Recent problem: Slowdown, viruses of some sort, and many other things.

I share this computer with my roommate, and we both pretty much spend the same amount of time on it. Recently I've been experiencing huge slowdown. Today it got so much worse. I noticed something called the Mirar toolbar that I couldn't disable, and any of my actions took minutes to complete that would normally take a second. So I googled "how to remove Mirar toolbar" and that eventually led to me downloading Spyware Doctor. It picked up a few things but I can't remove them without being registered. I get maybe 30 Malicious Actions blocked a minute, and it's incredibly annoying. AVG Anti Virus is doing a scan now but it hasn't picked up anything yet. Attached is a HijackThis log, if anyone could help me it would be greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:42:09 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Larry\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll
O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E62D925C-87E0-41DB-8EAF-4019C079FD96} - C:\WINDOWS\system32\jkhfe.dll
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [jiahus] C:\WINDOWS\system32\svchcs.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\system32\jkhfe.dll
O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html

--
End of file - 8745 bytes
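The helper who answers below reads this log by eye, the way responders did in 2007: unnamed BHOs loading from system32, Run entries whose names imitate svchost.exe, sites added to the Trusted Zone, non-default Winlogon Notify packages, and an Active Desktop component pointing at an HTML file. As an added example (not part of the thread and not any tool the posters mention), here is that first-pass triage written down as Python. The sample lines are taken from the log above; the list of system binaries worth imitating and the Winlogon Notify allowlist are my assumptions for illustration, and the output is a list of entries to look at, not a verdict.

```python
import re

# Sample lines taken from the HijackThis log posted above, with the benign
# Yahoo BHO and the vptray Run entry kept so the rules have clean lines to pass.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {E62D925C-87E0-41DB-8EAF-4019C079FD96} - C:\WINDOWS\system32\jkhfe.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [jiahus] C:\WINDOWS\system32\svchcs.exe
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: jkhfe - C:\WINDOWS\system32\jkhfe.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
""".strip()

# Assumed set of core Windows process names that malware likes to imitate.
SYSTEM_EXES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
               "winlogon.exe", "services.exe", "explorer.exe", "rundll32.exe"}

# Assumed allowlist of Winlogon Notify package names on a stock XP install.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .exe/.dll/.htm(l); quotes are excluded.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|html?))', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character name spoofs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe_name: str):
    """Return the system binary this name imitates, or None if exact or unrelated."""
    name = exe_name.lower()
    if name in SYSTEM_EXES:
        return None
    for legit in SYSTEM_EXES:
        if edit_distance(name, legit) <= 2:
            return legit
    return None


def first_path(body: str):
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage_line(line: str):
    """Return (section, reason) if the entry deserves a closer look, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    path = first_path(body)
    base = path.rsplit("\\", 1)[-1].lower() if path else ""

    if section == "O2" and body.startswith("BHO: (no name)") and path \
            and "\\system32\\" in path.lower():
        return section, f"unnamed BHO loading {base} from system32"
    if section == "O4" and path:
        legit = lookalike_of(base)
        if legit:
            return section, f"Run entry {base} looks like a spoof of {legit}"
    if section == "O15":
        return section, "site added to the Trusted Zone: " + body.split(":", 1)[1].strip()
    if section == "O20":
        pkg = body.split(":", 1)[1].split("-", 1)[0].strip().lower()
        if pkg not in KNOWN_NOTIFY:
            return section, f"non-default Winlogon Notify package {pkg} ({base})"
    if section == "O24":
        return section, "Active Desktop component pointing at " + (path or body)
    return None


def triage_log(text: str):
    """Run every line through triage_line and collect the hits in log order."""
    hits = []
    for line in text.splitlines():
        result = triage_line(line)
        if result:
            hits.append((result[0], result[1], line.strip()))
    return hits


if __name__ == "__main__":
    for section, reason, raw in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {raw}")
```

On the sample above this flags six of the eight lines and leaves the Yahoo BHO and the vptray entry alone; the two-edit threshold is what catches both svch0st.exe and svchcs.exe against svchost.exe. Raising that threshold quickly produces false positives on short legitimate names, which is why the allowlists and the threshold are the parts to tune against a known-clean log before trusting the output.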
Re: Recent problem: Slowdown, viruses of some sort, and many other things.

Holy Cow!! What a selection! First things first, so please do these things in this order:

For a start you have a vundo infection... so just in case something else is hidden would you rename hijackthis.exe to.. umm... imabunny.exe for the next scan, please? And move it to a new folder, say alongside your pgm files folder.

==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Read the log - if any files it found were not deleted re-run VundoFix until all deletion attempts are successful.
Post the contents of C:\vundofix.txt plus a new HijackThis log.

CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]

Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sect...s/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
...or this new one: http://download.bleepingcomputer.com...a/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it.
When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Do you have a special desktop background? Or is there a new one you did not put there? If that O24 entry means nothing to you, rclick on a blank space on your desktop, go properties, desktop, customize desktop, web, select all components you do not want and delete them. Then navigate to this file and delete it:
C:\Program Files\Internet Explorer\rteremejyfs.html

Come back with those logs..

Btw, I hope you set AVG AS recommended actions to Quarantine....
Re: Recent problem: Slowdown, viruses of some sort, and many other things.

VundoFix found 3 vundo, entitled "efhkj.bak1.bad", "efhkj.ini.bad" and "jkhfe.dll.bad". When you say "logs" do you mean from HijackThis? Here's the log from ComboFix.

ComboFix 07-06-18.2 - C:\Documents and Settings\Larry\Desktop\ComboFix.exe
"Larry" - 2007-06-25 23:06:44 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\inetget2
C:\Program Files\Internet Explorer\rteremejyfs.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\outerinfo\Outerinfo.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\OuterinfoUpdate.exe
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\web buying
C:\Program Files\web buying\v1.7.4\wbuninst.exe
C:\Program Files\web buying\v1.7.4\webbuying.exe
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\wr.txt

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CORE
-------\core

((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))

2007-06-25 23:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 22:58 <DIR> d-------- C:\Program Files\CCleaner
2007-06-25 22:51 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-25 21:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-25 20:41 1,308,216 --a------ C:\Program Files\imsubtle.exe
2007-06-25 20:24 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-25 20:24 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-25 20:24 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-25 20:24 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-25 20:24 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-25 20:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-25 20:24 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\PC Tools
2007-06-25 20:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-25 20:23 31,254 --a------ C:\WINDOWS\system32\xxyvsrr.dll
2007-06-25 20:18 <DIR> d-------- C:\Program Files\WinPop
2007-06-25 20:15 31,254 --a------ C:\WINDOWS\system32\opnmlmm.dll
2007-06-25 20:15 172,544 --a------ C:\WINDOWS\system32\bxvymww.dll
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\o02PrEz
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B4
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B3
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B2
2007-06-25 20:15 <DIR> d-------- C:\WINDOWS\system32\B1
2007-06-25 20:15 <DIR> d-------- C:\Temp\iee
2007-06-25 20:15 <DIR> d-------- C:\Temp
2007-06-25 00:50 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-06-24 22:05 <DIR> d-------- C:\Program Files\Psicraft
2007-06-24 22:05 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\Psicraft
2007-06-24 21:35 <DIR> d-------- C:\Program Files\Line6
2007-06-24 21:35 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\Line 6

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 03:22:22 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Xfire
2007-06-26 03:21:56 -------- d-s---w C:\Program Files\Xfire
2007-06-26 02:51:45 1,100 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-06-26 02:46:32 -------- d-----w C:\Program Files\Google
2007-06-26 00:35:57 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Google
2007-06-26 00:15:29 -------- d-----w C:\Program Files\Windows NT
2007-06-23 13:41:51 -------- d-----w C:\Program Files\World of Warcraft
2007-06-19 19:04:30 -------- d-----w C:\Program Files\GCH Guitar academy
2007-06-19 03:43:07 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\IGN_DLM
2007-06-16 05:16:32 -------- d-----w C:\Program Files\Mp3 My Mp3 2.0
2007-06-08 03:42:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-02 22:58:50 -------- d-----w C:\Program Files\Steam
2007-05-20 00:20:05 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 01:51:20 -------- d-----w C:\Program Files\AGEIA Technologies
2007-05-09 01:51:14 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-09 01:46:54 -------- d-----w C:\Program Files\Timeline Interactive
2007-05-05 06:52:33 -------- d-----w C:\Program Files\e frontier
2007-04-27 18:30:05 -------- d-----w C:\Program Files\Common Files\Alias Shared
2007-04-27 18:28:06 -------- d-----w C:\Program Files\Autodesk
2007-04-27 00:17:01 -------- d-----w C:\Program Files\Alias
2007-04-27 00:10:28 -------- d-----w C:\Program Files\Common Files\AliasWavefront Shared
2007-04-27 00:07:41 -------- d--h--w C:\Program Files\Zero G Registry
2007-04-26 22:12:43 -------- d-----w C:\Program Files\eMedia Guitar Method 1
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-19 17:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-19 17:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 17:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 17:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-19 17:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 17:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 17:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 17:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-19 17:26:00 5,255,168 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-04-19 17:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 17:26:00 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-04-19 17:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 17:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 17:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 17:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 17:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 17:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 17:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-04-19 17:26:00 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-04-19 17:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-04-19 17:26:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-04-19 17:26:00 323,584 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-04-19 17:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-04-19 17:26:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-04-19 17:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-04-19 17:26:00 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-04-19 17:26:00 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-04-19 17:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-04-19 17:26:00 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-04-19 17:26:00 3,203,072 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-04-19 17:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-19 17:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-04-19 17:26:00 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-04-19 17:26:00 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-04-19 17:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 17:26:00 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-04-19 17:26:00 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-04-19 17:26:00 278,528 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-04-19 17:26:00 274,432 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-04-19 17:26:00 270,336 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-04-19 17:26:00 266,240 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsptb.dll
2007-04-19 17:26:00 262,144 ----a-w C:\WINDOWS\system32\nvrsja.dll
2007-04-19 17:26:00 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
2007-04-19 17:26:00 253,952 ----a-w C:\WINDOWS\system32\nvrshu.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrstr.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssl.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrssk.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrspl.dll
2007-04-19 17:26:00 249,856 ----a-w C:\WINDOWS\system32\nvrsno.dll
2007-04-19 17:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrssv.dll
2007-04-19 17:26:00 245,760 ----a-w C:\WINDOWS\system32\nvrsda.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrsfi.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrseng.dll
2007-04-19 17:26:00 241,664 ----a-w C:\WINDOWS\system32\nvrscs.dll
2007-04-19 17:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 17:26:00 221,184 ----a-w C:\WINDOWS\system32\nvrszhc.dll
2007-04-19 17:26:00 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
2007-04-19 17:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 17:26:00 2,973,696 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-04-19 17:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-02-23 07:57:59 88 --sh--r C:\WINDOWS\system32\4BFB238848.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 11:28]
{4A168249-1BF9-4A1D-965C-3EC04A69736B}=C:\Program Files\Windows NT\mewofyn83122.dll [2007-06-18 14:59]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:29]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}=C:\WINDOWS\system32\WinNB58.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{DC192567-65F9-4AB6-ADB7-E13575F81726}=C:\WINDOWS\system32\opnmlmm.dll [2007-06-25 20:15]
{E62D925C-87E0-41DB-8EAF-4019C079FD96}=C:\WINDOWS\system32\jkhfe.dll []
{f692398e-2c9c-4a4d-96e8-b1520eeac2c8}=C:\WINDOWS\system32\bxvymww.dll [2007-06-25 20:15]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" []
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"Cmaudio"="cmicnfg.cpl" []
"@"="" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"atwtusb"="atwtusb.exe" [2005-02-03 10:37 C:\WINDOWS\system32\atwtusb.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpData"="C:\WINDOWS\system32\svch0st.exe" []
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2006-11-07 18:22]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"Steam"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49]
"Outerinfo"="C:\Program Files\Outerinfo\Outerinfo.exe" []
"OuterinfoUpdate"="C:\Program Files\Outerinfo\OuterinfoUpdate.exe" []
"WinPop"="C:\Program Files\WinPop\winpop.exe" [2007-06-25 20:18]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-25 20:30]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\rteremejyfs.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]
"{DC192567-65F9-4AB6-ADB7-E13575F81726}"="C:\WINDOWS\system32\opnmlmm.dll" [2007-06-25 20:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmlmm]
opnmlmm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a15a5a0-aa57-11db-a05a-9ccc57198468}]
AutoRun\command- F:\LaunchU3.exe -a

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 23:21:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-25 23:23:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-25 23:23

--- E O F ---

Sadly, Mirar and all its little pop-up pals are still bugging me almost constantly, but there is definitely a change in performance so far.
Re: Recent problem: Slowdown, viruses of some sort, and many other things.

Post the contents of C:\vundofix.txt. Plus a fresh hijackthis log. And we've barely started on the fix...
| Re: Recent problem: Slowdown, viruses of some sort, and many other things. Quote:
VundoFix V6.3.21 Checking Java version... Java version is 1.5.0.10 Scan started at 4:29:54 PM 4/30/2007 Listing files found while scanning.... No infected files were found. VundoFix V6.3.21 Checking Java version... Java version is 1.5.0.4 Old versions of java are exploitable and should be removed. Java version is 1.5.0.10 Scan started at 8:25:04 PM 6/25/2007 Listing files found while scanning.... VundoFix V6.3.21 Checking Java version... Java version is 1.5.0.4 Old versions of java are exploitable and should be removed. Java version is 1.5.0.10 Scan started at 10:15:58 PM 6/25/2007 Listing files found while scanning.... C:\WINDOWS\system32\efhkj.bak1 C:\WINDOWS\system32\efhkj.ini C:\WINDOWS\system32\jkhfe.dll Beginning removal... Attempting to delete C:\WINDOWS\system32\efhkj.bak1 C:\WINDOWS\system32\efhkj.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\efhkj.ini C:\WINDOWS\system32\efhkj.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\jkhfe.dll C:\WINDOWS\system32\jkhfe.dll Could not be deleted. Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\WINDOWS\system32\jkhfe.dll C:\WINDOWS\system32\jkhfe.dll Has been deleted! Performing Repairs to the registry. Done! VundoFix V6.3.21 Checking Java version... Java version is 1.5.0.4 Old versions of java are exploitable and should be removed. Java version is 1.5.0.10 Scan started at 10:53:31 PM 6/25/2007 Listing files found while scanning.... No infected files were found. 
Hijack This Log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:30:09 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\imsubtle.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\opnmlmm.dll
O2 - BHO: (no name) - {E62D925C-87E0-41DB-8EAF-4019C079FD96} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html

--
End of file - 7663 bytes

I didn't mean to imply that this was going slow or anything, I just wanted to say that my computer has sped up by a bit.
Re: Recent problem: Slowdown, viruses of some sort, and many other things.

That's ok, still a lot of work to do. Run vundofix again please, and post only the vundofix log.
Re: Recent problem: Slowdown, viruses of some sort, and many other things.

VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 11:55:17 PM 6/25/2007
Listing files found while scanning....
No infected files were found.
Re: Recent problem: Slowdown, viruses of some sort, and many other things.

I assume imsubtle is hijackthis? Cool. :) I'm not so subtle.

==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and leave it for the moment.

==Okay, this time we'll point VundoFix at the remaining vundo pest:
Start Vundofix,
*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these two pathnames [one per line]:
C:\WINDOWS\system32\opnmlmm.dll
Click the Add Files button, and next the Remove Vundo button.*****
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt

==Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\opnmlmm.dll
O2 - BHO: (no name) - {E62D925C-87E0-41DB-8EAF-4019C079FD96} - C:\WINDOWS\system32\jkhfe.dll (file missing)
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll
Good.

==Start Avenger; select "Input script manually" and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:-
_____________________________________
Files to delete:
C:\WINDOWS\system32\svch0st.exe
C:\Program Files\Outerinfo\Outerinfo.exe
C:\Program Files\Internet Explorer\rteremejyfs.html

Folders to delete:
C:\Program Files\Outerinfo
_____________________________________
...and click Done, and finally the green light. Follow prompts to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt

==Did you carry out the last part of my first post to you re the desktop file?

Please post that log file, plus the new vundofix log and a fresh hijackthis log.
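The helper's post above picks entries out of the HijackThis log by hand: unnamed or orphaned O2/O3 registrations, a Run key pointing at svch0st.exe (a lookalike of svchost.exe), sites pushed into the IE Trusted Zone (O15), a Winlogon Notify DLL (O20), and an Active Desktop component (O24). The VundoFix logs show a second tell: Vundo drops file pairs whose names are reversals of each other (efhkj.ini / jkhfe.dll, wybeg.ini / gebyw.dll). The script below is an added example written for this thread, not code from the thread, from HijackThis, VundoFix or Avenger. It encodes those heuristics and runs them over a constructed sample made of lines copied from the posted logs; the function names, the allow-list of Windows binaries and the edit-distance threshold are assumptions made for the example.

```python
"""Triage heuristics for HijackThis-style logs (added example, not HijackThis code).

The sample lines are copied from the HijackThis and VundoFix logs posted in the
thread; the heuristics, names and thresholds are assumptions for this example.
"""
import re

# Constructed sample: a subset of O2/O4/O15/O20/O24 entries from the posted log.
SAMPLE_HJT_LINES = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4A168249-1BF9-4A1D-965C-3EC04A69736B} - C:\Program Files\Windows NT\mewofyn83122.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\opnmlmm.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [UpData] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html
""".strip().splitlines()

# Constructed sample: file names VundoFix reported in the posted logs.
SAMPLE_VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\efhkj.bak1",
    r"C:\WINDOWS\system32\efhkj.ini",
    r"C:\WINDOWS\system32\jkhfe.dll",
    r"C:\WINDOWS\system32\gebyw.dll",
    r"C:\WINDOWS\system32\wybeg.ini",
    r"C:\WINDOWS\system32\opnmlmm.dll",
]

# Assumed allow-list of Windows binaries that malware likes to imitate by name.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
}

# O4 - <hive>\..\Run: [<name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def edit_distance(a, b):
    """Levenshtein distance; one substitution separates svch0st.exe from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_executable(cmd):
    """Return the lower-cased base name of the program an O4 command launches."""
    cmd = cmd.strip()
    exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def lookalike_of(basename):
    """Return the system binary this name imitates (distance exactly 1), else None."""
    if basename in KNOWN_SYSTEM_BINARIES:
        return None
    for known in KNOWN_SYSTEM_BINARIES:
        if edit_distance(basename, known) == 1:
            return known
    return None


def triage_hjt(lines):
    """Apply per-section heuristics; return a list of (reason, line) findings."""
    findings = []
    for line in lines:
        section = line.split(" - ", 1)[0]
        if section in ("O2", "O3"):
            if "(no name)" in line:
                findings.append(("unnamed BHO/toolbar", line))
            elif line.endswith("(file missing)") or line.endswith("(no file)"):
                findings.append(("orphaned BHO/toolbar registration", line))
        elif section == "O4":
            m = O4_RE.match(line)
            if m:
                known = lookalike_of(first_executable(m.group("cmd")))
                if known:
                    findings.append((f"lookalike of {known}", line))
        elif section == "O15":
            findings.append(("site added to IE Trusted Zone", line))
        elif section == "O20":
            findings.append(("Winlogon Notify DLL (loads at logon)", line))
        elif section == "O24":
            findings.append(("Active Desktop component", line))
    return findings


def reversed_name_pairs(paths):
    """Find Vundo-style file pairs whose base names are the reverse of each other."""
    stems = set()
    for p in paths:
        stems.add(p.rsplit("\\", 1)[-1].lower().split(".", 1)[0])
    pairs = set()
    for stem in stems:
        rev = stem[::-1]
        if rev in stems and rev != stem:
            pairs.add(tuple(sorted((stem, rev))))
    return sorted(pairs)


if __name__ == "__main__":
    for reason, line in triage_hjt(SAMPLE_HJT_LINES):
        print(f"[{reason}] {line}")
    for a, b in reversed_name_pairs(SAMPLE_VUNDOFIX_FILES):
        print(f"[reversed-name pair] {a} <-> {b}")
```

On the sample it flags eight HijackThis entries (the three unnamed BHOs, the orphaned Mirar BHO, the svch0st.exe Run key, and the O15/O20/O24 lines) and leaves vptray.exe and daemon.exe alone; the VundoFix names yield the pairs efhkj/jkhfe and gebyw/wybeg. The distance-1 test is deliberately strict so that legitimate names do not collide with the allow-list; a real tool would also check file signatures and paths, which a log alone cannot give you.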
Re: Recent problem: Slowdown, viruses of some sort, and many other things.

Avenger Log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sabnfpwk

*******************

Script file located at: \??\C:\WINDOWS\gupbmjui.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\svch0st.exe not found!
Deletion of file C:\WINDOWS\system32\svch0st.exe failed!
Could not process line:
C:\WINDOWS\system32\svch0st.exe
Status: 0xc0000034

Could not open file C:\Program Files\Outerinfo\Outerinfo.exe for deletion
Deletion of file C:\Program Files\Outerinfo\Outerinfo.exe failed!
Could not process line:
C:\Program Files\Outerinfo\Outerinfo.exe
Status: 0xc000003a

File C:\Program Files\Internet Explorer\rteremejyfs.html deleted successfully.

Folder C:\Program Files\Outerinfo not found!
Deletion of folder C:\Program Files\Outerinfo failed!
Could not process line:
C:\Program Files\Outerinfo
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

Hijack This Log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:49:12 AM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\imsubtle.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {D103A75C-9439-48F6-B35A-1804CAD065ED} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.salisbury.edu/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html

--
End of file - 6296 bytes

VundoFix Log

VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 12:28:06 AM 6/26/2007
Listing files found while scanning....
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\opnmlmm.dll
C:\WINDOWS\system32\opnmlmm.dll Has been deleted!
Performing Repairs to the registry.
Done!

I did a scan before right-clicking the white box; I misread your post and removed the 3 items it had. It restarted and deleted one of them, and then I right-clicked the white box and continued following your directions.

And if you meant:
Quote:
One problem I encountered was fixing O20 - Winlogon Notify: opnmlmm - C:\WINDOWS\SYSTEM32\opnmlmm.dll
I couldn't find it; the numbers went from 16 to 22 with nothing in between.
Re: Recent problem: Slowdown, viruses of some sort, and many other things.

You're doing fine. That O20? vundofix deleted its file.

Okay, couple more things to fix [incl one I missed putting in cos I was at the time wondering if it was a vundo file..]
Fix these and then restart your sys:
O2 - BHO: (no name) - {D103A75C-9439-48F6-B35A-1804CAD065ED} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {f692398e-2c9c-4a4d-96e8-b1520eeac2c8} - C:\WINDOWS\system32\bxvymww.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\rteremejyfs.html

Do a scan and note if the second entry comes back. Let me know.
The last one - I do not know if this is something to do with the Beta version you are using or not, I would have thought it would not reappear if you deleted the file. Please check the file has not reappeared, and let me know.
Actually, it would not hurt to load this file into Vundofix as you did the previous one and let it look at it:
C:\WINDOWS\system32\bxvymww.dll
-show me the result.

I do not see any resident antivirus service in your sys.
Please go into safe mode and run AVG AS
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file.

And next, with Windows firewall activated at least, go to one of these sites and get an AV!! Now.
AVG Free 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Avira personal free at http://www.free-av.com/
Avast home edition at http://www.avast.com/eng/avast_4_home.html

Done that? Now get a firewall, a real one, Zonealarm or Kerio. And Spywareblaster.

JAVA Update:
==Finally: Java update!!! This is for security reasons.
Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.1 is current....