100 % cpu at reboot and no access to Windows update

Solved/Closed
yanu22 Posts 7 Registration date Monday December 10, 2012 Status Member Last seen December 22, 2012 - Dec 19, 2012 at 04:52 AM
 yanu22 - Dec 30, 2012 at 05:53 AM
Hello,

I have an xp pc that was running ok despite the fact that i can not acess windows update for years but since i run mbam it works ok, although mbam keeps on blocking out-coming and incoming web access with a defined ip adress.

Ok not ideal but it was working well enough but recently it reach a point where at reboot with no programs running, the cpu goes from 10% to 100% erratically. So I tried go to windows update but IE and firefox can not acess the website (error message) !!
i tried other ways to access no success even with a windows update downloader and panda my antivirus no good neither. So then i decide to REpair XP or reinstall
but when I have to choose which windows installation I need to repair then the pc shuts down completely and i have to switch if off in the back to reboot it again. However going to my existing xp takes time but it works !! so I do not think it can be a hardware problem
maybe the BIOS is affected. I mention also that i run a system files check scannow sucessfully...

I nonetheless manage to run ZHPdiag despite 100% cpu, it took ages but here is the log
http://speedy.sh/PZKZn/ZHPDiag.Txt

the shut down at xp install is worrying me, can i fix it or wait for it to die ?

thanks for reading and for your help.
Related:

14 responses

Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,163
Dec 19, 2012 at 05:32 AM
Hello,

At first glance, your system is very much infected by all kinds of malware (spyrare, adware, trojan horse) including a rootkit.

I also noticed that you have cracked applications and key generators. I trust that you are willing to delete those, otherwise will not be able to help you.
0
yanu22 Posts 7 Registration date Monday December 10, 2012 Status Member Last seen December 22, 2012
Dec 19, 2012 at 05:40 AM
yes no problem just list them thank you
0
yanu22 Posts 7 Registration date Monday December 10, 2012 Status Member Last seen December 22, 2012
Dec 19, 2012 at 06:13 AM
i got those old crack games from others but i understand it is not a proper way to play it.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,163
Dec 19, 2012 at 06:15 AM
First lets try to gain some power.

This only a first step and considering all the infected files and that I must soon sign off, we may not be able to do everything today.

(You have 4 browser applications, do you need so many?)

