1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Active computer hang when i use firefox or IE surf web

Discussion in 'Malware and Virus Removal Archive' started by Hei, 2009/11/07.

  1. 2009/11/07
    Hei

    Hei Inactive Thread Starter

    Joined:
    2008/09/02
    Messages:
    37
    Likes Received:
    0
    [Active] computer hang when i use firefox or IE surf web

    DDS (Ver_09-10-26.01) - NTFSx86 NETWORK
    Run by Administrator at 11:32:50.67 on Sun 11/15/2009
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.347 [GMT 8:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\mmc.exe
    C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Connection Wizard,ShellNext = iexplore
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - d:\program files\free download manager\iefdm2.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\freedo~1.lnk - d:\program files\free download manager\fdm.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rvs201~1.lnk - d:\program files\virturesys\rvs3\rvsgui.exe
    IE: Download all with Free Download Manager - file://d:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - file://d:\program files\free download manager\dlselected.htm
    IE: Download video with Free Download Manager - file://d:\program files\free download manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://d:\program files\free download manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxsrvc.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ma0lsv56.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - component: d:\program files\free download manager\firefox\extension\components\vmsfdmff.dll

    ---- FIREFOX POLICIES ----
    d:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

    ============= SERVICES / DRIVERS ===============

    R0 RVSystem;RVSystem;c:\windows\system32\drivers\rvsystem.sys [2009-10-19 45136]
    R1 rvsmon;rvsmon;c:\windows\system32\drivers\rvsmon.sys [2009-10-19 262184]
    R1 rvsmonn;rvsmonn;c:\windows\system32\drivers\rvsmonn1.sys [2009-10-19 28640]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2003-2-4 108289]
    S2 RVSMONBL;Returnil Virtual System Core Service;c:\windows\system32\returnil\rvs3\rvsmon.exe [2009-10-9 1211552]
    S2 rvsmonf;rvsmonf;c:\windows\system32\drivers\rvsmonf.sys [2009-10-19 1033160]

    ============== File Associations ===============

    regfile= "%1" %*
    scrfile= "%1" %*

    =============== Created Last 30 ================

    2009-11-14 15:28:28 4096 ----a-w- c:\windows\d3dx.dat
    2009-11-14 09:51:05 0 d-s---w- c:\documents and settings\administrator\UserData
    2009-11-14 07:30:34 5460 ----a-w- c:\documents and settings\administrator\.recently-used.xbel
    2009-11-10 13:17:58 578 ----a-w- c:\documents and settings\administrator\WinKawaks.rom
    2009-11-10 13:17:35 5647 ----a-w- c:\documents and settings\administrator\WinKawaks.ini
    2009-11-09 16:09:36 0 d-----w- c:\program files\Defraggler
    2009-11-09 15:03:51 0 d-----w- c:\docume~1\admini~1\applic~1\uTorrent
    2009-11-06 14:38:18 59648 -c--a-w- c:\windows\system32\dllcache\rfcomm.sys
    2009-11-06 14:38:18 59648 ----a-w- c:\windows\system32\drivers\rfcomm.sys
    2009-11-06 14:38:16 27136 -c--a-w- c:\windows\system32\dllcache\irmon.dll
    2009-11-06 14:38:16 27136 ----a-w- c:\windows\system32\irmon.dll
    2009-11-06 14:38:16 17024 -c--a-w- c:\windows\system32\dllcache\bthenum.sys
    2009-11-06 14:38:16 17024 ----a-w- c:\windows\system32\drivers\BthEnum.sys
    2009-11-06 14:38:14 152576 -c--a-w- c:\windows\system32\dllcache\irftp.exe
    2009-11-06 14:38:14 152576 ----a-w- c:\windows\system32\irftp.exe
    2009-11-06 14:38:13 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
    2009-11-06 14:38:13 8192 ----a-w- c:\windows\system32\wshirda.dll
    2009-11-06 13:06:15 0 d-----w- c:\windows\system32\Adobe
    2009-10-30 04:15:53 4992 -c--a-w- c:\windows\system32\dllcache\loop.sys
    2009-10-30 04:15:53 4992 ----a-w- c:\windows\system32\drivers\loop.sys
    2009-10-27 02:58:33 111 ----a-w- c:\documents and settings\administrator\BETA.ini
    2009-10-27 02:53:29 59 ----a-w- c:\documents and settings\administrator\CONFIG.ini
    2009-10-27 02:53:29 285 ----a-w- c:\documents and settings\administrator\SCORES.dat
    2009-10-26 16:04:56 0 d-----w- c:\docume~1\admini~1\applic~1\MAXON
    2009-10-26 03:40:54 0 d-----w- c:\documents and settings\administrator\.thumbnails
    2009-10-26 03:18:53 0 d-----w- c:\documents and settings\administrator\.gimp-2.6
    2009-10-25 15:22:51 0 d-----w- C:\Downloads
    2009-10-25 15:17:15 0 d-----w- c:\docume~1\admini~1\applic~1\Free Download Manager
    2009-10-24 03:17:31 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
    2009-10-24 03:17:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-24 03:17:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-10-24 03:17:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-10-20 01:54:33 0 d-----w- c:\documents and settings\administrator\dwhelper
    2009-10-18 16:41:17 327168 ----a-w- c:\windows\IsUninst.exe
    2009-10-18 16:24:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Returnil
    2009-10-18 16:24:17 0 d-----w- c:\docume~1\admini~1\applic~1\Returnil
    2009-10-18 16:24:11 0 d--h--w- C:\Returnil
    2009-10-18 16:24:08 28640 ----a-w- c:\windows\system32\drivers\rvsmonn1.sys
    2009-10-18 16:24:07 1033160 ----a-w- c:\windows\system32\drivers\rvsmonf.sys
    2009-10-18 16:24:04 262184 ----a-w- c:\windows\system32\drivers\rvsmon.sys
    2009-10-18 16:24:00 45136 ----a-w- c:\windows\system32\drivers\rvsystem.sys
    2009-10-18 16:23:59 0 d-----w- c:\windows\system32\Returnil
    2009-10-18 16:20:49 0 d-----w- c:\docume~1\admini~1\applic~1\Inkscape
    2009-10-17 06:15:39 0 d-----w- c:\windows\pss
    2009-10-17 01:41:34 0 d-----w- c:\docume~1\admini~1\applic~1\CoSoSys

