Quickscan and post the log.

In Firefox, Help (or Firefox, then Help) and select Restart with Add-ons Disabled. Shut FF down and restart. It will give you the option to make your changes permanent, but we just want to see if it works better this way.

512 MB is actually a bit low. I usually like to see 1 GB on XP.

Get SpeedyFox http://www.crystalidea.com/speedyfox
Save it, close FF and run it. Speed up my Firefox. Exit when done. Restart FF.

Ron

#38 jerosakireno (Topic Starter, Member)
OTL logfile created on: 9/22/2011 4:49:16 PM - Run 2
OTL by OldTimer - Version 3.2.26.7 Folder = C:\Documents and Settings\theonyxserpent\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 160.13 Mb Available Physical Memory | 31.40% Memory free
1.21 Gb Paging File | 0.75 Gb Available in Paging File | 61.46% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 6.21 Gb Free Space | 16.66% Space Free | Partition Type: NTFS

Computer Name: WDT-BMARVELL | User Name: theonyxserpent | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/14 17:52:53 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/09/08 18:04:53 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/30 16:53:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\theonyxserpent\desktop\OTL.exe
PRC - [2011/04/21 07:54:05 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/04/21 07:53:48 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/04/21 07:53:33 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/07/05 09:15:53 | 000,755,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504\update\update.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/09 03:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2006/02/09 03:50:00 | 000,248,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/08 18:06:51 | 006,277,280 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/09/08 18:04:51 | 001,846,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/07/20 16:40:24 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2009/12/09 17:56:17 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/09/14 17:52:53 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/21 07:53:48 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/06/16 18:18:45 | 000,469,504 | ---- | M] (Constantin Kaplinsky) [On_Demand | Stopped] -- C:\VNCTEMP\WinVNC.exe -- (VNCTEMP)
SRV - [2006/02/09 03:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2006/02/09 03:50:00 | 000,248,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe -- (Wuser32)


========== Driver Services (SafeList) ==========

DRV - [2011/09/14 17:53:03 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/09/14 17:53:03 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/06/21 23:14:52 | 000,020,552 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hitmanpro35.sys -- (hitmanpro35)
DRV - [2010/06/17 15:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 15:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/12/14 17:20:33 | 000,722,416 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2006/02/09 03:50:00 | 000,020,704 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2006/02/09 02:50:00 | 000,011,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\kbstuff5.sys -- (kbstuff)
DRV - [2006/02/09 02:50:00 | 000,008,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\idisw2km.sys -- (idisw2km)
DRV - [2005/11/24 19:51:38 | 000,245,248 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2005/02/01 18:18:38 | 000,017,992 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\bcm42rly.sys -- (BCM42RLY)
DRV - [2003/04/15 10:39:54 | 000,011,319 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\a302.sys -- ({E6759E0C-470B-44DC-A4A1-627E68BB3A85})
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 75 2B 18 06 84 C6 C5 4F 94 90 2C 04 01 93 77 62 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://start.mozilla...en-US:official"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.10.01
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/08 18:04:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/30 18:53:01 | 000,000,000 | ---D | M]

[2009/12/13 16:09:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\theonyxserpent\Application Data\Mozilla\Extensions
[2011/09/16 19:27:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions
[2011/08/30 18:53:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/08/30 18:53:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\THEONYXSERPENT\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\OG0G7S2N.DEFAULT\EXTENSIONS\[email protected]
[2011/08/30 18:52:43 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/09/04 12:58:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/09/08 18:04:53 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/08/30 18:52:42 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/05/09 23:01:17 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/08/30 07:01:15 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No CLSID value found.
O2 - BHO: (Burn4Free Toolbar Helper) - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Program Files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [RandMAC] C:\extracted\MadMACs\MadMACs.exe ()
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10w_Plugin.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc2.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1232729059632 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = onyx
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/10 14:57:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/20 10:59:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/09/19 19:41:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2011/09/19 19:03:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2011/09/19 19:03:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2011/09/19 19:03:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2011/09/19 19:03:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2011/09/19 18:38:23 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2011/09/17 09:31:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/13 20:22:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2011/09/13 20:22:12 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2011/09/13 20:22:06 | 000,138,192 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/09/13 20:22:06 | 000,066,616 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/09/13 20:22:06 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2011/09/13 20:22:06 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2011/09/13 20:22:06 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/09/13 20:22:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2011/09/09 21:20:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\theonyxserpent\Application Data\QuickScan
[2011/09/09 18:06:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\theonyxserpent\PrivacIE
[2011/09/04 12:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\theonyxserpent\Local Settings\Application Data\PCHealth
[2011/09/03 19:40:07 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/03 19:04:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2011/09/03 19:04:09 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2011/09/03 19:03:25 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/09/03 19:01:36 | 000,000,000 | ---D | C] -- C:\fa55748adfcb5faff4293d
[2011/09/03 18:46:29 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2011/09/02 20:18:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Driver Tool
[2011/09/02 16:52:24 | 000,061,440 | ---- | C] ( ) -- C:\Documents and Settings\theonyxserpent\Desktop\VEW.exe
[2011/08/31 17:49:06 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/08/31 00:36:28 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\theonyxserpent\IETldCache
[2011/08/31 00:27:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2011/08/31 00:18:39 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2011/08/30 19:56:12 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/08/30 19:56:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/08/30 18:55:43 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/08/30 18:53:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/08/30 18:53:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/08/30 16:53:35 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\theonyxserpent\Desktop\OTL.exe
[2011/08/30 01:22:01 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/08/30 01:22:01 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/08/30 01:22:01 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/08/30 01:22:01 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/08/30 01:16:29 | 004,189,688 | R--- | C] (Swearware) -- C:\Documents and Settings\theonyxserpent\Desktop\ComboFix.exe
[2011/08/29 16:04:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/08/25 19:49:53 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2011/08/25 19:17:14 | 000,000,000 | ---D | C] -- C:\0b567addfd69ab4749e4a2a6
[2011/08/23 20:05:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven_data
[17 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/22 17:12:11 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/09/22 16:46:28 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/21 17:52:28 | 000,000,386 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2011/09/21 17:50:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/21 17:48:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/21 17:48:44 | 000,259,840 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/09/19 19:44:58 | 000,445,750 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/09/19 19:44:58 | 000,072,480 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/09/19 18:50:19 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/09/19 12:24:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/09/18 22:51:13 | 000,090,112 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/18 22:01:38 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/09/17 09:31:22 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/14 17:53:03 | 000,138,192 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/09/14 17:53:03 | 000,066,616 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/09/13 20:22:42 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/09/13 20:15:28 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/09/13 19:28:56 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/09/03 20:23:00 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\videopadDowngrade.job
[2011/09/02 16:52:21 | 000,061,440 | ---- | M] ( ) -- C:\Documents and Settings\theonyxserpent\Desktop\VEW.exe
[2011/08/31 17:00:53 | 015,440,280 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Desktop\wokal kopia.wav
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/31 00:37:41 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/08/30 16:53:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\theonyxserpent\Desktop\OTL.exe
[2011/08/30 07:01:15 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/08/30 01:16:27 | 004,189,688 | R--- | M] (Swearware) -- C:\Documents and Settings\theonyxserpent\Desktop\ComboFix.exe
[2011/08/29 17:50:02 | 000,001,183 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/08/25 19:54:43 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/08/25 19:54:43 | 000,000,782 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Desktop\Windows Media Player.lnk
[2011/08/25 19:50:15 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/08/25 19:50:15 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/08/25 19:48:10 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2011/08/23 20:38:19 | 000,038,530 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven.aup
[2011/08/23 20:36:59 | 005,702,780 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven (remixed).mp3
[2011/08/23 20:05:32 | 000,021,290 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven.aup.bak
[20 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/19 18:13:32 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
[2011/09/19 18:13:30 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\netid.dll
[2011/09/19 18:11:23 | 000,000,974 | ---- | C] () -- C:\WINDOWS\System32\pid.inf
[2011/09/19 18:10:18 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
[2011/09/19 18:09:52 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
[2011/09/13 20:22:42 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/09/03 19:40:13 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/31 17:00:08 | 015,440,280 | ---- | C] () -- C:\Documents and Settings\theonyxserpent\Desktop\wokal kopia.wav
[2011/08/30 01:22:01 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/08/30 01:22:01 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/08/30 01:22:01 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/08/30 01:22:01 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/08/30 01:22:01 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/08/27 21:39:38 | 005,702,780 | ---- | C] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven (remixed).mp3
[2011/08/23 20:05:32 | 000,038,530 | ---- | C] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven.aup
[2011/08/23 20:05:32 | 000,021,290 | ---- | C] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven.aup.bak
[2011/07/17 03:05:02 | 000,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/06/21 22:14:19 | 000,020,552 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/05/22 12:46:25 | 000,001,183 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/01/31 00:04:34 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/11/19 01:00:37 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/11/19 01:00:32 | 000,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/11/19 01:00:32 | 000,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/11/19 01:00:31 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2010/11/19 01:00:30 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/10/15 21:39:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/06/04 16:51:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/03/23 15:59:00 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/11/07 14:25:34 | 000,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/10/25 11:25:47 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\SVSetup.Exe
[2006/10/25 11:25:46 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\SVSetup.dll
[2006/10/25 11:25:45 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\SSCoInst.exe
[2006/10/25 11:25:44 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\SSCoInst.dll
[2006/10/25 11:25:31 | 000,020,594 | ---- | C] () -- C:\WINDOWS\System32\Dels3LMK.DLL
[2006/10/12 11:51:49 | 000,006,454 | ---- | C] () -- C:\WINDOWS\solomon.ini
[2006/10/12 11:25:50 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\pg32conv.dll
[2006/10/12 11:25:29 | 001,128,448 | ---- | C] () -- C:\WINDOWS\System32\sbl.dll
[2006/10/12 11:25:27 | 000,496,640 | ---- | C] () -- C:\WINDOWS\System32\tls7012d.dll
[2005/05/10 16:41:41 | 000,000,546 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/05/10 16:24:15 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/05/10 16:24:09 | 000,099,965 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2005/05/10 16:24:00 | 000,004,147 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/05/10 15:43:28 | 000,000,386 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2005/05/10 15:40:10 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2005/05/10 15:00:47 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/05/10 14:53:16 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/05/10 10:24:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/05/10 10:23:14 | 000,259,840 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/10/08 04:47:08 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2004/09/29 01:46:40 | 000,090,112 | ---- | C] () -- C:\Documents and Settings\theonyxserpent\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,445,750 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,072,480 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/09/13 20:15:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2009/12/14 13:28:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
[2011/02/17 23:58:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\dPhIcDd15405
[2011/09/02 20:18:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Driver Tool
[2011/06/21 22:18:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/07/03 13:48:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2010/10/02 01:44:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScreenVCR
[2011/06/23 18:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/12/12 15:50:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/01/31 00:02:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theonyxserpent\Application Data\Cocoon Software
[2009/12/14 13:37:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theonyxserpent\Application Data\DAEMON Tools Pro
[2009/12/12 18:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theonyxserpent\Application Data\GlarySoft
[2010/10/08 23:35:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theonyxserpent\Application Data\MSNInstaller
[2011/07/30 17:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theonyxserpent\Application Data\NCH Swift Sound
[2011/09/09 21:21:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theonyxserpent\Application Data\QuickScan
[2004/09/29 03:36:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theonyxserpent\Application Data\Smith Micro
[2011/08/15 13:14:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theonyxserpent\Application Data\uTorrent
[2011/07/02 19:52:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theonyxserpent\Application Data\WinFF
[2009/12/13 12:50:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\theonyxserpent\Application Data\yoclient
[2011/07/13 12:27:02 | 000,000,306 | ---- | M] () -- C:\WINDOWS\Tasks\photostageShakeIcon.job
[2011/09/03 20:23:00 | 000,000,298 | ---- | M] () -- C:\WINDOWS\Tasks\videopadDowngrade.job
[2011/08/08 17:30:14 | 000,000,298 | ---- | M] () -- C:\WINDOWS\Tasks\videopadShakeIcon.job

========== Purity Check ==========



< End of report >

#39 RKinner (Malware Expert; Expert; 24,598 posts; MVP)
Looks like I might have missed a piece of an infection.

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 75 2B 18 06 84 C6 C5 4F 94 90 2C 04 01 93 77 62 [binary data]

may be a sign of
Win32/TrojanDownloader.Tracur.D

See:

http://www.eset.eu/e...ader-tracur-d-x

If you look at the deletions that Combofix reported you will see a lot of the files mentioned in the Eset article.

Also from the Extras log, the "Windows Update Service" for the firewall:

"C:\WINDOWS\system32\digest32.exe" = C:\WINDOWS\system32\digest32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\msctf32.exe" = C:\WINDOWS\system32\msctf32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\dpnaddr32.exe" = C:\WINDOWS\system32\dpnaddr32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\schedsvc32.exe" = C:\WINDOWS\system32\schedsvc32.exe:*:Enabled:Windows Update Service

I don't see them deleted anywhere, so let's see if OTL finds them. Before we do, right click on Start and select Explore, then navigate to the first one and see if you can find it. If not, check the others. If you find one, note the date and time. (Change the view so it shows you Details, not icons, then click on the Date Modified column header and it will sort things by date and time.) Do you see any others with the same date and time, plus or minus maybe 5 minutes?



Copy the text in the code box by highlighting it and pressing Ctrl + c


:processes
killallprocesses

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 75 2B 18 06 84 C6 C5 4F 94 90 2C 04 01 93 77 62 [binary data]


:files
C:\WINDOWS\system32\digest32.exe
C:\WINDOWS\system32\msctf32.exe
C:\WINDOWS\system32\dpnaddr32.exe
C:\WINDOWS\system32\schedsvc32.exe
C:\Documents and Settings\theonyxserpent\Local Settings\Application Data\*.exe
netsh.exe firewall delete allowedprogram "program=C:\WINDOWS\system32\digest32.exe" name="Windows Update Service" /c
netsh.exe firewall delete allowedprogram "program=C:\WINDOWS\system32\msctf32.exe" name="Windows Update Service" /c
netsh.exe firewall delete allowedprogram "program=C:\WINDOWS\system32\dpnaddr32.exe" name="Windows Update Service" /c
netsh.exe firewall delete allowedprogram "program=C:\WINDOWS\system32\schedsvc32.exe" name="Windows Update Service" /c
netsh.exe advfirewall firewall delete rule name="Windows Update Service" /c

:Commands
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.


Ron
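The four firewall exceptions quoted in the post above share a recognisable shape: several unrelated programs carry the same generic display name, and each file name is a genuine system32 file name with "32" added before the extension. The script below is an added example, not code from the thread, OTL or ComboFix: it parses entries in the AuthorizedApplications\List value format shown above, flags entries that match either pattern, and emits the XP-era netsh removal command using the syntax netsh's own help gives for `firewall delete allowedprogram` (program= plus optional profile=, no name= argument). The sample lines and the set of known system file names are constructed for the example.

```python
"""Added example (not from the thread, OTL or ComboFix): parse Windows XP
firewall AuthorizedApplications\\List entries and flag lookalike exceptions."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: the four suspect lines quoted in the post above, plus two
# benign entries made up for contrast (sessmgr.exe and uTorrent.exe are listed
# in the ComboFix log, but their display names here are constructed).
SAMPLE_LINES = r'''
"C:\WINDOWS\system32\digest32.exe" = C:\WINDOWS\system32\digest32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\msctf32.exe" = C:\WINDOWS\system32\msctf32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\dpnaddr32.exe" = C:\WINDOWS\system32\dpnaddr32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\schedsvc32.exe" = C:\WINDOWS\system32\schedsvc32.exe:*:Enabled:Windows Update Service
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:Enabled:Remote Desktop Help Session Manager
"c:\Program Files\uTorrent\uTorrent.exe" = c:\Program Files\uTorrent\uTorrent.exe:*:Enabled:uTorrent
'''

# File names that really exist in system32 on the examined machine. Constructed
# here from what the reporter found; on a live system build it from os.listdir().
KNOWN_SYSTEM_FILES = {"digest.dll", "msctf.dll", "dpnaddr.dll", "schedsvc.dll",
                      "sessmgr.exe"}

LINE_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<value>.+)$')
# Value layout: <program path>:<scope>:<Enabled|Disabled>:<display name>.
# The path contains its own colon (drive letter), so the fixed scope/state
# fields anchor the match and the path absorbs everything before them.
VALUE_RE = re.compile(
    r'^(?P<path>.+):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$')


def parse_entries(text):
    """Return one dict per well-formed AuthorizedApplications line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        v = VALUE_RE.match(m.group("value"))
        if not v:
            continue
        entries.append({"path": v.group("path"), "scope": v.group("scope"),
                        "state": v.group("state"), "name": v.group("name").strip()})
    return entries


def lookalike_of(path, known_files):
    """If the file name is a genuine system file name with '32' inserted before
    the extension (digest32.exe vs digest.dll), return the genuine name."""
    filename = PureWindowsPath(path).name.lower()
    stem, dot, _ext = filename.rpartition(".")
    if not dot or not stem.endswith("32"):
        return None
    base = stem[:-2]
    for ext in ("dll", "exe", "sys"):
        candidate = f"{base}.{ext}"
        if candidate in known_files and candidate != filename:
            return candidate
    return None


def flag_entries(entries, known_files):
    """Return the entries worth a closer look, each with its list of reasons."""
    name_counts = Counter(e["name"] for e in entries)
    flagged = []
    for e in entries:
        reasons = []
        if e["state"] == "Enabled" and name_counts[e["name"]] > 1:
            reasons.append(f'display name "{e["name"]}" is shared by '
                           f'{name_counts[e["name"]]} different programs')
        genuine = lookalike_of(e["path"], known_files)
        if genuine:
            reasons.append(f"file name mimics the system file {genuine}")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


def removal_commands(flagged):
    """XP-era netsh syntax for each flagged exception: program= and an optional
    profile=, no name= argument (the advfirewall context does not exist on XP)."""
    return [f'netsh firewall delete allowedprogram program="{e["path"]}" profile=ALL'
            for e in flagged]


if __name__ == "__main__":
    hits = flag_entries(parse_entries(SAMPLE_LINES), KNOWN_SYSTEM_FILES)
    for hit in hits:
        print(hit["path"], "->", "; ".join(hit["reasons"]))
    for cmd in removal_commands(hits):
        print(cmd)
```

On a real XP box the same entries can be read from the AuthorizedApplications\List key shown in the ComboFix "Reg Loading Points" section, and the lookalike check should be run against the actual contents of system32 rather than a fixed set.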

#40 jerosakireno (Member; Topic Starter; 38 posts)
I looked & this is all I found:


"C:\WINDOWS\system32\digest.dll"
"C:\WINDOWS\system32\msctf.dll"
"C:\WINDOWS\system32\dpnaddr.dll"
"C:\WINDOWS\system32\schedsvc.dll"



Not exactly a match, but I found each one without the 32, and they are .dll instead of .exe. Just thought I would let you know that.

Here is the OTL log:


========== PROCESSES ==========
All processes killed
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\XMLHTTP_UUID_Default| /E : value set successfully!
========== FILES ==========
File\Folder C:\WINDOWS\system32\digest32.exe not found.
File\Folder C:\WINDOWS\system32\msctf32.exe not found.
File\Folder C:\WINDOWS\system32\dpnaddr32.exe not found.
File\Folder C:\WINDOWS\system32\schedsvc32.exe not found.
File\Folder C:\Documents and Settings\theonyxserpent\Local Settings\Application Data\*.exe not found.
< netsh.exe firewall delete allowedprogram "program=C:\WINDOWS\system32\digest32.exe" name="Windows Update Service" /c >
'name' is not a valid argument for this command.
The syntax supplied for this command is not valid. Check help for the correct syntax.
delete allowedprogram
[ program = ] path
[ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

Deletes firewall allowed program configuration.

Parameters:

program - Program path and file name.

profile - Configuration profile (optional).
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

Examples:

delete allowedprogram C:\MyApp\MyApp.exe
delete allowedprogram program = C:\MyApp\MyApp.exe
C:\Documents and Settings\theonyxserpent\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theonyxserpent\Desktop\cmd.txt deleted successfully.
< netsh.exe firewall delete allowedprogram "program=C:\WINDOWS\system32\msctf32.exe" name="Windows Update Service" /c >
'name' is not a valid argument for this command.
The syntax supplied for this command is not valid. Check help for the correct syntax.
delete allowedprogram
[ program = ] path
[ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

Deletes firewall allowed program configuration.

Parameters:

program - Program path and file name.

profile - Configuration profile (optional).
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

Examples:

delete allowedprogram C:\MyApp\MyApp.exe
delete allowedprogram program = C:\MyApp\MyApp.exe
C:\Documents and Settings\theonyxserpent\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theonyxserpent\Desktop\cmd.txt deleted successfully.
< netsh.exe firewall delete allowedprogram "program=C:\WINDOWS\system32\dpnaddr32.exe" name="Windows Update Service" /c >
'name' is not a valid argument for this command.
The syntax supplied for this command is not valid. Check help for the correct syntax.
delete allowedprogram
[ program = ] path
[ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

Deletes firewall allowed program configuration.

Parameters:

program - Program path and file name.

profile - Configuration profile (optional).
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

Examples:

delete allowedprogram C:\MyApp\MyApp.exe
delete allowedprogram program = C:\MyApp\MyApp.exe
C:\Documents and Settings\theonyxserpent\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theonyxserpent\Desktop\cmd.txt deleted successfully.
< netsh.exe firewall delete allowedprogram "program=C:\WINDOWS\system32\schedsvc32.exe" name="Windows Update Service" /c >
'name' is not a valid argument for this command.
The syntax supplied for this command is not valid. Check help for the correct syntax.
delete allowedprogram
[ program = ] path
[ [ profile = ] CURRENT|DOMAIN|STANDARD|ALL ]

Deletes firewall allowed program configuration.

Parameters:

program - Program path and file name.

profile - Configuration profile (optional).
CURRENT - Current profile (default).
DOMAIN - Domain profile.
STANDARD - Standard profile.
ALL - All profiles.

Examples:

delete allowedprogram C:\MyApp\MyApp.exe
delete allowedprogram program = C:\MyApp\MyApp.exe
C:\Documents and Settings\theonyxserpent\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theonyxserpent\Desktop\cmd.txt deleted successfully.
< netsh.exe advfirewall firewall delete rule name="Windows Update Service" /c >
The following command was not found: advfirewall firewall delete rule "name=Windows Update Service".
C:\Documents and Settings\theonyxserpent\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theonyxserpent\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.26.7 log created on 09262011_190508

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Edited by jerosakireno, 26 September 2011 - 05:14 PM.

#41 RKinner (Malware Expert; Expert; 24,598 posts; MVP)
The four you found are all good guys.

Run Combofix again and let's see if it finds anything interesting.

Get Process Explorer

http://live.sysinter...com/procexp.exe

Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator). Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top. Wait a minute for things to settle down. File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text to a reply.

Ron

#42 jerosakireno (Member; Topic Starter; 38 posts)
I can't get it to look the way it looks on my end. I also tried print screen/image hosting but it wouldn't allow the link.

Process | PID | CPU | Private Bytes | Working Set | Description | Company Name
System Idle Process | 0 | 90.63 | 0 K | 16 K | |
procexp.exe | 1560 | 4.69 | 9,292 K | 14,544 K | Sysinternals Process Explorer | Sysinternals - www.sysinternals.com
avguard.exe | 1408 | 3.13 | 118,000 K | 9,404 K | Antivirus On-Access Service | Avira GmbH
Interrupts | n/a | 1.56 | 0 K | 0 K | Hardware Interrupts and DPCs |
Wuser32.exe | 1652 | | 1,388 K | 580 K | Systems Management Server | Microsoft Corporation
wmiprvse.exe | 916 | | 3,840 K | 5,444 K | WMI | Microsoft Corporation
wmiprvse.exe | 2884 | | 2,276 K | 4,940 K | WMI | Microsoft Corporation
wmiprvse.exe | 840 | | 2,204 K | 4,832 K | WMI | Microsoft Corporation
winlogon.exe | 532 | | 6,896 K | 2,612 K | Windows NT Logon Application | Microsoft Corporation
System | 4 | | 0 K | 212 K | |
svchost.exe | 936 | | 19,480 K | 31,488 K | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 756 | | 2,676 K | 5,056 K | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 868 | | 1,756 K | 4,304 K | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 1036 | | 1,352 K | 3,656 K | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 1116 | | 1,548 K | 4,048 K | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 1332 | | 1,280 K | 3,756 K | Generic Host Process for Win32 Services | Microsoft Corporation
spoolsv.exe | 1208 | | 3,240 K | 4,924 K | Spooler SubSystem App | Microsoft Corporation
smss.exe | 452 | | 168 K | 416 K | Windows NT Session Manager | Microsoft Corporation
services.exe | 576 | | 1,684 K | 3,408 K | Services and Controller app | Microsoft Corporation
sched.exe | 1272 | | 4,308 K | 1,128 K | Antivirus Scheduler | Avira GmbH
plugin-container.exe | 4028 | | 24,448 K | 28,616 K | Plugin Container for Firefox | Mozilla Corporation
MDM.EXE | 1500 | | 920 K | 2,900 K | Machine Debug Manager | Microsoft Corporation
lsass.exe | 588 | | 3,744 K | 1,004 K | LSA Shell (Export Version) | Microsoft Corporation
jusched.exe | 2388 | | 812 K | 2,992 K | Java™ Update Scheduler | Sun Microsystems, Inc.
jqs.exe | 1464 | | 2,008 K | 1,384 K | Java™ Quick Starter Service | Sun Microsystems, Inc.
firefox.exe | 3872 | | 127,352 K | 142,496 K | Firefox | Mozilla Corporation
explorer.exe | 1700 | | 19,664 K | 26,736 K | Windows Explorer | Microsoft Corporation
ctfmon.exe | 2424 | | 876 K | 3,492 K | CTF Loader | Microsoft Corporation
csrss.exe | 508 | | 1,716 K | 3,752 K | Client Server Runtime Process | Microsoft Corporation
CcmExec.exe | 1760 | | 9,368 K | 15,444 K | CCM Executive | Microsoft Corporation
avshadow.exe | 1840 | | 632 K | 2,828 K | AntiVir shadow copy service | Avira GmbH
avgnt.exe | 2416 | | 5,092 K | 1,652 K | Antivirus System Tray Tool | Avira GmbH
alg.exe | 472 | | 1,124 K | 3,596 K | Application Layer Gateway Service | Microsoft Corporation




ComboFix 11-09-27.01 - theonyxserpent 09/27/2011 17:35:14.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.263 [GMT -4:00]
Running from: c:\documents and settings\theonyxserpent\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL2FC.tmp.7d4fe9d8.ini
c:\documents and settings\Mouth\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Mouth\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Mouth\Local Settings\Application Data\ApplicationHistory\SL2FC.tmp.7d4fe9d8.ini
c:\documents and settings\theonyxserpent\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\theonyxserpent\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\theonyxserpent\Local Settings\Application Data\ApplicationHistory\SL2FC.tmp.7d4fe9d8.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))
.
.
2011-09-27 21:29 . 2011-09-27 21:29 -------- d-----w- c:\documents and settings\theonyxserpent\Application Data\Avira
2011-09-24 17:53 . 2011-09-24 17:53 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
2011-09-24 17:53 . 2011-09-24 17:53 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
2011-09-24 17:53 . 2011-09-24 17:53 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
2011-09-24 17:53 . 2011-09-24 17:53 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
2011-09-24 17:53 . 2011-09-24 17:53 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
2011-09-24 17:53 . 2011-09-24 17:53 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
2011-09-24 17:53 . 2004-09-29 06:02 131072 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
2011-09-24 17:52 . 2011-09-24 17:52 -------- d-----w- c:\documents and settings\theonyxserpent\Local Settings\Application Data\Apple
2011-09-23 02:50 . 2011-09-23 02:51 -------- d-----w- c:\program files\Glary Utilities
2011-09-23 01:43 . 2011-09-23 01:43 -------- d-sh--w- c:\documents and settings\theonyxserpent\IECompatCache
2011-09-20 15:04 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-09-20 15:03 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-09-20 15:03 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-09-20 15:02 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-20 15:01 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-20 14:57 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-20 14:57 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-09-19 23:41 . 2011-09-19 23:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-09-19 23:03 . 2011-09-19 23:03 -------- d-----w- c:\windows\system32\scripting
2011-09-19 23:03 . 2011-09-19 23:03 -------- d-----w- c:\windows\l2schemas
2011-09-19 23:03 . 2011-09-19 23:03 -------- d-----w- c:\windows\system32\en
2011-09-19 23:03 . 2011-09-19 23:03 -------- d-----w- c:\windows\system32\bits
2011-09-19 22:18 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll
2011-09-19 22:15 . 2008-04-14 00:12 20992 ------w- c:\windows\system32\spupdwxp.exe
2011-09-19 22:14 . 2008-04-13 18:56 30592 ------w- c:\windows\system32\drivers\rndismpx.sys
2011-09-19 22:14 . 2008-04-14 00:12 290304 ------w- c:\windows\system32\rhttpaa.dll
2011-09-19 22:14 . 2008-04-13 18:46 59136 ------w- c:\windows\system32\drivers\rfcomm.sys
2011-09-19 22:14 . 2004-08-04 03:41 13776 ------w- c:\windows\system32\drivers\recagent.sys
2011-09-19 22:14 . 2008-04-14 00:12 61952 ------w- c:\windows\system32\rasqec.dll
2011-09-19 22:14 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2011-09-19 22:14 . 2008-04-14 00:12 62464 ------w- c:\windows\system32\qcliprov.dll
2011-09-19 22:14 . 2008-04-14 00:12 291328 ------w- c:\windows\system32\qagentrt.dll
2011-09-19 22:14 . 2008-04-14 00:12 150528 ------w- c:\windows\system32\qagent.dll
2011-09-19 22:12 . 2008-04-14 00:12 33792 ------w- c:\windows\system32\mmcperf.exe
2011-09-19 22:12 . 2008-04-14 00:11 106496 ------w- c:\windows\system32\mmcfxcommon.dll
2011-09-19 22:12 . 2008-04-14 00:11 397312 ------w- c:\windows\system32\mmcex.dll
2011-09-19 22:12 . 2008-04-14 00:11 184320 ------w- c:\windows\system32\microsoft.managementconsole.dll
2011-09-19 22:12 . 2008-04-14 00:11 86016 ------w- c:\windows\system32\mdmxsdk.dll
2011-09-19 22:12 . 2004-08-04 03:41 11868 ------w- c:\windows\system32\drivers\mdmxsdk.sys
2011-09-19 22:10 . 2008-04-13 18:46 25600 ------w- c:\windows\system32\drivers\hidbth.sys
2011-09-19 22:09 . 2008-04-13 18:51 101120 ------w- c:\windows\system32\drivers\bthpan.sys
2011-09-19 16:24 . 2011-09-19 16:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-09-14 00:22 . 2011-09-16 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-09-14 00:22 . 2011-09-14 21:53 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-14 00:22 . 2011-09-14 21:53 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-09-14 00:22 . 2011-09-14 00:22 -------- d-----w- c:\program files\Avira
2011-09-14 00:22 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-09-14 00:22 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-09-10 01:20 . 2011-09-10 01:21 -------- d-----w- c:\documents and settings\theonyxserpent\Application Data\QuickScan
2011-09-09 22:06 . 2011-09-09 22:06 -------- d-sh--w- c:\documents and settings\theonyxserpent\PrivacIE
2011-09-09 09:12 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-09-07 22:34 . 2011-09-07 22:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-09-04 16:47 . 2011-09-04 16:47 -------- d-----w- c:\documents and settings\theonyxserpent\Local Settings\Application Data\PCHealth
2011-09-03 23:40 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-03 23:04 . 2011-09-03 23:04 -------- d-----w- c:\windows\system32\XPSViewer
2011-09-03 23:04 . 2011-09-03 23:04 -------- d-----w- c:\program files\MSBuild
2011-09-03 23:03 . 2011-09-03 23:03 -------- d-----w- c:\program files\Reference Assemblies
2011-09-03 23:02 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-09-03 23:01 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-09-03 23:01 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-09-03 23:01 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-09-03 23:01 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-09-03 23:01 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-09-03 23:01 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-09-03 23:01 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-09-03 23:01 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-09-03 23:01 . 2011-09-03 23:02 -------- d-----w- C:\fa55748adfcb5faff4293d
2011-09-03 22:46 . 2011-09-03 22:46 -------- d-----w- c:\program files\MSXML 6.0
2011-09-03 00:18 . 2011-09-03 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Tool
2011-08-31 04:36 . 2011-08-31 04:36 -------- d-sh--w- c:\documents and settings\theonyxserpent\IETldCache
2011-08-31 04:18 . 2011-08-31 04:23 -------- dc-h--w- c:\windows\ie8
2011-08-31 04:14 . 2011-06-23 18:36 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-08-31 04:14 . 2011-06-23 18:36 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-08-31 04:14 . 2011-06-23 18:36 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-08-30 23:56 . 2011-09-14 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-30 23:56 . 2011-08-30 23:56 -------- d-----w- c:\program files\AVAST Software
2011-08-30 22:55 . 2011-08-30 22:55 -------- d-----w- C:\_OTL
2011-08-30 22:53 . 2011-08-30 22:53 -------- d-----w- c:\program files\Common Files\Java
2011-08-30 22:53 . 2011-08-30 22:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-30 22:53 . 2011-08-30 22:52 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-08-30 22:53 . 2011-08-30 22:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-30 05:26 . 2011-02-16 13:25 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-08-30 05:26 . 2011-02-16 13:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-29 20:04 . 2011-09-17 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-22 23:43 . 2011-05-31 02:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-09-08 22:04 . 2011-05-10 03:01 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2010-01-18 19:28 815104 ----a-w- c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RandMAC"="c:\extracted\MadMACs\MadMACs.exe" [2008-08-06 253245]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 04:07 114688 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-07 04:19 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/13/2011 8:22 PM 136360]
R3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\a302.sys [5/10/2005 3:35 PM 11319]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/14/2009 1:20 PM 722416]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [6/21/2011 10:14 PM 20552]
S3 VNCTEMP;Gencontrol WinVNC temporary service;c:\vnctemp\WinVNC.exe [6/16/2009 6:18 PM 469504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PROCEXP141
*Deregistered* - PROCEXP141
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 17:42]
.
2011-09-27 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-09-23 13:26]
.
2011-07-13 c:\windows\Tasks\photostageShakeIcon.job
- c:\program files\NCH Software\PhotoStage\photostage.exe [2011-07-03 15:29]
.
2011-09-04 c:\windows\Tasks\videopadDowngrade.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-03 15:28]
.
2011-08-08 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-03 15:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-27 17:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-09-27 17:52:51
ComboFix-quarantined-files.txt 2011-09-27 21:52
ComboFix2.txt 2011-08-30 11:07
.
Pre-Run: 5,749,735,424 bytes free
Post-Run: 5,703,933,952 bytes free
.
Current=3 Default=3 Failed=2 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 4984F79C0F9DB9F1252790F5C8A497A0

Edited by jerosakireno, 27 September 2011 - 04:34 PM.


#43 RKinner (Malware Expert; Expert; 24,598 posts; MVP)
Is this a laptop? Try removing the battery. I've seen old batteries slow things down a lot.

Also a hot PC is a slow PC so run Speccy and it will tell you what temp you are running (if we are lucky). 35 C is normal for a desktop. 50 C for a laptop. Hard drives should be below 50 C.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application. Reboot.

1. Please download the Event Viewer Tool by Vino Rosso
   http://images.malwar...om/vino/VEW.exe
   and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
   * System
4. Under 'Select type to list', select:
   * Error
   * Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.

Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.

Go to http://www.speedtest.net/ and click on Begin Test

When the test finishes, click on Share This Result, then select Forum, then Copy, then move to a reply and press Ctrl + v.



Ron

#44 jerosakireno (Member; Topic Starter; 38 posts)
Sorry, haven't been around for a while...

-This is a desktop.
-I too was worried about the heat, so I started keeping the computer off as much as possible. I can start it up cold and give it some time to load everything, but as soon as I click an icon it starts delaying. I mean, it works, but it just takes time for stuff to register, like typing, or scrolling, or clicking. It takes seconds to minutes with each click. I realized one time during this that Avira popped up & said it finished doing something, so I'm assuming that could have been slowing my computer down at that time, but that much?

I just "cleared all events", and now I'm about to reboot. I will run that VEW thing, but I think you already told me to download that, because I have it on my desktop already & I'd never heard of it. Anyway, I'll run it in a sec, but for now, here is that speedtest log:

[speedtest result posted as an image]


OK, here are the VEW logs. First is for "system":

Vino's Event Viewer v01c run on Windows XP in English
Report run at 04/10/2011 5:37:48 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 04/10/2011 5:31:26 PM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.1.33 for the Network Card with network address 006D29E288B1 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 04/10/2011 5:31:26 PM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 006D29E288B1. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.



And here is the log for "application":


Vino's Event Viewer v01c run on Windows XP in English
Report run at 04/10/2011 5:41:01 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 04/10/2011 5:32:14 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: A connection with the server could not be established

Log: 'Application' Date/Time: 04/10/2011 5:32:12 PM
Type: error Category: 0
Event: 11 Source: crypt32
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Log: 'Application' Date/Time: 04/10/2011 5:32:12 PM
Type: error Category: 0
Event: 11 Source: crypt32
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




Edited by jerosakireno, 04 October 2011 - 03:42 PM.


#45 RKinner (Malware Expert; Expert; 24,598 posts; MVP)
I'm still on a trip but have a little time this morning.

Try speedfan

http://www.almico.com/sfdownload.php

Download, save and run it, and check Automatic Fan Control (or something similar; I don't have time to look it up). Leave it running and see if the temps drop. What it does, if it works, is turn the fan on full, which seems to help. Also prop up the back of the laptop with a book (don't block the vents). If it's like my daughter's Dell laptop, which I worked on this week, it uses a heat pipe to transmit heat from the CPU to the heatsink. I don't think it works all that well. Propping it up in the back lets the heat rise to the heatsink, which should make it cool a bit better.

Ron