TechSpot

My PC is too slow

Inactive
By Angelina
Jun 13, 2012
  1. Hi
    My PC is not working properly. It's too slow. My Kaspersky anti-virus says no threats detected, but I'm not convinced. Please help me...
    I followed the instructions and below are the logs:
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.06.12.05

    Windows XP Service Pack 2 x86 NTFS
    Internet Explorer 6.0.2900.2180
    AB :: A [administrator]

    6/12/2012 9:01:31 PM
    mbam-log-2012-06-12 (21-54-12).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 181275
    Time elapsed: 40 minute(s), 26 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 3
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Documents and Settings\AB\My Documents\Downloads\SoftonicDownloader_for_vlc-media-player.exe (PUP.BundleOffer.Downloader.S) -> No action taken.

    (end)
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-06-09 23:38:39
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SV4002H rev.QP100-12
    Running: 4kfgijq0.exe; Driver: C:\DOCUME~1\AB\LOCALS~1\Temp\pxtdrpow.sys
    ---- System - GMER 1.0.15 ----

    Edit: Duplicate GMER log has been deleted.

    ---- User IAT/EAT - GMER 1.0.15 ----
    Couldn't fit everything in 1 thread, so continued....
     
  2. Angelina

    Angelina TS Rookie Topic Starter

    Hi
    My PC is not working properly. It's too slow. My Kaspersky anti-virus says no threats detected, but I'm not convinced. Please help me...
    I followed the instructions and below are the logs:
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Edit: Duplicate Malwarebytes log has been deleted. Both logs show No Action Taken
    (end)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-06-09 23:38:39
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SV4002H rev.QP100-12
    Running: 4kfgijq0.exe; Driver: C:\DOCUME~1\AB\LOCALS~1\Temp\pxtdrpow.sys
    ---- System - GMER 1.0.15 ----
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF4DA35FA]
    Edit: Excess GMER entries have been deleted.

    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xF4DA3EFE]

    ---- User IAT/EAT - GMER 1.0.15 ----
     
  3. Angelina

    Angelina TS Rookie Topic Starter

    Continued GMER logs...
    Edit: Excess GMER entries have been deleted.

    ---- User IAT/EAT - GMER 1.0.15 ----

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
    AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
    AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
    AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

    ---- EOF - GMER 1.0.15 ----

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180
    Run by AB at 18:47:08 on 2012-06-12
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.98 [GMT 5.5:30]
    .
    AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.babylon.com/?babsrc=HP_ss&affID=101292&mntrId=b452a30d000000000000000244aa1df0
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\bh\BabylonToolbar.dll
    BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
    BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
    TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\BabylonToolbarTlbr.dll
    uRun: [Google Update] "c:\documents and settings\ab\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
    Notify: klogon - c:\windows\system32\klogon.dll
    AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
    R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
    R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-7-5 475736]
    R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-11-2 365336]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-5-31 40776]
    .
    =============== Created Last 30 ================
    .
    2012-05-31 16:50:1740776----a-w-c:\windows\system32\drivers\mbamswissarmy.sys
    2012-05-31 16:37:19--------d-----w-c:\documents and settings\ab\application data\Malwarebytes
    2012-05-31 16:34:09--------d-----w-c:\documents and settings\all users\application data\Malwarebytes
    2012-05-31 16:33:5622344----a-w-c:\windows\system32\drivers\mbam.sys
    2012-05-31 16:33:54--------d-----w-c:\program files\Malwarebytes' Anti-Malware
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 18:48:42.93 ===============
    Continued further...
     
  4. Angelina

    Angelina TS Rookie Topic Starter

    Continued....

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/5/2011 4:03:33 PM
    System Uptime: 6/12/2012 6:33:05 PM (0 hours ago)
    .
    Motherboard: | | i845
    Processor: Intel(R) Pentium(R) 4 CPU 1.70GHz | Socket 478 | 1716/100mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 20 GiB total, 9.964 GiB free.
    D: is FIXED (NTFS) - 18 GiB total, 15.91 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_125D&DEV_2838&SUBSYS_2838125D&REV_01\4&172A2BDD&0&10F0
    Manufacturer:
    Name: PCI Simple Communications Controller
    PNP Device ID: PCI\VEN_125D&DEV_2838&SUBSYS_2838125D&REV_01\4&172A2BDD&0&10F0
    Service:
    .
    ==== System Restore Points ===================
    .
    RP19: 3/26/2012 5:49:24 PM - System Checkpoint
    RP20: 4/25/2012 5:44:42 PM - System Checkpoint
    RP21: 5/18/2012 9:49:22 PM - System Checkpoint
    RP22: 5/24/2012 6:38:36 PM - System Checkpoint
    RP23: 6/9/2012 8:46:48 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe Reader X (10.1.0)
    Advertising Center
    Babylon toolbar on IE
    DolbyFiles
    Google Chrome
    ImagXpress
    Kaspersky Anti-Virus 2011
    Malwarebytes Anti-Malware version 1.61.0.1400
    Menu Templates - Starter Kit
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Edition 2003
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Movie Templates - Starter Kit
    Nero 9 Essentials
    Nero BurnRights
    Nero BurnRights Help
    Nero ControlCenter
    Nero CoverDesigner
    Nero CoverDesigner Help
    Nero DiscSpeed
    Nero DiscSpeed Help
    Nero DriveSpeed
    Nero DriveSpeed Help
    Nero Express Help
    Nero InfoTool
    Nero InfoTool Help
    Nero Installer
    Nero Online Upgrade
    Nero ShowTime
    Nero StartSmart
    Nero StartSmart Help
    Nero Vision
    Nero Vision Help
    NeroExpress
    neroxml
    VLC media player 1.1.11
    WebFldrs XP
    Windows Installer 3.1 (KB893803)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/9/2012 9:03:56 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    6/7/2012 12:44:28 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    6/7/2012 12:13:16 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    6/6/2012 3:14:38 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
    6/6/2012 3:13:28 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    6/6/2012 3:10:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Kaspersky Anti-Virus Service service to connect.
    6/6/2012 3:10:32 PM, error: Service Control Manager [7000] - The Kaspersky Anti-Virus Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================
    Any help would be much appreciated...
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm having all of your threads merged into the original thread. Please don't start a new thread to continue- start a new reply on the same thread instead.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please read instructions for scans carefully. The reason you had so many posts is because you missed this in GMER:
    I've had all of your logs combined in this thread. We will only use this one thread while we are working on this same problem at the same time.

    You posted the same Malwarebytes log twice, so I have deleted one of them. However, again you didn't read the directions to:
    So all the malware that was found wasn't removed. Please update Malwarebytes and run it again. Take care to check the box to remove all entries found.
    =====================================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------

    • Download Combofix from HERE or HERE and save to the desktop
      • Double click combofix.exe & follow the prompts.
      • If prompted for Recovery Console, please allow.
      • Once installed, you should see a blue screen prompt that says:
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
      (If you need help with this, please see HERE)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ==============================================

    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ========================================
    Please leave the following logs in your next reply, on this thread. You may use more than one post for a log if needed, but it must be in this thread:
    New log from rescan with Malwarebytes
    Combofix
    Eset online virus scan.
    ======================================

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
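The point made above, that a scan whose every entry ends in "No action taken" has found things but removed nothing, is easy to miss when reading a long log by eye. The following is an added example written for this page, not the helper's or Malwarebytes' own tooling: a small parser for the Malwarebytes 1.x text log layout posted in this thread. It lists each detection with the section it came from, flags entries that were never remediated, and cross-checks each section's declared count against the entries actually present, so a truncated or hand-edited log is noticed. The embedded log is constructed, modelled on the first log in the thread; the "Quarantined and deleted successfully." line is an assumed example of a remediated entry.

```python
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the Malwarebytes 1.x log format posted in
# the thread (trimmed). The last registry line is an assumed example of an
# entry that *was* remediated; everything else still reads "No action taken".
MBAM_LOG = r"""Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.05

Scan type: Quick scan
Objects scanned: 181275

Memory Processes Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Detected: 1
C:\Documents and Settings\AB\My Documents\Downloads\SoftonicDownloader_for_vlc-media-player.exe (PUP.BundleOffer.Downloader.S) -> No action taken.

(end)
"""

# Section header, e.g. "Registry Data Items Detected: 3"
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Detection line: item, threat name in parentheses, then one or more " -> "
# fields; the last field is the action Malwarebytes took (or did not take).
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")


@dataclass(frozen=True)
class Detection:
    category: str   # section the entry came from, e.g. "Registry Data Items"
    item: str       # file path or "key|value" for registry data
    threat: str     # Malwarebytes name, e.g. "PUM.Disabled.SecurityCenter"
    action: str     # final " -> " field, e.g. "No action taken."


def parse_mbam_log(text):
    """Return (detections, declared_counts) from a Malwarebytes 1.x text log."""
    detections, declared = [], {}
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):
            continue  # blank, "(No malicious items detected)", "(end)"
        m = SECTION_RE.match(line)
        if m:
            category = m.group("category")
            declared[category] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if m and category is not None:
            action = m.group("rest").rsplit(" -> ", 1)[-1].strip()
            detections.append(Detection(category, m.group("item"), m.group("threat"), action))
    return detections, declared


def not_removed(detections):
    """Entries Malwarebytes reported but did not quarantine or delete."""
    return [d for d in detections if d.action.lower().startswith("no action taken")]


def count_mismatches(detections, declared):
    """Sections whose declared count differs from the entries actually parsed."""
    parsed = {}
    for d in detections:
        parsed[d.category] = parsed.get(d.category, 0) + 1
    return {c: (n, parsed.get(c, 0)) for c, n in declared.items() if parsed.get(c, 0) != n}


def triage(text):
    """Summary a helper wants before reading the whole log."""
    detections, declared = parse_mbam_log(text)
    pending = not_removed(detections)
    return {
        "detected": len(detections),
        "not_removed": len(pending),
        "security_center_tampering": sum(d.threat == "PUM.Disabled.SecurityCenter" for d in detections),
        "count_mismatches": count_mismatches(detections, declared),
        "cleaned": len(pending) == 0,
    }


if __name__ == "__main__":
    summary = triage(MBAM_LOG)
    print(summary)
    for d in not_removed(parse_mbam_log(MBAM_LOG)[0]):
        print(f"STILL PRESENT [{d.category}] {d.threat}: {d.item}")
```

On the constructed log the summary reports four detections, three of them not removed and three Security Center tampering entries, which is the situation the helper is describing: a log that looks finished but a system that is not yet cleaned.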
     
  7. Angelina

    Angelina TS Rookie Topic Starter

    The next set of logs you asked for.....
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.06.14.07

    Windows XP Service Pack 2 x86 NTFS
    Internet Explorer 6.0.2900.2180
    AB :: A [administrator]

    6/14/2012 8:56:32 PM
    mbam-log-2012-06-14 (20-56-32).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 181673
    Time elapsed: 39 minute(s), 16 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    ComboFix 12-06-14.01 - AB 06/14/2012 23:28:05.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.121 [GMT 5.5:30]
    Running from: c:\documents and settings\AB\Desktop\ComboFix.exe
    AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\AB\My Documents\~WRL2044.tmp
    c:\documents and settings\AB\My Documents\~WRL2819.tmp
    .
    c:\windows\system32\drivers\usbehci.sys . . . is missing!!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_ABP470N5
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-14 to 2012-06-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-14 16:39 . 2012-06-14 16:39--------d-----w-c:\program files\ESET
    2012-05-31 16:37 . 2012-05-31 16:37--------d-----w-c:\documents and settings\AB\Application Data\Malwarebytes
    2012-05-31 16:34 . 2012-05-31 16:34--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-05-31 16:33 . 2012-04-04 10:2622344----a-w-c:\windows\system32\drivers\mbam.sys
    2012-05-31 16:33 . 2012-05-31 16:36--------d-----w-c:\program files\Malwarebytes' Anti-Malware
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-02 365336]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "UacDisableNotify"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Adobe\\Reader 10.0\\Reader\\Reader_sl.exe"=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
    .
    R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 11:06 AM 32856]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]
    S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - IPHLPSVC
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1606980848-1060284298-1003Core.job
    - c:\documents and settings\AB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 13:24]
    .
    2012-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1606980848-1060284298-1003UA.job
    - c:\documents and settings\AB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 13:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.babylon.com/?babsrc=HP_ss&affID=101292&mntrId=b452a30d000000000000000244aa1df0
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 203.94.243.70 59.179.243.70
    .
    .
    ------- File Associations -------
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-14 23:47
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-06-14 23:55:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-14 18:25
    .
    Pre-Run: 10,779,484,160 bytes free
    Post-Run: 12,166,492,160 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 3BFA125B5B6A2314390973CECAE370A5
    eset scan results...
    C:\Documents and Settings\AB\Local Settings\Application Data\Babylon\Setup\Setup.exeWin32/Toolbar.Babylon application
    C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dlla variant of Win32/Toolbar.Babylon application
    C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dllWin32/Toolbar.Babylon application
    C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exeprobably a variant of Win32/Toolbar.Babylon application
    C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dllWin32/Toolbar.Babylon application
    C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dllWin32/Toolbar.Babylon application
    D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install (1).exea variant of Win32/InstallCore.D application
    D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install.exea variant of Win32/InstallCore.D application
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You need to look for any pre-checked processes on download screens. Frequently toolbars and/or browser helper objects having nothing to do with what you're downloading will be checked. You should also use the Custom install feature if offered instead of 'standard install.' Then you can prevent some of the useless bundled junk from getting into the system.

    Please uninstall any entries for the Babylon Toolbar. It's okay if you need Babylon for translation, but the toolbar is useless and bundled in the program.
    Also go to Tools> Manage addons in IE> Look in both sections> addons currently on system/addons previously on system> Delete any addons for the Babylon Toolbar> then click on Apply> OK
    =================================================

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files
      C:\Documents and Settings\AB\Local Settings\Application Data\Babylon\Setup\Setup.exe
      C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll
      C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dll
      C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe
      C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll
      C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll
      D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install (1).exe
      D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    --------------------------------------

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      usbehci.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    =================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    DDS::
    BHO: Babylon toolbar helper: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\bh\BabylonToolbar.dll
    TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.5.3.17\BabylonToolbarTlbr.dll
     
     
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=-
    "AntiVirusDisableNotify"=-
    "FirewallDisableNotify"=-
    "FirewallOverride"=-
    "UpdatesDisableNotify"=-
    "UacDisableNotify"=-
     
     
    Clearjavacache::
     
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Questions:

    This system shows less than a year old> Microsoft Windows XP Professional
    Install Date: 7/5/2011 4:03:33 PM
    With 2 small hard drives- one almost full.

    How much RAM is there on the system? (Control Panel> System> System properties)
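The CFScript above deletes the Security Center override and notification values that ComboFix listed under "Reg Loading Points", and the same log shows EnableFirewall = 0 for the standard firewall profile. As an added example (not ComboFix's, the helper's or Malwarebytes' code), here is a small audit of a REGEDIT4-style export in that layout: it parses both the `dword:...` form and ComboFix's `N (0xN)` form, reports every Security Center or firewall-policy value that differs from its expected default, and renders the corrected values as a REGEDIT4 fragment. The embedded export is constructed from the values posted in the thread, with UacDisableNotify set to 0 to show that a compliant value is not reported. Expanding ComboFix's `HKLM\~` shorthand to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet` is this example's assumption; the helper's CFScript removes the values outright, which restores the same default.

```python
import re
from dataclasses import dataclass

# Constructed sample in the REGEDIT4-style layout ComboFix uses for its
# "Reg Loading Points" section. Values mirror the thread's log, except
# UacDisableNotify, set to 0 here to show a compliant value is not flagged.
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-02 365336]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

# (key substring, value name, expected value). The Security Center values are
# the ones Malwarebytes reports as PUM.Disabled.SecurityCenter when set to 1;
# the firewall-policy values are the XP standard-profile defaults.
RULES = [
    ("security center", "AntiVirusOverride", 0),
    ("security center", "FirewallOverride", 0),
    ("security center", "AntiVirusDisableNotify", 0),
    ("security center", "FirewallDisableNotify", 0),
    ("security center", "UpdatesDisableNotify", 0),
    ("security center", "UacDisableNotify", 0),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 1),
    ("firewallpolicy\\standardprofile", "DisableNotifications", 0),
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\S.*)$')
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")      # regedit form
COMBOFIX_NUM_RE = re.compile(r"^(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\)$")  # "0 (0x0)" form


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    actual: int
    expected: int


def parse_numeric(val):
    """Integer for a dword or ComboFix-style numeric value, None for anything else."""
    m = DWORD_RE.match(val)
    if m:
        return int(m.group("hex"), 16)
    m = COMBOFIX_NUM_RE.match(val)
    if m:
        return int(m.group("dec"))
    return None


def parse_reg_export(text):
    """Yield (key, name, value) for every numeric value under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            num = parse_numeric(m.group("val"))
            if num is not None:
                yield key, m.group("name"), num


def audit(text):
    """Every rule-covered value whose current setting differs from the expected one."""
    findings = []
    for key, name, value in parse_reg_export(text):
        for key_part, rule_name, expected in RULES:
            if key_part in key.lower() and name.lower() == rule_name.lower() and value != expected:
                findings.append(Finding(key, name, value, expected))
    return findings


def remediation_reg(findings):
    """Corrected values as a REGEDIT4 fragment, grouped by key. ComboFix's
    HKLM\\~ shorthand is expanded to SYSTEM\\CurrentControlSet (assumption)."""
    by_key = {}
    for f in findings:
        key = f.key.replace("HKLM\\~\\", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\")
        by_key.setdefault(key, []).append(f)
    out = ["REGEDIT4", ""]
    for key, items in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{f.name}"=dword:{f.expected:08x}' for f in items)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = audit(REG_EXPORT)
    for f in found:
        print(f"{f.key} | {f.name} = {f.actual} (expected {f.expected})")
    print(remediation_reg(found))
```

Each finding carries the raw key so the report can be read against the ComboFix log it came from; the generated fragment is review material for the person doing the cleanup, not something the script applies.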
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Do you plan to continue?
     
  10. Angelina

    Angelina TS Rookie Topic Starter

    Oh, I'm sorry... was a little caught up in other things... so here are the logs....



    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\AB\Local Settings\Application Data\Babylon\Setup\Setup.exe moved successfully.
    File/Folder C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll not found.
    File/Folder C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dll not found.
    File/Folder C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe not found.
    File/Folder C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll not found.
    File/Folder C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll not found.
    D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install (1).exe moved successfully.
    D:\5-7-11 BAckup\My Documents\Downloads\incredimail_install.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: AB
    ->Temp folder emptied: 495683 bytes
    ->Temporary Internet Files folder emptied: 754556 bytes
    ->Google Chrome cache emptied: 46829944 bytes
    ->Flash cache emptied: 21838 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 402 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2142714 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 7372 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 48.00 mb

    SystemLook 30.07.11 by jpshortstuff
    Log created at 10:53 on 18/06/2012 by AB
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "usbehci.*"
    C:\cmdcons\USBEHCI.SY_--a---- 15034 bytes[17:38 03/08/2004][17:38 03/08/2004] 4622A7C6B2789441839796EDDDF180B0

    -= EOF =-



    ComboFix 12-06-16.02 - AB 06/18/2012 11:26:52.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.18 [GMT 5.5:30]
    Running from: c:\documents and settings\AB\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\AB\Desktop\CFScript.txt
    AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\TEMP\nst39.tmp\PEV.DAT
    c:\windows\TEMP\nst39.tmp\System.dll
    .
    c:\windows\system32\drivers\usbehci.sys . . . is missing!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-18 to 2012-06-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-18 05:11 . 2012-06-18 05:11--------d-----w-C:\_OTM
    2012-06-14 16:39 . 2012-06-14 16:39--------d-----w-c:\program files\ESET
    2012-05-31 16:37 . 2012-05-31 16:37--------d-----w-c:\documents and settings\AB\Application Data\Malwarebytes
    2012-05-31 16:34 . 2012-05-31 16:34--------d-----w-c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-05-31 16:33 . 2012-04-04 10:2622344----a-w-c:\windows\system32\drivers\mbam.sys
    2012-05-31 16:33 . 2012-05-31 16:36--------d-----w-c:\program files\Malwarebytes' Anti-Malware
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-02 365336]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Adobe\\Reader 10.0\\Reader\\Reader_sl.exe"=
    "c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
    .
    R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 11:06 AM 32856]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe -k secsvcs [8/4/2004 3:56 PM 14336]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1606980848-1060284298-1003Core.job
    - c:\documents and settings\AB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 13:24]
    .
    2012-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1606980848-1060284298-1003UA.job
    - c:\documents and settings\AB\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 13:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.babylon.com/?babsrc=HP_ss&affID=101292&mntrId=b452a30d000000000000000244aa1df0
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 203.94.243.70 59.179.243.70
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-18 11:46
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-06-18 11:52:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-18 06:22
    ComboFix2.txt 2012-06-14 18:25
    .
    Pre-Run: 12,178,358,272 bytes free
    Post-Run: 12,173,369,344 bytes free
    .
    - - End Of File - - F26271A61C408CE5C33547BCA04DBA12

    OTM by OldTimer - Version 3.1.19.0 log created on 06182012_104107

    Files moved on Reboot...

    Registry entries deleted on Reboot...



    Right now, the computer has 256MB of RAM... I plan to increase it... how much RAM would I need for normal, home use?
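    The CFScript in post 8 resets the Security Center "Override" and "DisableNotify" values, and the ComboFix log above still lists AntiVirusOverride, FirewallOverride, DisableMonitoring and a firewall policy with EnableFirewall=0 under "Reg Loading Points". The following is an added example (not code from ComboFix, Malwarebytes or this forum) that parses that REGEDIT4-style section and flags the settings which silence Security Center or weaken the Windows Firewall. The sample text is copied from the ComboFix log posted in this thread; the value names in the rule table are the ones the CFScript resets plus those reported by Malwarebytes as PUM.Disabled.SecurityCenter. Function names are the example's own.

```python
"""Audit a ComboFix-style "Reg Loading Points" dump for Windows Security Center
and Windows Firewall settings that hide warnings or disable protection.

Added example for this thread; it is not ComboFix, Malwarebytes or TechSpot code.
"""
import re

# Value names under HKLM\SOFTWARE\Microsoft\Security Center (or its Svc subkey)
# that, when non-zero, suppress Security Center warnings or tell Windows that a
# third-party product covers AV / firewall / updates. These are exactly the
# names the thread's CFScript resets with "=-".
SECURITY_CENTER_FLAGS = {
    "AntiVirusOverride", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "FirewallOverride",
    "UpdatesDisableNotify", "UacDisableNotify",
}

# Windows Firewall standard-profile values and their expected (safe) settings:
# firewall enabled, notifications not disabled.
FIREWALL_EXPECTED = {"EnableFirewall": 1, "DisableNotifications": 0}

# Sample input: lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-02 365336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_loading_points(text):
    """Yield (key, value_name, raw_data) from a REGEDIT4-style dump.
    ComboFix inserts '.' separator lines, which are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "." or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def dword_value(raw):
    """Decode the two DWORD spellings in the dump ('dword:00000001' and
    '0 (0x0)'); return None for anything that is not a DWORD."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None


def audit_security_center(text):
    """Return a list of (key, name, value, reason) findings for settings that
    silence Security Center or weaken the firewall."""
    findings = []
    for key, name, raw in parse_loading_points(text):
        k = key.lower()
        val = dword_value(raw)
        if val is None:
            continue  # e.g. the REG_SZ Run entry for avp.exe
        if "security center" in k and name in SECURITY_CENTER_FLAGS and val != 0:
            findings.append((key, name, val, "Security Center warning suppressed or overridden"))
        elif "security center\\monitoring" in k and name == "DisableMonitoring" and val != 0:
            findings.append((key, name, val, "Security Center told not to monitor this product"))
        elif "firewallpolicy" in k and name in FIREWALL_EXPECTED and val != FIREWALL_EXPECTED[name]:
            findings.append((key, name, val, "Windows Firewall policy weakened"))
    return findings


if __name__ == "__main__":
    for key, name, val, reason in audit_security_center(SAMPLE_LOG):
        print(f"{reason}: [{key}] {name}={val}")
```

    Run against the log above it reports five entries: the two Override values, DisableMonitoring for Kaspersky, EnableFirewall=0 and DisableNotifications=1. Note that the CFScript targets the `security center\Svc` subkey, while these values sit directly under `security center` and under `Monitoring\KasperskyAntiVirus`, which is why they are still listed after the fix ran; pointing the audit at a fresh dump after each cleanup step is the quickest way to confirm what actually changed.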
     
Topic Status:
Not open for further replies.

