Malwareteks :: Forums :: Malware Support :: Inactive Malware Threads
[INACTIVE] Tried the cleaning and what have you, nothing is working.
This thread is now closed
hockeygoalieeh
Tue Jun 12 2007, 03:19AM
Registered Member #74
Joined: Tue Jun 12 2007, 02:39AM
Posts: 3
Thanked 0 times in 0 posts
This isn't my computer, it's somebody else's. All the tests come out clean, yet simply opening Firefox takes up 87% of the processor speed. I'm trying to avoid a complete reformat. Attached are the files.
iseeyouxp.txt
hijackthis.log
msxml4-kb927978-enu.log

[ Edited Mon Jul 21 2008, 08:53AM ]
ShadowPuterDude
Tue Jun 12 2007, 08:43PM
...the Shadow knows


Registered Member #1
Joined: Thu Apr 27 2006, 04:52PM
Location: Northern NY
Posts: 251
Thanked 12 times in 12 posts
I don't see much in the logs. Could be a conflict between AVG 7.5 and an old install of Panda Titanium 2006.

Download
- Pocket Killbox
- ExplorerXP

Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [LUPGCONF] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\LUpgConf.exe" /RunOnce:5_01_00

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -

Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\Temp\mv3wa9rr.TMP
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP navigate to and DELETE the following:

C:\WINDOWS\r007
C:\WINDOWS\Downloaded Program Files\install.log
C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
Now run ATF Cleaner.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Using Windows Explorer (right click the Start button and select Explore to open Windows Explorer) navigate to C:\ISeeYouXP and locate the following script:
ShowIT.bat

Double-click to run the batch.

REBOOT to Normal Mode.

Post the following logs:
ISeeYouXP.txt (C:\ISeeYouXP.txt)
HijackThis (C:\Program Files\HJT\hijackthis.log)

Make sure you tell me how things are working.

What extensions are installed on Firefox?




"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
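The entries ticked above share a pattern a helper looks for by eye: URLSearchHooks, BHOs and toolbar buttons registered for a file that is gone ("(no file)", "(file missing)"), an O16 Downloaded Program Files entry with nothing behind it, and a Winlogon Notify package that names a directory instead of a DLL. The script below is an added example, not part of the original thread and not a Malwareteks or HijackThis tool: it parses HijackThis-style lines and applies those heuristics. The sample log is constructed from the lines quoted in this thread plus one AVG 7.5 startup entry added for contrast; the verdict names are the script's own. A log line cannot show whether a file still exists on disk, so O4 entries come back "ok" unless the line itself says otherwise (the decision above to remove the Panda entries rests on the AV-conflict reasoning, not on anything in the line).

```python
"""Triage HijackThis log entries with the heuristics a cleanup helper applies by eye.

Added example; not a Malwareteks or HijackThis tool.  A log line alone cannot
prove a file is absent from disk, so a verdict is 'fix' only where the line
itself says so ("(no file)", "(file missing)", empty O16, Winlogon Notify
without a DLL) and 'review' for start/search-page redirections.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the lines quoted in the post above, plus one AVG 7.5
# startup entry (assumed clean) added for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O20 - Winlogon Notify: avldr - C:\WINDOWS\
"""

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")


@dataclass
class Finding:
    entry_type: str
    verdict: str  # "fix", "review" or "ok"
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    etype, body = m.group("type"), m.group("body")
    low = body.lower()
    if "(no file)" in low or "(file missing)" in low:
        return Finding(etype, "fix", "hook/BHO/button registered for a file that no longer exists", line)
    if etype == "O16" and body.rstrip().endswith("-"):
        return Finding(etype, "fix", "Downloaded Program Files (ActiveX) entry with no file or codebase", line)
    if etype == "O20":
        # Winlogon Notify packages are DLLs loaded into winlogon.exe at every logon;
        # a bare directory here is either a broken entry or a stub left behind.
        target = body.rsplit(" - ", 1)[-1].strip()
        if target.endswith("\\") or not target.lower().endswith(".dll"):
            return Finding(etype, "fix", "Winlogon Notify entry names no DLL", line)
    if etype in ("R0", "R1", "O14"):
        um = URL_RE.search(body)
        host = um.group(1) if um else "(no url)"
        return Finding(etype, "review", f"IE start/search page points at {host}; reset unless the owner set it", line)
    return Finding(etype, "ok", "no heuristic fired; confirm the file exists on disk", line)


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def lines_to_fix(log_text: str) -> List[str]:
    """The entries you would tick under 'Do a system scan only' -> 'Fix checked'."""
    return [f.line for f in triage(log_text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.entry_type:4} {f.reason}")
```

Run against the sample, the seven "fix" lines are exactly the dead-file entries, the empty O16 and the avldr O20; the two R-lines come back "review" because a redirected start page is the OEM's or the user's choice as often as it is a hijack.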
hockeygoalieeh
Wed Jun 13 2007, 01:12AM
Everything seems to be back in relative order. The computer still seems a wee bit slow. The processor spikes to 100% just to try and open an additional IE6 window, but then again after doing all of this I have yet to run a CHKDSK or a defrag, so that's probably part of the problem right there. Once opened, the CPU usage dips back down to 5% or less. Everything appears to be in relative order. Actually, never mind. It's still taking far too long even after everything is set. The current memory usage is 253 MB on a 1 GB machine. Befuddling. Thanks.
hijackthis.log
iseeyouxp.txt

[ Edited Wed Jun 13 2007, 03:20AM ]
ShadowPuterDude
Wed Jun 13 2007, 09:47PM
Did you run ShowIT.bat as requested?  If so, the settings that should have been changed, weren't.

None of the things I indicated to be fixed by HijackThis were fixed.

When did this CPU spiking start?  Before or after AdAware 2007 was installed?



hockeygoalieeh
Sat Jun 16 2007, 02:30PM
The problems started before the A.A.W. installation. The computer is still exceedingly slow, but I don't see anything else wrong.

hijackthis.log
iseeyouxp.txt
ShadowPuterDude
Sat Jun 16 2007, 09:29PM
You may need to uninstall AAW, to see if that is the problem.

Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
O20 - Winlogon Notify: avldr - C:\WINDOWS\
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\Downloaded Program Files\install.log
    C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
    C:\WINDOWS\system32\perfc009.dat
    C:\WINDOWS\system32\perfh009.dat
    C:\WINDOWS\system32\drivers\wnmsav.dat
    C:\WINDOWS\system32\drivers\etc\NetAR.wlt
    C:\WINDOWS\system32\drivers\etc\NetFlt.cfg
    C:\WINDOWS\system32\drivers\etc\SmsFlt.cfg
    C:\WINDOWS\Temp\mv3wa9rr.TMP
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP navigate to and DELETE the following:

C:\WINDOWS\r007

C:\WINDOWS\Downloaded Program Files\install.log
C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
C:\WINDOWS\system32\perfc009.dat
C:\WINDOWS\system32\perfh009.dat
C:\WINDOWS\system32\drivers\wnmsav.dat
C:\WINDOWS\system32\drivers\etc\NetAR.wlt
C:\WINDOWS\system32\drivers\etc\NetFlt.cfg
C:\WINDOWS\system32\drivers\etc\SmsFlt.cfg
C:\WINDOWS\Temp\mv3wa9rr.TMP

Now run ATF Cleaner.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NOTE: This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

REBOOT to Normal Mode.

Attach fresh logs for:
HijackThis
ISeeYouXP



[ Edited Sat Jun 16 2007, 09:56PM ]


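Before double-clicking a .reg file it is worth checking that it says what you think it says. A key path that has lost its [ ] brackets (a common casualty of copying out of a forum quote box) leaves the values under it with no key to land in, and a [-key] line deletes a whole key, so a typo in that path deletes the wrong thing. The parser below is an added example, not a Microsoft or Malwareteks tool: it accepts the subset of the REGEDIT4 / "Windows Registry Editor Version 5.00" grammar that fix files like the one above use (header; [key] and [-key] lines; "name"= and @= values with quoted-string, dword:, hex: or - data; backslash continuation of long hex data) and reports anything else. FIXREG is the file from the post above with its first key bracketed as the format requires; FIXREG_UNBRACKETED is a constructed variant with those brackets stripped, to show what the check catches.

```python
"""Check a REGEDIT4 / 'Windows Registry Editor Version 5.00' file before merging it.
Added example, not a Microsoft or Malwareteks tool: it parses the subset of the .reg
grammar used in fix files and reports lines that would not do what the author meant."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<path>[^\]]+)\]$")                 # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')   # "name"=data or @=data
STR_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')
DWORD_RE = re.compile(r"^dword:[0-9A-Fa-f]{8}$")
HEX_RE = re.compile(r"^hex(?:\([0-9A-Fa-f]+\))?:(?:[0-9A-Fa-f]{2},?)*$")

# The fix file from the post above, with the first key bracketed as the format requires.
FIXREG = r"""REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
"""
# Constructed variant: the first key's brackets lost in copy-and-paste.
FIXREG_UNBRACKETED = FIXREG.replace("[HKEY_CURRENT_USER", "HKEY_CURRENT_USER").replace("advanced]", "advanced")

@dataclass
class Section:
    path: str
    delete: bool                                   # True for [-key]: the whole key is deleted
    values: Dict[str, str] = field(default_factory=dict)

@dataclass
class RegFile:
    sections: List[Section] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first line number, text), joining the trailing-backslash continuations of long hex: data."""
    buf, start = "", 0
    for n, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        s = raw.strip()
        if not buf:
            start = n
        if s.endswith("\\") and (buf or s.startswith(('"', "@"))):
            buf += s[:-1].strip()
            continue
        yield start, buf + s
        buf = ""
    if buf:
        yield start, buf

def _valid_data(data: str) -> bool:
    """'-' deletes a value; otherwise a quoted string, dword:XXXXXXXX or hex[(type)]:bytes."""
    return data == "-" or any(rx.match(data) for rx in (STR_RE, DWORD_RE, HEX_RE))

def parse_reg(text: str) -> RegFile:
    out, current, header_seen = RegFile(), None, False
    for n, line in _logical_lines(text):
        if not line or line.startswith(";"):           # blank or comment
            continue
        if not header_seen:
            header_seen = True
            if line in HEADERS:
                continue
            out.errors.append(f"line {n}: missing REGEDIT4 / 5.00 header")
        m = KEY_RE.match(line)
        if m:
            root = m.group("path").split("\\", 1)[0].upper()
            if root not in ROOTS:
                out.errors.append(f"line {n}: unknown root key {root!r}")
            current = Section(m.group("path"), bool(m.group("delete")))
            out.sections.append(current)
            continue
        m = VALUE_RE.match(line)
        if m:
            data = m.group("data").strip()
            if current is None:
                out.errors.append(f"line {n}: value outside any [key] section")
            elif current.delete:
                out.errors.append(f"line {n}: value under a [-key] deletion has nowhere to go")
            elif not _valid_data(data):
                out.errors.append(f"line {n}: unrecognised value data {data!r}")
            else:
                current.values["@" if m.group("name") is None else m.group("name")] = data
            continue
        if line.upper().startswith(ROOTS):
            out.errors.append(f"line {n}: key path without [ ] brackets: {line!r}")
            current = None    # later values must not silently attach to the previous key
            continue
        out.errors.append(f"line {n}: unrecognised line {line!r}")
    return out

def deleted_keys(rf: RegFile) -> List[str]:
    return [s.path for s in rf.sections if s.delete]
```

On FIXREG the parser returns two sections, four dword values and exactly one deletion, the avldr Notify key; on FIXREG_UNBRACKETED it reports the bare key path and four orphaned values, which is the point at which to stop and fix the file rather than merge it.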
 

Copyright 2006-2009 MalwareTeks