TechSpot

Computer runs extremely slow, can't find cause, must be infected...

Solved
By cehines
Aug 15, 2010
  1. I've noticed our Windows Vista computer has been running extremely slow for the last month or so. I've tried installing Spybot and Adaware and ran scans; they removed what they found, but they really didn't find much, so I'm guessing this must be hiding well. Spybot only found one. Adaware found 39. Each removed all, but the PC still seems extremely slow. My virus scanner, McAfee, is up to date. I decided to run HijackThis and post the log here for some additional analysis. Thanks in advance.
     


  2. Broni

    Broni Malware Annihilator Posts: 48,033   +271

  3. cehines

    cehines TS Rookie Topic Starter Posts: 16

    Please don't close this thread...

    I'm still in the process of running all of the steps you outlined in the original post. I'll post back the logs you requested when done, it is taking a while to run all of the stuff. Thanks.
     
  4. Broni


    No problem :)
     
  5. cehines


    Ok, here are the logs you requested...

    Thanks for your patience...I have included them all as attachments. If you need any of them to be cut and pasted let me know, some were a little large to cut and paste. Thanks, if you have any additional questions also, please let me know. Thanks again, in advance, sorry again that I took so long.
     


  6. Broni


    Thank you :)

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. cehines


    Additional logs...

    Thanks. Below are the contents of the MBR check log; I've attached the Combofix one:
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Basic Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Dell Inc.
    BIOS Manufacturer: Dell Inc.
    System Manufacturer: Dell Inc.
    System Product Name: Inspiron 546
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 142):
    0x81E41000 \SystemRoot\system32\ntkrnlpa.exe
    0x81E0E000 \SystemRoot\system32\hal.dll
    0x80402000 \SystemRoot\system32\kdcom.dll
    0x80409000 \SystemRoot\system32\PSHED.dll
    0x8041A000 \SystemRoot\system32\BOOTVID.dll
    0x80422000 \SystemRoot\system32\CLFS.SYS
    0x80463000 \SystemRoot\system32\CI.dll
    0x80543000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x805BF000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80605000 \SystemRoot\system32\drivers\acpi.sys
    0x8064B000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x80654000 \SystemRoot\system32\drivers\msisadrv.sys
    0x8065C000 \SystemRoot\system32\drivers\pci.sys
    0x80683000 \SystemRoot\System32\drivers\partmgr.sys
    0x80692000 \SystemRoot\system32\drivers\volmgr.sys
    0x806A1000 \SystemRoot\System32\drivers\volmgrx.sys
    0x806EB000 \SystemRoot\system32\drivers\pciide.sys
    0x806F2000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x80700000 \SystemRoot\System32\drivers\mountmgr.sys
    0x80710000 \SystemRoot\system32\drivers\atapi.sys
    0x80718000 \SystemRoot\system32\drivers\ataport.SYS
    0x80736000 \SystemRoot\system32\drivers\fltmgr.sys
    0x80768000 \SystemRoot\system32\drivers\fileinfo.sys
    0x80778000 \SystemRoot\system32\DRIVERS\Lbd.sys
    0x80787000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x86E0C000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x86E7D000 \SystemRoot\system32\drivers\ndis.sys
    0x86F88000 \SystemRoot\system32\drivers\msrpc.sys
    0x86FB3000 \SystemRoot\system32\drivers\NETIO.SYS
    0x87007000 \SystemRoot\System32\drivers\tcpip.sys
    0x870F4000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8720A000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8731A000 \SystemRoot\system32\drivers\volsnap.sys
    0x87353000 \SystemRoot\System32\Drivers\spldr.sys
    0x8735B000 \SystemRoot\System32\Drivers\mup.sys
    0x8736A000 \SystemRoot\System32\drivers\ecache.sys
    0x87391000 \SystemRoot\system32\drivers\disk.sys
    0x873A2000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x873C3000 \SystemRoot\system32\drivers\crcdisk.sys
    0x873EC000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x8710F000 \SystemRoot\system32\DRIVERS\amdk8.sys
    0x8C802000 \SystemRoot\system32\DRIVERS\atikmdag.sys
    0x8711F000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8CDE7000 \SystemRoot\System32\drivers\watchdog.sys
    0x8D001000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8D08E000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x8D0BD000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8D0D5000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x8D0DF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8D11D000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8D12C000 \SystemRoot\system32\DRIVERS\BLKWGD.sys
    0x8D19E000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x871BE000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8D1CD000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8D1D8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8D1EF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x80790000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x86FEE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x807B3000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x807C7000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x807DC000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8CDF3000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x873F5000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8D1FA000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x805CC000 \SystemRoot\system32\DRIVERS\ks.sys
    0x87200000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x807EC000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8D400000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8D435000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8D446000 \SystemRoot\system32\drivers\HdAudio.sys
    0x8D485000 \SystemRoot\system32\drivers\portcls.sys
    0x8D4B2000 \SystemRoot\system32\drivers\drmk.sys
    0x8D4D7000 \SystemRoot\system32\drivers\viahduaa.sys
    0x8D5D8000 \SystemRoot\system32\DRIVERS\mozy.sys
    0x8D5EB000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8D5F4000 \SystemRoot\System32\Drivers\Null.SYS
    0x87000000 \SystemRoot\System32\Drivers\Beep.SYS
    0x807F9000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x86E00000 \SystemRoot\System32\drivers\vga.sys
    0x8DA0A000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8DA2B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8DA33000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8DA3B000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8DA46000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8DA54000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8DA5D000 \SystemRoot\system32\drivers\mfetdik.sys
    0x8DA69000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8DA7F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x8DA96000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8DA98000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x8DAA1000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x8DAB1000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x8DABA000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
    0x8DAC1000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x8DAC9000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0x8DAD6000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0x8DAE0000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8DAF4000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8DB26000 \SystemRoot\system32\drivers\afd.sys
    0x8DB6E000 \SystemRoot\system32\DRIVERS\vsdatant.sys
    0x8DC05000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8DC1B000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8DC29000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8DC3C000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8DC78000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8DC82000 \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
    0x8DC89000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8DCA0000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x8DCB6000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x8DCC3000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x8DCCE000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0x96A20000 \SystemRoot\System32\win32k.sys
    0x8DCD6000 \SystemRoot\System32\drivers\Dxapi.sys
    0x8DCE0000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x96C40000 \SystemRoot\System32\TSDDD.dll
    0x96C60000 \SystemRoot\System32\cdd.dll
    0x8DCEF000 \SystemRoot\system32\drivers\luafv.sys
    0x8DD0A000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x8DD1A000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x8DD44000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x8DD4E000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x99C0D000 \SystemRoot\system32\drivers\spsys.sys
    0x99CBD000 \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
    0x99CC5000 \SystemRoot\system32\drivers\HTTP.sys
    0x99D32000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x99D4F000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x99D68000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x99D7D000 \SystemRoot\system32\drivers\mrxdav.sys
    0x99D9E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x99DBD000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x8DD61000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x8DD79000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x8DDA0000 \SystemRoot\System32\DRIVERS\srv.sys
    0x9F809000 \SystemRoot\System32\Drivers\fastfat.SYS
    0x9F831000 \SystemRoot\system32\drivers\peauth.sys
    0x9F90F000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x9F919000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x9F925000 \SystemRoot\system32\drivers\mfehidk.sys
    0x9F94F000 \SystemRoot\system32\drivers\mfebopk.sys
    0x9F956000 \SystemRoot\system32\drivers\mfeapfk.sys
    0x9F965000 \SystemRoot\system32\drivers\mfeavfk.sys
    0x776C0000 \Windows\System32\ntdll.dll

    Processes (total 80):
    0 System Idle Process
    4 System
    380 C:\Windows\System32\smss.exe
    456 csrss.exe
    524 C:\Windows\System32\wininit.exe
    532 csrss.exe
    580 C:\Windows\System32\winlogon.exe
    608 C:\Windows\System32\services.exe
    624 C:\Windows\System32\lsass.exe
    632 C:\Windows\System32\lsm.exe
    792 C:\Windows\System32\svchost.exe
    856 C:\Windows\System32\svchost.exe
    892 C:\Windows\System32\svchost.exe
    960 C:\Windows\System32\Ati2evxx.exe
    1024 C:\Windows\System32\svchost.exe
    1076 C:\Windows\System32\svchost.exe
    1092 C:\Windows\System32\svchost.exe
    1160 C:\Windows\System32\audiodg.exe
    1184 C:\Windows\System32\svchost.exe
    1200 C:\Windows\System32\SLsvc.exe
    1232 C:\Windows\System32\svchost.exe
    1304 C:\Program Files\DELL\DellDock\DockLogin.exe
    1380 C:\Windows\System32\Ati2evxx.exe
    1400 C:\Windows\System32\svchost.exe
    1508 C:\Windows\System32\ZoneLabs\vsmon.exe
    1972 C:\Windows\System32\dwm.exe
    1996 C:\Windows\explorer.exe
    296 C:\Program Files\DELL\DellDock\DellDock.exe
    1064 C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
    1292 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    1872 C:\Windows\System32\spoolsv.exe
    1992 C:\Windows\System32\taskeng.exe
    1932 C:\Windows\System32\svchost.exe
    1532 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    1724 C:\Program Files\Bonjour\mDNSResponder.exe
    1700 C:\Windows\System32\dlbfcoms.exe
    2060 C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    2112 C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    2208 C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    2296 C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
    2336 C:\Program Files\MozyHome\mozybackup.exe
    2408 C:\Windows\System32\svchost.exe
    2424 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    2460 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    2492 C:\Windows\System32\svchost.exe
    2500 naPrdMgr.exe
    2548 C:\Windows\System32\svchost.exe
    2588 C:\Windows\System32\SearchIndexer.exe
    2900 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    3176 C:\Program Files\MozyHome\mozybackup.exe
    3960 unsecapp.exe
    2120 WmiPrvSE.exe
    2964 C:\Program Files\Windows Defender\MSASCui.exe
    2564 C:\Windows\System32\mobsync.exe
    1796 C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
    3420 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    3832 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    2032 C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    3612 C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    3248 C:\Program Files\Dell AIO Printer A960\dlbfmon.exe
    3628 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    2088 C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
    3368 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    2916 C:\Windows\System32\wbem\unsecapp.exe
    3808 C:\Program Files\Windows Sidebar\sidebar.exe
    3400 C:\Program Files\Content Manager\CmTray.exe
    3444 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    2844 C:\Program Files\MozyHome\mozystat.exe
    3412 C:\Program Files\McAfee\Common Framework\Mctray.exe
    4748 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    5516 C:\Windows\System32\taskeng.exe
    5580 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    5616 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    2912 C:\Program Files\Internet Explorer\iexplore.exe
    3660 C:\Program Files\Internet Explorer\iexplore.exe
    5564 C:\Windows\System32\Macromed\Flash\FlashUtil10h_ActiveX.exe
    4944 C:\Program Files\Internet Explorer\iexplore.exe
    5276 C:\Windows\System32\SearchProtocolHost.exe
    2908 C:\Windows\System32\SearchFilterHost.exe
    1896 C:\Users\Chuck\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`ac000000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`02800000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD3200AAKS-75L9A0, Rev: 02.03E02

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Dell Inspiron MBR code detected
    SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B


    Done!
     


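A triage pass over an MBRCheck report like the one posted above, as an added example (not a tool from the thread or from MBRCheck's author). It parses a constructed excerpt built from a few of the log lines, flags kernel drivers loaded from an explicit `\??\` path rather than `\SystemRoot`, lists processes whose image path MBRCheck could not resolve, checks the "(total N)" headers against what was actually parsed, and pulls out the MBR status and SHA1 so the reader has a repeatable way to read such a log rather than eyeballing 140 lines. The "Unknown MBR code" wording used for the recognised/unrecognised check is an assumption about MBRCheck's output, not something shown on this page.

```python
"""Triage helper for an MBRCheck report (added example, not the thread's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the format of the MBRCheck report posted above
# (a handful of the thread's own lines, not the whole log).
SAMPLE_REPORT = r"""
MBRCheck, version 1.2.3
(c) 2010, AD

Kernel Drivers (total 5):
0x81E41000 \SystemRoot\system32\ntkrnlpa.exe
0x8DC82000 \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
0x99CBD000 \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
0x8DCEF000 \SystemRoot\system32\drivers\luafv.sys
0x8D5D8000 \SystemRoot\system32\DRIVERS\mozy.sys

Processes (total 6):
0 System Idle Process
4 System
380 C:\Windows\System32\smss.exe
456 csrss.exe
2500 naPrdMgr.exe
1896 C:\Users\Chuck\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`ac000000 (NTFS)

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Dell Inspiron MBR code detected
SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B

Done!
"""

SECTION_HDR = re.compile(r"^(Kernel Drivers|Processes) \(total (\d+)\):$")
DRIVER_LINE = re.compile(r"^0x[0-9A-Fa-f]+\s+(.+)$")
PROCESS_LINE = re.compile(r"^(\d+)\s+(.+)$")
MBR_LINE = re.compile(r"^\d+\s*[KMGT]B\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+)$")
SHA1_LINE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})$")

PSEUDO_PROCESSES = {"System Idle Process", "System"}
# In-box drivers are reported under \SystemRoot (ntdll shows as \Windows);
# a \??\C:\... path means the driver was loaded from an explicit location,
# which on this machine is third-party software (McAfee, ZoneAlarm).
SYSTEM_PREFIXES = ("\\systemroot\\", "\\windows\\")


@dataclass
class Triage:
    third_party_drivers: List[str] = field(default_factory=list)
    unresolved_processes: List[Tuple[int, str]] = field(default_factory=list)
    count_mismatches: List[str] = field(default_factory=list)
    mbr_status: Dict[str, str] = field(default_factory=dict)
    mbr_sha1: Optional[str] = None

    @property
    def mbr_code_recognised(self) -> bool:
        # Assumption: MBRCheck reports "Unknown MBR code" when the boot sector
        # matches none of its known-good signatures; any named match is fine.
        return bool(self.mbr_status) and all(
            "unknown" not in status.lower() for status in self.mbr_status.values())


def triage(report: str) -> Triage:
    result = Triage()
    section = None
    seen = {"Kernel Drivers": 0, "Processes": 0}
    expected: Dict[str, int] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line closes the current list section
            continue
        hdr = SECTION_HDR.match(line)
        if hdr:
            section = hdr.group(1)
            expected[section] = int(hdr.group(2))
            continue
        if section == "Kernel Drivers":
            m = DRIVER_LINE.match(line)
            if m:
                seen[section] += 1
                path = m.group(1)
                if not path.lower().startswith(SYSTEM_PREFIXES):
                    result.third_party_drivers.append(path)
            continue
        if section == "Processes":
            m = PROCESS_LINE.match(line)
            if m:
                seen[section] += 1
                pid, image = int(m.group(1)), m.group(2)
                # A bare image name means MBRCheck could not resolve the full
                # path (typical for protected processes such as csrss.exe).
                # Not evidence by itself, but these are the ones to confirm
                # with another tool rather than assume.
                if image not in PSEUDO_PROCESSES and ":\\" not in image:
                    result.unresolved_processes.append((pid, image))
            continue
        m = MBR_LINE.match(line)
        if m:
            result.mbr_status[m.group(1)] = m.group(2)
            continue
        m = SHA1_LINE.match(line)
        if m:
            result.mbr_sha1 = m.group(1).upper()
    # A header count that disagrees with the parsed rows usually means the
    # log was truncated or hand-edited before posting.
    for name, total in expected.items():
        if seen[name] != total:
            result.count_mismatches.append(
                f"{name}: header says {total}, parsed {seen[name]}")
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print("Drivers outside SystemRoot:", t.third_party_drivers)
    print("Processes with unresolved path:", t.unresolved_processes)
    print("MBR:", t.mbr_status, t.mbr_sha1, "recognised" if t.mbr_code_recognised else "UNKNOWN")
```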
  8. Broni


    I can see you ran Combofix before.
    Please go to C:\Qoobox and post ComboFix2.txt content.
     
  9. cehines


    Combofix2.log

    Yeah, I ran it the first time and noticed that I didn't have Windows Defender shut down, so I figured I'd better run it again since you said not to have malware-defending programs enabled.
     


  10. Broni


    Combofix log looks clean.

    Are you still using the ZoneAlarm firewall, or do I just see some leftovers?

    How is the computer doing at the moment?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  11. cehines


    OTL logs...

    I'm still using the ZoneAlarm firewall program. Also, my computer still doesn't really seem to be any better as of now. It is very slow to load anything.
    I'm attaching the OTL.log, as I got an error when I tried to cut and paste it, "The following errors occurred with your submission:
    The text that you have entered is too long (52082 characters). Please shorten it to 20000 characters long. "
     

     
  12. cehines


    Extras.txt...

    I got the same error with this file, so I'm adding it as an attachment too...
     


  13. Broni


    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ==========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll File not found
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      @Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:A8ADE5D8
      @Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:DFC5A2B2
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ====================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  14. cehines


    Logs requested now...

    Updated Java...

    Then ran JavaRa...

    Log is attached...

    Ran OTL...


    OTL LOG:

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    ADS C:\ProgramData\Temp:A8ADE5D8 deleted successfully.
    ADS C:\ProgramData\Temp:DFC5A2B2 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Brady
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 20310966 bytes
    ->Flash cache emptied: 456 bytes

    User: Christi
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 55588310 bytes
    ->Flash cache emptied: 4120 bytes

    User: Chuck
    ->Temp folder emptied: 3516970 bytes
    ->Temporary Internet Files folder emptied: 161519010 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 1393 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Gabrielle
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 8965028 bytes
    ->Flash cache emptied: 456 bytes

    User: Hines
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 43179202 bytes
    ->Flash cache emptied: 1066 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: TEMP
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 71421379 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 348.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Brady
    ->Flash cache emptied: 0 bytes

    User: Christi
    ->Flash cache emptied: 0 bytes

    User: Chuck
    ->Flash cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Gabrielle
    ->Flash cache emptied: 0 bytes

    User: Hines
    ->Flash cache emptied: 0 bytes

    User: Public

    User: TEMP

    Total Flash Files Cleaned = 0.00 mb

    Error: Unable to interpret <[Reboot]Then click the Run Fix button at the top > in the current context!

    OTL by OldTimer - Version 3.2.10.0 log created on 08232010_212033

    Files\Folders moved on Reboot...
    C:\Users\Chuck\AppData\Local\Temp\~DF8B4C.tmp moved successfully.
    File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9E55.tmp not found!
    File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9E75.tmp not found!
    File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9EDE.tmp not found!
    File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9EFD.tmp not found!
    File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9F6B.tmp not found!
    File\Folder C:\Users\Chuck\AppData\Local\Temp\~DF9F8C.tmp not found!
    C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WGH2FNTH\df949936-2850-4e26-af65-c14d91c5c48b[1].htm moved successfully.
    C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WGH2FNTH\topic151761[2].html moved successfully.
    C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RV84348U\sh21[1].html moved successfully.
    C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6RJJ94NY\ads[5].htm moved successfully.
    C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
    C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.
    File\Folder C:\Windows\temp\WFV86EA.tmp not found!
    File\Folder C:\Windows\temp\ZLT060b4.TMP not found!

    Registry entries deleted on Reboot...

    Ran Security check....


    Log is attached...


    Ran TFC. Tried to go to the Kaspersky web site; I keep getting "This tab has been recovered", it won't load the site. I tried just going to it through Google, but when you go to the "Free Virus Scan" on their site it says it's being upgraded and to download the 30 day trial version. One of the other URLs you gave me in previous posts, I had the same problem with, kept getting the "This tab has been recovered" over and over. I was able to get to that site thru Google. I have all virus scan and antispyware software disabled. Thanks.
     


  15. Broni


    All good, so far :)
     
  16. cehines


    I don't understand...

    Broni, I want to say thanks again for all your help. I'm sure this is just as frustrating for you. What should we try next? We've done all of this, yet my system still is horribly slow. I mean it takes literally 15 minutes to get into internet explorer once you turn the computer on. Just now, when I launched the internet explorer, it hung, then crashed the first time. Then, I chose to restart the program and my home page is google, and it took like another 5-7 minutes for it to relaunch and go to google. I'm not sure what is causing all this, maybe a browser hijacker. I don't know where to go at this point.
    I really do appreciate your help, it just seems like we're at a standstill...
     
  17. Broni


    Does the issue concern IE only?

    I still need you to complete Kaspersky scan.
    By now, your computer should be malware free, but I have to make sure.

    We'll try to find some remedy, but we have to proceed one step at a time.
     
  18. cehines


    Couple of additional comments...

    I used to run 3-7 programs on my last computer to keep spyware off (Spybot, MalwareBytes, SuperAntiSpyware, SpywareBlaster, Glary Utilities, CCleaner) but found after a while it seemed to be slowing my pc down just as much to run the antispyware software, so it became counterproductive. I decided when we got this new one to go with only a virus scanner. As I said, one of the programs that I used to use was "SuperAntiSpyware". I noticed that you didn't use it, it always seemed to do the best job at removing the stuff, but the thing I found over time is it seemed to be a BIG resource hog and so I eventually took it off...I think I might've actually gotten the recommendations for the above programs from your 8 steps, as I believe it has been updated since I used it last, so maybe those programs have been eliminated...Your thoughts?..
     
  19. cehines


    Kaspersky site...

    IE still won't let me into that site, same error. I tried rebooting, but it doesn't like something about that link, or even going to it through Google...
     
  20. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Firewall + AV + 1 antispyware program (Malwarebytes or SuperAntiSpyware) + your good computer habits, that's all you need to be OK.

    Do you have another browser?

    Try one of these...

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • IMPORTANT! UN-check Remove found threats
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

    ==============================================================

    Please run a BitDefender Online Scan

    • Disable your antivirus program.
    • Click Start Scanner button.
    • Click Start scan button
    • Allow browser plug-in to be installed when prompted.
    • Click I Agree to agree to the EULA.
    • Please refrain from using the computer until the scan is finished.
    • When the scan is finished, click on View log.
    • Notepad will open with scan results.
    • Save the report to your desktop and post its content in your next reply.
     
  21. cehines

    cehines TS Rookie Topic Starter Posts: 16

    virus scans...

    Broni:
    Ran both the virus scans you mentioned, came up clean. The computer seems somewhat faster, I won't be able to tell for sure until I use it this weekend. I work 2 jobs thru the middle of the week, and don't have a lot of time to get on. If there is anything else to do, let me know and I'll post back this weekend. Thanks!
     
  22. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    That's all we can do in the malware forum.
    All clean :)
    Let me know in a couple of days how things are...
     
  23. cehines

    cehines TS Rookie Topic Starter Posts: 16

    Update...

    Broni,
    We started out this thread with a HJT log. However, we ran all the other stuff and never got back to it. I guess since it registered clean with all the other stuff, you felt there is no need to go any further. That's ok. I still don't feel that the computer is running the way it should be, it seems slow still, but I guess if there is nothing else we can do, we can't. I'll try uninstalling all of the spyware tools we used, and just keep one and my virus scanner and see what happens... Thanks again for all your help...
     
  24. Broni

    Broni Malware Annihilator Posts: 48,033   +271

    Your computer is definitely malware free, and this is what we make sure of in this forum.
    If you feel that your computer is still running slow, you may want to create a new topic in the Windows forum.

    I have a little suggestion/test for you.
    Try to uninstall ZoneAlarm, turn Windows firewall on and see how it goes.

    We still need to run last steps....

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    ===================================================================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. Run defrag at your convenience.

    12. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html
     
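    The System Restore reset described in steps 1-3 of the post above can also be done from an elevated Windows PowerShell prompt on Vista/7. The script below is an added example and is not part of Broni's instructions or any tool from the thread; it assumes the system drive is C:, that Windows PowerShell 2.0 or later is installed, and that you run it as Administrator. It deliberately does not reboot: run `Reset-SystemRestore`, restart as the post says in step 2, then run `New-CleanRestorePoint`.

```powershell
# Added example, not from the original thread. Scripted equivalent of the
# System Protection GUI steps for Windows Vista/7. Assumptions: system drive C:,
# Windows PowerShell 2.0+, elevated prompt.

function Assert-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated (Run as Administrator) PowerShell prompt."
    }
}

# Step 1: turn System Restore off for the drive and delete the old restore
# points, which may carry infected files. Restore points are Volume Shadow
# Copies, so the built-in vssadmin tool is what removes them.
function Reset-SystemRestore {
    param([string]$Drive = 'C:\', [string]$Volume = 'C:')
    Assert-Elevated

    # Same as unchecking the drive under System Protection.
    Disable-ComputerRestore -Drive $Drive

    # Same as confirming "Turn System Restore Off": existing points are deleted.
    & vssadmin.exe delete shadows /for=$Volume /all /quiet | Out-Null

    Write-Host "System Restore is off for $Drive and old restore points are deleted."
    Write-Host "Restart the computer now, then run New-CleanRestorePoint."
}

# Step 3 (after the reboot of step 2): turn System Restore back on and create
# one fresh restore point that post-dates the cleanup.
function New-CleanRestorePoint {
    param([string]$Drive = 'C:\', [string]$Description = 'Clean after malware removal')
    Assert-Elevated

    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

    # Verify: only the new point should be listed.
    Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
}
```

    After the second function runs, `Get-ComputerRestorePoint` should show a single entry with the description you gave; if older points are still listed, the vssadmin deletion did not run elevated or targeted the wrong volume.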
  25. cehines

    cehines TS Rookie Topic Starter Posts: 16

    Thanks...

    Ok, I've done the final preparation steps. It seems to be a bit faster already; it may have been the ZA firewall that was slowing it up a lot. Also, through all of our scanning, did we ever really find anything that could've at least been causing part of the problem...?
     