Computer has gone crazy

Discussion in 'malware problems & news' started by hilus, Aug 22, 2006.

Thread Status:
Not open for further replies.
  1. hilus

    hilus Registered Member

    Joined:
    Aug 22, 2006
    Posts:
    1
    Hi, Please help! I have been trying to solve my problem for 3 days. My computer suddenly seems to have a mind of its own. It seems to be slower than normal. Also while sitting Idle, it will suddenly begin to do things on its own (the mouse cursor becomes busy). I have included reports from several scans, they seen to indicate that I have unknown process and/or services running. Any help will be greatly appreciated.

    Thanks…

    Running Windows XP Pro W/ SP2 and all updates along with the following security programs.
    Symantec Antivirus Corporate Edition- V 7.61.930
    Spybot Search and Destroy
    Ad-Aware SE Personal V1.06r1
    A-Squared Free 2.0
    Ewido Anti-Spyware trial
    Windows Defender
    AVG Free V7.1.405
    Zone Alarm Free
    Mozilla Thunderbird, and Firefox.


    Logs...

    "Silent Runners.vbs", revision 46, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
    "!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
    \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\SiteAdv.dll" ["McAfee, Inc."]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {HKLM...CLSID} = "Shell Search Band"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {HKLM...CLSID} = "Portable Media Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
    -> {HKLM...CLSID} = "VpshellEx Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
    -> {HKLM...CLSID} = "iTunes"
    \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {HKLM...CLSID} = "AVG7 Find Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Context Menu Shell Extension"
    -> {HKLM...CLSID} = "a-squared Free Context Menu"
    \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]
    "{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
    -> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
    -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]
    INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
    LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
    -> {HKLM...CLSID} = "VpshellEx Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
    -> {HKLM...CLSID} = "a-squared Free Context Menu"
    \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
    -> {HKLM...CLSID} = "VpshellEx Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Startup items in "John" & "All Users" startup folders:
    ------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


    Enabled Scheduled Tasks:
    ------------------------

    "MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
    -> {HKLM...CLSID} = "McAfee SiteAdvisor"
    \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\SiteAdv.dll" ["McAfee, Inc."]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
    Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Canon BJ Language Monitor PIXMA iP4000\Driver = "CNMLM64.DLL" ["CANON INC."]
    SUGS2 Langmon\Driver = "SUGS2LMK.DLL" ["Samsung Electronics."]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 18 seconds.
    + The search for all Registry CLSIDs containing dormant Explorer Bars
    took 13 seconds.
    ---------- (total run time: 59 seconds)
     
  2. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    if after following that guide you still have trouble, i suggest you repost your hijackthis log at the SpywareInfo forums
     
Loading...
Thread Status:
Not open for further replies.