    ==================== Find3M ====================

    2009-10-14 14:28:13 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

    ============= FINISH: 11:33:03.04 ===============

    file:///C:/Documents and Settings/Administrator/Desktop/Attach.txt

    Should i use combofix? or what else should i do to fix it?
     
    Hei,
    #1
  2. 2009/11/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    2nd part of DDS log is missing.
     
    broni,
    #2


  3. to hide this advert.

  4. 2009/11/08
    Hei

    Hei Inactive Thread Starter

    Joined:
    2008/09/02
    Messages:
    37
    Likes Received:
    0
    i don't know how to attach so i post this:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-10-26.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/4/2003 8:16:38 PM
    System Uptime: 11/15/2009 11:31:48 AM (0 hours ago)

    Motherboard: | | i845G-W83627
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | Socket 478 | 2398/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 75 GiB total, 67.1 GiB free.
    D: is FIXED (NTFS) - 19 GiB total, 16.623 GiB free.
    E: is FIXED (FAT32) - 19 GiB total, 16.898 GiB free.
    F: is CDROM (UDF)

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1
    Adobe Shockwave Player 11.5
    Avira AntiVir Personal - Free Antivirus
    CCleaner
    Defraggler
    Free Download Manager 3.0
    GIMP 2.6.7
    Inkscape 0.45
    Inpaint 2.0
    Intel(R) Extreme Graphics Driver
    K-Lite Codec Pack 5.0.0 (Full)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox (3.5.5)
    Puzzle Pirates
    Realtek AC'97 Audio
    Returnil Virtual System 2010
    ScreenDASH
    Skype web features
    Skypeâ„¢ 4.1
    Treasure Of Persia
    Trick Ball 1.1.4
    WebFldrs XP
    Yahoo! Messenger
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    11/9/2009 2:22:09 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{901BB0E2-0278-499E-AC1C-0602F9996691} because another computer on the network has the same name. The server could not start.
    11/9/2009 2:21:48 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
    11/9/2009 10:19:21 AM, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
    11/14/2009 7:40:28 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    11/14/2009 7:25:11 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    11/14/2009 7:23:21 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00E374271955 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    11/14/2009 5:49:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm ssmdrv
    11/14/2009 5:46:28 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -604843 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.2:123->207.46.197.32:123) is working properly.
    11/14/2009 2:06:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    11/14/2009 1:21:03 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss rvsmonn ssmdrv Tcpip
    11/14/2009 1:21:03 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    11/14/2009 1:21:03 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/14/2009 1:21:03 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/14/2009 1:21:03 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    11/14/2009 1:19:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/14/2009 1:19:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    11/14/2009 1:19:35 PM, error: RVSystem [1411] -

    ==== End Of File ===========================
     
    Hei,
    #3
  5. 2009/11/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looking at your Event Viewer log, it looks like you may have some network problem, but let's make sure, your computer is clean...


    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes ". If not, update the definitions before scanning by selecting "Check for Updates ". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.
    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #4

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...