Firefox grinding to load (hijackthis log included)
Comments
How much ram?!!
512MB RAM, Intel 1600 or 1.59GHz processor
"Marleyboy you are a legend!"
MarleyBoy "You are the Greatest"
Marleyboy You Are A Legend!
Marleyboy speaks sense
marleyboy (total legend)
Marleyboy - You are, indeed, a legend.
What are the 3 figures under Task Manager > Performance > Commit Charge immediately after a reboot with nothing running, then with Firefox running?
How long does a boot take?
Install portable firefox to a different directory, and see if it also takes 7 minutes to load. Does IE work ok?
You've still got a nameserver from the Ukraine in there, as well as loads of apps that aren't needed at startup
Ad-Aware, Epson apps, ArcSoft, AffinegyService, jqs, LightScribe, NBService, TomTom, WinPcap, Google Desktop, Reader_sl.exe, AdobeARM.exe, Thoosje Sidebar.exe, Spybot, mdm etc.
If it's a laptop, try it without the battery in!!
If Malwarebytes is well out of date, then you'd need to update twice (once for the program, and again for the latest definitions).
Obviously 1 gig of RAM would help a lot too.
anyways ~
Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti-virus.
Follow the simple instructions it gives.
Post the COMPLETE log it creates here (split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out.
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE as 'QWERTY' on download.
Finally, now take a Deep Breath.............
ComboFix 10-04-21.01 - Admin 23/04/2010 12:57:02.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.66 [GMT 1:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Admin\Application Data\Desktopicon
c:\documents and settings\Admin\Application Data\Desktopicon\config.ini
c:\documents and settings\All Users\Documents\registry-backup.reg
c:\program files\SpeedBit Video Downloader\Toolbar\tbhelper.dll
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SHELLLNK.TLB
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_NPF
\Service_NPF
((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))
.
2010-04-23 11:22 . 2010-04-23 11:22 d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Yahoo!
2010-04-21 18:45 . 2010-04-21 18:45 d-----w- c:\program files\Trend Micro
2010-04-17 19:17 . 2010-04-17 19:17 d-----w- c:\documents and settings\Admin\Application Data\facemoods.com
2010-04-17 02:08 . 2010-04-17 03:19 d-----w- c:\windows\system32\NtmsData
2010-04-17 02:05 . 2010-04-17 02:05 d-----w- c:\documents and settings\Admin\Application Data\Avira
2010-04-14 17:17 . 2010-04-14 17:17 96512 ----a-w- c:\windows\system32\drivers\rtnoruzs.sys
2010-04-14 00:56 . 2010-04-14 17:18 d-----w- c:\windows\system32\MpEngineStore
2010-04-10 17:12 . 2010-04-21 19:28 d-----w- c:\program files\DAP
2010-04-10 17:11 . 2010-04-10 17:11 d-----w- c:\documents and settings\Admin\Application Data\Toolbar4
2010-04-10 17:11 . 2010-04-22 19:05 d-----w- c:\program files\SearchPredict
2010-04-10 17:11 . 2010-04-21 19:28 d-----w- c:\documents and settings\All Users\Application Data\SpeedBit
2010-04-10 17:11 . 2010-04-10 17:11 d-----w- c:\program files\SpeedBit Video Downloader
2010-04-07 00:58 . 2010-04-07 00:58 d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Stardock
2010-04-06 20:11 . 2010-04-06 20:11 d-----w- c:\program files\zoneLINK
2010-04-06 19:44 . 2010-04-06 19:44 d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Innovative Solutions
2010-04-06 19:43 . 2010-04-06 19:43 d-----w- c:\program files\Innovative Solutions
2010-04-06 18:32 . 2010-04-06 18:32 d-----w- c:\documents and settings\Admin\Application Data\Lavasoft
2010-04-06 18:29 . 2010-04-06 18:29 d-----w- c:\windows\Time Stopper
2010-04-06 18:29 . 2010-04-06 18:29 d-----w- c:\program files\Time Stopper
2010-04-06 15:34 . 2010-04-07 00:42 d-----w- c:\program files\AcceleRun
2010-04-06 10:08 . 2010-04-06 10:08 d-----w- c:\windows\system32\XPSViewer
2010-04-06 10:08 . 2010-04-06 10:08 d-----w- c:\program files\MSBuild
2010-04-06 10:08 . 2010-04-06 10:08 d-----w- c:\program files\Reference Assemblies
2010-04-06 10:08 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-04-06 10:07 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-04-06 10:07 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-04-06 10:07 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-04-06 10:07 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-04-06 10:07 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-04-06 10:07 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-04-06 10:07 . 2010-04-06 10:08 d-----w- C:\9b4b0f49be693f7408c1f7dd
2010-04-06 10:07 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-04-06 10:07 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-04-06 01:59 . 2010-04-06 01:59 d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-06 01:59 . 2010-04-06 01:59 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-04-06 01:59 . 2010-04-06 01:59 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-04-05 16:16 . 2010-04-05 16:16 d-----w- c:\program files\AviSynth 2.5
2010-04-05 16:15 . 2010-04-05 16:26 d-----w- c:\program files\Foto2Avi
2010-04-05 16:14 . 2010-04-05 16:14 d-----w- c:\program files\WinSnap
2010-04-05 15:54 . 2010-04-05 15:54 d-----w- c:\program files\Fast Duplicate File Finder
2010-04-05 11:41 . 2010-04-05 11:43 d-----w- c:\program files\3GP Player 2009
2010-04-05 10:24 . 2010-04-05 10:24 d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Ahead
2010-04-04 23:13 . 2010-04-04 23:14 d-----w- c:\documents and settings\Admin\Application Data\VSO
2010-04-04 23:10 . 2010-04-04 23:10 d-----w- c:\program files\VSO
2010-04-04 22:48 . 2010-04-04 22:48 d-----w- c:\documents and settings\Admin\Application Data\MyPhoneExplorer
2010-04-04 22:48 . 2010-04-21 19:27 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-04 22:48 . 2010-04-04 22:48 d-----w- c:\program files\MyPhoneExplorer
2010-04-04 22:27 . 2010-04-22 23:31 d-----w- c:\program files\Mgtweak
2010-04-04 19:51 . 2010-04-04 19:51 d-----w- c:\windows\system32\wbem\Repository
2010-04-04 17:46 . 2010-04-04 17:45 737280 ----a-w- c:\windows\iun6002.exe
2010-04-04 17:46 . 2010-04-07 10:30 d-----w- c:\program files\Tweak-XP Pro 4
2010-03-26 03:19 . 2010-03-26 03:19 d-----w- c:\documents and settings\Admin\Application Data\ManyCam
2010-03-26 03:19 . 2010-03-26 03:21 d-----w- c:\program files\ManyCam 2.4
2010-03-25 03:21 . 2010-04-20 01:17 d-----w- c:\documents and settings\Admin\dwhelper
2010-03-25 01:07 . 2010-03-25 01:07 d-----w- c:\program files\Common Files\DivX Shared
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-23 10:12 . 2007-05-14 15:40 d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 19:14 . 2010-01-29 10:48 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-22 19:09 . 2010-01-29 10:48 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-22 19:05 . 2010-02-26 22:18 d-----w- c:\program files\blinkx Remote Toolbar
2010-04-21 20:08 . 2007-05-14 15:55 d-----w- c:\program files\Common Files\Adobe
2010-04-21 18:45 . 2010-04-21 18:45 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-19 18:00 . 2009-03-10 18:12 d-----w- c:\program files\Mozilla Thunderbird
2010-04-19 17:56 . 2009-03-10 18:12 d-----w- c:\documents and settings\Admin\Application Data\Thunderbird
2010-04-14 18:03 . 2009-06-07 16:47 d-----w- c:\program files\Google
2010-04-06 20:12 . 2007-05-14 15:27 69600 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-06 18:32 . 2009-05-30 16:03 d-----w- c:\program files\Lavasoft
2010-04-05 16:10 . 2009-12-27 14:07 d-----w- c:\documents and settings\All Users\Application Data\UDL
2010-04-05 10:24 . 2010-03-23 20:26 d-----w- c:\documents and settings\Admin\Application Data\DivX
2010-04-04 19:51 . 2009-10-26 21:25 d-----w- c:\program files\QuickTime
2010-04-04 19:51 . 2007-06-25 21:00 d-----w- c:\program files\Real
2010-04-04 19:51 . 2010-01-25 22:19 d-----w- c:\program files\DivX
2010-04-04 19:51 . 2010-01-11 15:36 d-----w- c:\program files\coverXP
2010-04-04 19:51 . 2008-07-16 17:50 dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2010-04-04 19:51 . 2008-05-06 18:32 d-----w- c:\program files\Compendium-OpenLearn
2010-04-04 19:51 . 2007-12-04 20:01 d-----w- c:\program files\FirstClass
2010-04-04 19:51 . 2010-01-29 11:28 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-04 19:51 . 2009-12-26 01:26 d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2010-04-04 19:51 . 2009-11-29 14:45 d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-04-04 19:50 . 2009-12-27 14:25 d-----w- c:\documents and settings\Admin\Application Data\Epson
2010-04-04 19:50 . 2009-12-27 14:05 d-----w- c:\documents and settings\Admin\Application Data\InstallShield
2010-04-04 19:50 . 2009-11-29 14:47 d-----w- c:\documents and settings\Admin\Application Data\ArcSoft
2010-04-04 19:50 . 2008-08-23 13:49 d-----w- c:\documents and settings\Admin\Application Data\Apple Computer
2010-04-04 19:50 . 2010-04-04 19:50 d-----w- c:\documents and settings\Admin\Application Data\Affinegy
2010-04-04 19:50 . 2010-04-04 19:50 d-----w- c:\documents and settings\Admin\Application Data\U3
2010-04-04 19:50 . 2010-04-04 19:50 d--h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-04-04 19:50 . 2010-04-04 19:50 d-----w- c:\program files\MSXML 4.0
2010-04-01 02:54 . 2007-05-15 15:40 d-----w- c:\program files\Common Files\Java
2010-04-01 02:53 . 2008-12-10 17:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-29 23:46 . 2010-01-29 10:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2010-01-29 10:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 01:25 . 2010-03-23 20:19 d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-03-25 01:12 . 2010-03-25 01:12 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-03-25 01:12 . 2010-03-25 01:12 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-03-25 01:11 . 2010-03-25 01:11 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-03-25 01:11 . 2010-03-25 01:11 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-03-25 01:11 . 2010-03-25 01:11 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-03-25 01:11 . 2010-03-25 01:11 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-03-25 01:11 . 2010-03-25 01:11 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-03-25 01:11 . 2010-03-25 01:11 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-03-25 01:11 . 2010-03-25 01:11 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-03-25 01:07 . 2010-03-25 01:07 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-03-25 01:07 . 2010-03-25 01:07 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-03-24 15:04 . 2010-03-25 01:52 52224 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fpjic1fy.default\extensions\{34c27e42-a304-470e-a066-d724148aed1b}\components\FFExternalAlert.dll
2010-03-24 15:04 . 2010-03-25 01:52 101376 ----a-w- c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fpjic1fy.default\extensions\{34c27e42-a304-470e-a066-d724148aed1b}\components\RadioWMPCore.dll
2010-03-23 21:34 . 2010-03-18 09:35 d-----w- c:\program files\VidMorph
2010-03-23 20:19 . 2010-03-23 20:28 986392 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-03-22 14:40 . 2010-03-22 14:38 d-----w- c:\documents and settings\Admin\Application Data\MSN6
2010-03-18 17:32 . 2010-03-18 17:32 d-----w- c:\program files\Tubegadgets
2010-03-18 16:36 . 2010-03-18 09:37 d-----w- c:\documents and settings\Admin\Application Data\VidMorph
2010-03-18 09:35 . 2010-03-18 09:35 d-----w- c:\program files\Common Files\GeoVid
2010-03-10 06:15 . 2001-08-23 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-01 08:05 . 2009-06-15 13:16 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-25 06:24 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2001-08-23 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-16 12:24 . 2009-06-15 13:16 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-12 10:03 . 2010-03-22 15:30 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2001-08-23 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2001-08-23 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-05 19:16 . 2010-02-05 19:16 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-01-28 11:58 . 2010-01-28 11:58 348160 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40929174-n\msvcr71.dll
2010-01-28 11:58 . 2010-01-28 11:58 61440 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-36d8db9a-n\decora-sse.dll
2010-01-28 11:58 . 2010-01-28 11:58 503808 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40929174-n\msvcp71.dll
2010-01-28 11:58 . 2010-01-28 11:58 499712 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-40929174-n\jmc.dll
2010-01-28 11:58 . 2010-01-28 11:58 12800 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-36d8db9a-n\decora-d3d.dll
2010-04-07 12:43 . 2010-04-07 12:43 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tweak-XP Pro"="c:\program files\Tweak-XP Pro 4\autostart.exe" [2004-09-28 16896]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 344064]
"Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-04-07 30192]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-04-26 401408]
"snpstd"="c:\windows\vsnpstd.exe" [2003-12-31 40960]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-10 2221352]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/05/2009 17:06 64160]
R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [29/11/2009 15:47 11392]
R2 Ç-DillaSrv;Ç-DillaSrv;c:\windows\system32\drivers\CDANTSRV.EXE [09/04/1998 17:31 18432]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [15/06/2009 14:16 135336]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [14/04/2009 17:39 266240]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 12:31 92008]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14/01/2008 11:06 21632]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/02/2010 20:37 135664]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [15/11/2009 14:05 13224]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [07/04/2010 13:42 30192]
S3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys [26/12/2009 02:21 7936]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 14:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-04-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 17:07]
2010-04-23 c:\windows\Tasks\Epson Printer Software Downloader.job
- c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-01-23 15:03]
2010-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 19:37]
2010-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 19:37]
Supplementary Scan
.
uStart Page = hxxp://start.facemoods.com
uInternet Settings,ProxyOverride = local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fpjic1fy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np_blinkx_plugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 13:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x82F998C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf87b1f28
\Driver\ACPI -> ACPI.sys @ 0xf8724cb8
\Driver\atapi -> atapi.sys @ 0xf86c1b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1252)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
.
**************************************************************************
.
Completion time: 2010-04-23 13:33:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-23 12:33
Pre-Run: 7,376,564,224 bytes free
Post-Run: 7,421,390,848 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 3F3F8BC6F334877B594999C7C3070DFE
...............................And release
NOTE: Can't get rid of that irritating Facemoods.
TICK and FIX these ~
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.facemoods.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ssm&s={searchTerms}&f=4
O9 - Extra button: (no name) - {09E90109-A9AA-4980-BCEF-76F8D924E902} - (no file) (HKCU)
Open notepad and copy/paste the text in RED below
File::
c:\windows\system32\drivers\rtnoruzs.sys
c:\windows\iun6002.exe
c:\windows\vsnpstd.exe
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
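The helper's review of the log above (the Run keys, the Security Center override, the firewall exceptions and globally open VNC ports) and the R0 start-page entries in the fix list are the sort of checks that can be scripted. The script below is an added example written for this thread; it is not code from the forum, ComboFix or HijackThis. It groups ComboFix-style "Reg Loading Points" lines under their [key] headers, collects HijackThis-style R0 lines wherever they appear, and flags the entries a reviewer would look at first. The sample log, the trusted autorun roots, the expected browser hosts and the remote-access name hints are all constructed for the example.

```python
"""Triage pass over ComboFix-style 'Reg Loading Points' output.

Added example for this thread, not code from the forum, ComboFix or
HijackThis. The sample log, trusted roots, expected browser hosts and
remote-access hints below are constructed for the example.
"""
import re

# Constructed sample modelled on the log format posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"snpstd"="c:\windows\vsnpstd.exe" [2003-12-31 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.facemoods.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ssm&s={searchTerms}&f=4
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
HJT_RE = re.compile(r"^[RO]\d+ - ")   # HijackThis-style R0/O9 lines
R0_RE = re.compile(r"^R0 - (?P<key>[^,]+),(?P<setting>[^=]+?) = (?P<url>\S+)$")

# Constructed policy: where autoruns are expected to live, which browser
# hosts are expected, and which name fragments mark remote-access tools.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")
EXPECTED_BROWSER_HOSTS = {"www.google.co.uk", "www.google.com", "about:blank"}
REMOTE_ACCESS_HINTS = ("vnc",)


def parse_sections(text):
    """Group lines under their lower-cased [key] header; HijackThis-style
    Rn/On lines go under 'hijackthis' because they carry their own key."""
    sections = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
            continue
        bucket = "hijackthis" if HJT_RE.match(line) else current
        sections.setdefault(bucket, []).append(line)
    return sections


def check_line(section, line):
    """Return (kind, subject, detail) findings for one line of a section."""
    kv = VALUE_RE.match(line)
    if section.endswith("\\currentversion\\run") and kv:
        quoted = re.match(r'^"([^"]+)"', kv.group("value"))
        path = (quoted.group(1) if quoted else kv.group("value")).strip().lower()
        # Bare file names resolve through the search path, so they are
        # flagged for review along with anything outside the trusted roots.
        if not path.startswith(TRUSTED_ROOTS):
            return [("review-autorun", kv.group("name"), path)]
    elif section.endswith("security center") and kv and kv.group("name").lower().endswith("override"):
        try:
            enabled = int(kv.group("value").split(":")[-1], 16) != 0
        except ValueError:
            enabled = True  # an unparsable override value is worth a look too
        if enabled:
            return [("security-center-override", kv.group("name"), kv.group("value"))]
    elif section.endswith("authorizedapplications\\list") and kv:
        if any(hint in kv.group("name").lower() for hint in REMOTE_ACCESS_HINTS):
            return [("remote-access-firewall-exception", kv.group("name"), line)]
    elif section.endswith("globallyopenports\\list"):
        port = PORT_RE.match(line)
        if port:
            return [("inbound-port-open", f"{port.group('port')}/{port.group('proto')}", line)]
    elif section == "hijackthis":
        r0 = R0_RE.match(line)
        if r0:
            host = r0.group("url").split("//", 1)[-1].split("/", 1)[0].lower()
            if host not in EXPECTED_BROWSER_HOSTS:
                return [("browser-start-page", host, line)]
    return []


def triage(text):
    """Run every section's lines through check_line and collect findings."""
    findings = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            findings.extend(check_line(section, line))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:34} {subject:22} {detail}")
```

On the constructed sample this yields seven findings: the autorun in the Windows root, the AntiVirusOverride set to 1, the VNC firewall exception, the two globally open ports, and both facemoods R0 entries. Every flag is a "look here" rather than a verdict; the trusted roots and expected hosts are policy inputs a reviewer would set for the machine in question.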
This discussion has been closed.