Tech Support Guy banner

Post #1 · Registered · 3 Posts · Discussion Starter
Hello,

Recently, my computer has been acting sluggishly ever since a certain series of events.
After attempting to resolve the problem by myself and being unable to, I've decided to come to this forum for help.

On the 24th of December, while accessing the internet, I received an error message. I'm not too sure about the exact contents of the message, but it was something about a C++ error. (I suspect it has something to do with a popup ad.)

After that window popped up, my computer suddenly began to lag. Instinctively checking Task Manager (I do so periodically ever since my computer was infected with a backdoor in 2003), I noticed a few abnormal processes running. They were named something like "1.exe", "8.exe" and "relpop.exe".

After ending those processes, I checked my registry and deleted some unfamiliar keys in HKLM\software\microsoft\windows\currentversion\run.

However, my system was still not performing properly. Scanning with the Symantec online virus detection, I found multiple viruses. (My own antivirus on my computer did not pick up anything.)

C:\WINDOWS\system32\cqdd.exe is infected with Infostealer
C:\WINDOWS\system32\mywl.dll is infected with Infostealer
C:\WINDOWS\system32\norton.sys is infected with Hacktool.Rootkit
C:\WINDOWS\system32\svvosts.exe is infected with Infostealer
C:\WINDOWS\system32\windhcp.ocx is infected with Trojan Horse
C:\WINDOWS\system32\xydll.dll is infected with Infostealer
C:\WINDOWS\Download\svhost32.exe is infected with Infostealer.Lineage
C:\RECYCLER\S-1-5-21-746137067-813497703-1060284298-1004\Dc314.exe is infected with Downloader
C:\RECYCLER\S-1-5-21-746137067-813497703-1060284298-1004\Dc316\3.exe is infected with Infostealer.Lineage
C:\Program Files\Messenger Plus! 3\Plugins\ShortcutPlug.dll is infected with Backdoor.Trojan
C:\Documents and Settings\HCH2\My Documents\My Website\localhost\www\index.html is infected with Trojan.Dowiex!inf
C:\Documents and Settings\HCH2\My Documents\My Website\localhost\www\oldindex.html is infected with Trojan.Dowiex!inf
C:\Documents and Settings\HCH2\My Documents\My Website\localhost\www\search.php is infected with Trojan.Dowiex!inf
C:\Documents and Settings\HCH2\My Documents\My Website\localhost\www\talkroom.html is infected with Trojan.Dowiex!inf
C:\Documents and Settings\HCH2\My Documents\My Website\localhost\www\talkroom.php is infected with Trojan.Dowiex!inf
C:\Documents and Settings\HCH2\My Documents\My Website\localhost\www\view.php is infected with Trojan.Dowiex!inf
C:\Documents and Settings\HCH2\My Documents\My Website\localhost\www\Game\clearmsg.php is infected with Trojan.Dowiex!inf
C:\Documents and Settings\HCH2\My Documents\My Website\localhost\www\Game\createteam.php is infected with Trojan.Dowiex!inf
C:\Documents and Settings\HCH2\My Documents\My Website\localhost\www\Game\login.html is infected with Trojan.Dowiex!inf
C:\Documents and Settings\HCH2\My Documents\My Website\localhost\www\Game\login.php is infected with Trojan.Dowiex!inf
C:\Documents and Settings\HCH2\My Documents\My Website\localhost\www\Game\logout.php is infected with Trojan.Dowiex!inf
C:\Documents and Settings\HCH2\Local Settings\Temporary Internet Files\Content.IE5\W1674LYZ\up5[1].exe is infected with Infostealer.Lineage
C:\Documents and Settings\HCH2\Local Settings\Temporary Internet Files\Content.IE5\G9ABWXUJ\joke[1].htm is infected with Downloader
C:\Documents and Settings\HCH2\Local Settings\Temporary Internet Files\Content.IE5\CZYVILUP\cqsj[1].exe is infected with Infostealer
C:\Documents and Settings\HCH2\Local Settings\Temporary Internet Files\Content.IE5\CZYVILUP\cq[1].exe is infected with Downloader
C:\Documents and Settings\HCH2\Local Settings\Temporary Internet Files\Content.IE5\CZYVILUP\up4[1].exe is infected with Infostealer
C:\Documents and Settings\HCH2\Local Settings\Temporary Internet Files\Content.IE5\0PYFS9EB\up3[1].exe is infected with Infostealer.Lineage
C:\Documents and Settings\HCH2\Local Settings\Temp\relpop.exe is infected with Infostealer
C:\Documents and Settings\HCH2\Local Settings\Temp\ywky.dll is infected with Trojan Horse
C:\Documents and Settings\HCH2\Local Settings\Temp\Ztgx.dll is infected with Infostealer.Gampass
(A sidenote: I have these files as I used to play around with an Apache server and PHP last year. However, I have not touched the files in quite a few months already.)

Checking through the HTML and PHP files, I noticed that an IFRAME tag had been added to the bottom of the code.

I searched for and deleted the other infected files (my system restore was off).
I then ran AdAware and scanned and cleaned up my system.

However, the problem was not over.
Ever since then, when I use the computer, the process "IEXPLORE.exe" will pop up in Task Manager every few seconds (by that I mean a new process each time).
Normally, that is just the process I see when using internet explorer. However, in task manager, the user name is called "SYSTEM" and there is NO VISIBLE window. Additionally, the process takes up around 18K in MEM usage EACH, and it opens until there are around 8 IEXPLORE.exe processes.

Not only that, every 10 minutes or so, a message box will pop up and announce:

16 Bit MS_DOS subsystem

C:\DOCUME~1\HCH2\LOCALS~1\Temp\WinNNN.exe
The NTVDM CPU has encountered an illegal instruction.
CS:053c IP:b54d OP:ff ff ff ff ff Choose 'Close' to terminate the application.
where the NNN in the file name is random characters.

It's frustrating because I cannot seem to find the process which spawns both the message boxes and the hidden IEXPLORE.exe processes.

Can anyone help me solve this problem and restore order in my computer?

Here are my system specifications:

Intel Pentium 3 800MHZ processor
326 MB RAM (It's actually a 256MB card and a 64MB card)
Microsoft Windows XP (service pack 1)
Microsoft IE6

Here is a hijackthis report:

Logfile of HijackThis v1.99.1
Scan saved at 4:53:07 PM, on 12/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
and a startup log:

StartupList report, 12/26/2006, 4:54:30 PM
StartupList version: 1.52.2
Started from : C:\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

pccguide.exe = "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
MessengerPlus3 = "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
MessengerPlus3 = "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmarque.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\WINDOWS\system32\pnrpnsp.dll
NameSpace #5: C:\WINDOWS\system32\pnrpnsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,361 bytes
Report generated in 0.120 seconds

It will be really good if someone could offer me assistance. Thank you.
(And maybe I shouldn't have tried tackling the problem myself at first.)

EDIT: After browsing the forums a little, I have some additional info to put here.

Here is a screenshot of the multiple IEXPLORE.exe processes, and I attempted to resolve the host using TCPView but it's weird.



Also, here are the results for a scan that I did with ActiveScan.

Incident Status Location

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\default\ckk69byk.slt\cookies.txt[.hitbox.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\default\ckk69byk.slt\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\default\ckk69byk.slt\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\default\ckk69byk.slt\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\6D6ZYX8N\popup[2].php
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.statcounter.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.fastclick.net/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.targetnet.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.atdmt.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.burstnet.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.casalemedia.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.centrport.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.com.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\HCH2\Application Data\Mozilla\Profiles\default\9stsip4d.slt\cookies.txt[searchportal.information.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HCH2\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HCH2\Cookies\[email protected][2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\HCH2\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HCH2\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\HCH2\Cookies\[email protected][1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\HCH2\Cookies\[email protected][2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\HCH2\Cookies\[email protected][1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HCH2\Cookies\[email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\HCH2\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HCH2\Cookies\[email protected][1].txt
Virus:Trj/Lineage.BRK Disinfected C:\Documents and Settings\HCH2\Local Settings\Temp\ywky.dll
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\HCH2\Local Settings\Temporary Internet Files\Content.IE5\A9X2N6X8\popup[2].php
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\HCH2\My Documents\hijackthis\backup-20040805-153845-386.inf
Possible Virus. Not disinfected C:\Program Files\Aldo's Macro Recorder\Macro.exe
Spyware:Cookie/YieldManager Not disinfected C:\RECYCLER\S-1-5-21-746137067-813497703-1060284298-1004\Dc377.txt
Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\S-1-5-21-746137067-813497703-1060284298-1004\Dc378.txt
Possible Virus. Not disinfected C:\WINDOWS\system32\5.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
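The IFRAME tag the poster found appended to the bottom of the HTML and PHP files is the usual marker of this kind of web-file infection. As an added example that is not part of this thread, the Python below scans a web root for iframes that sit after the closing </html> or are hidden (zero size or display:none) and reports file, line and src so a site owner can triage before cleaning; the sample pages and the malicious.example host are constructed for the demo.

```python
"""Find <iframe> tags appended to or hidden in web files (added example)."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Injected frames are usually made invisible: zero width/height or CSS hiding.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
CLOSE_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
WEB_EXTENSIONS = {".html", ".htm", ".php"}


@dataclass
class Finding:
    path: str
    line: int      # 1-based line where the tag starts
    src: str       # iframe src attribute, empty if none
    reason: str


def find_injected_iframes(text: str, path: str = "<memory>") -> list[Finding]:
    """Return iframes that look injected: placed after </html> or hidden.

    A visible iframe inside the document body is left for manual review,
    since legitimate pages embed frames too. PHP files often have no </html>,
    so for them only the hidden-style heuristic applies.
    """
    findings: list[Finding] = []
    close = None
    for close in CLOSE_HTML_RE.finditer(text):
        pass  # keep the last </html>; anything after it is appended content
    doc_end = close.end() if close else None
    for tag in IFRAME_RE.finditer(text):
        tag_text = tag.group(0)
        reasons = []
        if doc_end is not None and tag.start() >= doc_end:
            reasons.append("after </html>")
        if HIDDEN_RE.search(tag_text):
            reasons.append("hidden (zero size or display:none)")
        if not reasons:
            continue
        src_m = SRC_RE.search(tag_text)
        line = text.count("\n", 0, tag.start()) + 1
        findings.append(Finding(path, line, src_m.group(1) if src_m else "", "; ".join(reasons)))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a web root and check every .html/.htm/.php file."""
    results: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                results.extend(find_injected_iframes(fh.read(), path))
    return sorted(results, key=lambda f: f.path)


# Constructed sample content (not from the thread); malicious.example is a placeholder host.
CLEAN_PAGE = "<html><body><h1>Talk room</h1></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + '<iframe src="http://malicious.example/counter.php" width=0 height=0></iframe>\n'
INFECTED_PHP = "<?php echo 'hi'; ?>\n<iframe src=\"http://malicious.example/x.htm\" style=\"display:none\"></iframe>"


def demo_scan() -> list[Finding]:
    """Write the samples into a temp web root and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"clean.html": CLEAN_PAGE, "index.html": INFECTED_PAGE,
                   "talkroom.php": INFECTED_PHP, "notes.txt": INFECTED_PAGE}
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f.path}:{f.line}: {f.reason} src={f.src}")
```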
 

Reply · Retired Moderator · 72,209 Posts
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download and install AVG Anti-Spyware 7.5 AVG ANTI-SPYWARE IS ONLY FOR SYSTEMS RUNNING WIN 2K and XP
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware)
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
9. Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here. Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with AVG Anti-Spyware as follows:
1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
 

Post #3 · Registered · 3 Posts · Discussion Starter
Thank you for helping me.

I have managed to complete your instructions from the ATF cleaner until the modifying of the service settings.

However, I cannot update the AVG Anti-spyware.
The update window displays the message

ERROR: Sorry, The server is not ready to serve. Please try again later.

I also cannot update manually, when I run the installer, an error message pops up saying:
Ewido Anti-Malware could not be found on your system.

It then prompts to browse for the folder containing the program, however, when I select the folder (C:\Program Files\Grisoft\AVG Anti-Spyware 7.5) it unpacks, but the software still states that it has not been updated.

Additionally, there have been more weird occurrences happening on my PC. It suffers lag spikes frequently, and often many processes named "ntvdm.exe" can be seen in the task manager. I got an error message which made the computer reboot in one minute, saying some RPC thing was terminated. And there were a few scheduled printer tasks which I did not set.

Please help me. Thanks.
 

Reply · Retired Moderator · 72,209 Posts
Run Panda ActiveScan here

Once you are on the Panda site click the "Scan your PC" button.
A new window will open... click the "Check Now" button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address.
Select either Home User or Company.
Click the big "Scan Now" button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
When download is complete, click on "Local Disks" to start the scan.
When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.

Post a new HiJack This log along with the results from ActiveScan.
 

Post #5 · Registered · 3 Posts · Discussion Starter
Hello again,

After some thought, I have decided to reformat my pc.
It seems that many applications are not functioning properly and the whole PC is just too laggy to use.
Since I have also been trying to clear some clutter of files, I think it would be easier to just reformat my PC.

Anyway, thank you for your time trying to help.
P.S. - you may close this thread if necessary
 