
Another messed up system

Discussion in 'Windows OS' started by Gouge, Nov 24, 2008.

  1. mflynn Newcomer, in training Posts: 2,793

    Ok you are the second one this week that had issues with AVP not running.

    It does have issues uninstalling but I can handle that. But the fact it won't run concerns me as it may indicate Malware that is programmed to block AVP from running.

    So let's get rid of AVP.

    In TaskManager end all processes called avp.exe

    Browse to and run C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\unins000.exe.

    The above may not work, but proceed below if it does or not.

    When prompted to, click "yes" and restart your computer.

    Once back up

    Download AutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

    Extract and run AutoRuns, give it a few seconds to populate then click the Everything Tab to make it selected.

    Then do a ctrl-f for find. Type in AVP and find.
    Click each AVP line to highlight, then uncheck the box, then right-click the line and delete it.

    Once gone ctrl-f to find next same as above.

    If any will not delete leave unchecked and continue as after the rest are gone and you have rebooted then you will be able to remove any that would not delete.

    After AVP operation above slide the side slider to the top and click to highlight the first entry so to begin new search from here. Then do ctrl-f and change search to kaspersky and remove as above.

    While in AutoRuns let's get something else not related to AVP.

    Slide back to top click top entry to begin search from there. ctrl-f search for "File not found" without quotes.

    All computers will have several of these, so delete them all.

    Reboot and if all is well and AVP tool is gone we will proceed differently.

    Mike
  2. Gouge TechSpot Enthusiast Posts: 128

    Uninstalled AVP and tried a fresh download and run, but still failed.

    Fully uninstalled AVP now, plus dozens of "File not found".

    I've also attached the last ComboFix log.

    Eagerly waiting for next steps!
  3. mflynn Newcomer, in training Posts: 2,793

    Open MBAM Update then click More Tools-Run Tool

    Copy and paste the below line to File name and click OK, answer yes to delete.

    c:\windows\{00000000-00000000-0000000D-00001102-00000004-20021102}.BAK
    ----------------------------------------------------------------------------------------------------------------------------------------------------
    D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
    No install, just run it delete all it finds decline to reboot on each item found, until the program finishes then reboot.

    Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.
    It has no log just let me know what it found as it will be only a couple since running the other tools.
    ----------------------------------------------------------------------------------------------------------------------------------------------------

    Then do Smitfraudfix, download and instructions here http://siri.geekstogo.com/SmitfraudFix.php

    Mike
  4. Gouge TechSpot Enthusiast Posts: 128

    OK done all of that.

    Xclean found a Spy_Agent_ak in the HKEY/Current....Control Panel/Load.

    Not sure what SmitFraudFix found. There were no instructions so I went through each option in turn.

    Now my system is cleaner than most, I still suffer from an exceptional bootup time, even in Safe mode.

    Any thoughts on what is causing this?
  5. mflynn Newcomer, in training Posts: 2,793

    The instructions were on the same screen you downloaded from with screen views and all.

    Browse and attach the Smitfraud log C:\rapport.txt.

    It never ceases to amaze me that a not very well known program like XClean from a very well known and very reputable company Xblock can still find Malware after all the others we ran. But I have seen this one do it often.
    ----------------------------------------------------------------------------------------------------------------------------------------------------
    For slow boot

    Download Dial-A-Fix (DAF)

    http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
    http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

    Have XP CD available in case DAF needs a file.

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here 1 at a time do the below

    Process Idle Tasks
    Reset WMI/WBEM (not reinstall)

    Watch for any File not found or other errors and make note as this may lead to the fix!

    Reboot retest!
    ----------------------------------------------------------------------------------------------------------------------------------------------------
    Clean and tweak services

    In services stop and disable all of the below just to get them out of the way for now for trouble shooting purposes.

    Nothing is un-installed or deleted only disabled from running!

    They can be put back anytime later but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

    Disabled uses no memory (RAM) and no CPU cycles.
    Manual uses the RAM but a small amount of CPU.
    Auto and not started they use even more RAM and CPU.
    Auto and started even more RAM and CPU ..

    Now in this case we are disabling for troubleshooting purposes. But when we finish if you leave them all off until it is noticed that you need one (not likely for 99%) then it can be enabled.

    Leaving these all off, then becomes a performance tweak/boost as they free some RAM and CPU cycles! Special note. If you are going to pick and choose then be aware that the small amount of RAM and CPU cycles of each one individually is not significant but as a group it is! So if you need most of them (or just think you do because you don't) then just as well enable them all!

    Distributed Link Tracking Client
    Distributed Transaction Coordinator
    DNS Client
    Fast User switching
    Health Key and Certificate Management Service
    Indexing service
    Messenger
    Net logon
    Net.TCP Port Sharing
    NetMeeting Remote Desktop Sharing
    IPsec services
    QoS RSVP
    Remote Registry
    Uninterruptible power supply
    Universal Plug and play
    Web Client
    Windows media player Network Sharing

    IF you are using a wired network card and "NOT" using wireless on this computer then you can
    also disable

    Wireless Zero configuration

    Wireless Zero configuration is only used on computers with a wireless NIC like a Laptop. Do not disable Wireless Zero configuration on a Laptop. Has nothing to do with other wireless hardware like wireless routers etc.

    In short if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero configuration.

    This is not to be confused with Wired Auto Config do not disable that!
    ----------------------------------------------------------------------------------------------------------------------------------------------------
    Look here but DAF did the BootViz above so no need to do it again.

    http://www.annoyances.org/exec/forum/winxp/n1041630673

    Mike
  6. Gouge TechSpot Enthusiast Posts: 128

    Thanks for all your help in sorting this.

    I've attached the log as requested - I couldn't find it before but it was late at night here!

    I know that this has been a long thread so far but I'd like to recap on the progress on initial problems:
    - very slow bootup in normal and safe modes (still the same but possible fix now)
    - slow system generally (now much improved)
    - AVG not adequate and slow (now uninstalled and using AVAST)
    - SB Audigy soundcard not performing well - stuttering and not all functions active. (still malfunctioning)

    I use my PC a lot for music creation and I haven't been able to rely on it for weeks now.
     
  7. mflynn Newcomer, in training Posts: 2,793

    Hi Gouge

    Ok for now let's consider you clean but do the below when convenient while at work, in bed or when computer is not needed. Just to be sure!

    Run Kaspersky Online AV Scanner


    Use Internet Explorer.
    Click the Accept button at bottom.

    With IE7 if you have problems with accepting the license, use Zoom tool at bottom and set zoom to a viewable level. After accepted, reset back.

    Attach log back.
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Now let's get on your slow boot and audio issues. These are probably related; fix one and both will be fixed.

    Now have you run through the DAF and other items in my last post? If not, do so.


    After that we will go from there.

    Mike
  8. mflynn Newcomer, in training Posts: 2,793

    Ok Gouge we continue on your other issues!

    I made this a separate post because it is so long and basically on a different matter than Malware.

    I just realized in rereading the entire thread that I never got the log files from post #18 RSIT.

    This info could help with the slow startup and Audio issues.

    So browse to c:\RSIT and post both logs.

    Also another log that will help is...
    --------------------------------------------------------------
    Download OTScanIt: http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe
    Close all Apps and Browsers

    Download and save to Desktop and Dbl Click extract the files to an OTScanIt Folder.

    If Firewall or other Security or Malware protections pop you should allow them to let OTScanit to run.

    Enter the OTScanit folder and run OTScanit.exe.

    In Additional Scans select BotCheck, Disabled MS Config Items and Eventviewer Errors/Warnings

    Top Left click Run Scan.

    The scan can take some time so allow it time.

    When finished a log will open, attach it back to here.
    --------------------------------------------------------------

    Next use Revo and clear any Old/Useless programs.

    Then use Autoruns, go carefully through the Everything list, scan down the Publisher Column
    look at all except Microsoft.

    Find anything you have had in past but thought was gone, anything like AVG, Grisoft, Norton, Symantec or Zone Alarm etc and remove them.

    Another program similar to AutoRuns but finds some that it don't. It also shows the same in a different way perhaps highlighting something shown in AutoRuns that you missed.

    Download RunScanner http://www.runscanner.net/ get it run in Expert mode and click Scan.

    1st get rid of all red lines Missing files etc by dbl click to select, once selected click the "Item fixer" to
    remove the item.

    Then click Extra stuff and do the same red lines also here. To get back to the Item fixer you must click the
    Malware Hunting Tab again. Again go through both Malware hunting and Extra stuff looking for things you thought were gone. Google any item that you are not sure of and or ask me.
    --------------------------------------------------------------

    D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

    http://www.majorgeeks.com/ATF_Cleaner_d4949.html
    --------------------------------------------------------------

    ERUNT
    Add a redundant Reg backup, get and install ERUNT let it add itself to startup and do a backup on install check all boxes.

    ERUNT http://www.larshederer.homepage.t-online.de/erunt/
    Yes! Even if you use system restore and other backups Registry and Images.
    --------------------------------------------------------------

    Some of the issues we cleaned were found in System Restore so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and then OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    --------------------------------------------------------------
    Now that you have a new fresh SR point and ERUNT do the below
    D/L RegScrubVistaXP http://majorgeeks.com/RegScrubVistaXP_d5946.html install and run

    1st click Tweaks and select all but the below count the lines
    Items 2, 10 14,17, 19, 22, 26, 28 don't do this one.
    Item 22 is recommended but you must remember that when using installing you will have to browse to the CD to run a program. Otherwise these are optional.

    Once all Tweaks are done click scan for problems. Then Scan, when done click Select all and then clean.
    --------------------------------------------------------------

    This is enough to keep you busy for an hour.

    So answer this have you ever had Symantec Norton, McAfee or Zone alarm on this computer?

    Mike
  9. Gouge TechSpot Enthusiast Posts: 128

    I'm getting a bit behind on the actions here!

    Just ran DAF with the following results:

    All ok until it got to Register DLL's. There was an access violation at 00000000 and the scan would not progress, I tried again with the same result, so skipped Register DLL to complete the rest. I then ran it all and it completed with no problems.

    Went to page 2. Process Idle tasks went ok. WMI/WBEM stopped with an access violation 77C0155D module version.dll. Read of address 00000004.

    Rebooted and rerun and the same violation occurred.

    I didn't run the RSIT as AVP failed. I'll run that as well.
  10. mflynn Newcomer, in training Posts: 2,793

    Proceed with all the rest for now we will come back to DAF!

    Mike
  11. Gouge TechSpot Enthusiast Posts: 128

    RSIT 1st log attached.

    Also log of 12 adware entries picked up this morning by Spyware Detector.

    2nd RSIT log on next reply, as requested.
  12. Gouge TechSpot Enthusiast Posts: 128

    2nd RSIT log

    Your question - So answer this have you ever had Symantec Norton, McAfee or Zone alarm on this computer?

    I have had some elements of Symantec and Zone Alarm in the past.
  13. Gouge TechSpot Enthusiast Posts: 128

    I tried several times to download/run the Kaspersky online AV scanner, but it would not work.

    I killed AVAST as instructed, but, after accepting, there was no activity or download.

    I even went to the website to run the scanner and it didn't respond.

    I'll continue to work through the other actions.
  14. mflynn Newcomer, in training Posts: 2,793

    Ok try it one more time but in Safe Mode Networking if it don't work then drop it for now.

    Yes continue with all the rest.

    I have been traveling today and will be very busy tomorrow but will check in.

    Here are some other online scanners. Consider Bitdefender, Etrust and Panda Nanoscan.
    Or all 3 if done while you are in bed or at work etc.

    http://wiki.castlecops.com/Online_antivirus_scans

    We will get it, it don't have to be done in one day, just continue when you can and report back.

    Mike
  15. Bobbye Helper on the Fringe Posts: 16,406   +16

    Please revisit the list of Services disabled. Use the following for reference:
    http://www.ss64.com/ntsyntax/services.html
    http://www.blackviper.com/WinXP/servicecfg.htm

    Services has three Startup Types: Automatic, Manual and Disabled.
    Some MUST be on Automatic
    Some only need to be on Manual to start when needed.
    Others can be Disabled if they are not needed.

    Services that are set to Automatic start on boot and run in the background.
    Services set to Manual only start if needed.
    Some Services, such as the 'remote' Services, can be a security risk and are best disabled if not in use at the time.

    Checking the Dependency tab when changing the Startup Type is vital. The Services work together and some depend on other Services to run.
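
The dependency check described in the post above, scripted as a read-only audit. This is an added example, not part of the original thread: the function name `Get-ServiceDisableImpact` is hypothetical, and the display-name patterns are assumptions derived from the service list posted earlier in the thread, with wildcards where the installed name may differ from the thread's wording.

```powershell
# Added example: read-only audit, nothing is stopped or reconfigured.
# Assumes Windows PowerShell 2.0 or later (Get-WmiObject); on PowerShell 7
# use Get-CimInstance -ClassName Win32_Service instead.
# Patterns follow the thread's list; wildcards are an assumption to absorb
# differences between the thread's wording and the installed display names.
$patterns = @(
    'Distributed Link Tracking Client', 'Distributed Transaction Coordinator',
    'DNS Client', 'Fast User Switching*',
    'Health Key and Certificate Management*', 'Indexing Service',
    'Messenger', 'Net*Logon', 'Net.Tcp Port Sharing*',
    'NetMeeting Remote Desktop Sharing', 'IPSEC Services', 'QoS RSVP',
    'Remote Registry', 'Uninterrupt*ble Power Supply',
    'Universal Plug and Play*', 'Web*Client',
    'Windows Media Player Network Sharing*', 'Wireless Zero Configuration'
)

function Get-ServiceDisableImpact {
    param([string[]]$DisplayNamePattern)

    foreach ($pattern in $DisplayNamePattern) {
        # A pattern that matches nothing means the service is not installed here.
        $matched = @(Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue)
        foreach ($svc in $matched) {
            # Startup Type (Auto / Manual / Disabled) is read through WMI.
            $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"

            # Services that need this one; they fail to start if it is Disabled.
            $dependents = @($svc.DependentServices)
            $running    = @($dependents | Where-Object { $_.Status -eq 'Running' })

            New-Object PSObject -Property @{
                Name              = $svc.Name
                DisplayName       = $svc.DisplayName
                StartMode         = $wmi.StartMode
                Status            = $svc.Status
                RunningDependents = $running.Count
                Dependents        = ($dependents | ForEach-Object { $_.Name }) -join ', '
                Requires          = ($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', '
            }
        }
    }
}

# Services with running dependents sort to the top: review those first.
Get-ServiceDisableImpact -DisplayNamePattern $patterns |
    Sort-Object RunningDependents -Descending |
    Select-Object Name, StartMode, Status, RunningDependents, Dependents, Requires |
    Format-Table -AutoSize -Wrap
```

Any row with a non-empty `Dependents` column is the scripted equivalent of what the Dependency tab shows for that service.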
  16. mflynn Newcomer, in training Posts: 2,793

    My list stands.

    Turn them all off the only thing you will notice is better performance and startup/shutdown times.

    Net logon Manual not off. I am sure you do not have Domain Controller Server in your home.

    If you are using Switch user then I would stop. So turn off Fast User switching.
    No I meant Net.TCP Port Sharing.

    Universal PnP not needed and can be a security hole.

    Disable all as I posted!

    Mike
  17. Bobbye Helper on the Fringe Posts: 16,406   +16

    Which is it?
  18. mflynn Newcomer, in training Posts: 2,793

    Well it is up to him!

    If he thinks he needs most of the ones I said to disable then he just as well enable them all.

    he should disable all as I said and he will see that he don't need any of them.

    Mike
  19. Gouge TechSpot Enthusiast Posts: 128

    OK, here's the progress so far.

    I've carried out all of the tasks in Post #28 with the exception of OTScanit, which I'll run tonight and post the results tomorrow. I did run AVAST, which found no viruses.

    Lots of rubbish removed using the recommended tools.

    RunScanner log now looks OK to me, (although some of the file names don't mean anything to me). I've attached the last log in case you spot something that shouldn't be there.

    RegScrub found 710 Registry problems - I had to run it 3 times before all problems were fixed.

    I then ran Uniblue RegCleaner (not on your list) which found a further 361 errors! I didn't dare to clean the errors without showing you the log first.

    Regarding the startup items, I disabled all on your list and bootup is much quicker now. (20 secs instead of 70 secs for the XP screen) with no obvious adverse effect.
  20. mflynn Newcomer, in training Posts: 2,793

    Fantastical!

    That boot time is A-OK!

    In use the computer should be somewhat more snappy also.

    I will look at the logs later, only have a moment now!

    I am glad you did not clean with the UniBlue yet.

    There are in my opinion only about 6-8 very good Registry Cleaners some very smart people say all Registry Cleaners are snake oil, on the opposite side are some other smart people who say the reverse but these people of whom I am one (well me not as smart as them):( say they are very valid.

    The right cleaner, used in the correct manner, at the correct time, with the correct guidance.

    So that said you made the right decision not to clean.

    Multiple runs with the same Cleaner until clean is OK BUT!!

    RULE #1 Never Ever run Multiple Registry cleaners back to back without a reboot between.

    Later this evening I will check the logs.

    Mike