Attacking the rootkit

1. Downnload the following on your desktop:

https://support.kaspersky.com/downloads/utils/tdsskiller.zip

2. Close all running application including this one.

3. Unzip the folder and run the tool.

4. Once the scan is finished, check all the items found and delete.

5. Close the tool

Attacking some viruses

On your desktop, ZHP Diag created an icon called ZHP Fix

1. Open ZHP Fix

2. Copy the following lines:

[MD5.0A61A3ACE26CA4FC637BC8AF8C05CC00] - (.SweetIM Technologies Ltd. - SweetIM Instant Messenger Enhancer.) -- C:\Program Files\SweetIM\Messenger\SweetIM.exe [115032] [PID.] O4 - HKLM\..\Run: [SweetIM] . (.SweetIM Technologies Ltd. - SweetIM Instant Messenger Enhancer.) -- C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [Sweetpacks Communicator] . (.SweetIM Technologies Ltd. - Update Manager for SweetPacks.) -- C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe
O42 - Logiciel: SweetIM for Messenger 3.7 - (.SweetIM Technologies Ltd..) [HKLM] -- {A0C9DF2B-89B5-4483-8983-18A68200F1B4} O42 - Logiciel: SweetPacks bundle uninstaller - (.SweetIM Technologies Ltd..) [HKLM] -- {0C43FE6B-E881-4AFC-B384-4AEBC90047E8}
O42 - Logiciel: pdfforge Toolbar v5.0 - (.Spigot, Inc..) [HKLM] -- {7F77DB04-A969-40a4-89EF-06CE06D56524} [HKCU\Software\BitLord]
[HKCU\Software\C:] => Trojan Remover
[HKCU\Software\Spointer]
[HKCU\Software\SweetIM]
[HKLM\Software\CrazyLoader]
[HKLM\Software\SweetIM]
O43 - CFD: 12/12/2012 - 19:47:19 - [7,547] ----D C:\Program Files\SweetIM
O43 - CFD: 09/04/2011 - 12:19:09 - [0,036] ----D C:\Documents and Settings\nd\Local Settings\Application Data\crazyloader Air
O43 - CFD: 19/03/2011 - 15:21:27 - [0] ----D C:\Documents and Settings\nd\Local Settings\Application Data\PackageAware
O47 - AAKE:Key Export SP - "C:\Program Files\BitLord\BitLord.exe" [Enabled] .(...) -- C:\Program Files\BitLord\BitLord.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\Program Files\CrazyLoader\crazyloader.exe" [Enabled] .(...) -- C:\Program Files\CrazyLoader\crazyloader.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe" [Enabled] .(.SweetIM Technologies Ltd. - Update Manager for SweetPacks.) -- C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe
O53 - SMSR:HKLM\...\startupreg\HBLiteSA [Key] . (...) -- C:\Program Files\HBLite\bin\11.0.363.0\HBLiteSA.exe (.not file.)
O81 - IFC: Internet Feature Controls [HKLM] [FEATURE_BROWSER_EMULATION] -- svchost.exe
O81 - IFC: Internet Feature Controls [HKUS\.DEFAULT] [FEATURE_BROWSER_EMULATION] -- svchost.exe
O81 - IFC: Internet Feature Controls [HKUS\S-1-5-18] [FEATURE_BROWSER_EMULATION] -- svchost.exe
[MD5.D9DA3FDE1AEE64CEE57D4C57A538A53B] [SPRF][12/12/2012] (.SweetIM Technologies Ltd. - SweetIM Installer by SweetPacks.) -- C:\Documents and Settings\nd\Bureau\bundlesweetimsetup.exe [7739736] => Infection PUP (PUP.SweetIM)
[HKLM\Software\Classes\bitlordunfinishedfile] => Infection BT (Spyware.WhenUSave)
[HKLM\Software\Classes\Crazyloader.Spointer] => Infection BT (Adware.SPointer)
[HKLM\Software\Classes\Crazyloader.Spointer.1] => Infection BT (Adware.SPointer)
[HKLM\Software\Classes\Crazyloader.SpointerCtrl] => Infection BT (Adware.SPointer)
[HKLM\Software\Classes\Crazyloader.SpointerCtrl.1] => Infection BT (Adware.SPointer)
[HKLM\Software\Classes\Interface\{471E3998-588E-41D5-A874-FA11C44B70DE}] => Infection PUP (PUP.OfferBox)
[HKLM\Software\Classes\TypeLib\{63AF3145-D2DC-4F1D-BB3A-3AAD9FEC3430}] => Infection PUP (PUP.OfferBox)
[HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6DF77AA3-27AF-46f2-A1DA-B569AC6BEEFF}] => Infection PUP (PUP.OfferBox)
[HKLM\Software\Classes\Interface\{6F6C45E4-E231-4F0F-8CD8-AA5770303EAA}] => Infection PUP (PUP.OfferBox)
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A0C9DF2B-89B5-4483-8983-18A68200F1B4}] => Infection PUP (PUP.SweetIM)
[HKLM\Software\Classes\Interface\{A439801C-961D-452C-AB42-7848E9CBD289}] => Infection BT (Toolbar.Babylon)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5F65718-341D-4e7d-9842-FCB9CC89527E}] => Infection BT (Adware.Spointer)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C5F65718-341D-4e7d-9842-FCB9CC89527E}] => Infection BT (Adware.Spointer)
[HKLM\Software\Classes\Interface\{D4E856E7-C034-49BA-BFEF-B785F3CBD7BA}] => Infection PUP (PUP.OfferBox)
[HKLM\Software\Classes\TypeLib\{D530F69A-EB2D-4EC6-BD37-E123AEFCA011}] => Infection PUP (PUP.OfferBox)
[HKLM\Software\Classes\Interface\{DB7A9C36-6C85-48BE-BA8D-151B6B144BE0}] => Infection PUP (PUP.OfferBox)
[HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DBA4B812-2415-4000-AFCB-56F53E668DC5}] => Infection PUP (PUP.OfferBox)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}] => Infection BT (Adware.Yontoo)
[HKLM\Software\Classes\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}] => Infection BT (Toolbar.Babylon)
[HKLM\Software\Classes\Interface\{F77F3DFC-F5DC-4316-AB50-B50B16F2BEF4}] => Infection PUP (PUP.OfferBox)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C}] => Infection BT (Hijack.Browser)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C}] => Infection BT (Hijack.Browser)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}] => Infection BT (Adware.Yontoo)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}] => Infection BT (Adware.Yontoo)
[HKCU\Software\bitlord] => Infection BT (Spyware.WhenU-Save)
[HKLM\Software\Mozilla\Firefox\Extensions]:crazyloader@spointer.com => Infection BT (Adware.SPointer)
C:\Program Files\SweetIM => Infection PUP (PUP.SweetIM)
C:\Documents and Settings\nd\Local Settings\Application Data\Crazyloader Air => Infection BT (Adware.SPointer)
O90 - PUC: "B2FD9C0A5B9838449838816A28001F4B" . (.SweetIM for Messenger 3.7.) -- C:\WINDOWS\Installer\{A0C9DF2B-89B5-4483-8983-18A68200F1B4}

