IRP hook slows computer to a crawl

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DumboFlies, Sep 29, 2012.

  1. DumboFlies

    DumboFlies Private E-2

    Hi to all MajorGeeks!
    I have been following your site for a couple of years and you've helped a lot.
    This is the first time I've gotten a major infection. My daughter goes on Facebook a lot and fills the computer with cookies and some strange things, but I've always been able to get rid of them. About 2 weeks ago the computer suddenly slowed to a crawl.
    I went to Add/Remove Programs to see, but it wouldn't open and still won't. AVG Free AV found 13 items in C:\system32\Drivers\classpnp.sys but said they would have to be manually removed. I wrote down some examples:
    IRP hook, \Driver\Disk IRP_MJ_CREATE -> classpnp.sys ClassDebugPrint+0x618
    IRP hook, \Driver\Disk IRP_MJ_DEVICE_CONTROL -> classpnp.sys ClassIoComplete+0xEF
    IRP hook, \Driver\Disk IRP_MJ_CLOSE -> classpnp.sys ClassDebugPrint+0x618
    The others substituted FLUSH_BUFFERS or INTERNAL_DEVICE_CONTROL after the MJ.
    I scanned with AVG again the next day and it came up with just 1 item: C:\windows\system32\drivers\hidclass.sys IRP hook \Driver\HidUsb IRP_MJ_CREATE -> hidclass.sys
    So... I've run all programs in the Read and Run Tutorial and they all completed at a very slow pace, and I am attaching the logs as instructed by Chaslang in his Windows XP malware removal instructions. Thank you to anyone who can help.
     

    Last edited: Sep 29, 2012
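Added example (not part of the thread and not AVG's or OTM's code): the AVG entries above show the \Driver\Disk dispatch routines resolving into classpnp.sys and the \Driver\HidUsb one into hidclass.sys. The disk class driver and HID minidrivers legitimately route their IRP dispatch through those two class libraries, so a report of this shape is not by itself proof of tampering, but it cannot be dismissed from the report alone either. One check that can be run from user mode on XP is whether the driver files on disk still match the Windows File Protection copies in %SystemRoot%\system32\dllcache (the folder OTM's log lists later in this thread). The script below does exactly that for the two drivers named. It assumes the XP folder layout, PowerShell 2.0 or later and an administrator account; it cannot see changes made only in kernel memory.

```powershell
# Added example (not from the thread): compare the driver binaries AVG named
# against the Windows File Protection copies in dllcache.
# Assumptions: Windows XP layout (%SystemRoot%\system32\dllcache exists),
# PowerShell 2.0 or later, run from an administrator account.

$driverNames = @('classpnp.sys', 'hidclass.sys')   # the two files in the AVG report
$driversDir  = Join-Path $env:SystemRoot 'system32\drivers'
$cacheDir    = Join-Path $env:SystemRoot 'system32\dllcache'

function Get-Sha256Hex([string]$Path) {
    # PowerShell 2.0 has no Get-FileHash, so hash through .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try {
        $hash = $sha.ComputeHash($fs)
    } finally {
        $fs.Close()
        $sha.Clear()   # Clear() is the public Dispose() on HashAlgorithm in .NET 2.0/3.5
    }
    return ([BitConverter]::ToString($hash) -replace '-', '')
}

function Compare-DriverToCache([string]$Name) {
    $live  = Join-Path $driversDir $Name
    $cache = Join-Path $cacheDir  $Name
    $result = New-Object PSObject -Property @{
        Driver       = $Name
        LiveExists   = Test-Path $live
        CacheExists  = Test-Path $cache
        LiveVersion  = $null
        CacheVersion = $null
        HashesMatch  = $null
    }
    if ($result.LiveExists)  { $result.LiveVersion  = (Get-Item $live).VersionInfo.FileVersion }
    if ($result.CacheExists) { $result.CacheVersion = (Get-Item $cache).VersionInfo.FileVersion }
    if ($result.LiveExists -and $result.CacheExists) {
        $result.HashesMatch = (Get-Sha256Hex $live) -eq (Get-Sha256Hex $cache)
    }
    return $result
}

$report = $driverNames | ForEach-Object { Compare-DriverToCache $_ }
$report | Format-Table Driver, LiveVersion, CacheVersion, HashesMatch, LiveExists, CacheExists -AutoSize

# How to read the table:
#  HashesMatch = True  : the driver on disk is byte-identical to the WFP cached copy, so an
#                        "IRP hook" report describes something in kernel memory, not a
#                        replaced file. This script cannot see dispatch-table changes.
#  HashesMatch = False : the file differs from the cache. Either one was patched or replaced,
#                        or a hotfix updated one copy and not the other; compare the versions.
#  CacheExists = False : nothing to compare against; use the i386 folder on the install
#                        media or a known-good machine running the same service pack.
```

Get-AuthenticodeSignature is deliberately not used here: on XP the in-box drivers are catalog-signed, so that cmdlet reports them as NotSigned even when they are genuine, which would only add noise to this check.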
  2. Caliban

    Caliban I don't need no steenkin' title!

    Greetings, DumboFlies...

    Be advised: I've contacted admin about moving this thread to the Malware Removal forum.

    Good luck!
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    :Files
    C:\Documents and Settings\janet reese\Application Data\Babylon
    C:\Documents and Settings\All Users\Application Data\Babylon
    C:\Documents and Settings\janet reese\Start Menu\Programs\Browser Manager
    C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"=-
    [HKEY_USERS\S-1-5-21-1580028977-2382851095-3726939340-1006\Software\Microsoft\Windows\CurrentVersion\run]
    "MSMSGS"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  4. DumboFlies

    DumboFlies Private E-2

    All processes killed
    ========== FILES ==========
    File/Folder C:\Documents and Settings\janet reese\Application Data\Babylon not found.
    File/Folder C:\Documents and Settings\All Users\Application Data\Babylon not found.
    File/Folder C:\Documents and Settings\janet reese\Start Menu\Programs\Browser Manager not found.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml scheduled to be moved on reboot.
    ========== REGISTRY ==========
    Registry delete failed. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MSMSGS scheduled to be deleted on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Registry delete failed. HKEY_USERS\S-1-5-21-1580028977-2382851095-3726939340-1006\Software\Microsoft\Windows\CurrentVersion\run\\MSMSGS scheduled to be deleted on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Registry delete failed. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ scheduled to be deleted on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
    Registry delete failed. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}\ scheduled to be deleted on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: janet reese
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    ->Temp folder emptied: 813627 bytes

    User: JJC-no Botdf virus

    User: LocalService

    User: NetworkService

    User: Owner

    %systemdrive% .tmp files removed: 0 bytes
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    %systemroot% .tmp files removed: 19569 bytes
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    %systemroot%\System32 .tmp files removed: 3613713 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Windows Temp folder emptied: 33524 bytes
    %systemdrive% .tmp files removed: 0 bytes
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    %systemroot% .tmp files removed: 19569 bytes
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    %systemroot%\System32 .tmp files removed: 3613713 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    Windows Temp folder emptied: 33524 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 4.00 mb
     
  5. DumboFlies

    DumboFlies Private E-2

    Hi -
    I downloaded the OTM program and posted the log on Quick Reply.
    When I restarted I immediately got a pop-up from above the taskbar about improving my computer speed. I ran the scan again and restarted, and so far have not seen the pop-up. This 2nd log is what I sent.
    When I ran MGlog.exe I kept getting an error message that said:
    "C:\windows\system32\cmd.exe Virtual Device Driver Format is Invalid"
    Click Close to close this program.
    I clicked Close a couple of times before I realized that cmd.exe was the MGtools program that was running. I clicked Ignore and the program continued to completion. I attached the MGlog.zip to this message.
    Many thanks for your efforts and help. I think I'm still running slow, and because of what seemed like a pop-up to stop the MG scan, I'm probably still infected. Best Regards - DumboFlies
    PS - I haven't seen the Babylon toolbar return - Thanks
     

  6. DumboFlies

    DumboFlies Private E-2

    Dear Caliban -
    I forgot to mention that Add\Remove Programs will not open. The others in Control Panel will open, but the flashlight is not even working in A\R like it's looking to populate the list.
    DumboFlies
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It's Kestrel now, not Caliban ;) You can always return to the software forum afterwards to further discuss anything non malware related.

    Delete these folders.
    C:\Documents and Settings\janet reese\Application Data\Babylon
    C:\Documents and Settings\janet reese\Start Menu\Programs\Browser Manager

    Reboot > are they still gone or are they back?

    If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    How are things running?
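Added example (not part of the thread and not OTM's own code): the OTM script in post 3 listed the Babylon and Browser Manager folders, the babylon.xml Firefox search plugin, the MSMSGS Run values and two IE SearchScopes GUIDs, and the question after the reboot is whether any of them came back. The PowerShell below re-checks exactly those items and then sweeps HKCU\Software and HKLM\Software for leftover "Babylon" key names, value names or string data, which is the manual registry search described later in the thread. It assumes the XP paths, profile name and SID quoted in the thread and PowerShell 2.0 or later run as administrator; it reports only and deletes nothing.

```powershell
# Added example (not from the thread): after the reboot OTM asked for, re-check whether
# the artefacts the OTM script targeted are really gone, then look for leftover
# "Babylon" references in the registry. Reports only; nothing is deleted.
# Assumptions: Windows XP paths, the profile name and SID quoted in the thread,
# PowerShell 2.0 or later, run as an administrator.

$profileName = 'janet reese'            # profile named in the thread; change for another machine
$docs        = 'C:\Documents and Settings'

# Targets from the OTM :Files section
$paths = @(
    "$docs\$profileName\Application Data\Babylon",
    "$docs\All Users\Application Data\Babylon",
    "$docs\$profileName\Start Menu\Programs\Browser Manager",
    'C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml'
)

# Targets from the OTM :reg section (SID as quoted in the thread)
$sid = 'S-1-5-21-1580028977-2382851095-3726939340-1006'
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'MSMSGS' },
    @{ Key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"; Name = 'MSMSGS' }
)
$searchScopes = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}'
)

function Test-RegistryValue([string]$Key, [string]$Name) {
    # True only if the key exists AND carries a value with this exact name.
    if (-not (Test-Path $Key)) { return $false }
    $regKey = Get-Item -Path $Key -ErrorAction SilentlyContinue
    return ($regKey -ne $null) -and ($regKey.GetValueNames() -contains $Name)
}

function Find-RegistryReferences([string]$Root, [string]$Pattern) {
    # Walk every subkey under $Root; report key names, value names and REG_SZ data that match.
    $hits = @()
    $keys = @(Get-Item $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        if ($key -eq $null) { continue }
        if ($key.PSChildName -match $Pattern) { $hits += "$($key.Name)  [key name]" }
        foreach ($valueName in $key.GetValueNames()) {
            $data = $key.GetValue($valueName)
            if ($valueName -match $Pattern) {
                $hits += "$($key.Name)\$valueName  [value name]"
            } elseif (($data -is [string]) -and ($data -match $Pattern)) {
                $hits += "$($key.Name)\$valueName = $data"
            }
        }
    }
    return $hits
}

Write-Host '== OTM :Files targets =='
foreach ($p in $paths) {
    $state = if (Test-Path $p) { 'STILL PRESENT' } else { 'gone' }
    Write-Host ('{0,-14} {1}' -f $state, $p)
}

Write-Host "`n== OTM :reg targets =="
foreach ($rv in $runValues) {
    $state = if (Test-RegistryValue $rv.Key $rv.Name) { 'STILL PRESENT' } else { 'gone' }
    Write-Host ('{0,-14} {1}\{2}' -f $state, $rv.Key, $rv.Name)
}
foreach ($k in $searchScopes) {
    $state = if (Test-Path $k) { 'STILL PRESENT' } else { 'gone' }
    Write-Host ('{0,-14} {1}' -f $state, $k)
}

Write-Host "`n== Remaining 'Babylon' references under HKCU\Software and HKLM\Software =="
$hits = @()
foreach ($root in 'HKCU:\Software', 'HKLM:\Software') {
    $hits += Find-RegistryReferences $root 'Babylon'
}
if ($hits.Count -eq 0) { Write-Host 'none found' }
else { $hits | Sort-Object -Unique | ForEach-Object { Write-Host $_ } }
```

Anything reported as STILL PRESENT after a reboot means something re-created it, which is the point of re-checking rather than trusting the first OTM run; the registry sweep is read-only so it is safe to run repeatedly while tracking that down. HKEY_USERS subtrees for other accounts are only loaded while those users are logged on, so the sweep sees the current user's hive plus HKLM.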
     
  8. DumboFlies

    DumboFlies Private E-2

    Kestrel13! -
    Thank you for your help. Babylon is gone. Both files were gone on reboot. You made it look easy.
    Do you know how to remove the WIZEBAR pop-up?
    I still can't access my Add\Remove Programs. I'm afraid to use the Absolute Uninstaller because when I did, that was around the time the Babylon toolbar showed up. It showed up when I was trying to get access to Add\Remove.
    If you have any suggestions I would really appreciate it.
    Thanks for being on MajorGeeks.
    DumboFlies
    PS - I ran the Windows Messenger disabler. It didn't confirm that it worked, but my firewall said it was accessing.
     
    Last edited: Oct 5, 2012
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are very welcome. :)

    When do you see this pop up? If when surfing, which browser, remind me?

    Does it work if you click Start->Run, type in appwiz.cpl and hit Enter/OK?
     
  10. DumboFlies

    DumboFlies Private E-2

    Hi Again -
    When using Firefox the Wizebar pops up while browsing, even on MajorGeeks.
    I typed in appwiz.cpl but Add\Remove Programs will not populate. The Add\Remove box opens up but nothing else.
    Any ideas?
    DumboFlies
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We are going to be uninstalling your old version of FireFox and installing the new version. (Instead of uninstalling the standard way, we shall use REVO Uninstaller) So do the below to save bookmarks:

    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:
    • C:\Program Files\Mozilla Firefox
    • C:\documents and settings\UserAccount\Application Data\Mozilla

    where UserAccount is the actual user account name being used.

    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).

    Has the pop up gone now?

    You may need to post in the software forum regarding the non population of add/remove progs...
     
  12. DumboFlies

    DumboFlies Private E-2

    Dear Kestrel13! -
    I can no longer access Firefox or Internet Explorer. They won't open.
    My machine is running very slow. After I start up I go to the Task Manager and shut down as many programs as possible, but something still seems to be using a lot of memory, and the computer has a funny little scratchy beep which repeats every 7 seconds or so, which it didn't do before. Should I try to uninstall Firefox from the Program Files directory, or should I download the program to a flash drive and try to use it?
     
    Last edited by a moderator: Oct 9, 2012
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you get an error message, or does absolutely nothing happen? Are you able to access them in safe mode?
     
  14. DumboFlies

    DumboFlies Private E-2

    Dear Kestrel13! - I used Absolute Uninstaller to gain access to my Add\Remove Programs folder and I deleted AVG and SUPERAntiSpyware and a couple of useless programs. I went to Security Center and my firewall was not communicating and wouldn't let me open a browser, so I re-installed Private Firewall and voila... I can browse again. The computer seems much faster, but I haven't had a chance to use it much, so at this time I don't know about other problems. I did find Babylon toolbar in the registry and deleted it. It also showed up when I right-clicked on Bookmarks, right below the Bookmarks Toolbar. It says Babylon Toolbar. I unchecked it?? DumboFlies
    PS - I had no access to any executable even in safe mode. I was about to give up. Without Absolute Uninstaller and finding the Babylon references I think the system would have crashed. I'm probably still infected.
     
    Last edited: Oct 10, 2012
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well let's see...

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  16. DumboFlies

    DumboFlies Private E-2

    To Kestrel13! -
    Hi - I found that Babylon had not been removed after all. I used Revo to uninstall Firefox and followed the directions from Chaslang, but Babylon kept coming back, so I ran Revo again and rebooted and went through the registry with a fine-tooth comb and found a few references to Babylon in HKLM and in HKCU. I just opened every key in the typical pathways and deleted any Babylon.
    Everything seems OK now. That is a nasty little program and people shouldn't be offering the Babylon toolbar with their downloads. It's very damaging!
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Glad it's all as it should be again ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  18. DumboFlies

    DumboFlies Private E-2

    Kestrel13! -
    I did everything in your message and cleaned up.
    The only problem I can see that remains is I cannot open Add\Remove Programs. Something is blocking it. I suppose it could be left over from Babylon trying to prevent its removal? Anyway, thanks so much for your help.
    DumboFlies
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please post about that in the software forum. :)
     
