So Bl00dy Slooooowwww!

rizla01

Hi all.

Have just had a few trojans Etc which Panday online seem to get rid of. ran Superspyware and a couple of other utils but now the thing is locking up everytime I try to do anything and then takes an absolute AGE before responding.

Just ran Hijack this and here is the result.

Can anyone assist, please?

Thx
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:09:34, on 15/06/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
G:\Online Armor\OAcat.exe
G:\Online Armor\oasrv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
G:\Online Armor\a2\AVGate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
G:\Online Armor\oaui.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
G:\Program Files\Stardock\ObjectDock\ObjectDock.exe
G:\Online Armor\OAhlp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
d:\program files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Terry\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by118w.bay118.mail.live.com/default.aspx?&n=1721578409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - \Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - \Roboform\roboform.dll
O4 - HKLM\..\Run: [@OnlineArmor GUI] "G:\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [a-squared] "G:\Emsisoft Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSUNMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
O4 - HKCU\..\Run: [StartMenu7] "F:\Start Menu 7\StartMenu7.exe"
O4 - S-1-5-18 Startup: Stardock ObjectDock.lnk = G:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Stardock ObjectDock.lnk = G:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = G:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Customize Menu - [URL]file://D:\Roboform\RoboFormComCustomizeIEMenu.html[/URL]
O8 - Extra context menu item: Fill Forms - [URL]file://D:\Roboform\RoboFormComFillForms.html[/URL]
O8 - Extra context menu item: Password Generator - [URL]file://D:\Roboform\RoboFormComPasswordGenerator.html[/URL]
O8 - Extra context menu item: RoboForm Toolbar - [URL]file://D:\Roboform\RoboFormComShowToolbar.html[/URL]
O8 - Extra context menu item: Save Forms - [URL]file://D:\Roboform\RoboFormComSavePass.html[/URL]
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Zoom &in - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
O8 - Extra context menu item: Zoom &out - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [URL]file://D:\Roboform\RoboFormComFillForms.html[/URL]
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [URL]file://D:\Roboform\RoboFormComFillForms.html[/URL]
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [URL]file://D:\Roboform\RoboFormComSavePass.html[/URL]
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [URL]file://D:\Roboform\RoboFormComSavePass.html[/URL]
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - [URL]file://D:\Roboform\RoboFormComShowToolbar.html[/URL]
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - [URL]file://D:\Roboform\RoboFormComShowToolbar.html[/URL]
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218797834562
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O20 - Winlogon Notify: !SASWinLogon - G:\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - G:\Online Armor\OAcat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - G:\Online Armor\oasrv.exe
--
End of file - 8012 bytes

closed

Ditch panda, superantispyware, asquared, online armour, disable the proxy server in ie connections.

Then enable windows firewall, install malwarebytes and avast, and scan with both.

Also post your physical memory and commit charge figures in task manager, performance

rizla01

Hi,

When you say DITCH do you mean uninstall or just stop the processes?

I had problems with AVASt and for some reason when downloaded it is corrupted (I vaguely recall as it was a while back) Recently got rid of AVIRA for similar reasons - Kept trying to update but froze.

Not using a proxy server. It is already disabled?

Have scanned with MALWAREBYTES.

Running Pentium (R) D CPU 3.40 Ghz 1.99 Gb Ram and XP Home 2002 Service pack 3

closed

I meant uninstall, you have plenty of ram, not too many processes, so something somewhere is slowing it down, apart from objectdoc most of what you have running is security related, so rule them out one by one, too many AV/antispyware apps can slow things down.

If you are talking about internet browsing being slow, this may have something to do with it, which infection did you have? If you mean slow generally, look in task manager to see which process is hogging the processor.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:5555

You may have more luck with avast5, did you update malwarebytes before doing a full scan?

aliEnRIK

Please open malwarebytes, goto LOGS and post the WHOLE of the last log

rizla01

Hi Chaps. Sorry if I have ignored your comments but over the last two days I have thrown everything at it including dropping to safe moda nad running various spyware/malware progs and also getting rid of stuff that either didn't run or tried to run & failed, plus managed to get Avast up & running and re-installed my firewall (Something killed it).

Seemingly perfectly satisfactory now (Phew) so thanks for the input.

Just one question - Is there NOTHING to stop viruses Etc wiping out the past Sys restore points and switching it off?

This appears to be very vulnerable and ALWAYS affected.

aliEnRIK

What it 'seems like', might not mean its actually clear

rizla01

aliEnRIK wrote: »

What it 'seems like', might not mean its actually clear

|Take your point.

Here's the last log.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4057
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
16/06/2010 15:56:42
mbam-log-2010-06-16 (15-56-42).txt
Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|N:\|)
Objects scanned: 323807
Time elapsed: 2 hour(s), 2 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


Is that what you meant?

aliEnRIK

rizla01 wrote: »

|Take your point.

Here's the last log.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4057
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
16/06/2010 15:56:42
mbam-log-2010-06-16 (15-56-42).txt
Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|N:\|)

Its quite a bit out of date. Id recommend UPDATING and running another full scan

rizla01

Latest log here.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4210
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
18/06/2010 00:30:24
mbam-log-2010-06-18 (00-30-24).txt
Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|N:\|)
Objects scanned: 328168
Time elapsed: 1 hour(s), 15 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


Can you answer the sys restore question Rick?

aliEnRIK

I doubt any of them have rmeoved your restore points as they love to INFECT them. Youll probably find its an av program thats removed them as theyve been infected

If you want a double check your clean ~

Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
(If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)