3. Click on the clipboard icon and a GO button will appear.

4. Click on go

5. Close ZHP Fix

6. Make you delete all ZHP Logs otherwise you may not be able to produce a new one.

7. Produce another log and upload it. Also tell me if you see any improvements.

Good luck
0
yanu22 Posts 7 Registration date Monday December 10, 2012 Status Member Last seen December 22, 2012
Dec 20, 2012 at 05:27 AM
hi
i already tried TDSSkiller it never found anything and this time also
not result, it also true when i run mbam it does not found anything.
ok i run the zhp fix ok , after reboot it seems a bit faster and cpu stay more still than before when no programs running but it still goes high sometimes. However when i run any programs it goes to 99%
thanks for your help i haven't got a log yet, it takes ages. I 'll put it later.
0

Didn't find the answer you are looking for?

Ask a question
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,163
Dec 20, 2012 at 05:31 AM
Never mind the log for now, upload it after running the following tool:

To keep your system safe, you must follow the instructions hereunder to the letter:

1. Download Combofix to your desktop.

https://www.bleepingcomputer.com/download/combofix/

(click on the download @ bleeping computer button)

2.Close all open Windows including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

4. Accept the disclaimer and the recovery

5.You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

During the process, please do not mouse click nor must you tap on the keyboard. Let the tool run.

Good luck

P.S. I'm getting writer's cramps.
0
yanu22 Posts 7 Registration date Monday December 10, 2012 Status Member Last seen December 22, 2012
Dec 21, 2012 at 04:31 AM
hi
thanks you very much for your help
combofix is still working I'll keep you posted
thanks again
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,163
Dec 21, 2012 at 05:58 AM
After Combofix, please upload a new ZHP Diag log
0
yanu22 Posts 7 Registration date Monday December 10, 2012 Status Member Last seen December 22, 2012
Dec 21, 2012 at 02:01 PM
hi
combofix done here is the log
http://speedy.sh/7ueCP/ZHPDiag.Txt
pc ok when nothing run but cpu still 99% when i run a program
thanks
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,163
Dec 21, 2012 at 06:05 PM
Hello

What part of France are you from ? Just curious.

Please open ZHP Fix as you did before.
Copy the following
Click on clip board and click on go

