Everything posted by jwalker

  1. Probably bad form to reply to your own post here, but as I've more or less resolved this, I wanted to free up your time to help other posters. Feel free to ignore or close this thread, but I'll still check it a few more times in case anyone has any advice to add. Here's a quick rundown that may be helpful to anyone encountering a similar situation.

     Seems that one of the cleanup utilities (e.g. DSS, GMER, Combofix) defaulted most of my services & startup items, so a lot of services & startup items that were previously disabled or set to manual were all enabled en bloc. After a few dozen diagnostic boots, I narrowed the problem down to a group of 15 or so services & startup items for defunct programs, that is, programs that have long since been uninstalled or that I have had disabled on every computer I've owned since WinXP was originally released. The shutdown/restart is now back to about 2 seconds instead of 90 - 100 seconds, so it must have been hanging on a search for, or a timeout regarding, one of the defunct entries. As I don't need anything in this group of defunct programs, I didn't take the extra time to narrow it down further.

     Although it didn't help me directly, I did find a very good Windows shutdown troubleshooting page (I have no affiliation with the site & they're not selling anything): http://www.aumha.org/win5/a/shtdwnxp.htm

     I still have one small issue: my wireless (Intel PROSet) is now taking 20 seconds to connect instead of the normal five or so. But this is a small issue, and it should be relatively easy to troubleshoot, so in the absence of new symptoms I'm considering this resolved. Thanks for this forum. Looks like a lot of good work is being done here.
  2. Hi. I recently clicked on a piece of malware when I shouldn't have & gained a few new root folder files (90210.exe, iexploreXXX.exe) & a few corresponding registry entries. Presumably this is some kind of trojan. I followed the forum template:

       • Ran MBAM, with current updates
       • Ran Avira anti-virus, with current updates
       • Ran DDS/GMER
       • And I also ran CCleaner, Combofix & HijackThis

     I'm reasonably certain that the malware is now gone. The computer is stable with no unexpected behavior. But the cleaning process seems to have "broken" two things. One is my computer's fingerprint reader (UPEK) software. That was easily fixed by uninstalling, then reinstalling the fingerprint reader software. So the remaining issue is that shutting down or restarting Windows now takes 90 seconds, instead of the normal 2 - 3 seconds. No error messages during the shutdown & nothing that I can see in the Control Panel Event Viewer. The Windows shutdown appears clean, apart from the long delay. The subsequent boot is normal & uneventful. I had no shutdown or hibernation issues prior to adopting the malware & shutdown was also normal before the malware was removed. So it would seem that the shutdown issue is an artifact of the cleaning process. Any help or insight into how I can troubleshoot the shutdown issue would be appreciated. Or steps you think should be pursued if you believe that malware may still be active. This is a WinXP SP3 computer. MBAM/DDS logs below & GMER/HijackThis logs attached. Thanks.
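The first post above traces the shutdown delay to services and Run-key startup items for programs that were long since uninstalled, re-enabled en bloc by a cleanup tool. The read-only script below, an added example and not something the poster or the forum supplied, lists every service and HKLM/HKCU Run entry whose executable no longer exists on disk, so orphaned autostarts can be reviewed before any are disabled. It assumes PowerShell 2.0 or later and uses Get-WmiObject because it is available on older Windows versions that lack Get-CimInstance.

```powershell
# Added example (not from the thread): find autostart entries pointing at
# files that are no longer present. Changes nothing; it only reports.

function Get-ImagePath {
    # Reduce a service or Run-key command line to the executable it launches,
    # normalising the prefixes Windows uses for service image paths.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $path = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        # Unquoted: cut at the first .exe/.sys, otherwise at the first space.
        $m = [regex]::Match($cmd, '^(.+?\.(exe|sys))(\s|$)', 'IgnoreCase')
        $path = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] }
    }
    $path = $path -replace '^\\\?\?\\', ''            # \??\C:\... -> C:\...
    $path = $path -replace '^\\SystemRoot', $env:windir  # \SystemRoot\... -> C:\WINDOWS\...
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:windir $path }  # system32\...
    return $path
}

function Find-OrphanedAutostarts {
    # Services: StartMode shows which orphans are still set to start.
    Get-WmiObject Win32_Service | ForEach-Object {
        $path = Get-ImagePath $_.PathName
        if ($path -and -not (Test-Path -LiteralPath $path)) {
            New-Object PSObject -Property @{
                Kind = 'Service'; Name = $_.Name; Start = $_.StartMode; Missing = $path }
        }
    }
    # Run keys: the entries that appear as mRun/uRun lines in DDS/HijackThis logs.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
            $path = Get-ImagePath $p.Value
            if ($path -and -not (Test-Path -LiteralPath $path)) {
                New-Object PSObject -Property @{
                    Kind = 'Run'; Name = $p.Name; Start = $key; Missing = $path }
            }
        }
    }
}

Find-OrphanedAutostarts | Format-Table Kind, Name, Start, Missing -AutoSize
```

An entry listed here is not proof of malware, only of a leftover pointing at a missing file; entries belonging to removable media or network-mounted software can legitimately appear while the device is absent.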