Trojans and other FAKEMSN removed but system still doesn't seem just right



leejames75
2008-01-01, 21:46
Happy New Year Folks.

My girlfriend has a problem with her computer. Basically, her teenage brother has moved in, and in the last 2 months she has noticed that her PC is very slow. She created him as a Limited User on Windows XP. Today when I looked at her PC, I found and removed several adware items and 2 Trojans relating to the FAKEMSN messenger. I have downloaded and installed ZoneAlarm, and used AVG to find and remove several trojans.

I have also downloaded SUPERAntiSpyware, and used Cleanup, ATF and the new version of CCleaner to recover 6GB of space, and removed several toolbars and BHOs using Spybot 1.5. I have also prevented a lot of programs from starting up.

Spybot and Kaspersky have come back with clean scans, but she says that the computer is still slow when logged on to her account compared with what it was before her brother became a user. IE 7 pages are hanging and appear as not responding when other programs run.

She has a Pentium 3 with XP Home with SP2 and only 256MB of RAM. I used PCPitstop to run some scans but that ended up as not responding, as did the Crucial scan. So I used CPU-Z to find the speed of her memory so I can now buy some more memory for her. So, just to be on the safe side, I am posting a HJT log whilst logged in as her brother.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:21:17, on 01/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis\HiJackThis.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1409082233-1343024091-1957994488-1004\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-1409082233-1343024091-1957994488-1004\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User '?')
O4 - HKUS\S-1-5-21-1409082233-1343024091-1957994488-1004\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1409082233-1343024091-1957994488-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164319386296
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5183 bytes
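A triage pass over the HijackThis log format posted above, as an added example that is not part of the original thread: it parses the section-coded lines, notes entries worth a manual look, and shows Run values that HijackThis lists twice because HKCU is a view of the logged-on user's HKEY_USERS\<SID> hive. The review rules and function names are assumptions chosen for illustration, not HijackThis features; the sample lines are an excerpt of the log in the first post.

```python
import re
from collections import defaultdict

# Section codes that appear in the log above and what each one covers.
SECTIONS = {
    "R0": "IE start/search page", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "autostart (Run key)",
    "O8": "IE context-menu item", "O9": "IE extra button",
    "O16": "downloaded ActiveX control", "O18": "protocol handler",
    "O20": "Winlogon Notify DLL", "O23": "Windows service",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 body: <hive>\..\<key>: [<value name>] <command line>
AUTOSTART = re.compile(r"^(?P<hive>\S+?)\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Excerpt of the log posted above.
SAMPLE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-21-1409082233-1343024091-1957994488-1004\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

def parse(log_text):
    """Return (code, body) for every section-coded line; headers are skipped."""
    found = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def triage(entries):
    """Attach review notes (illustrative heuristics) to entries that earn any."""
    flagged = []
    for code, body in entries:
        notes = []
        if "(file missing)" in body:
            notes.append("target file missing: orphaned entry")
        if code == "O23" and "Unknown owner" in body:
            notes.append("no company name readable from the service binary")
        if code == "O20":
            notes.append("DLL loads inside winlogon.exe: confirm the vendor")
        if notes:
            flagged.append((code, SECTIONS.get(code, "unknown"), body, notes))
    return flagged

def shared_autostarts(entries):
    """Map Run value name -> hives, for names listed under more than one hive."""
    hives = defaultdict(set)
    for code, body in entries:
        m = AUTOSTART.match(body) if code == "O4" else None
        if m:
            hives[m.group("name")].add(m.group("hive"))
    return {name: sorted(h) for name, h in hives.items() if len(h) > 1}

if __name__ == "__main__":
    entries = parse(SAMPLE)
    for code, section, body, notes in triage(entries):
        print(f"{code} [{section}] {body}\n    -> " + "; ".join(notes))
    for name, where in shared_autostarts(entries).items():
        print(f"autostart '{name}' listed under: {', '.join(where)}")
```

A note from `triage` is a prompt to check the entry by hand, not a verdict that it is malicious.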

Blade81
2008-01-03, 12:24
Hi

Looks clean. Check if this set of instructions (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html) helps. 256MB of RAM is quite low for XP.

leejames75
2008-01-06, 00:49
Hi, I followed the advice given and, just out of curiosity, tried to boot into safe mode, and it just hangs. After 2 hours I left it hanging overnight and ended up rebooting the PC back into normal mode.

I ran a combo fix. Here is the log.

ComboFix 08-01-04.1 - Lee 2008-01-05 22:19:57.3 - NTFSx86
Running from: C:\Documents and Settings\Lee\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 22:20 . 2007-11-20 19:37 136,704 --a--c--- C:\WINDOWS\system32\catchme.exe
2008-01-05 22:14 . 2000-08-31 08:00 51,200 --a--c--- C:\WINDOWS\NirCmd.exe
2008-01-05 22:02 . 2001-05-25 06:01 90,112 --a--c--- C:\WINDOWS\system32\RegDACL.exe
2008-01-05 22:02 . 2005-01-13 20:41 53,248 --a--c--- C:\WINDOWS\system32\process.exe
2008-01-05 22:02 . 2007-12-29 20:40 8,940 --a--c--- C:\clean.bat
2008-01-05 22:02 . 2004-07-22 12:15 4,096 --a--c--- C:\WINDOWS\system32\reboot.exe
2008-01-05 22:02 . 2007-10-11 08:55 347 --a--c--- C:\run2.reg
2008-01-05 21:52 . 2008-01-01 18:09 262,144 --a--c--- C:\Program Files\Uninstall Spy Blocker.dll
2008-01-05 21:29 . 2008-01-05 21:29 <DIR> d----c--- C:\WINDOWS\LastGood
2008-01-05 21:20 . 2008-01-05 21:21 <DIR> d----c--- C:\WINDOWS\0E6AB9FC76C2431B9C066C1CFFFEA8EB.TMP
2008-01-04 21:15 . 2008-01-04 21:15 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-03 20:02 . 2008-01-03 20:02 <DIR> d--h-c--- C:\WINDOWS\PIF
2008-01-01 22:53 . 2007-09-24 23:31 69,632 --a--c--- C:\WINDOWS\system32\javacpl.cpl
2008-01-01 22:46 . 2008-01-01 22:53 <DIR> d----c--- C:\Program Files\Java
2008-01-01 22:45 . 2008-01-01 22:45 <DIR> d----c--- C:\Program Files\Common Files\Java
2008-01-01 20:23 . 2008-01-01 20:23 <DIR> d----c--- C:\Documents and Settings\samuel\Sam's Stuff
2008-01-01 19:11 . 2008-01-05 22:33 2,564,128 --ahsc--- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-01 19:11 . 2008-01-04 22:51 29,564 --ahsc--- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-01 18:09 . 2008-01-01 18:09 <DIR> d-a--c--- C:\Program Files\ZoneAlarmSB
2008-01-01 18:01 . 2008-01-01 18:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-01 17:57 . 2007-11-14 16:05 75,248 --a--c--- C:\WINDOWS\zllsputility.exe
2008-01-01 17:49 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-01 15:29 . 2008-01-01 15:29 <DIR> d----c--- C:\CPU-Z
2007-12-31 00:33 . 2000-03-15 00:07 57,344 --a--c--- C:\WINDOWS\system32\GkSui16.EXE
2007-12-30 17:58 . 2007-12-30 18:10 <DIR> d----c--- C:\Documents and Settings\Lee\Application Data\Uniblue
2007-12-30 17:43 . 2007-12-30 17:43 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PCPitstop
2007-12-30 17:04 . 2007-12-30 17:04 <DIR> d----c--- C:\Documents and Settings\Lee\Application Data\Skype
2007-12-30 16:21 . 2008-01-01 13:36 <DIR> d----c--- C:\Documents and Settings\Lee\Contacts
2007-12-30 15:56 . 2007-12-30 15:55 720,896 --a--c--- C:\WINDOWS\iun6002.exe
2007-12-30 15:41 . 2007-12-30 15:41 <DIR> d----c--- C:\Program Files\Defraggler
2007-12-25 16:02 . 2007-12-25 16:02 <DIR> d----c--- C:\Documents and Settings\samuel\Program Files
2007-12-25 16:02 . 2007-12-25 22:25 <DIR> d----c--- C:\Documents and Settings\samuel\Application Data\uTorrent
2007-12-22 14:00 . 2007-12-22 14:00 <DIR> d----c--- C:\WINDOWS\ERUNT
2007-12-17 22:09 . 2007-12-17 22:09 <DIR> d----c--- C:\Documents and Settings\samuel\Application Data\Grisoft
2007-12-16 09:35 . 2007-12-16 09:35 <DIR> d----c--- C:\Documents and Settings\adam\Application Data\Grisoft
2007-12-14 21:48 . 2007-12-14 21:48 <DIR> d----c--- C:\WINDOWS\system32\Kaspersky Lab
2007-12-14 21:48 . 2007-12-14 21:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-14 21:43 . 2007-12-14 21:43 <DIR> d----c--- C:\Documents and Settings\Lee\Application Data\Grisoft
2007-12-14 21:42 . 2007-05-30 12:10 10,872 --a--c--- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-13 16:35 . 2008-01-05 21:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 16:07 . 2008-01-04 21:19 <DIR> d----c--- C:\HijackThis
2007-12-13 15:40 . 2007-12-13 15:40 <DIR> d----c--- C:\Documents and Settings\samuel\Application Data\SUPERAntiSpyware.com
2007-12-12 20:29 . 2007-12-12 20:29 <DIR> d----c--- C:\Documents and Settings\adam\Application Data\SUPERAntiSpyware.com
2007-12-09 21:39 . 2007-12-09 21:41 <DIR> d----c--- C:\Documents and Settings\samuel\Application Data\AVG7
2007-12-09 10:08 . 2007-12-09 10:08 444 --a--c--- C:\WINDOWS\system32\d3d8caps.dat
2007-12-09 08:52 . 2007-12-15 10:37 664 --a--c--- C:\WINDOWS\system32\d3d9caps.dat
2007-12-09 08:24 . 2007-12-09 08:24 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-08 22:32 . 2007-12-08 22:32 <DIR> d----c--- C:\Program Files\MSBuild
2007-12-08 22:11 . 2008-01-01 14:40 <DIR> d----c--- C:\WINDOWS\system32\XPSViewer
2007-12-08 22:07 . 2007-12-08 22:07 <DIR> d----c--- C:\Program Files\Reference Assemblies
2007-12-08 22:03 . 2006-06-29 13:07 14,048 -----c--- C:\WINDOWS\system32\spmsg2.dll
2007-12-08 22:01 . 2007-12-08 22:01 <DIR> d----c--- C:\Program Files\MSXML 6.0
2007-12-08 21:50 . 2006-11-13 06:02 288,768 -----c--- C:\WINDOWS\system32\rhttpaa.dll
2007-12-08 21:50 . 2006-11-13 06:02 116,736 -----c--- C:\WINDOWS\system32\aaclient.dll
2007-12-08 21:50 . 2006-11-13 06:02 36,352 -----c--- C:\WINDOWS\system32\tsgqec.dll
2007-12-08 21:20 . 2007-12-10 16:02 <DIR> d----c--- C:\Documents and Settings\adam\Application Data\AVG7
2007-12-08 18:52 . 2007-12-08 18:52 <DIR> d----c--- C:\Program Files\RegCompact.NET
2007-12-08 17:57 . 2008-01-01 18:10 4,212 ---h-c--- C:\WINDOWS\system32\zllictbl.dat
2007-12-08 17:54 . 2008-01-01 17:58 <DIR> d----c--- C:\WINDOWS\system32\ZoneLabs
2007-12-08 17:54 . 2008-01-05 22:02 <DIR> d----c--- C:\WINDOWS\Internet Logs
2007-12-08 17:54 . 2008-01-05 18:34 353,431 --a--c--- C:\WINDOWS\system32\vsconfig.xml
2007-12-08 17:40 . 2008-01-05 18:38 <DIR> d----c--- C:\Documents and Settings\Lee\Application Data\AVG7
2007-12-08 10:11 . 2007-12-08 10:11 <DIR> d----c--- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-08 10:09 . 2007-12-14 21:42 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-08 10:09 . 2008-01-05 22:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-08 09:51 . 2008-01-05 21:29 <DIR> d----c--- C:\Program Files\Windows Live Safety Center
2007-12-07 22:39 . 2007-12-07 22:39 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-07 22:36 . 2008-01-05 21:32 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-07 22:03 . 2007-12-30 15:42 <DIR> d----c--- C:\Program Files\CCleaner


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 21:54 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-01-04 22:06 9,344 -c--a-w C:\windows\system32\drivers\NSDriver.sys
2008-01-04 22:06 8,320 -c--a-w C:\windows\system32\drivers\AWRTRD.sys
2007-12-23 17:38 --------- dc----w C:\Program Files\MSN Messenger
2007-12-08 17:41 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-07 21:40 --------- dc----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-29 16:50 4,096 -c--a-w C:\windows\system32\sysres.dll
2007-11-29 16:50 38,567 -c--a-w C:\windows\system32\pcpbios.exe
2007-11-28 20:57 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-11-28 20:54 --------- dc----w C:\Program Files\Skype
2007-11-28 20:54 --------- dc----w C:\Documents and Settings\All Users\Application Data\Skype
2007-11-28 20:53 --------- dc----w C:\Program Files\Common Files\Skype
2007-11-27 19:56 --------- dc----w C:\Program Files\Picasa2
2007-11-13 10:25 20,480 -c--a-w C:\windows\system32\drivers\secdrv.sys
2007-11-09 17:47 --------- dc----w C:\Program Files\VideoLAN
2007-10-29 22:43 1,287,680 -c--a-w C:\windows\system32\quartz.dll
2007-10-27 17:40 222,720 -c--a-w C:\windows\system32\wmasf.dll
2007-10-24 01:47 96,760 -c--a-w C:\windows\system32\dfshim.dll
2007-10-24 01:47 84,480 -c--a-w C:\windows\system32\mscories.dll
2007-10-24 01:47 282,112 ----a-w C:\windows\system32\mscoree.dll
2007-10-24 01:47 158,720 -c--a-w C:\windows\system32\mscorier.dll
2007-10-14 18:44 30,760 -c--a-w C:\Documents and Settings\samuel\Application Data\GDIPFONTCACHEV1.DAT
2007-10-11 09:55 88,576 -c--a-w C:\windows\system32\infocardapi.dll
2007-10-11 09:55 579,584 -c--a-w C:\windows\system32\icardagt.exe
2007-10-11 09:55 11,776 -c--a-w C:\windows\system32\icardres.dll
2007-10-09 13:03 779,800 -c--a-w C:\windows\system32\PresentationNative_v0300.dll
2007-10-09 13:03 73,752 -c--a-w C:\windows\system32\dxva2.dll
2007-10-09 13:03 493,080 -c--a-w C:\windows\system32\evr.dll
2007-10-09 13:03 350,744 -c--a-w C:\windows\system32\PresentationHost.exe
2007-10-09 13:03 33,304 -c--a-w C:\windows\system32\PresentationHostProxy.dll
2007-10-09 13:03 161,304 -c--a-w C:\windows\system32\UIAutomationCore.dll
2007-10-09 13:03 106,520 -c--a-w C:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 13:03 1,986,072 -c--a-w C:\windows\system32\milcore.dll
2007-10-09 12:58 16,896 -c--a-w C:\windows\system32\tswpfwrp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 08:07 827392]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 18:01 579072]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ZoneAlarmSB Uninstall"="C:\PROGRA~1\UNINST~1.DLL" [2008-01-01 18:09 262144]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 21:18 443968]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-08 10:09 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 07:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\PROGRA~1\MSNMES~1\msnmsgr.exe /background

S3 cur_bus;Curitel USB Composite Device driver (WDM);C:\windows\system32\DRIVERS\cur_bus.sys [2005-07-19 19:39]
S3 cur_mdfl;Curitel Packet Service Filter;C:\windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 19:40]
S3 cur_mdm;Curitel Packet Service Drivers;C:\windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 19:40]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);C:\windows\system32\DRIVERS\cur_serd.sys [2005-07-19 19:42]

.
Contents of the 'Scheduled Tasks' folder
"2007-06-15 16:25:21 C:\windows\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
"2007-12-30 17:58:28 C:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-12-30 17:58:25 C:\windows\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 22:36:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\windows\system32\winlogon.exe
-> C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-01-05 22:40:05
.
2007-12-13 00:07:26 --- E O F ---

Blade81
2008-01-06, 16:22
Hi

Looks ok. Have you tried booting into safe mode after you had run ComboFix? If you have, did it work?

leejames75
2008-01-06, 18:22
Yes the PC booted up into safe mode, and I am now able to run PCPITSTOP.

When the PC is idle, the CPU is at 54% according to Task Manager.

At the moment the only items in the Taskbar are AVG Anti Virus and Zonealarm.

I was wondering if IE7 is causing the slowness, but since this is not my PC, I am unsure if there is a link still available somewhere for me to download IE6 and then uninstall IE7, and go back to IE6 until I can upgrade their memory to 512MB.

However I can't do anything to this PC for another week.

They have the Genuine Version of Windows, but no disk :sad:

Blade81
2008-01-06, 18:28
Ok. Since this seems to be an issue with something other than malware, and we mainly deal with malware issues only, I suggest you post about the problem, for example, to the PCPitstop forums (http://forums.pcpitstop.com). :)

Blade81
2008-01-13, 02:14
leejames75

Did you post about the problem at PCPitstop forums? Can we close the topic here?

Blade81
2008-01-16, 22:33
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.