1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Very slow system ! Crawling..

Discussion in 'Windows - Virus and spyware problems' started by mossfan18, May 25, 2011.

  1. mossfan18

    mossfan18 Regular member

    Joined:
    Feb 23, 2007
    Messages:
    214
    Likes Received:
    0
    Trophy Points:
    26
    So my sister calls me from another state to tell me her PC is not working; that it is crawling all of the sudden and it loads pages extremely slow. Moreover, it will not allow her to create a system restore point, whenever she attempts to restore to an earlier date it just gives the current date. She is running Vista as her OS. Here is her HijackThis log file:

    ogfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:11:25 PM, on 2/1/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\Dwm.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil9d.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3612
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3612
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3612
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3612
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 7759 bytes

    If you can see anything please let me know. If you have any advice or recommendations please let me know. I had her run Malwarebyes as well. I will post a log of that below.

    Thanks in advance!
     
    Last edited: May 26, 2011
  2. mossfan18

    mossfan18 Regular member

    Joined:
    Feb 23, 2007
    Messages:
    214
    Likes Received:
    0
    Trophy Points:
    26
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6668

    Windows 6.0.6000
    Internet Explorer 7.0.6000.17037

    5/24/2011 8:11:45 PM
    mbam-log-2011-05-24 (20-11-45).txt

    Scan type: Quick scan
    Objects scanned: 164245
    Time elapsed: 7 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 32
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{4A40E8FC-C7E4-4F57-9FA4-85DD77402897} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1F158A1E-A687-4a11-9679-B3AC64B86A1C} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{FBB40FDF-B715-4342-AB82-244ECC66E979} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{067C6A37-72EA-4437-863A-5BE20C246F3C} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1F158A1E-A687-4A11-9679-B3AC64B86A1C} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1F158A1E-A687-4A11-9679-B3AC64B86A1C} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{E313F5DC-CFE7-4568-84A4-C76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SeekmoAX.UserProfiles.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SeekmoAX.UserProfiles (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E313F5DC-CFE7-4568-84A4-C76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E5B2693-D348-4CA7-8364-4F5E51BF9C6D} (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6FD31ED6-7C94-4BBC-8E95-F927F4D3A949} (Adware.180Solutions) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E596DF5F-4239-4D40-8367-EBADF0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\HBMain.CommBand (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\HBMain.CommBand.1 (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hbr.HbMain (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\hbr.HbMain.1 (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\HostIE.Bho (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\HostIE.Bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Seekmo.DesktopFlash (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Seekmo.DesktopFlash.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SeekmoAX.ClientDetector (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SeekmoAX.ClientDetector.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\SeekmoSA_df.exe (Adware.Seekmo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Secure Delete (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\secure_del (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\seekmosa (Adware.Seekmo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\programdata\SeekmoSA (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\Users\jenn\AppData\Roaming\Seekmo (Adware.Seekmo) -> Delete on reboot.
    c:\programdata\microsoft\Windows\start menu\Programs\Seekmo (Adware.Seekmo) -> Quarantined and deleted successfully.

    Files Infected:
    c:\Users\jenn\AppData\Local\Temp\Low\h8srtca3e.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Windows\Temp\tmp0000003db4fd0a9082a73284 (Trojan.Dropper) -> Quarantined and deleted successfully.
    c:\Users\jenn\downloads\Setup.exe (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\SeekmoSA\SeekmoSA.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\SeekmoSA\seekmosaabout.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\SeekmoSA\seekmosaau.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\SeekmoSA\seekmosaeula.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\SeekmoSA\seekmosa_kyf.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\microsoft\Windows\start menu\Programs\Seekmo\reset cursor.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\microsoft\Windows\start menu\Programs\Seekmo\seekmo customer support center.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
     

Share This Page