HKLM\Software\13fe]
M3 - MFPP: Plugins - [nd] -- C:\Documents and Settings\nd\Application Data\Mozilla\Firefox\Profiles\ybgpfqub.default\searchplugins\sweetim.xml => Toolbar.SweetIM
M2 - MFEP: prefs.js [nd - ybgpfqub.default\{EEE6C361-6118-11DC-9C72-001320C79847}] [] SweetPacks Toolbar for Firefox v1.6.0.3 (.SweetIM Technologies LTD..) => Toolbar.SweetIM
O2 - BHO: (no name) - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} Clé orpheline => Conduit Softonic Toolbar
O2 - BHO: (no name) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} Clé orpheline => Toolbar.Skype
O42 - Logiciel: Skype Toolbars - (.Skype Technologies S.A..) [HKLM] -- {A29549FD-65F3-440C-A552-6B8114CF319D} => Toolbar.Skype
O42 - Logiciel: Softonic-Eng7 Toolbar - (.Softonic-Eng7.) [HKLM] -- Softonic-Eng7 Toolbar => Toolbar.Conduit
[HKCU\Software\Softonic-Eng7] => Toolbar.Conduit
[HKLM\Software\Softonic-Eng7] => Toolbar.Conduit
O43 - CFD: 27/03/2011 - 22:31:56 - [11,404] ----D C:\Program Files\Softonic-Eng7 => Toolbar.Conduit
O43 - CFD: 01/04/2011 - 22:22:37 - [5,679] ----D C:\Documents and Settings\nd\Local Settings\Application Data\Softonic-Eng7 => Toolbar.Conduit
[HKLM\Software\Classes\sim-packages] => Toolbar.Agent
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0C43FE6B-E881-4AFC-B384-4AEBC90047E8}] => Toolbar.SweetIM
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0F6E720A-1A6B-40E1-A294-1D4D19F156C8}] => Toolbar.SFR
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0F6E720A-1A6B-40E1-A294-1D4D19F156C8}] => Toolbar.SFR
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F9B915-B755-4826-820B-08FBA6BD249D}] => Toolbar.Conduit
[HKLM\Software\Classes\TypeLib\{4d3b167e-5fd8-4276-8fd7-9df19c1e4d19}] => Toolbar.SweetIM
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] => Toolbar.Skype
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] => Toolbar.Skype
[HKLM\Software\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] => Toolbar.Skype
[HKLM\Software\Microsoft\Internet Explorer\extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] => Toolbar.Skype
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] => Toolbar.Skype
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] => Toolbar.Skype
[HKLM\Software\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] => Toolbar.Skype
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] => Toolbar.Skype
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF] => Toolbar.Ask
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E] => Toolbar.Ask
[HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg\SweetIM] => Toolbar.SweetIM
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A29549FD-65F3-440C-A552-6B8114CF319D}] => Toolbar.Skype
C:\Documents and Settings\nd\Application Data\Mozilla\Firefox\Profiles\ybgpfqub.default\SearchPlugins\sweetim.xml => Toolbar.SweetIM
O90 - PUC: "DF94592A3F56C0445A25B61841FC13D9" . (.Skype Toolbars.) -- C:\WINDOWS\Installer\{A29549FD-65F3-440C-A552-6B8114CF319D}\IconUninstallIco => Toolbar.Skype


Close ZHP Fix

I would also like that you delete the following:

C:\Nouveau dossier\Trojan.Remover.v6.7.6.WinALL.Incl.Keygen.and.Patch-BRD\brtr676a.zip => Crack, KeyGen, Keymaker - Possible Malware
C:\Nouveau dossier\Trojan.Remover.v6.7.6.WinALL.Incl.Keygen.and.Patch-BRD\brtr676b.zip => Crack, KeyGen, Keymaker - Possible Malware
E:\Nouveau dossier\Trojan.Remover.v6.7.6.WinALL.Incl.Keygen.and.Patch-BRD\brtr676a.zip => Crack, KeyGen, Keymaker - Possible Malware
E:\Nouveau dossier\Trojan.Remover.v6.7.6.WinALL.Incl.Keygen.and.Patch-BRD\brtr676b.zip

C:\Program Files\ComicRack
C:\Program Files\Cracklock
C:\Program Files\Spybot

Go to:

C:\WINDOWS\Prefetch

Delete the contents

The rootkit is still present that's why you run at 99%

Please download and run the following tool and then upload another ZHP Diag log, after you delete all previous one

http://www.gmer.net/
0
yanu22 Posts 7 Registration date Monday December 10, 2012 Status Member Last seen December 22, 2012
Dec 22, 2012 at 10:03 AM
hi
je suis de la région auvergne près du puy de dome
ok je continue en anglais donc?
i 've run the gmer soft it found some things rookit
but i don't know if it fixed it, I just say ok
then i disinstall programs you mentioned
here is the log
http://speedy.sh/Y9f2G/ZHPDiag.Txt

thanks again but I won't be close to that computer for a few days I will reply
when I can work on it again

Bonne fêtes and have a merry time.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,163
Dec 22, 2012 at 04:56 PM
It's been a pleasure trying to help you. I will post my latest findings after I analyse your latest log and wait for your feedback.

Joyeux Noël, bonne et heureuse année du Québec.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,163
Dec 22, 2012 at 05:48 PM
Pas joli!

I wonder if you have sent me the correct log. If all of the previous ZHP Diag logs have not been completely deleted from the computer and if you attempt another analysis, the logs will not be updated.

The reasons I say this is that the rootkit shows and also the cracked software and key gens. The cracked software and keygen contained the rootkit which were sent to you by UTorrent, Soulseek and Soulseek2.

Have you deleted the cracks and key gen before or after the ZHP Diag analysis ?

Like the following line is definately a rootkit:

O81 - IFC: Internet Feature Controls [HKUS\.DEFAULT] [FEATURE_BROWSER_EMULATION] -- svchost.exe

Best regards
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,163
Dec 23, 2012 at 05:13 PM
Hi, me again,

These will be my last instructions to you.

1. Ignore my previous message.

2. Please launch ZHP Fix and copy the following lines after which you will click on the clipboard icon and then on GO

O81 - IFC: Internet Feature Controls [HKLM] [FEATURE_BROWSER_EMULATION] -- svchost.exe
O81 - IFC: Internet Feature Controls [HKUS\.DEFAULT] [FEATURE_BROWSER_EMULATION] -- svchost.exe
O81 - IFC: Internet Feature Controls [HKUS\S-1-5-18] [FEATURE_BROWSER_EMULATION] -- svchost.exe
O23 - Service: Creative Service for CDROM Access (Creative Service for CDROM Access) . (.Creative Technology Ltd - Creative Service for CDROM Access.) - C:\WINDOWS\system32\CTsvcCDA.exe => Unknown owner%Creative Technology
SR - | Auto 12/12/1999 44032 | (Creative Service for CDROM Access) . (.Creative Technology Ltd.) - C:\WINDOWS\system32\CTsvcCDA.exe
O43 - CFD: 27/03/2011 - 19:01:29 - [15,056] ----D C:\Program Files\ComicRack
O43 - CFD: 24/04/2010 - 16:04:06 - [2,389] ----D C:\Program Files\Cracklock

3. Open Explorer and go to programme files, is you see ComicRack and Cracklock, please delete them.

4. Go to c:\windows\system32\ delete CTsvcCDA.exe it's useless.

5. Go to C:Windows, delete soundman.exe, it's totaly useless.

6. Consider if you wish to keep Soulseek, Soulseek2 and UTorrent, they vectors for intrusion and infection.

7. You have a toolbar called SweetIm with your Firefox, it's spyware. You may wish to delete it.

8. I suggest that you remove Softsonic software.

9. Your Windows is in great need for update and you should upgrade to SP3.

10. Please remove Malwarebyte, Spyware Guard and McAfee Security Scan as they may conflict with Panda.

11, Delete Combofix.

12. Run CCleaner for both unwanted files and also for the Registry.

13. Defragment your disk

14. After the above, your computer should be cleaned and working fine.

Best regards
0
hello again
thanks, this will be also my last mail.
I did all you said, still there was high cpu then i look at process explorer
and there was hardware interrupts eating most of the cpu !! looking up
from the net I've check if it had switched to PIO instead of DMA transfer and it was the case for one of my partition !! so it was not a malware problem (even if my pc was full of problem) but a hardware problem. It seem that windows try 8 time to use DMA and if no success it switches to PIO transfer (using all cpu) , the solution uninstall all primary and secondary ati ide in device manager and then reboot !!!!! windows reisntall all/
ok so now everything is even better than before thanks to you and your disponibility, merci
0